Forgot your password?
typodupeerror

Comment: Re:Also Disturbing (Score 1) 116

by danheskett (#46771699) Attached to: Lavabit Loses Contempt Appeal

Well you are right. Thanks for that. I think that I have improperly cement Section I as the only one establishing courts because it is the one most cited in research, Section II being well settled by this point.

I was not originally suggesting the Court seek out cases or controversies, or have a police power (like in, say, France).

I do suggest that they need to actively distrust in hearings and rulings the claim that the Government will do what it says. In the case, Lavabit, the Government says matter of factly that it will not use the SSL keys to do anything to the other 400,000 customers of Lavabit's service, but that is (a) not binding and (b) not believable. It would be ideal if a Judge, hearing such a claim, pro-actively took steps to either force the Government to adhere to that (i.e. consent agree) or to in some other way hold it harmless. It is really in a way too bad that the Government can't usually be forced to post a bond. Levinson was fairly clearly concerned that the Government would overstep their authority, leaving his customers damaged and himself without recourse. This was the nature of his request to provide the data after the fact (after he could verify it was only targeted to one customer who under investigation). The Judge immediately dismissed his concern because the Government stated - in a non-binding, non-policy specific way - that they would only tap one customer.

Comment: Re:Also Disturbing (Score 2) 116

by danheskett (#46770895) Attached to: Lavabit Loses Contempt Appeal

Judges should NOT start being proactive.

I suppose I should have said "in their rulings". Meaning, they should be defacto skeptical of Government claims, and defacto assume that Government shall not be trusted. Currently, they take the Government's claims at face value. I.E. the Government says they wont use any data they are not allowed to, so we trust them. They should be proactive in assuming that the Government lies.

n the US, at least, judges are - per the US constitution - reactive.

Really? Where is that? Article III establishes the Judicary, but does not in any way circumscribe the power of the Courts, or make them reactive in nature. There is nothing even suggesting that a suit must be made - only that the Supreme Court has original jurisdiction.

The entire concept of a reactive, ex-post facto review based Court is entirely based on statue and tradition (Marbury v. Madison et all). There is nothing inherently anti-Constitutional about, for example, the Court being given, by Congress, an ad-hoc review power of any government action. Or a pre-enactment review authority over all legislation.

At very least, allowing judges to be proactive would require a massive rewriting of laws, starting with the constitution and working your way down.

I disagree. Most of it is all stacked precedent and not black letter law.

Comment: Re:A remarkable order. (Score 3, Insightful) 116

by danheskett (#46770139) Attached to: Lavabit Loses Contempt Appeal

The cogent and accurate description of public key cryptography a

Disagree. The "padlock" analogy was garbage. In PKI, anyone cannot simply "lock the padlock" as the author of the ruling states. For any key-set, exactly 1 key can "lock", and exactly 1 key can "unlock". The brief claimed that anyone could come by and lock it, and that's not true. And it's relevant since, as Levinson stated, with the keys, the Government could impersonate his service to any of his 400,000 users.

As we know, they government routinely uses deception. The DEA creates fake histories of evidence and plants it on local law enforcement.

Comment: Also Disturbing (Score 4, Insightful) 116

by danheskett (#46770093) Attached to: Lavabit Loses Contempt Appeal

I think one thing we need to be aware of is that the Court defers to the Government's claim that, once decrypted, the Government will not view anything but the "metadata" of the communication, not it's "content", and not for anyone but the target.

Every legal case, every Court hearing, from here forever, the Government must never be given the benefit of the doubt. Any time they have the capability to abuse that claim, we must assume that they will, and Judges should start factoring that assumption into their discussions. We know, only through illicit disclosures, the government will abuse the legal theories that are plainly written in black letter law (Section 215 for example), and will simply declare that the domestic law doesn't not apply for any number of novel theories outside the review of anyone.

Judges must start being proactive. I think it's fairly clear that Levinson was skeptical that the Government would only target one user, and that the Government would never use any of that data that they were not permitted to have. In that regard, he was 100% right that forcing mass decryption is in fact "a general warrant", the precise protection that the 4th Amendment's specific language was intended for.

The whole affair also shows how badly the Stored Communications Act and the Pen/Trap statue's are drafted and how out of date they are. The Law must finally realize that there is no such thing as "meta-data" anymore. It's a label without meaning. The message is the message, including the routing information. "Content" versus "Meta-data" is a garbage distinction with email. The entire layer 7 message - headers and all, is the content.

Comment: Demonstrates the futility of opposition.. (Score 5, Informative) 116

by danheskett (#46769715) Attached to: Lavabit Loses Contempt Appeal

I think that the ruling and the case demonstrate the futility and the problems with attempting to defend yourself or your clients against the government. It seems clear to me that Lavabit suspected that the order was overbroad, but had no idea what to do about it. The contempt charge was probably inevitable as he searched for a legal basis and representation to do what was quite obviously "the right thing".

The ruling also has a powerful, and sad, commentary on our system of government as it stands today:

"Because of the nature of the underlying criminal investigation, portions of the record, including the target’s identity, are sealed."

