Posts by doublelayer

Re: Diversified to death?

"There's no money in a browser engine?!! Come again? They're raking in $400 million (!) a YEAR."

But not for the browser engine, for the market share. The engine itself isn't making them the profit. Should Google succeed in getting Chrome to 98% market share, they wouldn't have any reason to keep paying Firefox to send users to their pages and earning them ad revenue. The engine is the thing that is most reassuring about Mozilla, because they haven't abandoned it and it continues to allow some competition, especially important as Google keeps putting things into Chromium that rely on Google-run services. Basically, the thing that makes Mozilla money is their history of having a great browser, and they are currently using at least some of that money in maintaining a good browser engine.

That doesn't help. Firefox security is critical, and it's the main security team that I care about, but Mozilla's recent product is a VPN, which is one of the ways they are planning to make money. That isn't Firefox, meaning the Firefox security team probably doesn't work on it. Who does? I probably wouldn't be that confident investing in a VPN if the main organization security team had been completely eliminated, and Mozilla is facing a market that already has established competitors while their effort is only a couple months old. I would have thought that it would be in their interest to put as much behind this project as they can to ensure customer confidence and hence customers.

In addition, they must know that firing workers without a clear indication of funding problems is going to cause concern among those of us who pay the most attention. Those people who pay a lot of attention are also the ones most likely to understand the benefits of and need for a VPN. So they are going to risk harming their image amongst what is probably the largest demographic of VPN customers. I don't understand that decision.

Re: Over sensitivity

"Why is there so much of a concern that the app may be too sensitive, and is likely to over estimate the risk of infection from people 2m or more away?"

It is a lesser concern than various other potential problems, but mostly the worry is that people will become desensitized to requests to quarantine. If the app detects people at a distance, then it will probably pick up lots of them who are on the other side of walls or windows. If it produces a lot of warnings from this then people will be frequently requested to quarantine. If people quarantine without symptoms for a few times, they may think the app isn't doing anything, meaning they ignore it next time it says something. These particular ifs haven't been proven too happen yet, but it could reduce the efficacy of the app if they did. There are other concerns which are more important, including the opposite (no reports because of lacking adoption or testing leading to complacency), but it is at least worth some consideration.

Re: It really is time that anything included in a standard is royalty free.

"I think you misunderstand how 3gpp works. It is not a governmental organisation and the standards developed by 3gpp are not approved by government"

I'll be the first to admit that I'm not particularly knowledgeable about the IP included in this particular case. My comments were more generic, and if they don't apply here, they still apply elsewhere. Plenty of standards in wireless communication are approved by regulatory bodies and include proprietary technology. For a basic example, digital audio radio broadcasting. It's not exactly the closest match to this situation, but I'm using it as my example because the technology is so simple. There are a few technologies in common use in different countries, but in most cases, each country has one standard which is in use while other standards are not approved outside of experimentation. The most common standards are DAB+ (Europe, Australia), DAB (U.K.), HD (Canada, U.S.). Each one contains different proprietary technology, including which audio compression engine is required, meaning license fees from all radio stations and possibly all radio receivers (some standards require it, some don't seem to). Each is supported by a government-enforced monopoly in those countries in which it is used. This is the kind of situation I am talking about. Perhaps I should have done a better job to indicate the general coverage of my original post, but in my opinion, such monopolies may warrant more expansive FRAND restrictions.

Re: It really is time that anything included in a standard is royalty free.

Original: "meaning the holders of the IP now have a license to print money at the expense of all the other manufacturers and consumers"

Response: "No, that's what FRAND is for - Fair, Reasonable And Non-Discriminatory royalties, if your invention gets adopted into the standard."

Exactly. I understand that. What I am suggesting is that possibly the FRAND standard allows too much leeway, and in some cases where standards are supported by an external party, it may need strengthening. You'll note that there seem to be many disagreements between IP holders and IP purchasers about whether terms are in fact fair and nondiscriminatory, which are rather important. Legislation may not be able to handle the fair price part, as the more leverage the IP holder has the less likely they are to agree to any price short of their original ask, but legislation might be able to produce better terms that enforce nondiscrimination. Only by investigating where the current FRAND process fails can we figure out what if anything is needed and how we can apply policy that will improve the situation.

