Slashdot Mirror

You try all possible inputs at a rate of 180 billion combinations per second. Thus the attack knows precisely what the original password was in only 26 minutes, which fits the definition of "reversing" the hash in no more than 26 minutes.

Ok. That is fast. Still - there are two md5 hashes with a salt added - so it would likely take 52 minutes - although I think you could call that a distinction without a difference.

How do you reverse an MD5 hash if it is not?

You try all possible inputs at a rate of 180 billion combinations per second.

For an 8 character alphanumeric with a few symbols, thats about 48 bits of entropy, which equates to 1564 seconds (26 minutes) to try every single possible input. Since you used a 128-bit hash on 48 bits of entropy, the odds are very very very good that only one single input will result in the stored MD5 hash.

Thus the attack knows precisely what the original password was in only 26 minutes, which fits the definition of "reversing" the hash in no more than 26 minutes.

Indeed...

Here is a 25 GPU cluster that can go after MD5 hashes.

The cluster can try 180 billion combinations per second against the widely used MD5 algorithm

Realize that an 8 character password is only about 48 bits of entropy, so if you find a key that hashes to that 128-bit MD5 hash code then its almost certain that that is in fact the password and not just a random collision. I am appalled at the horrible password "protection" practice in use today. In the 1980's we knew better and didnt store the entire god damned hash.

That's exactly the problem CAs solve.

That's exactly the problem the commercial CA's *cause* when they co-operate with oppressive governments. http://arstechnica.com/security/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users/

Govâ(TM)t, certificate authorities conspire to spy on SSL users ... which meant that CAs must be handing over certificates so that they could be used with the device.

What I gathered from the Ars Technica article is that for a lot of things, the phone just acts like a remote sending instructions on where to obtain the stream. If you pass it a YouTube video, the Chromecast will directly contact YouTube for that video and not pass through your phone. I assume it does the same thing for Netflix. I'm not quite sure what it does for video and audio stored on the phone... does it copy that video and audio to the cloud then stream it from there or does it pass it directly from the phone to the Chromecast. I would think that in the case of content already stored on the phone that it will just stream directly from the phone, but unless there are more specifications released, I'm not 100% sure.

The reverse also happens - you can get DMCA takedowns on objects to print. And this happened years ago.

http://arstechnica.com/tech-policy/2011/04/the-next-napster-copyright-questions-as-3d-printing-comes-of-age/

What we're seeing is basically the same thing with software patents - immense twisting of IP laws to cope with stuff that really never occurred before.

After all, you used copyright for stuff you wrote, and that stuff you wrote was typically a book, a play, music, whatever, meant to be enjoyed by others. Or it could be an ancillary book like an instruction manual.

And patents usually applied to things that did stuff (not counting design patents) - utility patents. Machines that took something as input, ground through it, and produced something at the output.

But now you have written things that do machine things - software that is hardware (e.g., RTL). Software that replaces hardware (e.g., in machines where software replaces complex mechanical movements), software that creates hardware (3D printers). It's really never occurred before in the known history - we have created something revolutionary - software.

Hell, even in the old CNC days the CNC code was never an issue since they're usually customized for the machine and generated (either manually or through automation) from the basic CAD file.

We live in interesting times ,and really, IP laws need to be revised because we can't squeeze software as either a copyright or a patent thing - it just leads to the mess we're in now.

Could you link to those announcements please?

There are lots of Canonical announcements about machines coming preloaded with Unbuntu. Not many shipments.

• "Canonical Partners with ASUS for Ubuntu Linux" (2011) "This is part of a new engagement and it's great to be working with such an innovative player," Chris Kenyon, vice president OEM Services at Canonical told InternetNews.com. "To put this in perspective we are now working directly with Asus, Lenovo, Dell and Acer on enabling systems."
• "Dell to offer Ubuntu on a select assortment of budget computers" (2007) "Dell announced plans today to offer Ubuntu Linux 7.04 preinstalled on "select consumer products." Dell has at various times offered some overpriced Linux options, but never a "budget" one. Dell currently offers a Ubuntu laptop for developers. It costs $1549 and will ship Real Soon Now. The same machine is available now with Windows for $999.
• "Ubuntu To Ship on 5% of All PCs Sold Next Year" (2012) Yeah, right.

