I think the biggest thing would be to stop requiring judgements to be "reasonable" in the aggregate. Work up an average cost for an individual to deal with the results of a data breach (including their own personal time), then by law set the liability of the data collector per individual exposed at either that average or the actual documented costs, whichever is greater, plus legal costs and fees. 50 million records exposed at an average cost of $200 per person to fix? Total liability starts at $10 billion and goes up from there, plus lawyers' fees on top of that. No trying to figure a reasonable total penalty, you take the reasonable cost per individual and multiply it by the number of individuals and the company's responsible for contacting all individuals affected.
There isn't an easy way to set up an automatic wipe like you describe, but many phones have an option to encrypt the storage (internal and SD card) so that a password has to be entered during boot before the phone can even read it's own storage. You'd combine this with a scheduled-reboot app (requires a rooted phone to work) that would trigger a restart of the phone at a certain time each day. You could use a remote-power-off app as well, but doing it automatically on a preset schedule avoids the issue of you having to actively do something after the phone was confiscated. I'd have to dig into whether there's software out there that could invalidate the decryption credentials (forcing a re-entry of the password) if the device is idle for longer than a set time (something like the lock screen, but operating at the hardware layer rather than the level of the UI and external interfaces).
Have to agree. "Don't enable the Submit button before the form's completely ready to be submitted." is a standard thing for any Web page or application. If that button does anything before the form's completely loaded and rendered, the developers failed even India Consulting Firm Coding 101.
Re: Response to: TKnarr on Oct 20th, 2018 @ 4:08pm
As to #2, these chips were installed in the Ethernet connector itself. That means they have access to the physical Ethernet so they can inject their own packets in between legitimate packets. And if you'd read the article, the extra network traffic that would imply was exactly how they were in fact detected according to the author.
As to #1, go look up the specs for Intel's chipsets like the current X299. They include on-board network hardware (specifically an Intel I219) which is connected to the Ethernet connector itself via a PCIe x1 and the SMBus. That would give hardware embedded in the Ethernet connector a nice neat line into the hardware's internals.
And perhaps it might be a lot of money. Maybe. Remember that this is China, which specializes in manufacturing chips for electronics manufacturers. I'm pretty sure their government could fund a fab line for the necessary chip, they could probably even piggyback it onto an existing fab line other companies were paying for. Installing it in every Supermicro board manufactured in China wouldn't be expensive, it's just a small tweak to the cost they're already charging Supermicro to manufacture the boards after all. Putting it into every board would actually make it less likely to be detected since there'd be no anomalies in the components to be noticed and the chip is probably on the original blueprints labelled as something innocuous so anyone checking would see that the connector's exactly as specced. You'd need to actually peel the chip apart before you'd find any hint of anything wrong. Or be monitoring for unusual network traffic, and that's often difficult as there's so much and only the most paranoid would go to that effort. Your targets wouldn't be the high-security networks that'd be the main places that'd spot that traffic either, they'd be the lower-security stuff in big datacenters where you can scoop up information from the commercial side where security isn't nearly as tight. Set the chip up to do a limited number of time-delayed pings at first power-up and shut itself off if it didn't get a response and by the time anyone looking notices the traffic and goes hunting for the source the trail's gone cold.
As for juicy, remember that the government contracts out almost all of it's military hardware. You may not be able to steal the designs from the government, but scoop up the info on what the civilian subcontractors are making for the contractors making the hardware and you can get a pretty good idea what's being delivered. Plus the sheer monetary value of simple commercial espionage, of course, and commercial security is a complete joke as we've witnessed time and time again.
This article covers something that appears different from the original article. It looks plausible: the extra chip is in the connection between the Ethernet connector itself and the internal NICs in the CPU, which'd give it both network access and potentially access to the PCIe bus and/or the internal bus connecting components within the CPU. In a multi-layer motherboard I can see hiding some extra traces that'd be sufficient to give the chip enough access to monitor memory and the hard drives. Add in the claims that the technique was also found in NSA leaks back in 2013 (the TAO catalog from the NSA's Advanced Network Technologies group) and it looks like it falls into the "I really don't want to think they did that, but I can see too many ways they can feasibly do it and I know the potential payoff would be enough to tempt even a saint" category.