Re: It really is time that anything included in a standard is royalty free.

That is concerning, but so is the alternative which is that a standard is made and soon adopted by a government which makes it the suggested or only approved option, meaning the holders of the IP now have a license to print money at the expense of all the other manufacturers and consumers. If some standards organization without any conflict of interest wants to make their own standard with proprietary technology, it doesn't harm people very much. If it's a standard that can be forced on people, not so good. Mobile communications standards usually require regulatory oversight, meaning that if you get a patent into a standard and get that standard approved as the only accepted way for people to use their phones countrywide, you have a lot of money on the way. And since we get a lot of benefits from using similar technologies all over the world, if you can get that standard in use somewhere powerful before other countries adopt their own standards, you have even more chance to get money. With that kind of gift being provided, I don't feel it's too much to require that standards that are part of a governmental requirement be subject to more restrictive requirements on royalty rights. We could work to ensure those restrictions don't allow a small company with a really good idea to be trampled, but if that small company is planning to trample others by charging them ridiculous prices once they get a monopoly on standard compliance, I lose my sympathy.

Re: One Possibility

"Between robots that actually work, much enhanced 3-D printing and the possibility of shipping much stuff to folks as "kits" that any twelve year old can assemble, the classical "factory" may largely fade away in the next few decades."

Your first two are possible, but your last one seems unlikely to me. That would be nice, but I don't think much will be made in kit form for two reasons. First, companies like their planned obsolescence, and making it easy to assemble and probably disassemble their products isn't going to appeal to that kind of place. Second, the places that do make kits for things often don't make one any twelve year old can assemble. Instead, they make one that twelve year olds who already know how to assemble things because they have all the tools and have broken enough stuff to know how to operate them can assemble into things that still look a bit fragile. With people wanting durability and convenience, I can't see many things going that way, especially things like phones with expensive components (and dangerous ones giving the high-capacity battery) which people would like sealed for water resistance.

Re: Too stupid to care?

Sadly, it's not exactly that. A server implementing HSTS has to say this and not allow normal HTTP access. However, a site can implement HSTS and still allow HTTP connections which get redirected, and a lot of them do to avoid looking broken to people who aren't familiar with it. Take my site for example. If you request any page over HTTP, the server sends a 301 saying it's been moved to the HTTPS site. So you can't retrieve something over HTTP from my server directly. However, an attacker who is replacing your traffic could intercept that HTTP request, not give it to you, fetch the real page from me using HTTPS, and present it back to you as if my server hadn't attempted to do the redirect. There are some pretty good solutions to this, but each comes with a downside:

1. I could block HTTP requests rather than redirecting them. This forces all connections to be secure and makes it harder to pull the redirect on someone. It means that people who type my domain name and whose browsers attempt HTTP will think my site is down though.

2. The user could check the address bar for the secure site icon and the domain name they're trying to access. This would take them all of three seconds.

3. The user could type the HTTPS. This would take them all of two seconds.

4. The user could install a plugin that does 3 for them. It might break and they'd have to remember what they did so they could click the button to allow the two exceptions.

5. The browser makers could modify their default policy for when a user enters just a domain name and try to send an HTTPS request first. If and only if it fails send an HTTP one.

Re: I continue to be surprised

"Now, conversely, if I were running a Bitcoin exchange, I would definitely want https to be the default setting, if for no other reason than wanting to ensure that the Dunning-Krugerrands wind up in my pocket and not someone else's when I decide to fake my death and abscond to a foreign country with the proceeds of my clients' ill-placed trust."

The problem there is that the attacker probably does use HTTPS to connect to the exchange, just with them impersonating the client. It's probably not easy to determine that it's not the user on the other end, and almost certainly such a coordinated group has different nodes making the connections so they can't be identified as exit nodes and blocked that way.

"If I were the client of such an exchange, I would definitely pay close attention to whether https is being used as well, but I'm not sure what the interface for such a thing looks like, so maybe it's not obvious."

The exit node can't easily provide a forged certificate because the client's machine will still verify it, so they're probably seeing the insecure site icon like on any other HTTP-only site. Either that or they get redirected to a secure site that is controlled by the attacker and therefore doesn't use the same domain name. It would really help the clients to make sure that is not there whenever they're accessing something sensitive, but maybe it would be better for there to be a setting to enforce that. That doesn't seem out of character for the Tor browser to warn or even block HTTP-only on the clear web and 301s pointing to different domains.