There are other tablet and phone Ubuntu announcements, which you can find with Google. Someone is taking "pre-orders" for a Ubuntu tablet for delivery in late 2013.

Despite all their press releases, Canonical seems unable to get any manufacturer to ship a preloaded Ubuntu machine in volume.

The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

No, because cracking passwords, even salted one, is ridiculously easy. Hell, take a well salted database, a stolen password list, and a way to compute the password. You can probably find a good chunk of accounts with the basic set of passwords.

Salting just prevents the use of rainbow tables, which means cracking passwords takes a few hours instead of a few seconds. Hell, you probably could use one of those bitcoin miner ASICs to do it - cracking passwords is really just computing hashes, and the R&D in computing hashes faster and faster means hashed and salted passwords are getting easier to crack.

Ars Technica details it better.
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The "strongly encouraged to change the password on the other service" bit is perhaps an open admission that they didn't salt; or maybe it's an admin lacking knowledge of the salt/no-salt situation and playing it safe by warning users. Still disappointing.

No, because cracking passwords, even salted one, is ridiculously easy. Hell, take a well salted database, a stolen password list, and a way to compute the password. You can probably find a good chunk of accounts with the basic set of passwords.

Salting just prevents the use of rainbow tables, which means cracking passwords takes a few hours instead of a few seconds. Hell, you probably could use one of those bitcoin miner ASICs to do it - cracking passwords is really just computing hashes, and the R&D in computing hashes faster and faster means hashed and salted passwords are getting easier to crack.

Ars Technica details it better.
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Hindsight is 20/20. Here are a few things Microsoft should have done:

• - Listen to users before releasing Win8, not wait until Win8.1 to start "listening"
• - Listen to users when market testing the first run of Surface ads, not wait until reviewers have panned the ads, the product, and the OS, and then start making decent ads
• - Listen to users before forcing UEFI Secure Boot (without an unlock), not wait until there is an uproar to say oops, change the Win8 logo requirements (desktop PCs escape armageddon... for now)
• - Listen to users before forcing always-on connected DRM with the new Xbox, not wait until there is an uproar then take some more things away from their platform
• - News flash! Listen to your shareholders! and get rid of Ballmer (ok, clearly there has not been a full scale shareholder revolt. yet.)
• - Listen to users who are jumping ship for Google and Apple, to see if a more humble Microsoft could win some of them back

Instead it's more of the same old Ballmer monkey tricks.

Somewhere it helps to be ahead of the curve and not chronically behind it. Listening is good, yes, but who was Apple listening to when they created the iPhone? MS completely lacks anything close to that kind of vision or innovation. They wait for others to innovate, see if its making money, then jump in and try to grab marketshare. That worked in the '90's. It doesn't work now. A moron could see the RT was DOA.

• - Listen to users before releasing Win8, not wait until Win8.1 to start "listening"
• - Listen to users when market testing the first run of Surface ads, not wait until reviewers have panned the ads, the product, and the OS, and then start making decent ads
• - Listen to users before forcing UEFI Secure Boot (without an unlock), not wait until there is an uproar to say oops, change the Win8 logo requirements (desktop PCs escape armageddon... for now)
• - Listen to users before forcing always-on connected DRM with the new Xbox, not wait until there is an uproar then take some more things away from their platform
• - News flash! Listen to your shareholders! and get rid of Ballmer (ok, clearly there has not been a full scale shareholder revolt. yet.)
• - Listen to users who are jumping ship for Google and Apple, to see if a more humble Microsoft could win some of them back

Instead it's more of the same old Ballmer monkey tricks.

Admittedly, I've bookmarked this article for later perusal. That said, it strikes me that the following might already foot the bill:

http://arstechnica.com/information-technology/2012/05/codel-buffer-management-could-solve-the-internets-bufferbloat-jams/

Unlike other active queue management (AQM) algorithms, CoDel is not interested in the sizes of the queues. Instead, it measures how long packets are buffered. Specifically, CoDel looks at the minimum time that packets spend in the queue. The maximum time relates to good queues which resolve quickly, but if the minimum is high, this means that all packets are delayed and a bad queue has built up. If the minimum is above a certain threshold—the authors propose 5 milliseconds—for some time, CoDel will drop (discard) packets. This is a signal to TCP to reduce its transmission rate. If the minimum delay experienced by buffered packets is 5ms or less, CoDel does nothing.