It's probably that the wording is controlled by the marketing and legal departments, who aren't intimately familiar with the internals of the various products. The engineers, who truly know what's going on under the hood, aren't consulted until after the fact (if then). There's also the disconnect in world-view: to the engineers the fact that Weather stores location data in it's own data storage for it's own purposes isn't relevant at all to whether that same data appears in the Location History storage. As long as Weather doesn't feed the data to Location History, the statement that turning off Location History makes Location History stop recording your location is correct even though Weather is still tracking your location so it can show you the weather in places you visit regularly. To make matters worse, I suspect the average smartphone user's understanding is closer to the engineers' than the lawyers' so you end up with not one but two layers of translation errors.
I'd like to note something that's skipped over here: the nature of the choice companies/platforms give users. All the transparency and control in the world is useless if the choice offered is "give us permission to do anything/everything or don't use our platform/website". Hobson's choice is no choice at all most of the time.
Re: "Would you look at that, seems I need to leave RIGHT NOW."
I think judges should start enforcing the rule that once the defendant files anything in the case, even just a response, the plaintiff can't voluntarily dismiss the case anymore without the defendant agreeing to the dismissal. Along with an explicit rule that says the fact that the defendant refused to agree to a dismissal may not be used to the defendant's detriment at any later point in the case (ie. no more saying that if the plaintiff offers to settle and dismiss the case and the defendant rejects it and ends up winning less than the settlement offer the defendant's treated as having lost).
Remember that their plan isn't to protect their DRM against cracking. It's to protect their ability to sell their DRM to game companies. I'd even bet that their financial people see the DRM being cracked as a revenue opportunity: version N of it being cracked means the game companies have to shift to version N+1, which being a major version upgrade requires buying a new license.
When it comes to "balanced" reporting, I just remember what Robert Heinlein had several of his characters expound: the second best way to lie convincingly is to tell the truth but not all of it. Report the facts but omit some crucial ones so that people reading the material will get a distorted view and jump to incorrect conclusions.
With Calibre there's no time spent on the book. You need a few minutes when you install the plug-in to configure it with the info from/for your reader. After that the plug-in operates in the background, silently removing the DRM as you import the e-book into Calibre. I haven't seen it add any appreciable time to the import either, so it's basically negligible overhead.
What'd be even better is if the court ruled that since the government has no authority to retaliate in this manner and the councilmembers knew or should have known this, their actions cannot have been in the course of their duties and they are personally liable for the damages (and if they want the city to pay they'll have to sue it themselves).
I think the out is in the fact that the prohibition is on a party requiring disclosure of source code owned by a different party. In the case of open-source licenses, the party requiring the disclosure is the one who owns the code. In such a case they wouldn't be demanding disclosure of source code owned by a different party and the prohibition wouldn't apply.
The idea isn't to get a ruling about whether it's de minimis fair use. The idea is to get a ruling that the defendant (HBO) can't raise de minimis fair use as a defense either because they've themselves prevailed on the claim that de minimis use is still infringing or (better, because it'd apply to all media companies and not just HBO) that de minimis use doesn't make it fair use. This would hit the media companies hardest because they have the widest variety of possible-fair-use occurrences in their product and are open to claims from the largest number of copyright holders.
I almost wish the plaintiff's attorney had gone and found cases where HBO had made the same sort of "any use is infringement, no matter how minor" argument and won, and used that to shoot down HBO's defense here just to drive home to the media companies the point that their idea of how copyright works is just as dangerous for them as it is for the public.
That isn't intermediary liability though. The government decided where to place the crosswalk, so they'd be directly liable for their choice. Intermediary liability would be holding the contractor who painted the crosswalk where the government told him to liable for the government's choice.
It's not so much that the firms have a built-in bias in favor of Facebook as that Facebook's the only party that can select arbitration panels and it deliberately selects panels that favor Facebook. Basically case 2 quickly and inevitably becomes equivalent to case 1 unless the selection process is designed to prevent any single party from having sole control of the selection of arbitration panel.