Re: I continue to be surprised

"HTTPS doesn't stop your ISP, TOR exit node, etc, from seeing what sites you go to. This is mentioned in the article."

The article mentions that connections are often made to cleartext HTTP pages first before being redirected, which gives an attacker an opening, but that's just the first page. It gives some detail about the domain, but that's it. For example, I'm not even using modern security but my ISP doesn't know what pages I visited during my session here. They would know that I'm active and reading The Register, but not which articles I read. I don't really care if they do know that, but I might care about similar information leaked from a different site. For this reason, HTTPS is useful even when you aren't sending information. In addition, more advanced security measures can keep my ISP from knowing some of the information they could get before, (although since this site uses its own IP addresses, I couldn't hide everything without VPNing through my ISP).

Of course the professional users will have a backup. Unless they are only professionals in their field and don't know how to, but most of them will have a backup. The backup is useful in case of drive failure, because you can replace the drive and restore the backup to it. Oh, wait a minute, I meant that the backup is useful in the case that the drive fails and the user has to either boot to the backup disk, probably over USB, or restore the backup to a new drive in something else. Neither is a good approach if you need fast throughput, because you probably didn't buy two machines to do the fast professional work on when you only need one. You could buy a spare iMac, and if your work is really important you might, but it might be easier just to buy something that can take a new disk and put a new disk in.

As for network storage, no, that's not going to work. People who need local processing usually also need local storage so their processing actually helps. If you get a processor that's twice as fast as the old one and put your data on a network connection that slows you down, there's little reason to have bought the faster computer in the first place. Sure, the data gets synced to the network eventually, but it's for a rolling backup and for easier access. When you're doing complex stuff with said data, you want it on the same machine that does the processing, and usually with the fastest access you can get, which is why there's a business for really nice SSDs and in-memory caching.

"Imagine if there was a criminal charge that would be levied against senior manager or officials of an organisation for allowing their security to be lax enough that they 1- allowed a significant and dangerous malware onto theri network and 2 - their systems were too poorly configured/maintained to allow them to recover from 1 in a timeous way."

On the surface, this sounds nice. I'm all for accountability, and the senior management is the place that most often needs and fails to be accountable. However, I think the criminal penalty would probably break things, and maybe we should be more lenient but more precise in our penalties.

If such a criminal penalty were enacted, almost certainly it would include a provision making it the fault of the technical people if they could be proven incompetent. For example, the senior managers hire people and pay for backups, but the techs don't actually do that. It makes logical sense, and it would undoubtedly get lobbied into the law. The problem here is that, in every case, the senior management will do everything it can to put the blame on somebody in IT rather than take the blame themselves. They will be backed up by the legal and financial power of their business, while the IT person will be backed up by their life savings, which will have to serve for their protection from charges of incompetence and for their legal expenses for wrongful dismissal. The answer to this would probably be things like required audits by an independent third party to confirm that IT are doing what they should be doing, which would be nice, but would also mean IT has to keep stopping normal work to complete the audits and the business has to pay for them frequently. This is easy for a large business, but it could make things hard for the small ones.

Re: Yes but no

"I hope they do not fire their IT staff."

I'd be surprised to hear they have much in the way of IT staff. I'd guess they have a couple people whose job is maintaining desktops and contracts with places to write web apps they need to provide city services, meanwhile the maintenance of infrastructure, backups, etc is handled by whoever needs it at the time. I've seen many systems run in this way because IT is a cost center, and backups even more so. Then this happens and they can't recover because they didn't make any backups or provide for a restore process.

Re: I wonder if...

"Assuming they leave their calling card and have a 'reputation' to protect"

You assume a large thing. A lot of ransomware artists don't see their job as requiring a reputation advantage. The smaller the scale of their effort, the less reason they have to write a decrypting program or actually check they're encrypting correctly instead of just corrupting every file. Even for those longstanding efforts that do have a reputation, nothing stops a competing criminal from designing their malware to look like one that is more trustworthy, if such a word can be applied to malware. It's been done to attempt to throw off attribution; it can be done to get more money.

