
Comment Re:Is there any way to block the use of old cipher (Score 3, Interesting) 89

Yes. http://www.openssl.org/docs/apps/ciphers.html

The question is does OpenSSL accept the weak ciphers as a downgrade bug even when EXPLICITLY DISALLOWED.

I haven't seen that answered in any of the linked articles so am digging/testing.

After the last couple of bugs my organization set the explicit cipher/algorithm/hash acceptable list. The export ciphers were excluded on purpose from our list.

SSL Labs https://www.ssllabs.com/ has a recommended list buried in their documentation somewhere.

Comment Also can be some of one and some of the other (Score 1) 671

He's leaked a lot of things. So even if the jury agreed that some of it was justified, a situation where the public's need to know outweighed his promise to keep it secret, they could rule that on other things that wasn't the case. It isn't the sort of thing that would have to be taken as part and parcel.

As you said though, even in cases that people feel are justified, he still might be held guilty. The agreement regarding classified information you undertake doesn't have exemptions, it doesn't say "You agree to keep this secret unless you think the public needs to know," it is pretty cut and dried. So even if the jury believes he did the right thing, they very well could find him guilty because he still broke the law.

Comment Re:Cash (Score 1) 230

Yeah, but the cash registers don't record anything. That eliminates all the automated tracking of your purchases which is 99% of the problem. It is still possible to track what you buy through manual investigation, but that would be true even without the ATM info (security camera correlated with register records, etc).

Comment Re:Typical government official, breaking the law (Score 1) 538

Nope. The devil is in the details as to the nature of the law being violated.

The difference between a civil offense and a criminal offense is usually defined by the nature of the offense and the punishment assessed. Civil offenses involve violations of administrative matters.

Read more: http://criminal-law.freeadvice...

Comment Because that's what 3D visors are these days (Score 1) 96

For whatever reason, the games industry has decided that these things are amazin' and everyone has to do it. Of course nobody is doing it, I mean Oculus has a prototype out that has some pretty major issues and no release date for final hardware but that's it. Everyone else doesn't even have any hardware at all.

So of course what companies lack in deliverables they make up in hype. Talk about how damn cool their shit will be, how the world will be changed, etc, etc. Particularly since it doesn't seem any of them have a solution to any of the issues. Most of the things aren't solved by magic, but by better technology which is being developed by other companies. Things like latency/refresh are largely going to be a combination of higher speed displays and faster GPUs to drive them. Well, those will get developed I'm sure, but by Samsung or LG, not by Oculus or Valve.

Valve has also been having some problems in this area as of late. They seem to wish to become more than just "the guys who run Steam" which makes sense, because Steam is super profitable but also unstable, people could migrate to a different store en masse for various reasons. However their "no bosses" organization means that a lot of playing happens and not as much delivering. So you see hype and noise, but not necessarily final products.

The Steam box is a good example. Heard lots about that for a long time, some hype videos about their controller, and yet nothing is on the market, and there is no date when anything might happen.

Comment Re:The Keystone Pipeline already exists (Score 4, Informative) 437

Almost.

The Keystone-Cushing extension (Phase II), running 480-kilometre (300 mi) from Steele City to storage and distribution facilities (tank farm) at Cushing, Oklahoma, was completed in February 2011.

The Gulf Coast Extension (Phase III), running 784-kilometre (487 mi) from Cushing to refineries at Port Arthur, Texas was completed in January 2014, and a lateral pipeline to refineries at Houston, Texas and a terminal will be completed in mid-2015.

It is only the Phase IV leg, running between Hardisty, Alberta, and Steele City, Nebraska that wasn't approved. That part crosses the U.S.-Canadian border.

Obama signed off on the rest (symbolically, I believe, as I don't think it required Federal approval), back in 2011.

Comment Re:Facts not in evidence (Score 1) 406

Your (and my, and any individual citizen's) personal interpretation of the Constitution is not the measure. It is the interpretation and implementation by our three branches of government. I realize that some reading this believe they have all been compromised, or that they think some particular thing is "obviously unconstitutional" (even though the judicial, legislative, and executive branches say otherwise), but the fact is we have the system of government we have. So how about you consider the alternative: one where you don't assume that everyone working at every/any level of government, e.g., NSA, doesn't have the worst motivations and is actually trying to do their best to honorably, legally, and Constitutionally, protect our nation and its people instead of the opposite. How about that?

Comment Re:Facts not in evidence (Score 1) 406

If you would actually like to have a discussion, I am more than happy to engage. I have articulated these views (not on this specific topic, of course) long before I ever served in uniform, and they have nothing to do with a "paycheck" -- in fact, it's the inverse: the reason I chose to serve is because of my personal desire to do what I can to support things I believe in, and believe are important for our nation and my family and fellow citizens, not the other way around. Yes, our system of government is imperfect...grossly so -- but I choose to support it over any and all alternatives, warts and all. (And that is not to say that there are not things that cannot be improved.)

