Posts by doublelayer

Re: Find my?

The article specifies that they were looking at collection when there is no account signed in. In order to use the feature that finds a lost device, you need to associate the device with an account and access that account to get the data. By definition, they did not have that feature enabled and it sent data anyway. If the data was only sent when people had requested that service, it would be different.

Re: It's this sense of entitlement that get's me

Basically yes. You don't have to sign in if you want to use it as a phone. You'll get the Apple apps, including browser, can use it as a phone, get OS updates, all that. If you want to install apps though, you'll need to sign in. It could be worse, like Chrome OS, but it is limited without an account.

Starlink, do you mean? If so, no, it doesn't.

Until they can release a lot more satellites, Starlink can't cover the whole world nor can it provide bandwidth for everybody. It can provide some bandwidth, which is why it's being sold now, but if you put millions of people on it, it wouldn't be functional. Starlink needs satellites in orbit which requires a lot of rocket launches. It also needs a lot of downlink facilities which scale arithmetically with the user count. To be most efficient, those downlink facilities will need to be geographically distributed, which means there will need to be enough cables to serve all the places with such facilities.

In addition, there are problems with satellite which make it unusable in some areas. Areas where a receiver can't be positioned correctly, where that receiver is likely to be damaged by local conditions, or where the receiver will be occluded by clouds, storms, etc are all places where people will prefer the reliability of a cable if they can get it. It's also usually cheaper once it gets built--even with U.S. prices being higher than most other countries, Starlink contracts are quite a bit more so. A Starlink-style system does provide some advantages, but as much as Spacex's advertising copy might claim, it's not a panacea for all network-related problems.

Re: Stalker's dream

"you have to make 6 million calculations a minute on 18 million datapoints. Just to get the 'raw' location data."

Sorry, but this doesn't sound as difficult as I think you meant it to. My desktop can process millions of operations per second. A server can do it even faster by throwing more cores at the problem, because it's completely parallelizable. The only tricky part is getting the large databases into the processing system, but since they have high-speed connections to send user data, it's not that difficult to do that either. Existing software is available to take that raw location data and display it on a map, and I'm sure there are companies willing to build a system to analyze that kind of raw intelligence.

Any network will get malware on it eventually. Some networks get malware on them a lot more often than others. These things are not contradictory.

Any system will lose data permanently eventually. Some systems have no backups and therefore will lose data permanently more often and in a more damaging manner. These things are not contradictory.

The most sophisticated attack will eventually get access through a very good security system. A good enough security system will block less sophisticated attacks. These things are not contradictory.

Some of this is about doing the job well. Ransomware can be prevented more often by employing security measures that make it harder to install. While it can't be prevented in all cases, the risk can be reduced. If ransomware does strike, it will be debilitating, but if there are good backups, it will lessen the cost of fixing things. A sophisticated attacker may manage to infect the backups too, but it's possible to avoid that. Therefore, it is justifiable to say that a place with local admin rights for everybody and no backup system has failed to do its job related to security. We're not being sanctimonious any more than you would be if you told me not to leave the keys to my car in the car and then walk away. It's a precaution they have to take and they didn't. This doesn't apply to everybody, but you'll find it applies to a lot of them.

Re: Well...

"In some jurisdictions, recording ("wiretapping") can be legally done with only one party's consent"

Yes, but not with a third party. In such jurisdictions, if I call you, I can record our conversation. However, if I call you and a third person not on the call records it, even if you know that, it is not legal. Also, California doesn't allow this. Florida does, but that proviso applies there.

Re: Who still uses a 5 year old "smartphone"

Well, me for one. My main phone is from 2016. Why? Because the newer phones provide only a few benefits. They're larger. That's a downside for me. They have more cameras. Given that I use the camera maybe four times a year to demonstrate something, that's not very important. They have 5G. If I was using my data connection outside WiFi range a lot, this would... probably not make a difference because 5G coverage is still limited. As it is, I don't use the data connection very often and 4G has been just fine for it. They have faster CPUs, which I wouldn't mind, but I don't do heavy lifting with my phone's CPU so its speed is relatively unimportant to me. I have nothing that I want from a new phone, and by not spending money on a new phone, I can have the ability to buy something else which will be more useful.

Re: Oh how the woke wimper

Freedom of speech means the government can't be the one giving you consequences. This seems to be required teaching about once a month, so let's do it a few more times. North Korea does not have it because, if you say the wrong thing, the government comes to arrest you. If I don't like what you said and tell you never to come to my house again, that's not a violation of your freedom of speech. If I don't like what you said and make it so you can't post on my site again, that's not a violation of your freedom of speech. If I don't like what you said and say something to you that you don't like, that's not a violation of your freedom of speech. If I don't like something you said and refuse to associate with you ever again, that's not a violation of your freedom of speech. If I don't like something you said and I tell other people that you said it, and they also don't like what you said, that is not a violation of your freedom of speech. As long as the government doesn't come to arrest you or otherwise affect your rights, your freedom of speech has not been violated.