Knowing how things have gone in the binding-arbitration area, I'm inclined to believe any businessman's proposal of another arbitration system will go the same way until I'm presented with evidence to the contrary.
Re: Predicting DOOM beyond all reason. A boy who cries werewolf!
No, it's that under the new law platforms will do less policing or more likely no policing at all simply because that's the only way to avoid being run out of business by lawsuits and criminal charges. Such an improvement.
It sounds like the proposed system is less an email system and more a records-management system where things like whether the recipient is authorized to receive a particular document or type of document (so that eg. documents that should be visible to only one party don't accidentally get sent to opposing counsel) come into play and "email message" is only one of many document types. I can only imagine the mess if they tried to start with an email system and impose those kinds of additional requirements on it.
On the post: Police Misconduct, Data Breaches, And The Ongoing Lack Of Accountability That Allows These To Continue
I think the biggest thing would be to stop requiring judgements to be "reasonable" in the aggregate. Work up an average cost for an individual to deal with the results of a data breach (including their own personal time), then by law set the liability of the data collector per individual exposed at either that average or the actual documented costs, whichever is greater, plus legal costs and fees. 50 million records exposed at an average cost of $200 per person to fix? Total liability starts at $10 billion and goes up from there, plus lawyers' fees on top of that. No trying to figure a reasonable total penalty, you take the reasonable cost per individual and multiply it by the number of individuals and the company's responsible for contacting all individuals affected.
On the post: Prosecutors Charge Suspect With Evidence Tampering After A Seized iPhone Is Wiped Remotely
Re: Is there a deadhand option?
There isn't an easy way to set up an automatic wipe like you describe, but many phones have an option to encrypt the storage (internal and SD card) so that a password has to be entered during boot before the phone can even read it's own storage. You'd combine this with a scheduled-reboot app (requires a rooted phone to work) that would trigger a restart of the phone at a certain time each day. You could use a remote-power-off app as well, but doing it automatically on a preset schedule avoids the issue of you having to actively do something after the phone was confiscated. I'd have to dig into whether there's software out there that could invalidate the decryption credentials (forcing a re-entry of the password) if the device is idle for longer than a set time (something like the lock screen, but operating at the hardware layer rather than the level of the UI and external interfaces).
On the post: Texas E-Voting Machines Switching Votes For Non-Nefarious But Still Stupid Reasons
Re:
Have to agree. "Don't enable the Submit button before the form's completely ready to be submitted." is a standard thing for any Web page or application. If that button does anything before the form's completely loaded and rendered, the developers failed even India Consulting Firm Coding 101.
On the post: Apple Demands Retraction Of Bloomberg's Big 'Chip Infiltration' Story; Bloomberg Has Some Explaining To Do
Re: Response to: TKnarr on Oct 20th, 2018 @ 4:08pm
As to #2, these chips were installed in the Ethernet connector itself. That means they have access to the physical Ethernet so they can inject their own packets in between legitimate packets. And if you'd read the article, the extra network traffic that would imply was exactly how they were in fact detected according to the author.
As to #1, go look up the specs for Intel's chipsets like the current X299. They include on-board network hardware (specifically an Intel I219) which is connected to the Ethernet connector itself via a PCIe x1 and the SMBus. That would give hardware embedded in the Ethernet connector a nice neat line into the hardware's internals.
And perhaps it might be a lot of money. Maybe. Remember that this is China, which specializes in manufacturing chips for electronics manufacturers. I'm pretty sure their government could fund a fab line for the necessary chip, they could probably even piggyback it onto an existing fab line other companies were paying for. Installing it in every Supermicro board manufactured in China wouldn't be expensive, it's just a small tweak to the cost they're already charging Supermicro to manufacture the boards after all. Putting it into every board would actually make it less likely to be detected since there'd be no anomalies in the components to be noticed and the chip is probably on the original blueprints labelled as something innocuous so anyone checking would see that the connector's exactly as specced. You'd need to actually peel the chip apart before you'd find any hint of anything wrong. Or be monitoring for unusual network traffic, and that's often difficult as there's so much and only the most paranoid would go to that effort. Your targets wouldn't be the high-security networks that'd be the main places that'd spot that traffic either, they'd be the lower-security stuff in big datacenters where you can scoop up information from the commercial side where security isn't nearly as tight. Set the chip up to do a limited number of time-delayed pings at first power-up and shut itself off if it didn't get a response and by the time anyone looking notices the traffic and goes hunting for the source the trail's gone cold.
