
Comment: Re:Spare Change (Score 3, Insightful) 308

100 percent. Been there, done that.

There are four basic types of "homeless" -

1. The mentally ill.
2. Drug users and alcoholics that don't want to "get off the street" enough to do something about their habits.
3. Homeless people who lived too close to the edge and became unemployed, drug addicts and alcoholics who want to change their lives.

And here is Seattle - "Nicklesville" ...

4. People who feel that society should support their homeless lifestyle.

There are in fact many services for all of these groups except Number Four. The rest, if they work hard, give up the heavy booze and drugs (there are in fact programs), they can lift themselves out of homelessness.

And don't fool yourself, Number Four exists in great numbers, dragging the "real" homeless down to their level.

Comment: Re:Also Disturbing (Score 1) 122

by danheskett (#46771699) Attached to: Lavabit Loses Contempt Appeal

Well, you are right. Thanks for that. I think that I have improperly cemented Section I as the only one establishing courts because it is the one most cited in research, Section II being well settled by this point.

I was not originally suggesting the Court seek out cases or controversies, or have a police power (like in, say, France).

I do suggest that they need to actively distrust in hearings and rulings the claim that the Government will do what it says. In the case, Lavabit, the Government says matter-of-factly that it will not use the SSL keys to do anything to the other 400,000 customers of Lavabit's service, but that is (a) not binding and (b) not believable. It would be ideal if a Judge, hearing such a claim, pro-actively took steps to either force the Government to adhere to that (i.e. consent agreement) or to in some other way hold it harmless. It is really in a way too bad that the Government can't usually be forced to post a bond. Levison was fairly clearly concerned that the Government would overstep their authority, leaving his customers damaged and himself without recourse. This was the nature of his request to provide the data after the fact (after he could verify it was only targeted to one customer who was under investigation). The Judge immediately dismissed his concern because the Government stated - in a non-binding, non-policy specific way - that they would only tap one customer.

Comment: Re:Also Disturbing (Score 2) 122

by danheskett (#46770895) Attached to: Lavabit Loses Contempt Appeal

Judges should NOT start being proactive.

I suppose I should have said "in their rulings". Meaning, they should be de facto skeptical of Government claims, and de facto assume that Government shall not be trusted. Currently, they take the Government's claims at face value. I.E. the Government says they won't use any data they are not allowed to, so we trust them. They should be proactive in assuming that the Government lies.

In the US, at least, judges are - per the US constitution - reactive.

Really? Where is that? Article III establishes the Judiciary, but does not in any way circumscribe the power of the Courts, or make them reactive in nature. There is nothing even suggesting that a suit must be made - only that the Supreme Court has original jurisdiction.

The entire concept of a reactive, ex post facto review based Court is entirely based on statute and tradition (Marbury v. Madison et al.). There is nothing inherently anti-Constitutional about, for example, the Court being given, by Congress, an ad-hoc review power of any government action. Or a pre-enactment review authority over all legislation.

At the very least, allowing judges to be proactive would require a massive rewriting of laws, starting with the constitution and working your way down.

I disagree. Most of it is all stacked precedent and not black letter law.

Comment: Re:A remarkable order. (Score 3, Insightful) 122

by danheskett (#46770139) Attached to: Lavabit Loses Contempt Appeal

The cogent and accurate description of public key cryptography a

Disagree. The "padlock" analogy was garbage. In PKI, not just anyone can simply "lock the padlock" as the author of the ruling states. For any key-set, exactly 1 key can "lock", and exactly 1 key can "unlock". The brief claimed that anyone could come by and lock it, and that's not true. And it's relevant since, as Levison stated, with the keys, the Government could impersonate his service to any of his 400,000 users.

As we know, the government routinely uses deception. The DEA creates fake histories of evidence and plants it on local law enforcement.
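To make the lock-and-unlock roles the comment argues about concrete, here is a toy RSA example added by the editor (not code from the post, from Lavabit, or from the ruling). It uses constructed tiny primes and no padding, so it illustrates key roles only: encryption runs public-to-private, signing runs private-to-public, and a party holding only the public half cannot produce the proof of identity that the private half produces. That last property is what stands behind the impersonation concern raised above, and it is why custody of a service's private key matters to every user of that service.

```python
"""Toy RSA showing which half of a key pair "locks" and which "unlocks".

Editor's added illustration, not code from the post or the court ruling.
The primes are tiny constructed values and there is no padding, so this
demonstrates key roles only and must never protect real data.
"""

# Constructed key material: two small primes instead of 1024-bit ones.
P, Q = 61, 53
N = P * Q                  # modulus shared by both halves of the key pair (3233)
PHI = (P - 1) * (Q - 1)    # Euler's totient of N (3120)
E = 17                     # public exponent, published to the world
D = pow(E, -1, PHI)        # private exponent, kept by the service (2753)

PUBLIC_KEY = (N, E)        # the "padlock": anyone may hold a copy
PRIVATE_KEY = (N, D)       # the only key that opens what the padlock closed


def apply_key(key, value):
    """Modular exponentiation with either half of the key pair.

    Both halves use the same operation; only the exponent differs.  Which
    one "locks" and which "unlocks" depends on the direction of use.
    """
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def encrypt(public_key, message):
    """Confidentiality direction: the public key locks, the private key unlocks."""
    return apply_key(public_key, message)


def decrypt(private_key, ciphertext):
    """Only the private exponent inverts encrypt(); the public one does not."""
    return apply_key(private_key, ciphertext)


def sign(private_key, digest):
    """Authentication direction: the private key locks, the public key unlocks.

    `digest` stands in for a message hash already reduced below the modulus.
    """
    return apply_key(private_key, digest)


def verify(public_key, digest, signature):
    """Anyone with the public half can check, but not create, a signature."""
    return apply_key(public_key, signature) == digest


def prove_identity(key, nonce):
    """A server proves it is the legitimate service by signing a challenge.

    This mirrors the signature step of a TLS handshake: whoever holds the
    service's private key can answer any client's challenge as that service.
    """
    return sign(key, nonce)


def identity_checks_out(public_key, nonce, proof):
    """Client-side check of the challenge response against the public key."""
    return verify(public_key, nonce, proof)


if __name__ == "__main__":
    m = 65
    c = encrypt(PUBLIC_KEY, m)
    print("ciphertext:", c, "-> private key recovers", decrypt(PRIVATE_KEY, c))
    print("public key alone recovers", decrypt(PUBLIC_KEY, c), "(wrong)")

    nonce = 42  # constructed challenge value
    print("proof made with private key accepted:",
          identity_checks_out(PUBLIC_KEY, nonce, prove_identity(PRIVATE_KEY, nonce)))
    print("proof made with public key accepted:",
          identity_checks_out(PUBLIC_KEY, nonce, prove_identity(PUBLIC_KEY, nonce)))
```

Run it directly to see both directions side by side. The point for the argument above is the last two lines of output: a challenge answered with the private half verifies, the same challenge answered with only the public half does not, so handing over the private half hands over the ability to pass as the service to every client that trusts its public half.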

Comment: Also Disturbing (Score 4, Insightful) 122

by danheskett (#46770093) Attached to: Lavabit Loses Contempt Appeal

I think one thing we need to be aware of is that the Court defers to the Government's claim that, once decrypted, the Government will not view anything but the "metadata" of the communication, not its "content", and not for anyone but the target.

Every legal case, every Court hearing, from here forever, the Government must never be given the benefit of the doubt. Any time they have the capability to abuse that claim, we must assume that they will, and Judges should start factoring that assumption into their discussions. We know, only through illicit disclosures, the government will abuse the legal theories that are plainly written in black letter law (Section 215 for example), and will simply declare that the domestic law does not apply for any number of novel theories outside the review of anyone.

Judges must start being proactive. I think it's fairly clear that Levison was skeptical that the Government would only target one user, and that the Government would never use any of that data that they were not permitted to have. In that regard, he was 100% right that forcing mass decryption is in fact "a general warrant", the precise protection that the 4th Amendment's specific language was intended for.

The whole affair also shows how badly the Stored Communications Act and the Pen/Trap statutes are drafted and how out of date they are. The Law must finally realize that there is no such thing as "meta-data" anymore. It's a label without meaning. The message is the message, including the routing information. "Content" versus "Meta-data" is a garbage distinction with email. The entire layer 7 message, headers and all, is the content.

Comment: Demonstrates the futility of opposition.. (Score 5, Informative) 122

by danheskett (#46769715) Attached to: Lavabit Loses Contempt Appeal

I think that the ruling and the case demonstrate the futility and the problems with attempting to defend yourself or your clients against the government. It seems clear to me that Lavabit suspected that the order was overbroad, but had no idea what to do about it. The contempt charge was probably inevitable as he searched for a legal basis and representation to do what was quite obviously "the right thing".

The ruling also has a powerful, and sad, commentary on our system of government as it stands today:

"Because of the nature of the underlying criminal investigation, portions of the record, including the target’s identity, are sealed."

We are right back at Star Chambers and secret courts and hidden rulings and anonymous witnesses. We've devolved back to a legal system which is only concerned with secrecy.

Comment: Re:Gentrification? (Score 1) 347

by metlin (#46764133) Attached to: San Francisco's Housing Crisis Explained

Your argument is silly because it completely discounts cost of living.

I live in Boston, and rent is just one portion of your expenditure. Taxes, childcare, private schools, parking, and even your average restaurant bill are all significantly higher. This winter, I paid more to shovel after one storm in Boston than my friends did to have someone shovel all winter in Cleveland.

My salary would get me a middle class living in Boston or SFO, a lower middle class living in NYC, and an affluent upper middle class living in most of the midwest.

Blanket statements that anything about X makes you rich (or super rich) are plain ridiculous. Heck, I'm in NYC as I'm typing this and I'm pretty sure you'd get a shoebox for $1500.

Comment: Re:Two things to note (Score 1) 560

by danheskett (#46763203) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

The reason is understandable and explained in the above paragraph - the vast majority of software developers out there are probably not able to contribute meaningfully to a project such as OpenSSL.

You got it big time, right on the nose. The power of Open Source is that it attracts professionals and experts from across the world to contribute. Do we really think that there is a big concentration of the best and most skilled crypto experts in the world all centered around Redmond, Washington, USA? Money will only go so far. There are likely exploits in Microsoft's SSL stack that are so subtle that their small team of experts are not even aware that they exist. Assuming they were not paid for by the NSA or other agency.

Comment: Re:The bug was found because it was open source.. (Score 1) 560

by danheskett (#46763183) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Agree. OpenBSD and folks like Theo are integral to pushing the world forward on this stuff. You have my point exactly, which is that it is statistically unlikely that there isn't an SSL exploit, in the wild today, that is undetectable, undisclosed, unknown. We don't even know what we don't know. For all we know, the NSA and Microsoft collaborated to weaken the standard, make an implementation fault, and suppress it from being discovered, patched, and closed. Literally, MS can deny it, the NSA can deny it, but it's all based on trust. And trust is a crappy plan.

With OpenSSL, it's not based only on trust, it's based on verification.

Was I annoyed that I had to spend 2 hours investigating and answering client questions? You betcha. Is it a heck of a lot better than the alternative? It's not even close.

Comment: Re:It doesn't. (Score 1) 560

by danheskett (#46763165) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Right, and I agree. However, for example in the case of Heartbleed, I run a fairly sophisticated IDS platform, and do my own random log reviews, and all that (turns out I was never at risk on any of my networks), but it still didn't turn up evidence of Heartbleed, nor would it even if I was actively exploited.

You do what you can, but it's never enough.

Comment: Also (Score 3, Informative) 560

by danheskett (#46761341) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

I would like to just point out this is a huge win in my book for Debian. Those of us running an all Debian oldstable environment, getting backported security patches, and sticking with the tried and true version of OpenSSL instead of that newfangled 1.0 code release got to write nice letters to our customers saying we still don't use Windows and we were never vulnerable.

LONG LIVE OLDSTABLE.

Comment: Re:It doesn't. (Score 1) 560

by danheskett (#46761313) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

And we know this happens - researchers learn about zero-day exploits in the field every day. What are the odds that we learn about all of them? Zero, I'd wager.

People who do really deep audits of a system after a breach know what this is like. When you get that feeling that you are up against something new, or something unreported.

Comment: This was positive (Score 4, Interesting) 560

by danheskett (#46761289) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

Heartbleed was positive for the world. The bug was found by code review, twice independently in a short period of days. It was patched rapidly across a hundred different versions and platforms, and now the world is vastly more safe. The system worked exactly as it should.

It is entirely likely that Heartbleed is out there for a closed platform. Or worse. And it's likely that it is being exploited right now by not only our own Government in the US, but our foreign rivals for economic and political gain. And what's worse, there is probably code out there that is defunct, full of Heartbleeds, bleeding exploits into the wild uncontrollably.

The only downside it exposed is that some projects have a lock on what they do. OpenSSL is so good that everyone uses it, and no one is seriously interested in forking it or doing a new implementation.