The "paperwork" has never been lost—every shred of documentation is intact and on file. In fact, engineers at Marshall Space Flight Center have been spending the past year busily disassembling and working with components from several stored F-1 engines. They've constructed highly detailed CAD models of the engines, and even done hot firing on one of the gas generator segments.

I penned a very detailed piece on this over at Ars Technica earlier this year, including photos and video of one of the gas generator hot-fires. The piece includes multiple interviews with senior propulsion scientists at MSFC, and thoroughly debunks the "but the blueprints are lost!" urban myth.

The first stage rocket engine is not a complete rocket. Aruably the engine is very important, but many other things are important too. The underlying point is we can't built a Saturn 5 again. We would need to basically redesign the whole rocket to get there.

The "paperwork" has never been lost—every shred of documentation is intact and on file. In fact, engineers at Marshall Space Flight Center have been spending the past year busily disassembling and working with components from several stored F-1 engines. They've constructed highly detailed CAD models of the engines, and even done hot firing on one of the gas generator segments.

I penned a very detailed piece on this over at Ars Technica earlier this year, including photos and video of one of the gas generator hot-fires. The piece includes multiple interviews with senior propulsion scientists at MSFC, and thoroughly debunks the "but the blueprints are lost!" urban myth.

CyamogenMod Privacy Guard>/a>, it gives the applications you configure that way empty data for your contacts and other privacy important data. It works like Incognito/private mode on browsers

Except I think you're ignoring thermodynamics. Specifically, while performance has gone up exponentially, processing power/watt hasn't faired nearly as well--that is, it's on a much shallower line. Consider that today, the whole world's computing power combined isn't capable of cracking something like AES-128--a source from 2011 indicates the computational power of the world then at ~6.4*10^18 operations/second or ~2^63 ops/second which, even exceptionally optimistically, would mean ~2^64 (128-1-63) seconds to brute force a key.or ~585 years.

To get that figure down to under a year would require ~10 doublings. That'd take ~18 years, but performance/watt would only have doubled ~6.2 times. So, total power usage would have to go up 16 fold. And of course, that's all insanely optimistic given the truth that (a) most computers aren't replaced every time performance doubles, (b) not all those computers are under control of one organization, (c) even if they were, that'd mean 100% usage (GPUs too) devoted to the one task of cracking *one* key, and (d) actually cracking a key is probably at least two orders of magnitude off from what I'm figuring.

PS - This is all based on Server Trends and an Arstechnica article on world storage/computation power, so take from it what you will.

Google does it with wifi passwords. I assume they do it with other credentials too.
http://arstechnica.com/security/2013/07/does-nsa-know-your-wifi-password-android-backups-may-give-it-to-them/

All the nice sentences just to talk around full compliance with CALEA?
Its not like it was just some fax with a time, ip and port number from some city police department.. with an amazing letterhead.
http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
http://www.independent.co.uk/news/edward-snowden-claims-microsoft-collaborated-with-nsa-and-fbi-to-allow-access-to-user-data-8705755.html
http://www.salon.com/2013/07/11/snowden_docs_detail_collaboration_between_nsa_and_microsoft/
http://arstechnica.com/tech-policy/2013/07/nsa-taps-skype-chats-newly-published-snowden-leaks-confirm/
http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data
http://en.wikipedia.org/wiki/Usage_share_of_operating_systems
US Adult Computer and Adult Internet Users
http://www.census.gov/compendia/statab/2012/tables/12s1158.pdf
The tiny % number wrt to big US computer use number and US MS marketshare seem to add up :)
Interesting http://cryptome.org/2013-info/06/whistleblowing/whistleblowing.htm lists gov works, bankers, military, a call-centre-employee, health insurance PR, a few former NSA, CIA, FBI employees, people in sports and education, press, lawyers...
In this broad mix, how/why did so many within the US computer/CS/networking elite stay so silent? Did they feel it was just a domestic link to the FBI in continuous use?
Was the psychological profiling and testing of contractors near perfect Cash was great?
So few staff over so many product ranges over many years?

Google is Evil! For us Droid users, the Goog pulled all of our adblocking apps from the Play Store! Most of them require a user to be rooted so since you can sideload because of that, the blockers can now be found at the OSS App Store F-Droid!