As for juicy, remember that the government contracts out almost all of it's military hardware. You may not be able to steal the designs from the government, but scoop up the info on what the civilian subcontractors are making for the contractors making the hardware and you can get a pretty good idea what's being delivered. Plus the sheer monetary value of simple commercial espionage, of course, and commercial security is a complete joke as we've witnessed time and time again.
On the post: Apple Demands Retraction Of Bloomberg's Big 'Chip Infiltration' Story; Bloomberg Has Some Explaining To Do
https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found- in-u-s-telecom
This article covers something that appears different from the original article. It looks plausible: the extra chip is in the connection between the Ethernet connector itself and the internal NICs in the CPU, which'd give it both network access and potentially access to the PCIe bus and/or the internal bus connecting components within the CPU. In a multi-layer motherboard I can see hiding some extra traces that'd be sufficient to give the chip enough access to monitor memory and the hard drives. Add in the claims that the technique was also found in NSA leaks back in 2013 (the TAO catalog from the NSA's Advanced Network Technologies group) and it looks like it falls into the "I really don't want to think they did that, but I can see too many ways they can feasibly do it and I know the potential payoff would be enough to tempt even a saint" category.
On the post: Google's Location Info Failure Might Interest The FTC
It's probably that the wording is controlled by the marketing and legal departments, who aren't intimately familiar with the internals of the various products. The engineers, who truly know what's going on under the hood, aren't consulted until after the fact (if then). There's also the disconnect in world-view: to the engineers the fact that Weather stores location data in it's own data storage for it's own purposes isn't relevant at all to whether that same data appears in the Location History storage. As long as Weather doesn't feed the data to Location History, the statement that turning off Location History makes Location History stop recording your location is correct even though Weather is still tracking your location so it can show you the weather in places you visit regularly. To make matters worse, I suspect the average smartphone user's understanding is closer to the engineers' than the lawyers' so you end up with not one but two layers of translation errors.
On the post: Appeals Court: No Immunity For Border Patrol Agent's Murder Of 16-Year-Old Mexican Citizen
I think, though, that agent Schwartz would do well to cancel any plans he has for vacations in Mexico for the foreseeable future.
On the post: We're Bad At Regulating Privacy, Because We Don't Understand Privacy
I'd like to note something that's skipped over here: the nature of the choice companies/platforms give users. All the transparency and control in the world is useless if the choice offered is "give us permission to do anything/everything or don't use our platform/website". Hobson's choice is no choice at all most of the time.
On the post: Accused Pirate Tries For Attorney's Fees After Copyright Troll Attempts To Run Away From Discovery
Re: "Would you look at that, seems I need to leave RIGHT NOW."
I think judges should start enforcing the rule that once the defendant files anything in the case, even just a response, the plaintiff can't voluntarily dismiss the case anymore without the defendant agreeing to the dismissal. Along with an explicit rule that says the fact that the defendant refused to agree to a dismissal may not be used to the defendant's detriment at any later point in the case (ie. no more saying that if the plaintiff offers to settle and dismiss the case and the defendant rejects it and ends up winning less than the settlement offer the defendant's treated as having lost).
On the post: Denuvo Martyrs Voksi Using Bulgarian Police In What Will Surely Be The End Of Denuvo's Troubles
Re:
Remember that their plan isn't to protect their DRM against cracking. It's to protect their ability to sell their DRM to game companies. I'd even bet that their financial people see the DRM being cracked as a revenue opportunity: version N of it being cracked means the game companies have to shift to version N+1, which being a major version upgrade requires buying a new license.
