Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Compare cell phone plans using Wirefly's innovative plan comparison tool ×

Comment Re:FBI Word games (Score 1) 245

On the contrary, they work just as well as in other cases. Just because a warrant is granted, this does not guarantee a search will be fruitful.

The difference is that encryption guarantees the search will not be fruitful.

Given that situation, I would tend to lean toward the side that favors the citizenry over their government masters.

Me too, not least because I think the pendulum has swung too far towards government. But I also recognize that proper law enforcement is a good thing.

Comment Re:FBI Word games (Score 1) 245

True, but even if they did ban encryption, there will always be some other way to achieve the same ends, especially if you are a criminal who doesn;t care about the law.

Just like trying to ban guns by law Its a stupid idea to begin with, since it only limits/restricts/unnecessarily punishes law-abiding people, so they weren't ever a threat anyway.

Most criminals don't plan very well. If they had to get illegal encryption software to secure their communications and papers, they'd screw it up. For that matter, even in the present where it's legal but not on by default in most cases, they won't do it. The problematic situation is when everything is strongly encrypted by default, all the time -- which I think is a good thing, and in fact a big part of my day job is to make that true on all Android devices. But even though it is a good thing in general, it will have a significant negative impact on law enforcement.

Comment Re:FBI Word games (Score 1) 245

There's also that pesky 'secure in your own home' concept, whereby the planting of false evidence is meant to be at least slightly difficult. Once they have access, there's nothing stopping escalation to curtail someone that is causing an issue.

Encryption or the lack thereof has no impact on that whatsoever.

Comment Re:FBI Word games (Score 1) 245

But I think it's important to admit that there is a real subject of debate here.

No. There isn't.

Problem is that encryption is more than just sending messages to your co-conspirators. There's banking. Paying bills. All that other good stuff that we do without thinking about the encryption. Back door on encryption means that that's all gone. Can't afford to do online banking with broken encryption. Can't afford a lot of the conveniences of modern living (haven't had to actually write a check in years. And don't expect to have to again)....

Actually, banking, etc., are exactly the areas where escrowed encryption would work just fine. The bank could simply escrow its private keys with a federal agency and the cops could get stuff decrypted with a court order. Done, and done. But it's irrelevant, because a warrant served on the bank will get your transaction records.

No, the relevant sort of encryption here is local storage encryption.

Comment Re: FBI Word games (Score 1) 245

Sorry, but the state at which all laws are fully enforced to their maximum extent is not the ideal our society was founded on. Rather, we accept that some lawbreakers will get away as the cost of our freedom. In essence, law abiding citizens have a vested interest n ensuring that law enforcement is NOT 100 percent successful.

Obviously. But we're likely moving the balance point, which bears discussion.

Comment Re:I don't see the bug either (Score 2) 26

I have asked on an internal mailing list. If the response is something I can share here, I will.

The response is basically that it's not worth fixing because there are so many other ways to do the same thing, many of them arguably better (for the attacker). Fixing this would require redesign of lots of stuff... and it couldn't prevent any of the other attacks that achieve the same thing, so it would be a lot of effort for no return.

An example of a similar/better attack:

In that demonstration the example banking site is not HTTPS-protected, but the attack would work just as well if it were. There are other ways as well, I'm told (I'm not a web security guy).

My takeaway is that *every* time I type or submit sensitive data into a web page I must check the address bar. I actually do that anyway; this just reaffirms the importance of that habit.

Comment Re:I don't see the bug either (Score 4, Insightful) 26

Maybe. I think the issue (if any) lies here:

2) Get them to click on a login using Google link that sends them to (something like this)

The problem is that the Google login page will be totally legitimate. The lock icon will be green, certificate pinning will ensure all is safe/good, etc. So it's not completely unreasonable that a person who might have been suspicious (but not too suspicious to click the link) prior to this point would now decide "okay, this is legit", and continue onward... and not notice that on the fake login page they're no longer on a Google site.

So, if it's a weakness, it's one that doesn't affect totally clueless users, who could have been directed to the fake login page to begin with, and it doesn't affect clueful/careful users who check their address bar at both the real and fake login pages and know how to tell the difference. It affects only somewhat careful users who check their address bar at the real login page and then figure they're safe from there on out. Well, it also has to be a user to is willing to click a Google login link from a random, untrusted site.

So I agree it's very, very narrow. I'm not sure I agree it's not an issue. But I know the Google Security Team guys well (I work for Google, on security, though not this stuff), and they're extraordinarily paranoid (that's a good thing), so my guess is that there is some other mitigating factor that I'm not seeing, and they just haven't done a good job of communicating the rationale to the researcher, or have some reason they can't communicate it.