We are right back at Star Chambers and secret courts and hidden rulings and anonymous witnesses. We've devolved back to a legal system which is only concerned with secrecy.

Comment: Re:Two things to note (Score 1) 526

by danheskett (#46763203) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

The reason is understandable and explained in the above paragraph - the vast majority of software developers out there are probably not able to contribute meaningfully to a project such as OpenSSL.

You got it big time, right on the nose. The power of Open Source is that it attracts professionals and experts from across the world to contribute. Do we really think that there is a big concentration of the best and most skilled crypto experts in the world all centered around Redmond Washington USA? Money will only go so far. There are likely exploits in Microsoft's SSL stack that are so subtle that their small team of experts are not even aware that they exist. Assuming they were not paid for by the NSA or other agency.

Comment: Re:The bug was found because it was open source.. (Score 1) 526

by danheskett (#46763183) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Agree. OpenBSD and folks like Theo are integral to pushing the world forward on this stuff. You have my point exactly which is it is statistically unlikely that there isn't an SSL exploit, in the wild today, that is undetectable, undisclosed, unknown. We don't even know what we don't know. For all we know, the NSA and Microsoft collobrated to weaken the standard, make an implementation fault, and suppress it from being discovered, patched, and closed. Literally, MS can deny it, the NSA can deny, but it's all based on trust. And trust is a crappy plan.

With OpenSSL, it's not based on only on trust, it's based on verification.

Was I annoyed that I had to spend 2 hours investigating and answering client questions? You betcha. Is it a heck of a lot better than the alternative? It's not even close.

Comment: Re:It doesn't. (Score 1) 526

by danheskett (#46763165) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Right, and I agree. However, for example in case of Heartbleed, I run a fairly sophisticated IDS platform, and do my own random log reviews, and all that, (turns out I was never at risk on any of my networks), but it still didn't turn up evidence of Heartbleed, nor would it even if I was actively exploited.

You do what you can, but it's never enough.

Comment: Also (Score 3, Informative) 526

by danheskett (#46761341) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

I would like to just point out this is a huge win in my book for Debian. Those of us running an all Debian oldstable environment, getting backported security patches, and sticking with the tried and true version of OpenSSL instead of that newfangled 1.0 code release got to write nice letters to our customers saying we still don't use Windows and we were never vulernable.

LONG LIVE OLDSTATBLE.

Comment: Re:It doesn't. (Score 1) 526

by danheskett (#46761313) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

And we know this happens - researchers learn about zero-day exploits in the field everyday. Whats the odds that we learn about all of them? Zero, I'd wager.

People who do really deep audits of a system after a breach know what this is like. When you get that feeling that you are up against something new, or something unreported.

Comment: This was positive (Score 4, Interesting) 526

by danheskett (#46761289) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Heartbleed was positive for the world. The bug was found by code review, twice independently in a short period of days. It was patched rapidly across a hundred different versions and platforms, and now the world is vastly more safe. The system worked exactly as it should.

It is entirely likely that Heartbleed is out there for a closed platform. Or worse. And it's likely that it is being exploited right now by not only our own Government in the US, but our foreign rivals for economic and political gain. And what's worse, there is probably code out there that is defunct, full of Heartbleeds, bleeding exploits into the wild uncontrollably.

The only downside it exposed is that some projects have a lock on what they do. OpenSSL is so good that everyone uses it, and no one is seriously interested in forking it or doing a new implementation.

Comment: Re:Over 18 (Score 5, Insightful) 614

by DigiShaman (#46759763) Attached to: IRS Can Now Seize Your Tax Refund To Pay a Relative's Debt

Well YES! That's the Democrat (the politicians, not the voters) Party for you. Rules for them, and rules for everyone else. They actually believe in a caste based system. The idea being that if you accept your position in life, you'd be less inclined to fight for a higher standard of living. It makes management of a serfdom much easier along with the ease of accumulation of power.

Comment: Re:Wanna give up on these guys yet ? (Score 1) 564

by DigiShaman (#46758993) Attached to: Microsoft Confirms It Is Dropping Windows 8.1 Support

Ok, (1) what web portal? (2) when your email client is giving you a generic "something broke" message, how do you know to validate the password?

Occam's razor. It should be applied when troubleshooting.

E-mail passwords often expire on custom hosted servers. E-mail passwords for accounts hosted by your ISP, Gmail, Yahoo, Outlook.com..etc, don't. Company hosted mail, yes, quite common for that to happen. Especially true of your using a company Exchange server as the credentials are tied back to Active Directory.

The only time I've ever broke down a TCP/IP dump file was when troubleshooting PPTP VPN connectivity over a Verizon air card seven years ago (SSL VPN; use it yeah yeah, I know..) The problem was that some segments of their network were configured differently depending on what cell tower you were communicating against. For whatever reason, Verizon had a problem in that it was breaking the GRE protocol. Eventually, we isolated which which of the three cell towers were causing the problem out in the field (refinery complex for safety crewmen needing to log with a remote laptop).

1 Billion dollars of budget deficit = 1 Gramm-Rudman

Working...