Re: Why is the second part of:

It's not PayPal's job to validate each transaction to determine whether the sale is valid or not. They just move the money. As long as they do the checking to determine that it's not money laundering, they're in the clear. How should they know if the laptops are stolen or not? In fact, they won't even know the exchanged items are laptops.

That's possible, but it's not guaranteed. There are a few options. For example, the employee might not have entered on such a visa. He might have other rights of residency, or have been hired as an outsourced worker who visited only a short time. For that matter, he could have been a dual citizen which is unlikely but possible. Also note that the victim company also didn't get their name printed. Maybe they just don't want to be known as the people who broke the system that badly.

Fine. I'll concede that you are an office admin. The IT people who do more than that, though, are not. A person who does easy stuff with desktops like you describe is doing something users should know how to do. The person who made that default image probably knows more. The person who configured the network and got everybody online while monitoring their machines for security incidents knows more. The person who ensures the necessary servers are available so work can continue know more. These things are clearly IT. We can draw a line between IT and software development if you like and still acknowledge that there are roles on the IT side requiring more advanced skills.

Re: The Impossible Wall

That's correct. You can't FOIA Facebook. If you live in a country with GDPR or California with CCPA, you have the right to get a copy of their data on you. Be prepared to give them a bunch of identifying information so they can find the data on you. Be prepared for them to keep that information and not tell you about doing that. Also be prepared to see some lies about what they don't have.

Re: The Impossible Wall

"How do I go about ascertaining whether or no that Facebook has or doesn't have any of my information?"

Flip a coin. If it lands, they have some information about you. It might be wrong, but they have it. If it doesn't land, you are not on Earth. Since you have access to the internet, we presume you're on the ISS, in which case they have information about you. All paths return the same value.

Re: Looking for a new registrar

If you want a registrar that supported it for a while, the publicbenefit.uk homepage lists the supporters. The largest ones who supported for a while are Gandi, 20I, Coherent, Crystal, and ANY-Web. Two even larger ones, TUCOWS and Namecheap, also voted in support but made up their minds later. There are about 480 other supporting members available. I have only listed those managing over 30K .uk domains. There is plenty of competition available while allowing you to stick with companies supporting the motion.

It does take a lot of resources to actually create the software. Writing code which functions takes time. Making that code not crash takes time. Creating the resources which most nontrivial code uses takes time. And not only time, but also a lot of specialized resources like programmer knowledge, equipment, attention to detail, etc. Copying may be cheap, but that does not make the rest of it free. It is not. I'll grant that the car analogy is not perfect, but then little is. I'd try a book analogy, but some people also think those should be entirely free whether the author wants to do that or not, so it isn't as illustrative.

There are people out there who hate GPL with a passion. They have often taken the argument that licensing code under the GPL is violating their rights because it doesn't let them use it in proprietary software. I am very annoyed with those people. However, there are people who make similar arguments about anything not licensed under the GPL, including proprietary and permissive. They are wrong too. It is an issue of choice. What they have to realize is that copyleft is based on copyright, just like proprietary is. The reason GPL has the freedoms of GPL is that copyright law makes it happen.

Re: It's FLOSS btw

This argument is nice, but it doesn't always work. If you write code and make it copyleft, I'm happy because yay, free code. If you build a car and give that away too, yay, free car. This is not a moral imperative though. It's just a nice thing to do. I write code and release it for free (variety of licenses, but I have written GPL3 stuff because I want the license terms to apply). When I do, I understand that I'm not going to get money for the work unless I'm very lucky. It is also my right to create software which I don't release so freely as long as I don't use others' GPLed code to do it.

If someone writes some code, not using any copyleft components, and doesn't give that code to everyone but instead sells it, that's not an immoral act. Acting like it is is weird and is exactly the kind of thing that makes the original poster not want to take you into a meeting. Not having access to the code may be a sufficient reason not to use it. That's your choice, not an ethical certainty. Sadly, we don't always live in a world where code written from pure altruism is available or superior to proprietary code written for profit, which means that people who either don't care about or don't understand the license wars may choose the proprietary option.

I read the comment as giving Stallman credit for the Linux kernel. Now that I'm reading it again, it could be that or they could be correctly setting it apart and giving Stallman credit for the rest. I'm not sure which it is. If it's the latter, then my original critique is incorrect.

If it is the latter, it's unfair to lots of people who are not the FSF. This is the problem I have with those who are intent on calling Linux GNU/Linux. Yes, GNU deserves credit for lots of nice code they've written, but by including them in the name as some demand, it does two things that I see as harmful. The first is that it implies that GNU code is required for a Linux system that respects user freedoms. This is not true. Almost all the most popular and required GNU programs have non-GNU alternatives. There are alternatives for libc, GCC, the core utils, and quite a few other things.

The second problem is that plenty of other projects deserve some credit and don't get it when GNU and Linux are listed as if they're the most important. Most running Linux installations, desktop or server, have lots of software written by people who are neither the Linux foundation nor GNU. If the name of the system has to list all the important players, then it will be a very long name. KDE/Mozilla/Python/TDF/ApacheFoundation/Apple*/GNU/RedHat/Linux describes a basic desktop distro before the user installs anything, and there are undoubtedly plenty of others who deserve membership in the list but I stopped listing them. Not that it diminishes the real contributions made by the GNU project and the FSF, but such statements are often a lot more limited than they should be for honesty.