Re: Do end users have standing to sue over this?

No, they have reasons to sue over the other things and this too. You've described the data as what apps and how long (I.E. when). There are several good reasons I don't want Google to have a log of what I do with my phone, including when it was in use for each thing. And there is no good reason for them to collect said information. I as a user would feel this alone violates my privacy.

Now, if the allegations made here are correct, they have a lot more data than that. If they are analyzing how I interact with apps, it's probably not just seeing whether I use them a lot, but instead seeing how they are used (E.G. which utilities of each app I am using), how active I am during use, etc. This has all sorts of potential to contain personal information, and I can't know it's happening, let alone see what data is collected or control it. This is deeply concerning. The only potential reason not to punish Google intensely for this is if they can prove that it doesn't do what the allegations say it does. I haven't yet found a good technical analysis of this, as most of the coverage of the topic has happened in the past few weeks. If they can't release a comment that can disprove the allegations, I predict numerous complaints worldwide, and those complaints will be justified.

Re: Victim shaming

Your concerns are valid and they are often taken into account during extradition hearings. In many cases, if country A does not think the event was a crime, they will refuse to extradite. If country B's punishment for the crime exceeds country A's, it is common that country A will only agree to extradite under some conditions including a limit on punishment. These considerations are often seen in such cases, and there have been cases where country B decided not to meet country A's requirements and country A refused to extradite and charged the suspect themselves.

As for your discussion on where Twitter is located, that is somewhat clear. The company is located in the United States. They may own other entities, but the entity which controls the servers which were broken into is the main company based in the United States. The crime that is mostly being discussed here is accessing those servers, meaning that the locations of the people impersonated is not at issue. The location of the people used during the attack is similarly unimportant. In this case, the U.K. and U.S. both have jurisdiction over this particular suspect, so the U.S. may request to have the suspect tried there. If they do, the U.K. will be free to refuse that request and they will consider points such as yours when they do. It is worth keeping in mind that, should the U.S. make a request, it is not only legal but very standard for cases such as these.

Re: Victim shaming

"Then again why should Mason Sheppard be tried in the US, British citizen in UK when it happened, surely subject to UK law."

Crimes can be tried either in the country where the perpetrator resides or the country where the crime took place (for digital crimes, this means the country of the victim). For this reason, it's rather normal that there would be the potential for this crime to be tried in the U.S. and extradition requested. The U.K. of course has the option to refuse extradition and try separately. The U.S. might want to extradite to the U.S. rather than wait for the U.K. to try the suspect in the hopes that information from all suspects might lead to more effective trials; for instance, if the same investigators get to question all suspects, they are more likely to get information against others involved.

Re: I must be missing something...

"I don't know why you think scientists who are experts in their field, should be any better at office software than they are say at plumbing or arc-welding."

They should because the office software is part of their job. Now probably it shouldn't be that big a part, but if they insist on using Excel for their database, then they need to know how to use it for the database-style things they intend to do. Column typing is one of those things.

I'm a programmer. I only need to know how to write code, so I shouldn't have to know very much about infrastructure which I don't administer, right? We probably all know programmers like that. Yet that knowledge is crucial to understanding how my code will be working and therefore making my products useful. It isn't a thing specifically named in my job description, but if I don't know how to do it, I am not as good an employee.

Re: They are creating a database ...

Some people have this very strong aversion to databases. They don't necessarily provide a reason, and if they did you wouldn't understand it. I've seen lots of people do this, including several types who know about databases but still use spreadsheets. Part of it might be that they don't want to have to write the UI around the database and the only reasonably common portable database format is SQLite*, but that's not a great reason.

*For example, the MS Access database format isn't easy to open if you don't have a license for Access. Dumps from other databases might need tailoring if you're using a different server, or people just don't want to run servers. I view an SQLite file as a perfectly valid way to send a dataset, but I'm comfortable issuing SQL queries. I don't know if there are good GUIs for that which allow viewing, sorting, adding, and all of that without needing to learn SQL, but if not maybe we should write one for the biologists. Anyone want to collaborate on that open source project?

By the way, XKCD has been prescient as always.