They already tried to use the Fourth Amendment. Problem is you basically have to make the government admit to how they violated the fourth amendment:

"The EFF is demanding that the Justice Department immediately process the records previously requested under FOIA and are asking for the feds to compensate them for any attorney fees incurred in their lawsuit against the government.

'As Congress gears up to reconsider the FAA, the American public needs to know how the law has been misused," EFF Senior Counsel David Sobel says. 'The DOJ should follow the law and release this information to the American public.'" http://rt.com/usa/blanketing-spy-program-information-983/

More...

http://arstechnica.com/tech-policy/2012/08/court-ruling-that-nsa-spying-violated-4th-amendment-remains-secret/
http://ncjolt.org/eff-seeks-answers-from-secret-court-in-ruling-on-nsa-spying-violations/
https://www.eff.org/document/complaint-19

Here is an article on it from Ars Technica, for anyone who thinks I'm making this shit up.

I'm only half kidding. As much fun as it is to mock Yahoo for being, well... Yahoo, they certainly deserve all the brownie points coming their way for defending their users' privacy.

And while the EFF is handing these out, they ought to give one to this guy.

According to this comment in the ArsTechnica discussion of their report on this story, the plantiff is actually a suspended lawyer who was formerly deployed and is now dealing with mental illness.

Maybe the commenter is taking the piss, but really ... that's the only explanation that makes any sense.

According to this comment in the ArsTechnica discussion of their report on this story, the plantiff is actually a suspended lawyer who was formerly deployed and is now dealing with mental illness.

Maybe the commenter is taking the piss, but really ... that's the only explanation that makes any sense.

There is still telegraph service in India. It's just the state run provider shutting down.

Source

http://arstechnica.com/tech-policy/2013/07/nsa-taps-skype-chats-newly-published-snowden-leaks-confirm/

...will it bring up a Google map showing the closest bathrooms? :-)

ARM has been focusing on mobile platform architecture for much longer than intel, its like Honda trying to make a truck, sure they did do it but its nothing like a company making nothing but trucks from the get-go. Intel needs to stay right where they are king and keep that crown and stop trying to follow rabbit holes thinking they might find money where ARM is the clear leader down in those places.

Problem is, Intel's kingdom is shrinking and while it's the bread and butter, it won't be large enough to sustain them in the long term.

Like buggy whip manufacturers, Intel's having to evolve ,and that's what they're doing. There's tons of crap that's wrong with x86, and perhaps Intel's stubbornness to the architecture is the wrong approach, but they have to try something.

Right now, Intel's trying to shoehorn x86 into ARM's territory. Will they be successful? So far, not so much, but who knows?

And a little competition for ARM can't be too bad a thing. Heck, ARM's trying to do a bit of the same by going 64-bit and entering the server room.

Just to follow up, here's how the so-called "oversight" works in the NSA

http://arstechnica.com/tech-policy/2013/07/5-things-snowden-leaks-revealed-about-nsas-original-warrantless-wiretaps/

Though ultimately more than 3,000 people—mostly within the NSA—were read into the program, the initial secrecy around it was so intense that, notoriously, even the NSA’s own lawyers weren’t allowed to see the legal reasoning justifying it until 2004—something NSA officials themselves found strange.

That secrecy meant that the NSA’s own Inspector General—the agency’s primary internal watchdog—wasn’t cleared to know about the program until August 2002, nearly a year after it began. Even that appears to have been a reluctant concession; NSA Director Michael Hayden had to “make a case” to the White House for reading the IG in. As a result, it was not until February 2003 that the IG “learned of PSP incidents or violations that had not been reported to overseers as required, because none had the clearance to see the report.” The precise nature of those “incidents or violations” remains unknown.

then what, nothing in OSS land takes responsibility for itself

Red Hat does. Even Ubuntu will to some extent. Any time you want you can get paid support for OSS and, given the right support contract and money they really will take care of you properly. The definitely take responsibility for the things they promise. (N.B. your two dollar desktop license really doesn't promise much at all).

Its free it (sort of works) if it doesnt fix it your self or fuck off

And this is the thing. We have seen before that people were sent to jail for bugs in breathalyzers. In some cases people who claimed these bugs were in courts that demanded source; they were set free. In other cases the proprietary software companies behind the machines managed to get them locked away without a fair trial.

