This is the same thinking that gives you the idea of a "golden key" - A backdoor (sorry, "Framework") that weakens people's privacy, but is magically only usable by one government's TLAs, because China immediately asking for a copy of the key "because terrorism" is of course unreasonable and requires a presidential statement to that effect....
Under the UK's RIPA, the police are perfectly entitled to connect to any website, then demand the https secret key from any individual in their jurisdiction who has (or can obtain) that key (they need to connect first as they need a data set that is encrypted with the key to justify the demand); that doesn't need a new law or ruling, it's an already existing non-judicial warrant route (and has a gag order attached in the NSL style)
As I understand it, many police departments have already set their budgets around estimated "income" from seizures; the loss of that money could impact all the nice toys they pl.. I mean, policing. yeah, that's it.
that this is actually aimed at "pass4sure" type websites, where memorizing the asked questions is a common method to acquire the actual question lists without having to sneak a camera or other recording device into the exam.
they are claiming copyright on the specific questions and answers, rather than the base study material that is supposed to impart the learning to pass the exam - but it does put them in the odd position that remembering what questions you took is a violation of their copyright (rather than, for example, the act of reproducing their exam questions from memory)
And more so; much of the law that the NSA is struggling to get passed is already in force here, and many laws that have passed are simply to work around the EU demands that the UK *stop* doing such things unless they have a law that explicitly permits it...
The UK is often more of a test lab for US policies than a country in its own right.
I don't see this as a good idea. Lets say you have a site that is competing with other similar sites on content; it is purely a provider of info (so no user submissions or logins to worry about) but has lost pagerank to another site that has better content.
To improve your google rankings, you can either:
a) add or update content to improve the quality of your site
b) buy a worthless https certificate (for $150/year or so)
While I am a strong believer that https should be applied wherever appropriate, I am not sure "everywhere" is appropriate.
It is being made plain that the apparatus of other countries (UK to a great extreme, but also Germany etc., plus the constant accusations against Chinese companies) is just as untrustworthy; fold in some obvious staged "victories" like *one* NSL being withdrawn when Microsoft challenged it (out of the dozens they no doubt get) and statements like Microsoft's declaration recently that they have *never* been even asked to add backdoors to their products (which was later debunked by statements from staff familiar with, for example, Bitlocker) and there is a blatant attempt to wash away the stigma of being under the US Intel thumb by misdirection and outright lies...
This is a snowball thing. There is now so much money riding on it (particularly disgorgement of illegally obtained fees) TW can't afford to *not* fight any attempt to invalidate the copyright - and given that, there is no additional cost (to them) of continuing to demand fees;
I suspect also that executives are either fooling themselves that they can somehow just declare HB to be public domain, tell the court the issue is moot (as it is now public domain) and walk away, should they be faced with a lawsuit like this one -or- Have a golden parachute deal where they can walk away with a big payoff and move to another equally abusive copyright maximalist, because after all, it's the *company* that did this, not them, right?
Sort of. In practice, they can't force him to leave the embassy grounds, but *can* revoke his diplomatic credentials (if any) and order him to leave the country.
That means if he takes one step outside the embassy gates, he can be seized and escorted to the nearest airport (but yeah, he can sit in the embassy as long as he wants)
Problem is, TLS is largely opportunistic; in the past, when I needed to force a connection to NOT be secure, I have simply hidden the STARTTLS offer in the EHLO response (literally rewrote that packet to read STARTTTT) and the link proceeded without attempting a secure handshake.
In cases where TLS *is* begun, actually checking the proffered certificate is the exception, not the rule - some will actually check expiry or domain name match, almost none will verify the CA chain (so a self-signed is fine) - again, this makes interception easy.
Adding this step does help - it means that attackers need to perform an active attack replacing some or all of the traffic, rather than passively recording - but it isn't much more than a speed bump against a determined attacker with ISP router access.
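As an added example (written for this page; it is not DaveHowe's code nor taken from any mail server or client), the following Python shows the two weaknesses the comment above describes: an EHLO reply whose STARTTLS line has been overwritten in transit with a same-length string, which an opportunistic client simply treats as "no TLS offered", and the difference between a TLS context that verifies the CA chain and hostname and one that accepts any certificate. The EHLO reply is constructed, and the helper names (parse_ehlo, strip_starttls, decide, strict_tls_context, lax_tls_context) are this example's own.

```python
"""Opportunistic STARTTLS vs. required STARTTLS, and lax vs. strict
certificate checking. Added example; helper names are illustrative."""
import re
import ssl

# Constructed sample: a typical multi-line EHLO reply from a server that
# offers STARTTLS. Not captured from any real host.
EHLO_RESPONSE = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(response: str) -> set:
    """Return the set of extension keywords advertised in an EHLO reply.

    The first 250 line is the server greeting, not an extension, so skip it.
    """
    exts = set()
    for line in response.splitlines()[1:]:
        m = re.match(r"^250[ -]([A-Za-z0-9]+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def strip_starttls(response: str) -> str:
    """The on-path tamper the comment describes: overwrite the keyword with
    a string of the same length, so TCP sequence numbers stay consistent and
    no packet needs to be re-sized, but the client no longer sees the offer."""
    return response.replace("STARTTLS", "STARTTTT")


def decide(response: str, require_tls: bool) -> str:
    """Client policy on an EHLO reply: 'tls', 'plaintext' or 'abort'.

    An opportunistic client (require_tls=False) falls back to plaintext when
    STARTTLS is absent, which is exactly what the stripping attack relies on.
    A strict client aborts instead, so the attacker gets nothing to read.
    """
    if "STARTTLS" in parse_ehlo(response):
        return "tls"
    return "abort" if require_tls else "plaintext"


def strict_tls_context(cafile=None) -> ssl.SSLContext:
    """Context that verifies the CA chain, the hostname and a modern version.
    cafile=None uses the platform trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_tls_context() -> ssl.SSLContext:
    """What 'almost none will verify the CA chain' looks like in code: any
    certificate, self-signed included, is accepted. Shown for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_chain(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an untrusted or mismatched cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    tampered = strip_starttls(EHLO_RESPONSE)
    for label, reply in (("original", EHLO_RESPONSE), ("tampered", tampered)):
        print(label, "opportunistic ->", decide(reply, require_tls=False),
              "| strict ->", decide(reply, require_tls=True))
    print("strict context verifies chain:", context_verifies_chain(strict_tls_context()))
    print("lax context verifies chain:   ", context_verifies_chain(lax_tls_context()))
```

Running it shows the tampered reply sending the opportunistic client down the plaintext path while the strict client aborts; in a real client the strict context would be passed to smtplib's starttls() so that a self-signed or wrong-name certificate from an interceptor is refused rather than silently accepted.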
Oddly...
Re: Would this be a DMCA worthy use?
Well, given....
b) The NSA apparently has no issues with sharing that database with "five eyes" partners
I would think that odds are good that foreign spies have better access to the official system than this private one...
Re: Hubris...
Of course...
Should be fun
Re: flying bombs
a) the same could apply to cars, vans, baby carriages..
b) people who are going to break the law ANYHOW, won't care too much if the FAA have approved their usage or not...
I am assuming....
GCHQ has always been "NSA Lite"
Sadly,...
PR Offensive has already long since started, now in full swing
Certainly sounds like
If only there was some app you could use to determine just how big of a dick he rea.... oh, wait....
:)
I am just assuming...
(untitled comment)
Because they have a wealth of blackmail material on those who are supposed to be regulating them?
Re: Re: Corrupt UN and Corrupt USA
Re: Wrong headline
I think it is more interesting...
At least the USA is doing *something* right./div>
TLS
Already here..
https://www.mailvelope.com/
(although the firefox version doesn't seem to work with the current release of firefox, the chrome version works just fine)
Audit guys are backpedaling a bit but..
https://twitter.com/matthew_d_green/
His original tweet was:
"We are considering several scenarios, including potentially supporting a fork under appropriate free license, w/ a fully reproducible build."
But later followed up with:
"Just for the record, we are not 'forking Truecrypt'. We plan to audit it and perhaps organize (financial) support around such an effort."
Now, there IS a fork in the process of creation over at http://truecrypt.ch/ but as it is in the early stages of the process, and the Audit guys have yet to complete the rest of their study of the app crypto, it would be better to leave this on the back-burner until we know what bugs need to be fixed....
Techdirt has not posted any stories submitted by DaveHowe.