"Just because someone has been arrested and then released without charge if the case is still open do you delete everything"

In this case, charges were dropped. This basically means that the case isn't open. It's possible for someone to decide to file new charges, but unless that happens, the people concerned are not subjects of any charges and not arrested. The case is effectively closed, not open.

"do you delete everything e.g. the interview. Do you delete everything when the case is closed and say someone else is convicted. Surely you still have to keep the info just in case there has been a miscarriage of justice."

You can keep that if you need to. The point under dispute is whether you keep a public record of an arrest. You can keep the interviews and evidence in private without allowing the names of the people who were released without charges to be inextricably linked to something that is now viewed as not criminal.

"Personal information like photo/mugshot finger prints dna should be deleted."

I agree, but when they don't do so, they will use the same argument you have just made.

"Of course there is bugger all you can do if it is reported in the press."

Well, you can do some things. In Europe, this is where the right to be forgotten might be used. People will argue about that, but we can skip it for now since this is in America. Still, a newspaper story making clear what happened offers more context than a record that simply says "arrested on felony charge, no trial occurred". Someone doing a background check who reads the article and understands the context is more likely to make a reasonable decision than an automatic system that looks for felony charges in a database and counts people out on that basis.

Re: How terrifying

Well, most states have proven that they have and like that tech. There are also cases where someone was operating it, but the police never found out exactly who it was. Most of those I've seen were presumed to be state actors, but since we can't prove that, it's always possible that it was someone else. Since the hardware can be built by a nonstate person, it's not that surprising that some people have done this. It doesn't have to be a concerted effort for some new concerted effort to pick up the practice.

Re: Talyrand: they forgot nothing and learned nothing!

Your biggest problem isn't 5-7, it's just 5. Spies can always place calls from public areas without CCTV, well not very easily but we'll come back to that, but where will their recipients be? The person receiving the call won't know they need to receive a call, so they'll be wherever they were before, which is potentially exposing. They will have to keep their burner phone turned on to receive said calls, meaning it will be able to track their location if someone ever identifies that phone as a device of interest. If you were planning that the conversations are always preplanned, so both ends can go to a public place, how does spy A indicate to spy B that spy A has urgent information that spy B needs to know when they don't have a scheduled meeting for several days?

Now, a public place to make a call without surveillance cameras. I really hope no spies ever go to London or most cities really. There are cameras everywhere. If you find a place without cameras, someone could check feeds for the cameras near the place to find the person who spent the right amount of time in that place before leaving. The other problem is that, if you make a call in public, you have to say all your secret stuff in public. People can hear your conversation which either includes incriminating things or cryptic things, which might cause your listener to report you or listen in.

"does not mean that it is impossible to prevent tracking."

But in effect, it's really hard. To demonstrate this, let's see if your ideas work (not as well as we'd like).

"As the most obvious way, just prohibit people from bringing phones into the area."

This assumes we are talking about a specific secure area, but we can go with that assumption. Other comments have already explained the dangers of collection outside secure areas, so I'll limit myself to the secure ones. If you make people leave their phones outside the secure area, then a tracker can do several things. If they don't know where the secure area is, it's that place where lots of phones suddenly go offline when people put them into those isolation lockers. If no lockers, it's that place where a bunch of phones go to not move at all--if you have your phone on you, even if you're just moving around a room, the signal will change slightly. Not as much if it just sits on a table. Assuming they already know where the secure area is, they know now who goes there and when. They may not know what they do once inside, but they can track the phones as people travel to the secure area. This means you know when the area's personnel are away from their homes so you can search them, or when the area has most of its people so you can attack it for maximum destruction, or when the area is sparsely populated for some other type of activity like trying to plant bugs.

"Another way would be for the people running the secure area to set up their own base station which is made secure so that nobody can get location data from that base station."

So the area has its base station, and the data can't be intercepted. This doesn't necessarily mean that phones will switch to said station or that they won't also contact others. A lot of tower data comes from towers other than the primary one, which mostly comes from phones verifying that they're still on the best one. What happens if the station is on one side of the area while an attacker drives by the other side with a more powerful malicious station. They could easily convince several phones on that side to trust them instead. Of course, by that point, you may not have such a need for location information, but it could at least tell the attacker who works on that side of the area rather than the other side. If they have floor plans of the area, that data might be useful.