If the shit hits the fan with OSS you always have one more option and the possibility to approach multiple support suppliers. This won't happen for free and it likely won't be included in any existing agreements, however you may be happy for the chance to spend $15000 on software consultancy and not spend the rest of your life in some US State hellhole. Your proprietary software vendor will be thinking of all the other people that might sue about a bug like that and will never ever help you out of the problem.

You are obviously unfamiliar with the level or reliance the federal government has on contract companies. There are thousands upon thousands of businesses whose sole income is from developing and managing top secret projects. This isn't the first or the last case of highly sensitive information becoming public because of a contract employee.

Here's another example:
Contractor at fault for leaking the specs of the Presidential helicopter Marine One

A fairly cursory google search will net you a few more.

Yep - MitM works for public keys. In fact, Microsoft was caught as a MitM for encrypted Scype calls, and while I don't know exactly what encryption scheme they used, it is definitely a MitM attack.

Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away http://arstechnica.com/security/2013/06/encrypted-e-mail-how-much-annoyance-will-you-tolerate-to-keep-the-nsa-away/

Skype *was* secure until someone gave it to the NSA, oh well. Put on your Luddite shoes and go back to writing letters flooding the world with them and confound the nosy parkers while supporting the USPS.

Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away http://arstechnica.com/security/2013/06/encrypted-e-mail-how-much-annoyance-will-you-tolerate-to-keep-the-nsa-away/

But while we project our own ideas of law on other countries, often they have no such squeamishness about domestic spying.

I thought that, too, but in this case Le Monde called this program "perfectly illegal". I'm inclined to believe its editors understand French law better than I (an American) do.

According to an article on Ars Technica, salted hashes are no longer relevant - they are cracking the hashes anyway without using rainbow tables. Using SHA256 instead of MD5 has more benefits in this regard than salted vs. unsalted.

Read this: http://arstechnica.com/information-technology/2010/12/openbsd-code-audit-uncovers-bugs-but-no-evidence-of-backdoor/

The resulting OpenBSD code audit turned up multiple vulnerabilities, including serious ones introduced by employees at NETSEC, the company the FBI allegedly contracted to introduce the backdoors. Theo de Raadt interprets these vulnerabilities as mistakes, and maybe they were. But realistically a backdoor would be made to look like a mistake, as in the Underhanded C contest mentioned above.

No, parent post has a point.

Let me illustrate this with actual examples where patent trolls sued small businesses for using a modern office scanner to scan documents to e-mail.

The Project Paperless via AdzPro letter-writing campaign is a kind of lowest-common-denominator patent demand. Patent-licensing companies are going after the users of everyday technology rather than their traditional targets, the tech companies that actually make technology. Smaller and smaller companies are being targeted. ...Project Paperless and its progeny don’t have any interest in going after the Canons and the Xeroxes of the world. After all, they have patent lawyers on payroll already and are in a far better position to push back. Project Paperless' spawn—AdzPro, AllLed, GosNel, and the others listed above—exemplify the new strategy. They send out vast quantities of letters, mainly to businesses that never could have imagined they’d be involved in any kind of patent dispute. They send them from anonymous and ever-changing shell companies. And at the end of the day, they either file only a few lawsuits—as Project Paperless did—or none at all, which has been the AdzPro strategy thus far.

“Going after the end users may ultimately be more lucrative for them,” said one patent litigator at a technology company that's closely monitoring the AdzPro situation. “If they extract a small amount from each possible end user, the total amount might well end up being a much larger sum than they could ever get from the manufacturers. The ultimate pot of gold could end up being much bigger."

Or other cases where frivolous suits were filed against small businesses for the use of technologies like WIFI .

In typical patent troll style, these shell companies (with names like AdzPro, FanPar, and HunLos) are asking businesses and users for a few thousand dollars—far less than what litigation would cost—as a licensing fee for using this basic technology. Unwilling or unable to lawyer up, most choose the more convenient route of settling ...
Over the past few years, we saw Lodsys threaten and sue a number of app developers for using technologies provided that companies like Apple and Google require their app developers to use. More recently, a patent troll called Innovatio has been suing restaurants, hotels, and companies for using WiFi. Yes, that’s right. WiFi.

