Forgot your password?
typodupeerror
The Courts

FCC Orders Comcast To Stop Labeling Equipment Rental a Service Fee 97

Posted by timothy
from the getting-mugged-is-just-a-toll dept.
An anonymous reader writes "The FCC denied an appeal by Comcast, which argued that its practice of charging customers separately for a DTA (digital terminal adapter) -- a converter box that allows cable subscribers with older televisions to receive digital channels, which the company said would be provided at no charge -- is not subject to rate regulation, because it is a service fee. The ruling was issued on March 19." Also from the article: "In an e-mail last week to the Star Tribune, Comcast vice president of corporate affairs Mary Beth Schubert said the case “involved a relatively minor dispute about the way certain items are presented on the rate card but has no effect on overall pricing.” But, [Michael Bradley, an attorney whose firm represented Minneapolis-area franchising authorities in the dispute] argued the FCC’s decision sets a strong precedent for transparency within the cable industry."

Comment: Re:FIPS 140-2 4.9.2. The Other Back Door. (Score 1) 168

by thue (#46624775) Attached to: NSA Infiltrated RSA Deeper Than Imagined

> 2^128 - 2^112 [...] it's significant, especially if you have a huge data center in Utah.

But 2^128/2^112=2^16=65536

As an upper limit, assume that you remove 100*2^112. But that will still only eliminate 100/65536=0.1% of the search space. Any key that is brute-forceable by NSA with those 0.1% removed is also brute-forceable without those 0.1% of the search space removed.

> What may be worse (I don't know) is the simultaneous equations that it creates that are invariant for keys from such a source. Maybe they could be used in a cryptographic attack to help solve the sorts of attack that try to build big systems of simultaneous equations to attack the key schedule.

Something like this seems slightly more likely. But assuming the bits were perfectly random before the removal of repeated blocks, for finite keys it still doesn't generate anything that couldn't have been generated by chance without the removal of repeated blocks.

Comment: Re:FIPS 140-2 4.9.2. The Other Back Door. (Score 1) 168

by thue (#46623443) Attached to: NSA Infiltrated RSA Deeper Than Imagined

I agree that the output is not random by the standard definition. And obviously a bad RNG.

But making a practical attack based on that seems unlikely to me.

> For the record, RdRand doesn't do this because I refused to put it in because it's a back door in the spec.

Wait what - you designed Intel's RdRand hardware RNG?

So, since there is a lot of paranoia about backdoors in that, is there a backdoor? :P

Comment: Re:On the record (Score 2) 99

by thue (#46360921) Attached to: 'Obnoxious' RSA Protests, RSA Remains Mum

For starters, they can come clean. All their press releases have been exercises in trying to say as little as possible, and be as misleading as possible whiile still not literally lying. For example, their non-denial of the $10,000,000 deal with NSA had half the press falsely reporting that RSA claimed there never any $10,000,000 deal.

Dual_EC_DRBG has been documented since 2006/2007 to be an insecure CSPRNG, even without the backdoor. I knew about it for example, and I do not even work in that field. The only way nobody at RSA Security (a huge company specializing in security) could not have heard about it is by putting their hands over their ears and yelling LALALA. And they didn't put 2 and 2 together about why NSA paid them $10,000,000 when the possible backdoor was discussed in the media and the cryptographic community?

I can accept that RSA Security might have been fooled in 2004. But they have not even tried to explain why they kept using Dual_EC_DRBG after 2006/2007. They have been caught with the hand in the cookie jar, and refuse to even try to defend themselves. Why should I try to invent explanations for their innocence for them?

> what evidence could RSA show us that would reinstate our trust

The point is that the circumstantial evidence is so hugely strong. This is not unfair - this is reality.

It is like finding you standing over a corpse in a pool of blood and a knife in your hand, with a $10 million payment to your account from the victims worst enemy. And you refusing to talk about how you got there, or why the victim's worst enemy sent you the $10 million. Do you think I have no right to make assumptions in that case?