I have asked on an internal mailing list. If the response is something I can share here, I will.

Comment Re:How to make it cheaper? (Score 1) 58

I see the carpooling part, but the summary also mentions charging fares, not splitting costs. Presumably the car owner is for hire and accepts them, Google just uses something along the lines of "Uber Pool" and "Lyft Line" which also matches riders going in the same direction. Which isn't a differentiator at all, as the article claims.

The difference is that no the much lower fares will be too low to motivate anyone to take driving on as a job. If the fare value is so low that it doesn't even cover the full value of vehicle fuel and wear and tear, much less the driver's time, then no one will try to make money at it. Instead, it will just be a way to defray part of the cost of a journey one was making anyway. In other words, ride sharing.

Comment Re:FBI Word games (Score 1) 245

I'm glad that we have people on our side that are smarter than him.

You realize you're implicitly siding with criminals here, right? They also want to keep the FBI out of their data.

Oh, I agree with your conclusions. Banning encryption, or requiring backdoors, is a simply unacceptable level of intrusion in a democratic society. Its potential for abuse is too extreme to risk.

BUT... law-abiding citizens do also have an interest in seeing that lawbreakers are caught. Assuming we vote in people who pass appropriate laws and criminalize things that seriously and negatively affect our lives, things like murder, kidnapping, robbery, identity theft, and pot smoking (kidding!), then we really do want cops to be able to get the information needed to identify the perpetrators of crimes and to prosecute them. So we do not want a situation in which evidence is not generally available, leading to either failing to lock up a lot of people who are actively dangerous to us, or to locking up a lot of innocent people because we've had to lower the standards of evidence required for prosecution.

I'm pretty certain that we're just going to have to accept a world in which prosecutions are a lot harder, because the alternative is even worse. I also don't think it will be as bad as all that, because most criminals are stupid. It doesn't matter if the conspirators' email is encrypted when one of them posts the deed on Facebook. But I think it's important to admit that there is a real subject of debate here.

Comment Re:FBI Word games (Score 2) 245

> "With good reason, the people of the United States -- through judges and law enforcement -- can invade our private spaces," Comey said, adding that that "bargain" has been at the center of the country since its inception.

Yes, but for specific limited instances and after obtaining warrants for each case. What Comey/The FBI are actually demanding is our freedom to use encryption be completely removed so that they can perform warrantless mass monitoring on a national scale.

To be fair, encryption does change the situation a bit. It creates a world where warrants do not work, not unless you can also be compelled to provide decryption keys/passwords... and even then, if the penalty for the crime you're alleged to have committed is worse than the penalty for refusing to divulge your password, you'll keep your mouth shut. Also, penalizing refusal to provide information runs into another problem (besides 5th amendment constraints): what if you legitimately can't provide the information, but can't convince the judge that you can't? How many innocent but forgetful people will we jail?

So, this really is a new world for law enforcement. On the one hand, if encryption is banned or backdoored, it gives them unprecedentedly broad and deep surveillance, potentially routine global surveillance. On the other, if encryption is legal and routine, they find themselves simply unable to get information that in decades and centuries past they could have gotten with a warrant and a search of your home/office.

There is an imperfect historical analogue: Very high security safes. In the past, people might keep possibly-incriminating evidence in a safe. If the safe was really, really good this occasionally created a situation where police could not get in because they lacked the tools and skills. Courts ruled they could not demand the combination. But the situation with encryption is different for a few reasons.

First, it's different because high-quality safes are expensive and rare. making the problem correspondingly rare. Encryption is cheap and easy.

Second, it's different because it's a pain to remember to keep all of your potentially-incriminating documents in a safe. Encryption can be automated so it's applied to everything. No need to think about it. Indeed, security advocates (like me) encourage encryption of absolutely everything, all the time.

Third, it's different because while a safe can always be cracked given enough time and effort, proper encryption is effectively invulnerable. Barring bugs in implementation, or defects in key management processes (e.g. weak passwords), we have no reason to believe anyone can break current-generation cryptographic algorithms.

So there is a real question that needs to be debated openly, in public. We need to understand the consequences of ubiquitous strong encryption on law enforcement, and we need to weigh that against privacy.

And then we need to tell the cops "Sorry, privacy wins. And even if it didn't, the sort of police state we'd need to put in place to effectively restrict secure encryption is simply unacceptable". But we should have the data, and the open, honest public debate so that everyone can come to understand what is blindingly obvious to those who already understand encryption.