And again -- and I sincerely mean this -- if you are actually serious about engaging in a dialogue, I am happy to.

Comment Re:Actually, ADM Rogers doesn't "want" that at all (Score 1, Flamebait) 406

Yes, where to even begin...

Do you realize that over 70% of FOREIGN internet traffic enters, traverses, or otherwise touches the US?

Do you understand that an individualized warrant is required to target, collect, store, analyze, or disseminate the communications content of a US Person anywhere on the globe, and that the current law on the issue is stronger and more restrictive with regard to US Persons than it has ever been?

Do you understand that the FOREIGN communications we are going after are now intermixed with the communications of the rest of the world, including that of Americans?

Do you understand that when terrorists use Gmail, Facebook, Yahoo, WhatsApp, Hotmail, Twitter, Skype, etc. etc. etc., or Windows, or Dell computers, or Android phones, or Cisco routers, and so on, that there is no technical distinction between your communications and theirs, yet -- surprise -- we still would like to access those communications, and have legal, policy, and technical frameworks to do so, even if you have not personally inspected them yourself?

If you are a US citizen, and not covered by any warrant, no one cares about your communications. And almost by definition, no foreign intelligence agency (NSA, CIA, DIA) remotely gives a shit about your communications, and would greatly prefer to avoid it altogether, unless you have some kind of connection with foreign intelligence targets -- in which case any collection or monitoring of your communications would require an individualized warrant from FISC or another court of competent jurisdiction. I realize you think this isn't the case, and that all of your communications are being mined and monitored (illegally, no less), and since proving a negative is impossible, I won't be able to help in that regard.

Comment Re:Actually, ADM Rogers doesn't "want" that at all (Score 1, Informative) 406

No. The trigger for this isn't that companies are holding data...it's that users have data, and the NSA wants to force the companies to keep/get access to their users' data even if the company doesn't want to, so that the NSA can access it also. This is a *very* different proposition. If Apple doesn't want to hold its users' data, why should the NSA force them to just so that the NSA can read it? That seems to be the NSA's problem, not Apple's.

And? NSA may "want" a lot of things. That doesn't mean they are going to get it. But if a US-based company is holding encrypted data to which they also have access, you had damned well better believe the government is going to seek access to that data if it is supported by law. If companies want to take the direction of removing themselves from the encryption picture altogether, that is their prerogative. And guess what? There are other technical ways to get that data, such as before it's encrypted in the first place.

Saying "encryption" does not make the data magical, but it also doesn't entitle the NSA to special treatment. If they can break it, fine. If they can't, there is no valid reason for me to make it easy for them.

No, there isn't. And I didn't say there is. I was stating a set of facts, as are you. See? We can talk like adults.

Do we really believe that the US is the only one who has the "right" to access any backdoor/golden-key/whatever? That's absolute nonsense. If the US forces Apple, Google, MS, etc to build key escrow into their devices so that the NSA can read the data on them, then that key will be used by every government on the earth. If you really believe that the NSA will manage to keep exclusive control of a master key for all encryption for a given major vendor, then I'm going to call you delusional.

No...you are completely misunderstanding my point. If you reread what I said, you will note that nowhere did I argue that anyone should build a backdoor for anything...but the fact is that some US-based companies DO have the ability to decrypt stored encrypted data, which they sometimes do for any variety of reasons, and, if when those services are storing the foreign communications of adversaries of the United States, which they are, then we should have a legal framework that allows access to said data. That is all.

Arguing for a master key -- which is what you THINK ADM Rogers is arguing for, but actually isn't -- is antithetical to the security interests of the United States, our people, our military, our intelligence community, and anyone else who requires secure communications in any form. But if you have already formed your conclusions, that is fine. What ADM Rogers is arguing for is a legal framework for data access of entities that operate within and under a US legal construct...and if there is encrypted data present that the data holder cannot access, that is just the way it goes. But as you know, there are a number of ways to access the contents of what is ultimately encrypted data without breaking the encryption...ways that are as old as this decades-old discussion.

And we are going to seek those ways, and I will say something that is offensive to many slashdotters' sensibilities: if you support the principles that you claim to -- things like freedom, of speech, of choice, of anything else -- then you should support the abilities of one of the strongest powers in the world at actually, materially, and in reality (not in your little internet fantasy) of actually protecting and projecting those ideals. Actually judging the actions of the US Intelligence Community based on facts, to say nothing of having some perspective on history and reality beyond what self-styled internet tech-libertarians tell you, would be helpful also.