On the post: The View From Somewhere: The Press Needs To Be Anti-Partisan, Not Bi-Partisan
When it comes to "balanced" reporting, I just remember what Robert Heinlein had several of his characters expound: the second best way to lie convincingly is to tell the truth but not all of it. Report the facts but omit some crucial ones so that people reading the material will get a distorted view and jump to incorrect conclusions.
A lie of omission is still a lie.
On the post: Latest Denuvo Version Cracked Again By One Solo Hacker On A Personal Mission
Re: Re: Re: It's not just games though
With Calibre there's no time spent on the book. You need a few minutes when you install the plug-in to configure it with the info from/for your reader. After that the plug-in operates in the background, silently removing the DRM as you import the e-book into Calibre. I haven't seen it add any appreciable time to the import either, so it's basically negligible overhead.
On the post: Probable Cause Doesn't Excuse Retaliatory Arrest, Supreme Court Rules
Re:
What'd be even better is if the court ruled that since the government has no authority to retaliate in this manner and the councilmembers knew or should have known this, their actions cannot have been in the course of their duties and they are personally liable for the damages (and if they want the city to pay they'll have to sue it themselves).
On the post: Open Source Industry Australia Says Zombie TPP Could Destroy Free Software Licensing
I think the out is in the fact that the prohibition is on a party requiring disclosure of source code owned by a different party. In the case of open-source licenses, the party requiring the disclosure is the one who owns the code. In such a case they wouldn't be demanding disclosure of source code owned by a different party and the prohibition wouldn't apply.
On the post: HBO Wins Stupid Copyright, Trademark Lawsuit Brought By Graffiti Artist Over 2 Seconds Of Background Scenery
Re: Re: Amusing
The idea isn't to get a ruling about whether it's de minimis fair use. The idea is to get a ruling that the defendant (HBO) can't raise de minimis fair use as a defense either because they've themselves prevailed on the claim that de minimis use is still infringing or (better, because it'd apply to all media companies and not just HBO) that de minimis use doesn't make it fair use. This would hit the media companies hardest because they have the widest variety of possible-fair-use occurrences in their product and are open to claims from the largest number of copyright holders.
On the post: HBO Wins Stupid Copyright, Trademark Lawsuit Brought By Graffiti Artist Over 2 Seconds Of Background Scenery
I almost wish the plaintiff's attorney had gone and found cases where HBO had made the same sort of "any use is infringement, no matter how minor" argument and won, and used that to shoot down HBO's defense here just to drive home to the media companies the point that their idea of how copyright works is just as dangerous for them as it is for the public.
On the post: As Intermediary Liability Is Under Attack, Stanford Releases Updated Tool To Document The State Of Play Globally
Re: Re: Better yet…
That isn't intermediary liability though. The government decided where to place the crosswalk, so they'd be directly liable for their choice. Intermediary liability would be holding the contractor who painted the crosswalk where the government told him to liable for the government's choice.
On the post: Facebook Derangement Syndrome: The Company Has Problems, But Must We Read The Worst Into Absolutely Everything?
Re: Who appoints the arbiters?
It's not so much that the firms have a built-in bias in favor of Facebook as that Facebook's the only party that can select arbitration panels and it deliberately selects panels that favor Facebook. Basically case 2 quickly and inevitably becomes equivalent to case 1 unless the selection process is designed to prevent any single party from having sole control of the selection of arbitration panel.
Knowing how things have gone in the binding-arbitration area, I'm inclined to believe any businessman's proposal of another arbitration system will go the same way until I'm presented with evidence to the contrary.
On the post: As Expected Senate Overwhelmingly Passes Unconstitutional SESTA Bill, Putting Lives In Danger
Re: Predicting DOOM beyond all reason. A boy who cries werewolf!
No, it's that under the new law platforms will do less policing or more likely no policing at all simply because that's the only way to avoid being run out of business by lawsuits and criminal charges. Such an improvement.
On the post: German Lawyers Call For Their Profession's Bug-Ridden, Soon-To-Be Mandatory, Email System To Be Open Sourced
Next >>