This is the same thinking that gives you the idea of a "golden key" - A backdoor (sorry, "Framework") that weakens people's privacy, but is magically only usable by one government's TLAs, because China immediately asking for a copy of the key "because terrorism" is of course unreasonable and requires a presidential statement to that effect....
Under the UK's RIPA, the police are perfectly entitled to connect to any website, then demand the https secret key from any individual in their jurisdiction who has (or can obtain) that key (they need to connect first as they need a data set that is encrypted with the key to justify the demand); that doesn't need a new law or ruling, it's an already existing non-judicial warrant route (and has a gag order attached in the NSL style)
As I understand it, many police departments have already set their budgets around estimated "income" from seizures; the loss of that money could impact all the nice toys they pl.. I mean, policing. yeah, that's it.
that this is actually aimed at "pass4sure" type websites, where memorizing the asked questions is a common method to acquire the actual question lists without having to sneak a camera or other recording device into the exam.
And more so; much of the law that the NSA is struggling to get passed is already in force here, and many laws that have passed are simply to work around the EU demands that the UK *stop* doing such things unless they have a law that explicitly permits it...
I don't see this as a good idea. Let's say you have a site that is competing with other similar sites on content; it is purely a provider of info (so no user submissions or logins to worry about) but has lost pagerank to another site that has better content.
It is being made plain that the apparatus of other countries (UK to a great extreme, but also Germany etc, plus the constant accusations against Chinese companies) is just as untrustworthy; fold in some obvious staged "victories" like *one* NSL being withdrawn when Microsoft challenged it (out of the dozens they no doubt get) and statements like Microsoft's declaration recently that they have *never* been even asked to add backdoors to their products (which was later debunked by statements from staff familiar with, for example, Bitlocker) and there is a blatant attempt to wash away the stigmata of being under the US Intel thumb by misdirection and outright lies...
This is a snowball thing. There is now so much money riding on it (particularly disgorgement of illegally obtained fees) TW can't afford to *not* fight any attempt to invalidate the copyright - and given that, there is no additional cost (to them) of continuing to demand fees;
Sort of. In practice, they can't force him to leave the embassy grounds, but *can* revoke his diplomatic credentials (if any) and order him to leave the country.
Problem is, TLS is largely opportunistic; in the past, when I needed to force a connection to NOT be secure, I have simply hidden the STARTTLS offer in the EHLO response (literally rewrote that packet to read STARTTTT) and the link proceeded without attempting a secure handshake.
On the post: Hillary Clinton Finally Answers Questions About Her Email... And It Only Raises More Questions
Oddly...
On the post: Elsevier Appears To Be Slurping Up Open Access Research, And Charging People To Access It
Re: Would this be a DCMA worthy use?
On the post: How Hillary Clinton Exposed Her Emails To Foreign Spies... In Order To Hide Them From The American Public
Well, given....
b) The NSA apparently has no issues with sharing that database with "five eyes" partners
I would think that odds are good that foreign spies have better access to the official system than this private one...
On the post: Why Online Attacks By Nations Are Problematic: Enemies Can Learn From Your Digital Weapons, Then Turn Improved Versions Against You
Re: Hubris...
On the post: EU's 'Counter-Terrorism Co-ordinator' Finally Says It: Force Internet Companies To Hand Over Their Crypto Keys
Of course...
On the post: Eric Holder Cuts Off Program That Helped Spur Police Asset Seizure 'Shopping Sprees'
Should be fun
On the post: The Interesting Thing About Google's Delivery Drones Is Not The Drones, But Massive Societal Shift They Envision
Re: flying bombs
a) the same could apply to cars, vans, baby carriages..
b) people who are going to break the law ANYHOW, won't care too much if the FAA have approved their usage or not...
On the post: Licensing Boards Think Studying For A Test Is Copyright Infringement, Forbid Memorization Of Material
I am assuming....
they are claiming copyright on the specific questions and answers, rather than the base study material that is supposed to impart the learning to pass the exam - but it does put them in the odd position that remembering what questions you took is a violation of their copyright (rather than, for example, the act of reproducing their exam questions from memory)
On the post: EU Lawyers Confirm 'General And Blanket Data Retention Is No Longer Possible' In European Union
GCHQ has always been "NSA Lite"
The UK is often more of a test lab for US policies than a country in its own right.
On the post: Google Now Using HTTPS As A (Very Slight) Ranking Signal In Search To Encourage More Encryption
Sadly,...
To improve your Google rankings, you can either:
a) add or update content to improve the quality of your site
b) buy a worthless https certificate (for $150/year or so)
While I am a strong believer that https should be applied wherever appropriate, I am not sure "everywhere" is appropriate.
On the post: Report Says Backlash From NSA's Surveillance Programs Will Cost Private Sector Billions Of Dollars
PR Offensive has already long since started, now in full swing
On the post: Chubby Checker Checks His Lawsuit Against App That Checks Your Chubby
Certainly sounds like
If only there was some app you could use to determine just how big of a dick he rea.... oh, wait....
:)
On the post: Lawsuit Filed To Prove Happy Birthday Is In The Public Domain; Demands Warner Pay Back Millions Of License Fees
I am just assuming...
I suspect also that executives are either fooling themselves that they can somehow just declare HB to be public domain, tell the court the issue is moot (as it is now public domain) and walk away, should they be faced with a lawsuit like this one
-or-
Have a golden parachute deal where they can walk away with a big payoff and move to another equally abusive copyright maximalist, because after all, it's the *company* that did this, not them, right?
On the post: NSA On Snowden's Claims Of Passing Around Nudie Pics: We Totally Wouldn't Allow That... If We Knew About It
Because they have a wealth of blackmail material on those who are supposed to be regulating them?
On the post: Remember That Report About WIPO Misconduct That WIPO Tried To Censor Through Bullying? It's Been Leaked
Re: Re: Corrupt UN and Corrupt USA
On the post: Germany Expels Top US Intelligence Official, Says It Will (Officially) Spy Back On US And UK
Re: Wrong headline
That means if he takes one step outside the embassy gates, he can be seized and escorted to the nearest airport (but yeah, he can sit in the embassy as long as he wants)
On the post: Guardian Installed SecureDrop Outside The UK, Due To Legal Threats
I think it is more interesting...
At least the USA is doing *something* right.
On the post: Shamed By Google's Email Security Transparency Report, Comcast Is Rushing To Better Encrypt Emails
TLS
In cases where TLS *is* begun, actually checking the proffered certificate is the exception, not the rule - some will actually check expiry or domain name match, almost none will verify the CA chain (so a self-signed is fine) - again, this makes interception easy.
Adding this step does help - it means that attackers need to perform an active attack replacing some or all of the traffic, rather than passively recording - but it isn't much more than a speed bump against a determined attacker with ISP router access.
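The two weaknesses this comment describes (a client that silently falls back to cleartext when STARTTLS is not advertised, and one that never validates the CA chain) are shown below in an added example that is not the commenter's code or any mail product's. It parses two constructed EHLO replies, one of them with the STARTTLS keyword rewritten the way the comment describes, enforces a "no TLS, no delivery" policy, and builds an SSL context that rejects self-signed or mis-named certificates; `mail.example.test` and the extension list are made up.

```python
import ssl
from typing import List, Set

# Constructed EHLO replies, not captured from any real server.
EHLO_NORMAL = [
    "250-mail.example.test Hello client",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 8BITMIME",
]
# The same reply after an on-path rewrite of the STARTTLS keyword.
# An opportunistic client sees no offer and just proceeds in cleartext.
EHLO_STRIPPED = [
    "250-mail.example.test Hello client",
    "250-SIZE 35882577",
    "250-STARTTTT",
    "250 8BITMIME",
]


def ehlo_extensions(lines: List[str]) -> Set[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    exts = set()
    for line in lines[1:]:  # line 0 is the server greeting, not an extension
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            exts.add(line[4:].split()[0].upper())
    return exts


def tls_offered(lines: List[str]) -> bool:
    """True only if the server really advertised STARTTLS."""
    return "STARTTLS" in ehlo_extensions(lines)


def require_tls(lines: List[str]) -> bool:
    """Enforcing policy: abort instead of falling back to cleartext."""
    if not tls_offered(lines):
        raise ConnectionError("server did not offer STARTTLS; refusing cleartext")
    return True


def verifying_context() -> ssl.SSLContext:
    """Context that validates the CA chain and hostname, the check the
    comment notes most mail clients skip. A self-signed cert fails here."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

With the standard library's `smtplib`, the same policy is `ehlo()` followed by a check of `has_extn("starttls")` and then `starttls(context=verifying_context())`, so that a stripped offer or an unverifiable certificate stops the session rather than downgrading it.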
On the post: Google To Enable End-To-End Email Encryption, Highlight Good Email Security Practices
Already here..
https://www.mailvelope.com/
(although the firefox version doesn't seem to work with the current release of firefox, the chrome version works just fine)
On the post: Security Experts Looking To Possibly Fork And Rescue TrueCrypt
Audit guys are backpedaling a bit but..
https://twitter.com/matthew_d_green/
His original tweet was:
"We are considering several scenarios, including potentially supporting a fork under appropriate free license, w/ a fully reproducible build."
But later followed up with:
"Just for the record, we are not 'forking Truecrypt'. We plan to audit it and perhaps organize (financial) support around such an effort."
Now, there IS a fork in the process of creation over at http://truecrypt.ch/ but as it is in the early stages of the process, and the Audit guys have yet to complete the rest of their study of the app crypto, it would be better to leave this on the back-burner until we know what bugs need to be fixed....