Comment Re:So, really seems to be "ride-sharing" (Score 1) 58

That's what Uber was supposed to be until they became an international taxicab company

Are you sure about that? The company was launched under the name UberCab, and as far as I can tell it was a car-hailing app from the beginning. I can find no evidence it was ever a carpooling app.

It seems to me that the challenge with an actual ridesharing app is getting to critical mass. You need enough cars participating that anyone looking for a ride is likely to find someone to pick them up most of the time. That's something of a problem for a car-hailing app like Uber, but not as much because it depends only on there being a driver in the vicinity... with actual ridesharing you need to find a driver that is close enough and is going to the same place (roughly). And is willing to add a little time to their journey to pick you up and drop you off.

I suppose if they can get a substantial percentage of the Waze userbase to participate, it should work. I might do it.

Comment Re:Gut check (Score 3, Interesting) 57

As an IT person for over twenty years, I still pain at this cloud presence. Who owns your data? Google, Amazon, Microsoft?

What, specifically, are you afraid will happen?

I can see being worried about handing your business data to a service provider who may be a competitor, but are you actually competing with any of these? And would they really get enough value from looking at your data to justify the immense damage to their business if they were caught spying on customers in violation of contractual obligations? Not likely. I suppose I could see Wal-mart refusing to host their data on AWS because there's a clear competitive conflict, and Wal-mart is big enough that Amazon might want to spy on them, but those cases are pretty rare, I think.

If your concern is about data loss if the provider goes belly up or has severe problems (e.g. a data center burns to the ground) then (a) your fears are pretty misplaced with respect to AWS, Azure or GCE, and (b) you should be keeping backups regardless of whether you're running your own systems or using a provider. If your concern is about downtime, your fears are really misplaced. The big cloud providers are much better at that than you are.

I know a number of small and mid-size companies that have never operated their own data centers, or even had colos, and are extremely happy with the way that works. It makes them able to respond to changes in business much more quickly and keeps their overhead low, especially during the early phases. Sign up a huge new client and need to double your capacity? Log on and fire it up (assuming you've architected for scalability). No need to worry about floor space or purchase orders or installation schedules. Lose a huge client or find an optimization and need to cut capacity by 30%? Log on and shut it down. No need to figure out what to do about the idled equipment or floor space. These companies find it's much better to stay focused on what they do well, writing software and selling services, rather than staff up big organizations to manage data center operations.

One significant (~600-person) and quite profitable SaaS company I know doesn't own *any* computing hardware. Their computing equipment is completely BYOD, employees use their own laptops, tablets and phones (with reimbursement, so I suppose their accountants might argue they own some stuff, technically). When they had to move buildings recently (due to growth), they simply leased a new building and told everyone (those who don't telecommute) to show up at the new location the next week. The new building had cubicles and wired and wireless Internet in place (w/redundant providers), all part of the lease. They did contract some movers to haul boxes of personal items from the old building to the new one, including developers' large monitors. The CEO likes to joke that he could move the entire company to a beach-side resort in Belize and they could all continue working without the slightest interruption, as long as the resort had good Wifi.

That's a bit extreme, and there's no doubt that that level of flexibility isn't free, but it's not as expensive as you might think. Moreover, if your workload is very static, and your IT department is solid and smooth-functioning, and labor costs in your area are low, it will cost more to pay a cloud provider than to do it yourself. Or if you have particularly-sensitive data to manage (and actually know how to manage it... something that is *rarely* true in my 15 years' experience as an IT security consultant), you may need to have your own hardware. But for many, many companies, the cloud is cheaper, faster, more flexible and more secure.

Comment Re: Weirdly specific statement (Score 1) 55

What is the limiting factor? Buildup of CO2?

People need a certain amount of oxygen for their metabolism, you need to carry that much. CO2 effects the blood pH: too little and the body is too alkaline, too much and it's too acidic. So, you need to maintain a precise amount of CO2 and remove the rest. The scrubbers in the space shuttle were able to regenerate the CO2-absorbent material after use, so there was use of power but material wasn't consumed.

Beyond this, you need to control temperature and humidity. The other requirements than atmosphere for crew survival are that you water, feed and shelter the crew, maintain orientation, and maintain a G-force envelope that doesn't injure the crew.

Slashdot Top Deals

"Being against torture ought to be sort of a bipartisan thing." -- Karl Lehenbauer