My point is twofold: 1) Patents are being abused by patent trolls, who do not create, nor provide any incentive to creators and 2) Patent abuse is spreading to cause great distress to the general public. I'm sure that some of these businesses, when threatened, would opt to forgo the use of technologies such as scanners, WIFI etc. Scaring people off with frivolous lawsuits from using technology that could improve their performance, efficiency, efficacy or make their lives better is blocking progress.

Did you miss the article about the rifle scope?

This has been discussed before. The idea is to provide extensions to allow DRM to be implemented without plugins. See:
http://arstechnica.com/business/2013/05/drm-in-html5-is-a-victory-for-the-open-web-not-a-defeat/
http://www.w3.org/TR/2013/WD-encrypted-media-20130510/

There's good and bad in most situations. Sure, these people were employed, but many didn't actually earn living wages and were more indentured servants that were forced to live in company dormitories, eat company provided food, and work so many hours that it was illegal even under Chinese standards. They also are forced into repetitive actions that caused carpal tunnel and exposed to chemicals that caused other effects. I will provide just one article citing the poor working conditions, but there are many others. http://arstechnica.com/apple/2012/09/foxconn-worker-riot-closes-factory/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+(Ars+Technica+-+All+content)

Does this really signal a growing shift?

The shift already happened a few years back when all RSA SecureID tokens were compromised.

What happened here with Opera is small potatoes compared to the SecureID fiasco.

OT but you can change the view to a single window. Maybe it should be the default, but it has been an option since 2010. It is not perfect, but if you want to whine about a missing feature, you should at least have the decency to recognise its addition within three years...

LibreOffice is just as good as Office for 90% of tasks. GIMP, on the other hand, is still a dystopian nightmare compared to Photoshop, for one main reason: separate windows for everything.

Except Gimp has had a single window mode since 2.8 introduces an optional single-window mode these are the release notes http://www.gimp.org/release-notes/gimp-2.8.html here is ars reviewing it http://arstechnica.com/business/2012/05/hands-on-testing-the-gimp-28-and-its-new-single-window-interface/ the latest version of Gimp was released on Just a week ago and is 2.8.6 http://www.gimp.org/.

Although Multiple windows not that big a deal...was never a problem for me on the Mac version of photoshop.

With a docking station a Galaxy Note 2 is more than powerful enough for web browsing / MS Office / email type stuff.

Since when is Microsoft Office ported to Android? I thought mobile Microsoft Office was exclusive to Windows Phone and Windows RT, just as Halo 3 is exclusive to Xbox 360. Even the port of LibreOffice can't be released yet because it's too big for Google Play Store.

Have you seen this?

Just what we need! Microsoft wedges themselves into the 3D printing chain and then they can start to block certain things from being printed.

I don't tend to use the internet (or my computer) in a way that would make me susceptible to most infections

Vast majority of malware attacks spawned from legit sites

. Amateur radio is designed to be self policing. If somebody starts sending commercial / illegal / inappropriate transmissions, other radio ops are supposed to help figure out where the transmission is coming from and cooperate with the FCC in finding the miscreant.

Also I believe several treaties address this issue, and the open-ness of ham transmissions are the only reason people can talk to hams in other countries. Even during the height of cold war suspicions and distrust, you could talk to hams in the former USSR, as long as you talked about nothing at all, or radios or fishing or what ever.

That's not to say every conversation about fishing was really about fish.

Once you allow encryption, this presents a problem for other hams in other countries, they may be banned from talking to you even on unencrypted transmissions.

But seriously, when you have the NSA reading everyone's email, and mere use of PGP encrypted mail gets you on a watch list, I just can't see the same government enabling encrypted transmission by hams.

Big difference from Summery.

Qantas customers have the choice of installing the search tracker and are awarded up to
150 Qantas frequent flier points a month for doing so.

Summery makes it sound like Ubuntu's policy of sending all search results to Amazon to raise cash;
with no choice by users, nor reward of any sort.
http://arstechnica.com/business/2012/09/ubuntu-bakes-amazon-search-results-into-os-to-raise-cash/

Which legislation that is?

If you're talking US, I'll just link this comment over from Ars Technica.

TL;DR: It's illegal to intercept phones, everything else broadcasting unencrypted is fair game, as FCC decided when judging on this very case.