Comment: Re:What did you expect? (Score 1) 99

by thue (#46357765) Attached to: 'Obnoxious' RSA Protests, RSA Remains Mum

> And the RSA did go on record. They said it wasn't true.

What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal. RSA Security has not denied that it turned out there was a backdoor, or that there was a $10,000,000 deal to make Dual_EC_DRBG the default in the BSAFE library.

If you read the keynote from the current RSA Conference, RSA's defense is that they stopped independently creating and verifying the cryptographical algorithms, instead just getting them straight from NIST and ANSI. And they knew or should have known that Dual_EC_DRBG was written by NSA.

> "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to out business, we worked to establish an approch to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."

Meanwhile RSA Security ignored all the independent research showing that Dual_EC_DRBG was radioactive. So RSA Security's defense is that they stopped doing any due diligence, and instead just copied everything straight from NSA. And because they stopped even trying to do independent cryptography, they were not aware of the possible backdoor. And you think RSA Security's statements in their defense are not laughable, and that people protesting this is just "a$$holes"?

Comment: Re:On what basis can you make this demand? (Score 1) 99

by thue (#46357617) Attached to: 'Obnoxious' RSA Protests, RSA Remains Mum

> They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

Given that NSA made the contract in bad faith, is RSA Security still obligated to keep their silence? Maybe, but it seems insane. What RSA Security could say for starters was for example to explicitly confirm that a $10,000,000 contract exists. They haven't even done that.

RSA Security also have not yet given a good explanation for why they ignored the multitude of red flags until 2013. As cryptographer Matthew Green writes:

> So why would RSA pick Dual_EC as the default? You got me. Not only is Dual_EC hilariously slow -- which has real performance implications -- it was shown to be a just plain bad random number generator all the way back in 2006. By 2007, when Shumow and Ferguson raised the possibility of a backdoor in the specification, no sensible cryptographer would go near the thing. And the killer is that RSA employs a number of highly distinguished cryptographers! It's unlikely that they'd all miss the news about Dual_EC.

If RSA Security makes secret contracts that impacts other people's security, I don't see why RSA Security should get any benefit of the doubt. Why should we trust a company cloaked in secrecy who has shown themselves to be overwhelmingly incompetent and/or malicious?

Comment: Re:What lie? (Score 1) 99

by thue (#46357487) Attached to: 'Obnoxious' RSA Protests, RSA Remains Mum

> There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.

It is possible that RSA Security was not aware of the possible backdoor in 2004, though unlikely. But that in no way excuses or explains why RSA security kept using the algorithm after the flaws became apparent and widely known in 2006 and 2007: http://blog.cryptographyengine...

Comment: RSA considered Dual_EC research without merit? (Score 1) 99

by thue (#46357195) Attached to: 'Obnoxious' RSA Protests, RSA Remains Mum

Jeffrey Carr has a good point from the RSA Conference keynote:

> "When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech

So up until then, they apparently considered all the criticism of RSA security without merit? On what basis? The research was obviously right.

http://jeffreycarr.blogspot.dk...

If you read a bit more in the actual keynote, there is actually an unexpectedly frank explanation:

> "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to out business, we worked to establish an approch to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."

But they ignore most of the input of the larger community, in favor of taking $10,000,000 from NSA to use their backdoored algorithm.

What we have seems to be standard exploitation of a valuable acquired brand which is no longer profitable. Take a high-quality brand with an outstanding reputation for independent quality checking. Fire everybody skilled (and expensive), and sell as many cheap commodity products under that brand as you can get away with, with as little expensive quality control as possible. Their claim is that they expected to get the quality control for free from NIST, which they knew was dominated by the NSA. Meanwhile, RSA Security choose to totally ignore any contradicting independent research.

Personally I believe the amount of incompetence and cluelessness claimed by RSA Security as defense strains credulity beyond breaking point.

The superior man understands what is right; the inferior man understands what will sell. -- Confucius

Working...