Re: Good old playing to the gullible
Thinking about it, they'd still be able to invest in foreign businesses with no US presence, since, technically, those businesses wouldn't be subject to Section 230.
Of course, that might not be a great look for the state.

...and this is why backdoors mandated for law enforcement are bad
From the article:
"U.S. officials say Huawei Technologies Co. can covertly access mobile-phone networks around the world through “back doors” designed for use by law enforcement"
Yup. They're talking about "Communications Assistance for Law Enforcement Act" (CALEA) Lawful Intercept interfaces. These are backdoors built into telco equipment specifically in order to allow for easy electronic surveillance in accordance with US Federal Law.
Information about those standards is available here: https://ndcac.fbi.gov/file-repository/listandardscip-1.pdf/view
So the US Government is claiming that a telco equipment vendor (Huawei, in this case) has the ability to access the backdoors the US Government requires be built into telco equipment, to which the short reply should be:
"Of course they do - Huawei is required by the US Government to install the back door, which necessarily gives them access to the source code supporting it, and therefore access to the LI interface."
Funny that other, US-based telco equipment vendors in the exact same position aren't also being held up as spies.
This is a timely, real-world example of why "good-guy access only" crypto is a bad idea - provided by none other than the US Government itself.

Re:
It's definitely circumstantial, but a win7 VM that I use on a regular basis got an updated version of c:\windows\system32\crypt32.dll this morning after I ran Windows Update on the system.
The timestamps on the file show a modification date of 12/10/2019 12:32AM, and a local file creation date of 1/14/2020 11:32AM.
I'm pretty sure that file hadn't been touched since I did a new install on the VM back in the June time frame, and outside of this vulnerability there aren't a lot of reasons that MS would have re-built it and distributed it if it hadn't been subject to the same vulnerability.

Re: A major HIPAA violation
Actually, it's a little simpler. These companies don't fall under HIPAA.

Re: Data protection
If the EU government is anything like the US government, every major law along the lines of GDPR is going to have carve-outs for law enforcement.
In the US, it's practically boilerplate language.

Re: Re: HIPAA
Actually, the trigger for HIPAA coverage isn't actually medical treatment, it's insurance billing. (Remember, it's the "Health Insurance Portability and Accountability Act".)
Covered Entities are generally directly associated with insurance billing, and Business Associates get looped in by providing services to Covered Entities.
There are a limited number of places that offer medical services and are strictly private payer, so they wouldn't come under HIPAA unless they're also working in conjunction with a CE.
23andMe, Family Tree DNA, etc, don't bill insurance, so they don't fall under HIPAA as Covered Entities. And since their tests aren't CLIA validated, there's pretty much no chance of their results being used in clinical decision making, so they almost certainly don't have Business Associate Agreements in place with any Covered Entities.

Re:
Google isn't a covered entity, but if the doctor publicizes the fact that this person actually did visit him in a professional capacity, that would violate HIPPA laws.
1/ HIPAA, Not HIPPA
2/ HIPAA would probably be a factor, but it's not a given. There are a few cases where HIPAA wouldn't be in play, legally speaking.
3/ Google does sign Business Associate Agreements with HIPAA Covered Entities, which means there are instances where HIPAA is a factor for Google.
4/ Even if HIPAA isn't in play, there should be at least one and possibly several licensing/accrediting bodies that are.
5/ HIPAA and 1-star reviews notwithstanding, this guy is going to put himself out of business with his own actions. And deservedly so.

(untitled comment)
I'd wager the answer is "not many".

Re: He did more than deprive someone of their liberty falsely
Realistically speaking, a police officer getting fired for their conduct is about as "Maximal" as it gets when there's no loss of life involved.

Re: Re: Re: PureVPN was recommended by TechDirt
Fortunately, I just use it for hiding from my ISP and not for privacy.
This is the piece most people miss - they fail to accurately determine what their threat model is, and then get upset when they pick the wrong countermeasure(s).
VPNs are not one-size-fits-all.
PureVPN is probably just fine if you're trying to hide your porn habit from your moderately technical partner/spouse/parent/child, hiding your job search from your boss, want to watch the newest episode of the Orville from a geo-restricted IP address, or just don't want Verizon selling your browsing history to a marketing firm.
If you're planning on doing something where subpoenas or warrants could get involved, VPN Platforms recommended by sites like Techdirt are probably not your best option. Additional research (from a location not trivially tied to you) is strongly recommended.

Re: Re:
The VPN logs only showed when he was online, and from what IP addresses, and at what times.
In other words, the VPN logs only contained metadata.
This is a perfect example as to why it's so disingenuous when the Law Enforcement and Intelligence communities claim it's no big deal because they're only collecting metadata and not content.

Re: Re: Re: Re: Re: Use a VPN!
Exactly. Duration of the stream would be an indicator, as well.
If the telco sees multiple sequential constant-ish rate downloads with minimal return traffic, lasting either 20-23 minutes or 45-49 minutes (standard 30/60 minute US tv time block, minus commercials), they can be reasonably certain it's video.
Coupled with many VPN platforms being trivially fingerprinted and identifiable by the types of network equipment in use by telcos, it gets to be pretty easy to either QOS the user or the VPN platform down to an "acceptable" rate by the telco.
They don't have to be exact, just close enough. And since 3rd party VPN performance is generally pretty lacking, being locked to a 10mbps stream may not actually be noticeable to the user.

Re: Re: Re: Use a VPN!
I'd suggest that it's a mistake to equate the technical capabilities of an overworked, multi-tasked School District network administrator with the technical capabilities of a telco network analyst.
Yes, you can tunnel everything except the metadata.
Having worked on the telco engineering side: Metadata is pretty much always sufficient to perform whatever network management function is needed. If Verizon wants to rate limit video traffic encapsulated in an IPSec, SSL, l2tp, or whatever tunnel technology, it's a safe bet that they can.

Re: Use a VPN!
Leaving aside the question of finding a VPN platform that can be used to stream 4k video, it should be noted that a VPN doesn't necessarily help here.
Practically speaking, there are a limited # of activities one can utilize a mobile phone for that will consume as much data as a video stream on a sustained basis.
If you run a 1080p or better video stream over your mobile device for any real length of time, Verizon will be able to make some very intelligent guesses as to what you're doing without having to know the specifics.
Cue Rate Limiting.

Re: Wait....
From a technical perspective, Verizon is probably using QOS to rate limit streams identified as Netflix traffic to 10mbps.
The Netflix client registers packet loss and sends feedback to Netflix, which then downgrades video quality until the client no longer reports dropped packets. This results in a graduated step-down in video quality from 4k -> 1080 -> 720 -> 480.
On the Verizon side, it's just math: determine how much bandwidth is needed for each video tier and drop anything above that value.

Re: Another reason to cord cut
With Netflix, you can watch (some content) _on_ the plane, as well, as long as you've had enough foresight to download it to a tablet/phone ahead of time.

Re:

(untitled comment)

We're back to Correlation vs. Causation
"They would get the phone and lock themselves in their room and change who they were," he said.
With one of his sons, then 12, he thought the problem became bad enough to warrant taking the phone away.
Yeah. A 12 year old boy locking himself away in his bedroom is more likely to be caused by puberty than a smartphone.

Re: Hmm
More likely, it's this:
(from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
My money is that they're trying to pare down the scope of the breach to get under that 500 record mark, so that they don't have to go on the 5:00 news to advertise it.
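The "Use a VPN!" and "Wait...." comments above argue that a carrier never needs to see inside a tunnel: flow shape alone (sustained downstream rate, rate stability, minimal return traffic, episode-length duration) is enough to tag a stream as video, and capping it per quality tier is "just math". The Python below is an added illustration of that threat-model point; it is not code from Techdirt, the commenter, or any carrier. The thresholds, the per-tier bitrates in `TIER_KBPS`, and the flow records are constructed assumptions chosen to make the heuristic's behaviour visible, and the `TunnelFlow` record is a stand-in for whatever per-flow counters real equipment exports.

```python
"""Flow-shape heuristic: telling a video stream from other traffic using tunnel
metadata only (duration, downstream rate, rate stability, up/down byte ratio).
Added illustration; thresholds, tier bitrates and flow records are constructed
assumptions, not any carrier's real policy."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class TunnelFlow:
    label: str               # constructed label for the reader; an operator only sees numbers
    down_kbps_per_sec: list  # per-second downstream rate samples, kbit/s (constructed)
    up_ratio: float          # upstream bytes / downstream bytes over the flow (constructed)


# 30- and 60-minute US TV blocks minus commercials, as stated in the comment.
EPISODE_WINDOWS_S = ((20 * 60, 23 * 60), (45 * 60, 49 * 60))

# Assumed per-tier bitrates (kbit/s) for the "just math" step-down, highest tier first.
TIER_KBPS = (("4k", 15000), ("1080", 5000), ("720", 3000), ("480", 1500))


def in_episode_window(seconds):
    """True when a flow's duration falls inside one of the episode-length windows."""
    return any(lo <= seconds <= hi for lo, hi in EPISODE_WINDOWS_S)


def classify(flow, min_rate_kbps=1500, max_cv=0.2, max_up_ratio=0.05):
    """Return ("video" or "other", reasons) from flow shape alone; payload is never inspected."""
    samples = flow.down_kbps_per_sec
    duration = len(samples)  # one sample per second
    avg = mean(samples)
    # Coefficient of variation of the per-second rate: the "constant-ish" check.
    cv = pstdev(samples) / avg if avg else float("inf")
    reasons = []
    if avg < min_rate_kbps:
        reasons.append("average rate too low for video")
    if cv > max_cv:
        reasons.append("rate not constant (bursty)")
    if flow.up_ratio > max_up_ratio:
        reasons.append("too much return traffic")
    if not in_episode_window(duration):
        reasons.append("duration does not match an episode length")
    return ("video" if not reasons else "other", reasons)


def longest_video_run(flows):
    """'Multiple sequential' streams: longest run of consecutive flows that look like video."""
    best = run = 0
    for flow in flows:
        run = run + 1 if classify(flow)[0] == "video" else 0
        best = max(best, run)
    return best


def highest_tier_under_cap(cap_kbps):
    """Best quality tier whose assumed bitrate fits under a QoS cap, or None if none fits."""
    for name, kbps in TIER_KBPS:
        if kbps <= cap_kbps:
            return name
    return None


# Constructed flow records (per-second downstream samples), all inside the same tunnel.
EPISODE = TunnelFlow("22-min episode", [3800 + (i % 7) * 60 for i in range(22 * 60)], 0.01)
BULK_DOWNLOAD = TunnelFlow("5-min file download", [20000] * (5 * 60), 0.01)
VIDEO_CALL = TunnelFlow("22-min video call", [1500 + (i % 5) * 50 for i in range(22 * 60)], 0.9)
WEB_BROWSING = TunnelFlow("22-min browsing", [8000 if i % 2 == 0 else 0 for i in range(22 * 60)], 0.02)

if __name__ == "__main__":
    for flow in (EPISODE, BULK_DOWNLOAD, VIDEO_CALL, WEB_BROWSING):
        verdict, reasons = classify(flow)
        print(f"{flow.label:22s} -> {verdict:5s} {'; '.join(reasons)}")
    print("binge run length:", longest_video_run([EPISODE, EPISODE, WEB_BROWSING, EPISODE]))
    print("tier that fits under a 10 Mbps cap:", highest_tier_under_cap(10000))
```

Only the episode-shaped flow is tagged as video: the download is too short, the video call sends too much back upstream, and browsing is bursty. Under an assumed 10 Mbps cap the 4k tier no longer fits and the "just math" step lands on 1080, which is the graduated downgrade the comment describes. Nothing here looks at a single payload byte, which is the point: a tunnel hides content, not shape.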
Techdirt has not posted any stories submitted by sigalrm.