Comment: Re:Also Disturbing (Score 1) 128

by danheskett (#46771699) Attached to: Lavabit Loses Contempt Appeal

Well, you are right. Thanks for that. I think that I have improperly cemented Section I as the only one establishing courts because it is the one most cited in research, Section II being well settled by this point.

I was not originally suggesting the Court seek out cases or controversies, or have a police power (like in, say, France).

I do suggest that they need to actively distrust, in hearings and rulings, the claim that the Government will do what it says. In the case, Lavabit, the Government says matter-of-factly that it will not use the SSL keys to do anything to the other 400,000 customers of Lavabit's service, but that is (a) not binding and (b) not believable. It would be ideal if a Judge, hearing such a claim, proactively took steps to either force the Government to adhere to that (i.e. a consent agreement) or to in some other way hold it harmless. It is really in a way too bad that the Government can't usually be forced to post a bond. Levinson was fairly clearly concerned that the Government would overstep their authority, leaving his customers damaged and himself without recourse. This was the nature of his request to provide the data after the fact (after he could verify it was only targeted to one customer who was under investigation). The Judge immediately dismissed his concern because the Government stated - in a non-binding, non-policy-specific way - that they would only tap one customer.

Comment: Re:Also Disturbing (Score 2) 128

by danheskett (#46770895) Attached to: Lavabit Loses Contempt Appeal

Judges should NOT start being proactive.

I suppose I should have said "in their rulings". Meaning, they should be de facto skeptical of Government claims, and de facto assume that Government shall not be trusted. Currently, they take the Government's claims at face value. I.e. the Government says they won't use any data they are not allowed to, so we trust them. They should be proactive in assuming that the Government lies.

In the US, at least, judges are - per the US constitution - reactive.

Really? Where is that? Article III establishes the Judiciary, but does not in any way circumscribe the power of the Courts, or make them reactive in nature. There is nothing even suggesting that a suit must be made - only that the Supreme Court has original jurisdiction.

The entire concept of a reactive, ex post facto review-based Court is entirely based on statute and tradition (Marbury v. Madison et al.). There is nothing inherently anti-Constitutional about, for example, the Court being given, by Congress, an ad hoc review power over any government action. Or a pre-enactment review authority over all legislation.

At the very least, allowing judges to be proactive would require a massive rewriting of laws, starting with the constitution and working your way down.

I disagree. Most of it is all stacked precedent and not black letter law.

Comment: Re:A remarkable order. (Score 3, Insightful) 128

by danheskett (#46770139) Attached to: Lavabit Loses Contempt Appeal

The cogent and accurate description of public key cryptography a

Disagree. The "padlock" analogy was garbage. In PKI, not just anyone can simply "lock the padlock" as the author of the ruling states. For any key-set, exactly 1 key can "lock", and exactly 1 key can "unlock". The brief claimed that anyone could come by and lock it, and that's not true. And it's relevant since, as Levinson stated, with the keys, the Government could impersonate his service to any of his 400,000 users.

As we know, the government routinely uses deception. The DEA creates fake histories of evidence and plants it on local law enforcement.

Comment: Also Disturbing (Score 4, Insightful) 128

by danheskett (#46770093) Attached to: Lavabit Loses Contempt Appeal

I think one thing we need to be aware of is that the Court defers to the Government's claim that, once decrypted, the Government will not view anything but the "metadata" of the communication, not its "content", and not for anyone but the target.

Every legal case, every Court hearing, from here forever, the Government must never be given the benefit of the doubt. Any time they have the capability to abuse that claim, we must assume that they will, and Judges should start factoring that assumption into their discussions. We know, only through illicit disclosures, that the government will abuse the legal theories that are plainly written in black letter law (Section 215 for example), and will simply declare that the domestic law doesn't apply for any number of novel theories outside the review of anyone.

Judges must start being proactive. I think it's fairly clear that Levinson was skeptical that the Government would only target one user, and that the Government would never use any of that data that they were not permitted to have. In that regard, he was 100% right that forcing mass decryption is in fact "a general warrant", the precise protection that the 4th Amendment's specific language was intended for.

The whole affair also shows how badly the Stored Communications Act and the Pen/Trap statutes are drafted and how out of date they are. The Law must finally realize that there is no such thing as "meta-data" anymore. It's a label without meaning. The message is the message, including the routing information. "Content" versus "Meta-data" is a garbage distinction with email. The entire layer 7 message, headers and all, is the content.

Comment: Demonstrates the futility of opposition.. (Score 5, Informative) 128

by danheskett (#46769715) Attached to: Lavabit Loses Contempt Appeal

I think that the ruling and the case demonstrate the futility and the problems with attempting to defend yourself or your clients against the government. It seems clear to me that Lavabit suspected that the order was overbroad, but had no idea what to do about it. The contempt charge was probably inevitable as he searched for a legal basis and representation to do what was quite obviously "the right thing".

The ruling also has a powerful, and sad, commentary on our system of government as it stands today:

"Because of the nature of the underlying criminal investigation, portions of the record, including the target’s identity, are sealed."

We are right back at Star Chambers and secret courts and hidden rulings and anonymous witnesses. We've devolved back to a legal system which is only concerned with secrecy.

Comment: Re:Two things to note (Score 1) 580

by danheskett (#46763203) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

The reason is understandable and explained in the above paragraph - the vast majority of software developers out there are probably not able to contribute meaningfully to a project such as OpenSSL.

You got it big time, right on the nose. The power of Open Source is that it attracts professionals and experts from across the world to contribute. Do we really think that there is a big concentration of the best and most skilled crypto experts in the world all centered around Redmond Washington USA? Money will only go so far. There are likely exploits in Microsoft's SSL stack that are so subtle that their small team of experts are not even aware that they exist. Assuming they were not paid for by the NSA or other agency.

Comment: Re:The bug was found because it was open source.. (Score 1) 580

by danheskett (#46763183) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Agree. OpenBSD and folks like Theo are integral to pushing the world forward on this stuff. You have my point exactly, which is that it is statistically unlikely that there isn't an SSL exploit, in the wild today, that is undetectable, undisclosed, unknown. We don't even know what we don't know. For all we know, the NSA and Microsoft collaborated to weaken the standard, make an implementation fault, and suppress it from being discovered, patched, and closed. Literally, MS can deny it, the NSA can deny it, but it's all based on trust. And trust is a crappy plan.

With OpenSSL, it's not based only on trust, it's based on verification.

Was I annoyed that I had to spend 2 hours investigating and answering client questions? You betcha. Is it a heck of a lot better than the alternative? It's not even close.

Comment: Re:It doesn't. (Score 1) 580

by danheskett (#46763165) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Right, and I agree. However, for example in the case of Heartbleed, I run a fairly sophisticated IDS platform, and do my own random log reviews, and all that (turns out I was never at risk on any of my networks), but it still didn't turn up evidence of Heartbleed, nor would it even if I was actively exploited.

You do what you can, but it's never enough.
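The comment above makes the point that generic log review does not surface Heartbleed, because the flaw is exercised inside the TLS record layer and leaves nothing in application logs. What a detector has to look at instead is the heartbeat record itself. The following is an added example, not the commenter's code or OpenSSL's: it applies the RFC 6520 length rule (and the same bounds check the OpenSSL fix added) to a raw TLS record and classifies it. The sample records and the names `check_heartbeat_record`, `hb_verdict_name` and `SAMPLE_*` are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not the commenter's code, not OpenSSL's): a record-level
 * Heartbleed check of the kind IDS signatures used after disclosure.
 * A TLS record is type(1) version(2) length(2) body; a heartbeat body
 * (RFC 6520) is type(1) payload_length(2) payload padding(>=16 bytes).
 * The bug was trusting payload_length without checking it fits the record. */

#define TLS_CT_HEARTBEAT 24   /* TLS content type for heartbeat records */
#define HB_MIN_PADDING   16   /* RFC 6520 minimum padding */

enum hb_verdict {
    HB_NOT_HEARTBEAT = 0,   /* some other record type; nothing to check */
    HB_OK = 1,              /* payload_length fits inside the record */
    HB_TRUNCATED = 2,       /* buffer shorter than the record header claims */
    HB_LENGTH_MISMATCH = 3  /* payload_length exceeds record: Heartbleed pattern */
};

/* Inspect one TLS record (5-byte header plus body) held in n bytes. */
enum hb_verdict check_heartbeat_record(const uint8_t *rec, size_t n)
{
    if (n < 5)
        return HB_TRUNCATED;
    if (rec[0] != TLS_CT_HEARTBEAT)
        return HB_NOT_HEARTBEAT;

    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    if (rec_len > n - 5)
        return HB_TRUNCATED;          /* record body not fully present */
    if (rec_len < 3)
        return HB_LENGTH_MISMATCH;    /* no room for type + payload_length */

    const uint8_t *body = rec + 5;
    size_t payload_len = ((size_t)body[1] << 8) | body[2];

    /* RFC 6520: type(1) + payload_length(2) + payload + padding(>=16) must
     * not exceed the record length; a patched peer silently discards it. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;
    return HB_OK;
}

const char *hb_verdict_name(enum hb_verdict v)
{
    switch (v) {
    case HB_NOT_HEARTBEAT:   return "not a heartbeat record";
    case HB_OK:              return "well-formed heartbeat";
    case HB_TRUNCATED:       return "truncated record";
    case HB_LENGTH_MISMATCH: return "payload_length exceeds record (Heartbleed pattern)";
    }
    return "unknown";
}

/* Constructed sample records (plaintext, TLS 1.0 version bytes 0x03 0x01). */
const uint8_t SAMPLE_OK[] = {
    0x18, 0x03, 0x01, 0x00, 0x17,           /* heartbeat record, length 23 */
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',   /* request, payload_length 4 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* 16 bytes of padding */
};
const uint8_t SAMPLE_BAD[] = {
    0x18, 0x03, 0x01, 0x00, 0x03,           /* heartbeat record, length 3 */
    0x01, 0xff, 0xff                        /* request claiming a 65535-byte payload */
};
const uint8_t SAMPLE_APPDATA[] = {
    0x17, 0x03, 0x01, 0x00, 0x01, 0x42      /* application data record, ignored */
};
const uint8_t SAMPLE_TRUNC[] = {
    0x18, 0x03, 0x01, 0x00, 0x17, 0x01, 0x00 /* header says 23 body bytes, only 2 present */
};

int main(void)
{
    const struct { const char *name; const uint8_t *rec; size_t n; } samples[] = {
        { "SAMPLE_OK",      SAMPLE_OK,      sizeof SAMPLE_OK },
        { "SAMPLE_BAD",     SAMPLE_BAD,     sizeof SAMPLE_BAD },
        { "SAMPLE_APPDATA", SAMPLE_APPDATA, sizeof SAMPLE_APPDATA },
        { "SAMPLE_TRUNC",   SAMPLE_TRUNC,   sizeof SAMPLE_TRUNC },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i].name,
               hb_verdict_name(check_heartbeat_record(samples[i].rec, samples[i].n)));
    return 0;
}
```

The check is deliberately conservative: a record that is merely truncated on the wire is reported separately from one whose declared payload cannot fit, so that ordinary reassembly gaps do not show up as Heartbleed alerts. A real sensor would run this only on the plaintext heartbeat records it can see (before the handshake finishes, or with session keys available); encrypted heartbeats look like opaque records and cannot be classified this way.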

Comment: Also (Score 3, Informative) 580

by danheskett (#46761341) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

I would like to just point out this is a huge win in my book for Debian. Those of us running an all-Debian oldstable environment, getting backported security patches, and sticking with the tried and true version of OpenSSL instead of that newfangled 1.0 code release got to write nice letters to our customers saying we still don't use Windows and we were never vulnerable.

LONG LIVE OLDSTABLE.

Comment: Re:It doesn't. (Score 1) 580

by danheskett (#46761313) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

And we know this happens - researchers learn about zero-day exploits in the field every day. What's the odds that we learn about all of them? Zero, I'd wager.

People who do really deep audits of a system after a breach know what this is like. When you get that feeling that you are up against something new, or something unreported.

Comment: This was positive (Score 4, Interesting) 580

by danheskett (#46761289) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Heartbleed was positive for the world. The bug was found by code review, twice independently in a short period of days. It was patched rapidly across a hundred different versions and platforms, and now the world is vastly more safe. The system worked exactly as it should.

It is entirely likely that Heartbleed is out there for a closed platform. Or worse. And it's likely that it is being exploited right now by not only our own Government in the US, but our foreign rivals for economic and political gain. And what's worse, there is probably code out there that is defunct, full of Heartbleeds, bleeding exploits into the wild uncontrollably.

The only downside it exposed is that some projects have a lock on what they do. OpenSSL is so good that everyone uses it, and no one is seriously interested in forking it or doing a new implementation.

Comment: Re:Fuck Obamacare (Score 1) 722

by danheskett (#46718455) Attached to: Can the ObamaCare Enrollment Numbers Be Believed?

Granted it might not be great care, but the idea that someone would be left out of a hospital if they had a serious problem is just FUD

EMTALA is garbage for anything other than just getting an urgent, traumatic problem stabilized. After that, they can and will dump you back on the street. You have cancer, and no money? Well, you'll get whatever your visit today demands for stabilization, and then back out. Compound nasty broken bone, but no money or insurance? They'll stabilize it, but probably not do the surgery required to repair the break.

Comment: Re:Lies (Score 1) 544

by danheskett (#46657271) Attached to: 60 Minutes Dubbed Engines Noise Over Tesla Model S

The main thing is that real life is rather boring, and uninteresting. You watch any particular person, you will get bored. But if you edit out the boring bits you get to the point faster.

I am not against editing. People are capable of understanding that a news piece on a person doesn't have to show that person taking a bathroom break.

Let's say you watch your Congress in action. Now Fox News will edit it so the Republicans will look like strong articulate leaders, and the Democrats will be stumbling on their own words. MSNBC may do it the other way around. If you have it fully unedited you will be watching hours of boring jabbering.

Right, the point is that they are boring and jabbering. They talk to empty chambers in sentences designed to be excised by their supporters. Showing them, as they are, would provide the most accurate picture - boring, out of touch, nonsensical. "Cutting to the chase" is deception in that case.