Comment: Different jurisdiction (Score 3, Insightful) 137

by DrYak (#48610989) Attached to: Microsoft Gets Industry Support Against US Search Of Data In Ireland

If I own a car located in Sweden, and I'm a US citizen in the US, arrested in the US... can the court compel me to make arrangements to produce for the court something in that car's glove box? I don't actually know...could one? It's not entirely unreasonable to speculate that they could make that demand and then hold me in contempt if I refused to make that arrangement.

Depends on what is in the car's glove box.

- If it's something that Sweden doesn't give a damn about (some trivial object), well you could produce it for the court, and the court might be unhappy if you refuse to produce it and actively obstruct (if the court offers to send a Swedish cop to retrieve the object and you refuse to give the key you are kindly asked to provide, you're the problem)


- If it's something that is illegal to export out of the country according to Swedish or EU law (weapon, endangered species, nuclear fuel, etc.), then you CANNOT LEGALLY produce it to the court. What the court is asking you is illegal in Sweden. If you do it anyway, you're going to have big problems with a Swedish court.

According to you, it is also the legal property of Microsoft US. They don't need to compel the Irish to do anything. They can (arguably) simply compel the US entity in their jurisdiction to summon its own property.

Sorry, no. They can't. It's not legal in EU countries (and a few other European countries) to move private data around without consent.

Microsoft US cannot summon data in Ireland, without the explicit consent of the data owner. If they move the data anyway, they can be sued in Ireland for it.

While in a foreign country, you cannot commit a crime (under that country's law), even if it's your home country asking for you.
(Otherwise, spying would be entirely legal: because it was done on the order of the spy's home country).

It is also subject to the orders of its owner, what with it being property and all. So as long as Microsoft US doesn't demand that it do something illegal by Irish law, it has to do whatever Microsoft US tells it to do.

But moving private data around without the owner's consent *IS* illegal in most EU and other European countries.

What the US court asks *IS* illegal in Ireland.
And the US court HAS NO power in Ireland. They are giving orders out of their jurisdiction.

If so, this boils down to can a court compel a property owner to direct his property to do something (such as forward a document in that property's possession), even if the property happens to be in another country? (one could also substitute "property" for "slave" in that sentence... and

When looked at like that, it's not really ridiculous at all.

Except forwarding that document is absolutely illegal in Ireland.

It works better if you substitute "slave" in that sentence: What if there is no slavery in that country?! What if all humans are considered free?

This is not a case of a court making demands directly of an Irish citizen; which is the possible strawman you erected.

No, but the data happens to be in Ireland, not in the US. Irish and EU law apply there. Nobody gives a damn shit about US there. Exporting the data IS illegal.

Again let's change the details. Let's take some extremist / totalitarian government. The government asks one of its citizens to assassinate a target (that extremist / totalitarian regime has a law that makes this request legally binding and mandatory). The citizen then travels to the US, and shoots the target: an innocent US citizen - who happens to have angered the government with some publication.
Is the assassination legal, even if it was ordered according to the law of the extremist government? No, because that government has no jurisdiction in the US. In the US, US law applies, and you are not allowed to shoot random innocent people, just because some other random dude across the globe gave you an order.

Same situation here. Data is in Ireland. Irish and EU law does apply. Law says that it's illegal to export data without the owner's consent. Microsoft can't give it to the US, even if US courts order it to.

This is the case of a court making demands of a US corporation. The nature of that demand is that the US corporation in turn compel its own property in Ireland to do its bidding.

It might seem equivalent in the end, but they are NOT the same thing. For example there is no way the courts in the USA can compel ME to do anything because I am not in the USA, nor am I the legal property of any entity in the USA.

And just like you're out of the US' jurisdiction, so is the data in Ireland, according to local laws.

Comment: Different country... (Score 1) 137

by DrYak (#48610733) Attached to: Microsoft Gets Industry Support Against US Search Of Data In Ireland

A person defies a valid court order? They're arrested and in jail for contempt of court.

Unless that "court order" comes from a completely different country, and asks the person to do something which is absolutely illegal in the current country of that person.
Then the person can laugh and throw the court order in the trash can. (But depending on the "completely different country"'s law, the person's car which was left back there could be seized and destroyed as a retribution).

That's exactly the situation here: A court in the *USA* issues an order to search data in *Ireland*.
No US court has any power to order whatever in the EU. They cannot force anyone in Ireland to do anything. They have no power here.
Not only that, but strict EU laws about data privacy make it *illegal* to do what the US court asks in any country of the EU (and a few other non-EU European countries). If anyone in Ireland were to do what the US asked, they would be thrown in jail for their illegal activities.

Now the court wants to harm Microsoft-US, in retaliation because Microsoft-EU chose to abide by EU laws and not do what the US court told them to do.

Comment: Not exactly (Score 1) 295

by DrYak (#48602017) Attached to: French Cabbies Say They'll Block Paris Roads On Monday Over Uber

instead listens to ordinary people who exercise their democratic voice.

Well, not exactly.

"Exercising a democratic yell on a megaphone" would be the appropriate way to describe the French way.
The small group which manages to piss off the most people is the one to obtain the attention.
Instead of having the richest bully at the top, you have the most annoying one.

Meanwhile, just on the other side of a border, you have countries like Switzerland with a real direct democracy.
As in "it's the people who actually decide and have the final word on everything".
Want to change something? Instead of pouring money or pissing off people, you just gather the necessary amount of signatures, and then you can submit your law proposition for voting. If it passes the vote, your law is passed and is enforced.
ANYONE can do it, just gather the necessary amount of signatures to be able to submit for a vote.

That's what I call "Exercising the democratic voice".

Comment: "4:3" vs "4x3" (Score 1) 330

by DrYak (#48441359) Attached to: Eizo Debuts Monitor With 1:1 Aspect Ratio

It's not 4:3, it's 1:1

Yes. And he was saying "4x3". As in "put 12 displays in an array. 3 rows of 4 screens each."
You end up with a giant wall, with 4:3 aspect ratio (as each tile is square).

Then you buy 132 more displays, arrange them in 16 columns of 9 (16x9) and you can cover a building's facade with your very own 16:9 tiled jumbo display in LD ("ludicrous definition") and create an open-air cinema with your neighbours

But, as he mentioned, driving 144 display tiles in total is going to be a little bit complicated.
(5 displays max per Radeon card. 4 Radeon cards per motherboard. 20 displays per PC tower. You could probably drive 2 tiles per display port using splitters like Matrox is doing, so you need 1 PC tower per 40 tiles. So at least 4 big PC towers to drive all this).

But totally worth it so you and your neighbours can together brag about being the first "Ludicrous Definition" cinema of the city (256x the resolution of Ultra HD).

Comment: Theory (Score 2) 140

You would effectively starve to death within a year of symptoms showing up, regardless of how much you ate. (IIRC, actual starvation could prevent/slow the progress in some way)

Well from a purely theoretical point of view:
it could be possible to survive on a low-carb diet, eating only proteins and fats and avoiding sugar completely.
Basically, eating only steak and salad, never bread.
(The kind of diet that bodybuilders use).

In that situation the body obtains most of its energy by burning fat and maintains blood sugar levels by gluconeogenesis.
(This metabolic regime consumes some proteins, hence the increased need for meat to avoid starvation).

But it's complicated to get correctly.
Compensating the Type 1's lack of insulin is much simpler.

That's what some think the early human diet looked like before agriculture (the theoretical basis behind the paleo diet).
That's also used by body builders to burn fat (as mentioned above).
Before insulin that was the only way to keep Type 1 diabetics alive.
It was also recently mentioned as an insulin-free alternative treatment. Was mentioned on /. recently.

Comment: Instagram (Score 1) 206

by DrYak (#48338083) Attached to: Zuckerberg: Most of Facebook Will Be Video Within Five Years

I think it's not so much that no one cares as that decent video calls require more infrastructure than a phone. The camera needs to be steady, lighting needs to be good, sound isolation needs to be good... all in all, video calls work much better from a laptop sitting on a desk in an office, or better yet in a conference room with dedicated video-conferencing equipment.

And the same goes for most other forms of video.
Making a decent video clip, instead of just quickly recording something with a camera phone, is difficult.
Much more so than putting some effort into a photo.

Until some startup finds a way to do the video equivalent of Instagram (i.e.: making it easy to create nice video clips) video won't be a major communication medium.

Comment: Welcome to SIGINT (Score 2) 122

by DrYak (#48337655) Attached to: New NXP SoC Gives Android Its Apple Pay

If you think that some software sandboxing is the equivalent of a "secure enclave" chip in terms of secure-ness, you're sadly mistaken.

If you think that a "secure enclave" is really secure, when it's implemented as a SEPARATE CORE ON THE SAME FUCKING SILICON, you really don't believe in SIGINT.
In a world where scientists have been able to guess a GPG private key just by analysing signals.
Acoustic signals: Noise.
Over a smartphone's crappy mic.
Do you really think that a "secure" core on the same piece of silicon stands any chance?

Comment: Equivalence (Score 4, Informative) 122

by DrYak (#48337615) Attached to: New NXP SoC Gives Android Its Apple Pay

Functionally: They are equivalent.
- In both cases, it's a payment system, and supports the NFC protocol so that you can pay wirelessly just by putting the phone next to the payment machine.

Hardware-wise: They are not exactly the same.
- Google Wallet is just a generic payment system (like PayPal, etc.) In most phones, it's simply the OS (Android) being able to talk over NFC to the payment machine. It's up to the OS and application to handle security any way they choose (might or might not involve hardware - most implementations do not. But some smartphones did have some form of it).
- Apple's system specifically uses a separate piece of hardware: a TPM-like chip that is secured and hardened and holds the actual banking information (which never leaves the chip). Security is by definition handled by the specific chip. The whole system works like a wireless credit card with a smartphone bolted next to it, the smartphone being able to act as a GUI to the credit card, but the card handling the transactions itself.
Some Android smartphones did in fact work exactly like that. (Had a dedicated chip which was more or less a micro credit card, which handled the NFC talk itself, with the smartphone merely interfacing with the card).
- NXP is a vendor of chips that makes hardware components for payment. They've worked on Apple's chip. They are now selling this chip for Android smartphone manufacturers too.

Apple's emphasis is on security: They want their "dedicated non-hackable credit-card-on-a-chip" approach.
Google's emphasis is on making the technology available everywhere. High-end phones will have a chip, low-end phones will simply emulate a virtual credit card by having a piece of software talk over NFC. But it's going to be available as widely as possible.

From a security point of view:
Google's idea isn't the most secure ever: it relies on the OS being good at correctly isolating and sandboxing apps. But bugs happen.
Apple's idea isn't perfect either. In theory, a separate piece of hardware is easier to make tamper proof. In practice, it's just a subpart of the same piece of silicon as the rest of the system (they are SoCs. System-on-chip. Nearly the whole modern smartphone is a single chip), so hackers are bound to find a way to leak sensitive data (I mean, for fuck's sake: hackers have been able to deduce a GPG private key by reading signals leaking out of a computer. Noise. Captured by a smartphone's mic. If they can steal your crypto just by listening to caps singing over a crappy mic, do you really think that a core on the same piece of silicon is isolated enough?!)

Comment: Will they ? (Score 1) 64

by DrYak (#48221193) Attached to: Tracking a Bitcoin Thief

So what? Since there's no central authority to block transactions or seize funds they'll simply be passed around until any relation with the crime is meaningless with almost everybody in the transaction chain is blissfully unaware that somewhere they were stolen.

Will they pass them around? Enough to blur any relationship? In a secure way that never leaks any identity?
(oops, one of the exchanges I sent money to managed to record my IP address. No matter how much I keep mixing downstream, parts of my identity are leaked here)

Remember that they have adversaries like governments who (as recently proven for the NSA, for example) have quite a few resources.
A single policeman might not be able to pull enough data and analysis.
But if the government suspects that some big danger is possible ("pedo-terrorist pirates!" threat, or more realistically: juicy corporate spying opportunities :-P ) and decides to throw resources at it, tracking might be achievable.

It's not impossible for the thief to manage to get out unidentified. But it requires being particularly smart.

Imagine if cash was that way, every time the grocery store tried to deposit money at the bank the bank would say "oh no, this and that bill came from a gas station robbery two years ago so we'll return it to the gas station and deduct it from your deposit."

Cash *does* function this way (a bit): bills have serial numbers. If the grocery store deposits a bill with a known serial number on it, police might show up the next day asking for the CCTV surveillance tapes, because that serial number happens to be a bill that passed through the hands of a known drug kingpin/terrorist/pedophile ring leader/etc. Do this with enough such incidents, and you might get a vague idea of the identity of the people you're looking for.
Unless the criminals have been absolutely perfect in their laundering and have managed to never leak any info (i.e.: by the time the known bills are flagged, they're in the hands of complete random strangers).

Google for "Ransom bill reappear" type of news reports.

Comment: Mass analysis (Score 1) 64

by DrYak (#48220901) Attached to: Tracking a Bitcoin Thief

1 single transaction tracked? Yes, you mostly get just 1 other bitcoin wallet.

Massively track thousands of such transactions? (that's beyond the capabilities of a small budget research team. But that's well within the capabilities of any decent government) And correlate them with "end-point transactions" (transactions that can be traced to a real-world identity: buying something from an e-shop using bitcoins and ordering it delivered to an address)?
Then, if the tracked person isn't using an insanely high number of "tumblers/mixers" (i.e.: laundering) or moving it in and out of tons of exchanges (basically also a form of mixing), you might find some correlation:
aka "a significant number of these BTC have transited to these wallets all mapped to the same real-world address/person"
That is not enough to warrant an arrest, but that is enough to put these real-world persons with the shortest "path" to the tracked transaction on a suspects list for further investigation by classical police work.

(Sadly, often governments don't have such concepts as a "suspect list". Very often such unsure statistical results won't be used as a "hunch" but will get you put on the "no fly list" and such)

That's why the bitcoin protocol is considered "pseudonymous" and not "anonymous".
That's also why we need to have:
- laws against data-collection abuses (because someone brilliant in the NSA/CIA/etc. will definitely try to jail people on this basis or at least put them on a "pedo watch list" without much thinking)
- better ways to do anonymous transactions (optional tumblers/mixers for BTC, or alternate protocols that include provisions for anonymity)

Comment: Workforce vs. number served (Score 5, Insightful) 720

by DrYak (#48220641) Attached to: Automation Coming To Restaurants, But Not Because of Minimum Wage Hikes

Currently, the way it's implemented in European countries, McD doesn't use it to reduce the workforce (you're still required to walk up to a clerk to retrieve your order).
McD uses it to accelerate its service and increase the "number served": by the time you finish typing your order and have confirmed, the order is already broadcast to the employees' screens. By the time you finish paying and walk to the queue, your order is already ready.
This cuts the waiting time drastically, and European McD's use it to cram in more customers served per minute.

In the long run such strategies won't necessarily reduce the workforce that much, but on the other hand, they will be used to propel "fast food" to a whole new definition of "fast".
On the other hand, that will probably be quite alienating for the workforce: no more breaks between customers, no more small talk while ordering. Work experience is going to be Charlie Chaplin's "modern times"-style: read the screen, pack the bag, hand over the bag, as fast as possible and repeat so the next customer doesn't need to wait.

Comment: Good / Bad Idea (Score 1) 287

by DrYak (#48211237) Attached to: Will the Google Car Turn Out To Be the Apple Newton of Automobiles?

That's an idea which could be useful in theory.
(e.g.: Cars with drivers will still be able to display warnings about red lights, speed limits, etc. based on the info broadcast by traffic signs)

But it has a few problems:

- The implementation will probably be botched. Expect the thing not being properly signed/authenticated, thus enabling malicious hackers to spoof information. (Similar to how hackers hijacked RDS-TMC and broadcast "bison crossing" in Germany a few years back on /. )

- Such a system lacks a fail-safe option. A human might notice that a traffic light is off and will fall back to other driving behaviours. A robot might not realise that there is no emitting signal. (The robot can't see a missing emitter, unlike a human who can notice a broken traffic light even without any light colour coming off). In some cases it might be okay (missing traffic light: drivers are supposed to fall back to priority-yield, which is probably the default behaviour of a robot when arriving at a crossing without signs), but it might be problematic in other cases (a "danger ahead" sign with a broken emitter).

- Car insurance companies are going to abuse the shit out of this (cue in mandatory dongles that spy on whether you obey traffic signs. Of course driving dangerously and ignoring signs is bad. But violating privacy is bad too) At least European countries are a bit stricter regarding privacy.

Comment: The way bank do it (Score 3, Informative) 121

by DrYak (#48197153) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

The way some banks do it, is that the authentication asker (a 2F-protected service provider) sends a signed/encrypted message, that the security token decodes/verifies/displays. That message can't be tampered with (cryptography).

So the token will display the message (something like "Authentication required to access").
So if an attacker tries to intercept your credentials by opening an actual Google page in the background, you'll notice that what the thing pretends to be on screen and what the dongle registers as an asker aren't the same.

The way to fool the user would be to try to actually look like the page you're trying to spoof. So an attacker needs to look like GMail, so the user thinks he's on Gmail, whereas actually it's a malware page masquerading as it and relaying security tokens from the real Gmail.

Now the way that banks counteract that, is that any critical action (payment, etc.) needs to be confirmed again by the security token system. So the theoretical man-in-the-middle can't inject a payment of 10'000$ for his Cayman Islands account. Because every payment needs to be confirmed again. And the bank will issue a confirmation message regarding the transaction.
You'll notice if, when paying a phone bill, the confirmation message instead is 10'000$ for the Cayman Islands.

Overall, it works as if the security token is its very own separate device, designed to work over a non-reliable, untrusted channel.

(The device doesn't implement a full TCP/IP stack. Most example devices accept only:
- a string of characters as an input (i.e.: you need to type the last five digits of the account you need to send funds to. The bank will notice when you type the digits of your utility company, but the man-in-the-middle has tried to inject a Cayman Islands account from your browser).
- a 2D flashing barcode to automate string input.
- for the most crazy solution: writing a string to a file on a flash disk, which is shared with the security token's microcontroller.
Each time, the attack surface is very small. Only a short string of data is passed. You can't get many exploitable bugs.

For the output, only a string again:
- that you read and type from the token's screen.
- that the token can type on your behalf, communicating with a HID chip on the same device.
- the token can send it to a flash device that makes it visible inside a file.
Again, the security token itself is limited to sending just a string. Very small attack surface. All the funny "stuff" is implemented outside, and thus very low risk of remote exploitability)
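The transaction-confirmation flow the comment describes (bank signs a message naming the exact payment, the token verifies it and shows it on its own screen, and the confirmation code the user types back is bound to that text), as an added example that is not part of the original comment or of any bank's real scheme. The shared token secret, the account digits and the amounts are constructed for the demonstration, and the HMAC-based challenge/response is an assumed stand-in for whatever cryptography a real token uses.

```python
"""Toy model of "what you see is what you sign" transaction confirmation.

The bank and the token share a per-token secret (constructed here) provisioned
at enrolment. A man-in-the-middle in the browser can change the payment that
reaches the bank, but cannot forge the bank's challenge and cannot make the
token's screen show anything other than what the bank is actually about to do.
"""
import hashlib
import hmac
from typing import Optional

# Constructed per-token secret, provisioned by the bank out of band.
TOKEN_SECRET = b"constructed-token-secret-0001"


def _describe(payee_last5: str, amount: str) -> str:
    """Canonical one-line description of a transaction (the 'short string')."""
    return f"PAY {amount} TO ...{payee_last5}"


def bank_challenge(secret: bytes, payee_last5: str, amount: str) -> dict:
    """Bank side: describe the transaction it holds and authenticate that text."""
    msg = _describe(payee_last5, amount).encode()
    tag = hmac.new(secret, b"challenge|" + msg, hashlib.sha256).hexdigest()
    return {"msg": msg, "tag": tag}


def token_display(secret: bytes, challenge: dict) -> Optional[str]:
    """Token side: verify the bank's tag, then show the text on the token's own
    screen. Returns None (nothing shown) when the challenge is not from the bank."""
    expected = hmac.new(secret, b"challenge|" + challenge["msg"],
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return None
    return challenge["msg"].decode()


def token_confirm(secret: bytes, shown: str) -> str:
    """Token side: 8-digit code bound to exactly the text that was displayed,
    so a code approving one payment cannot be replayed for a different one."""
    digest = hmac.new(secret, b"confirm|" + shown.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_verify(secret: bytes, payee_last5: str, amount: str, code: str) -> bool:
    """Bank side: recompute the code for the transaction it actually holds."""
    return hmac.compare_digest(token_confirm(secret, _describe(payee_last5, amount)), code)


def run_flow(intended_payee: str, intended_amount: str,
             submitted_payee: str, submitted_amount: str) -> str:
    """Whole exchange. 'submitted' is what the bank received from the browser;
    a man-in-the-middle may have altered it relative to what the user intended."""
    challenge = bank_challenge(TOKEN_SECRET, submitted_payee, submitted_amount)
    shown = token_display(TOKEN_SECRET, challenge)
    if shown is None:
        return "rejected: challenge not from bank"
    # The user compares the token's screen with the payment they meant to make.
    if shown != _describe(intended_payee, intended_amount):
        return f"rejected by user: token shows '{shown}'"
    code = token_confirm(TOKEN_SECRET, shown)
    ok = bank_verify(TOKEN_SECRET, submitted_payee, submitted_amount, code)
    return "approved" if ok else "rejected: bad code"


if __name__ == "__main__":
    print(run_flow("42917", "85.00", "42917", "85.00"))      # honest phone bill
    print(run_flow("42917", "85.00", "00777", "10000.00"))   # MITM swapped the payee
```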