*Apple, in the Linux company list? Yes. Several important components rely on Apple-maintained components. They include CUPS for printing, OpenCL, LLVM and Clang, etc. One could list each project by its independent name, but so the name fits in this comment box, I'm recommending we don't just glob together all the installed package names.

"I think Stallman ought to be recognised for his tremendous contribution to FOSS (as Linux is much more than just a kernel),"

Sorry in advance for the pedantry, but this is the wrong way round. Stallman didn't write Linux at all, and the people who did are not associated with the FSF or GNU. What those projects created are a lot of the utilities that go around the kernel. This has led to arguments between the two projects, for example Linux sticking with GPL version 2 only while the FSF is intent that version 3 is much better. Also, insert the Linux versus GNU/Linux argument here.

Re: "paint encrypted mobile phone services as something used exclusively by criminals"

You are wrong several times. Let's start with the obvious one:

"The culpability in this case is two-fold: (a) he sold strong encryption to drug dealers for the purpose of evading detection while committing a crime and (b) in the process of committing (a) he violated ITAR and US Export Control regulations."

A is covered in my original comment, short version is "more proof than that needed". For B, no, he did not violate U.S. export controls. He and his company are Canadian. The exports happened from Canada. U.S. export controls only apply to people exporting stuff from the U.S. Same with ITAR. It's a U.S. law and applies only to the U.S. Other countries have similar legislation, at times structured to be compatible, but it's not ITAR. Canada has export control legislation. Calling it ITAR and alleging that U.S. export regulations apply to Canadians makes it clear you do not understand how those laws work.

Now let's consider Canada's legislation. Actually, it's best we don't, because Canada hasn't charged anybody with breaking its export legislation, and they are the ones who would have to. But let's consider it anyway. In the list of controlled items, it originally seems somewhat damning since symmetric cryptography which works is prohibited (limit of 56 bit keys). However, there are long lists of exceptions. One of them looks like this:

"e. Portable or mobile radiotelephones and similar client wireless devices for civil use, that implement only published or commercial cryptographic standards (except for anti piracy functions, which may be non-published) and also meet the provisions of paragraphs a.2. to a.4. of the Cryptography Note (Note 3 in Category 5 - Part 2), that have been customised for a specific civil industry application with features that do not affect the cryptographic functionality of these original non-customised devices;"

Well, the phones themselves are mass-market with hardware modifications unrelated to the cryptography. So as long as they use public algorithms, they count under this exception. Public algorithms include AES and RSA. So now, if Canada wants to charge him, they will have to identify the encryption in use. I'm guessing it's likely to be a public one, in which case they have already allowed it.

Also see this FAQ about cryptography exports. It's useful in determining what is allowed and what is not.

By the way, you'll find that no charges for breaking export controls, whether Canadian or U.S., have been filed. That's because the lawyers understand what is illegal and what isn't. They are hinging their entire case on point A, and point A is quite plausibly true. Still, it needs more proof than you have.

Re: "paint encrypted mobile phone services as something used exclusively by criminals"

Well, they can both be used to commit a crime. A car lets a criminal get to or away from a crime scene a lot faster or you can kill someone with it. For the same reason, encryption can be used to hide information about your crime. Both can be put to nefarious use. They are also similar because both are heavily used by others for entirely legitimate purposes.

The important detail is whether the operators of the encrypted communication company knew their products were being sold to criminals. The wording there is important. It's not enough that the equipment was being used by criminals; car companies know that criminals will use cars and ISPs know that people will send malicious packets. The business has to know that they're interacting with a criminal for them to share culpability. Again, the wording is important. If they went to strange steps not to know their customers because they knew they would be criminals, then they knew and the circling around doesn't help them. If they actually thought the products were being used by normal businesses which would have a reason to want secure communications, they aren't culpable. This is the reason the trials of these companies have to be based on specific evidence from each company. There have been many companies deliberately aiding criminals and this might be one of them, but that has to be proven and just saying "they provide useful stuff that criminals used" isn't enough.

Re: Sounds “interesting”

"I once knew someone who left their wifi completely open (was a few years ago) so anyone could access it. Know I don’t know why unless he planned on hacking everyone who connected...."

I once considered doing that basically as a service. I already had a guest network set up which couldn't see my normal network, had bandwidth limits, and could support automatic cutoffs if I wanted them. I was thinking that I had a reasonable connection rate, never got near a bandwidth where they'd reduce my speeds, and therefore wouldn't mind letting others in WiFi range use it if they needed to move some data. Then I considered what would happen if the police showed up for information on a user, which I wouldn't have, and decided that my technical knowledge meant the lack of logs proved I was erasing them. So I didn't. Still, my idea to do it was basically altruistic.

Re: pwned by default

Not exactly. Just unpickling one can't run code. It can produce an object that is runnable. It should be treated like anything that can be executed, but not like something which automatically executes. It's one level below a document which can run data just by opening it.