Domain: dubfire.net
Stories and comments across the archive that link to dubfire.net.
Comments · 21
-
Re:Mozilla Goes Evil, Film at 11
The only thing they "backed off" from was a default setting. Big deal.
Paid for by Google Ads. Yeah, it's a problem.
IIRC, they were the first to even include that feature in their browser.
It was a proposed government standard. It was first implemented by collaborators after that meeting, and a plugin published for download on Mozilla's homepage. So no, they were not the first. Mozilla was the first browser to have it included, but that was not because of the Mozilla Foundation.
AFAIK there is still no other browser that offers such functionality. Not even Ghostery does the same job.
All browsers save cookies. There are documented ways of recovering them; for obvious reasons. Sorry.
How? How have they "infected" it?
The same way rich lobbyists infected Congress.
Mozilla was not always getting most of its revenue from Google,
Which means nothing in the present, in which they are.
Google isn't "giving" them the money, it's from ads,
No, Google is giving them money. But don't take my word for it; it's in the FAQ for their financial statements. Just browse down to the question "How does Mozilla generate revenue?"
The majority of Mozilla's revenue is generated from search and commerce functionality included in our Firefox product through all major search partners including Google, Bing, Yahoo, Yandex, Amazon, Ebay and others. Mozilla's reported revenues also include very important individual and corporate donations and grants, which are growing significantly, as well as other forms of income from our investable assets.
and Google's disappearance tomorrow would not make Mozilla "implode". They'd just have to advertise elsewhere.
Yeah. 90% of their revenue dries up and it's just a simple matter of pointing their ad servers to a new place...
I think you have extremely grossly overstated your case.
But I don't think I have "extremely grossly overstated" anything... in fact, if anything, I was trying to understate things to avoid flames from idiot fanboys who think their youthful idealism is shared by the companies whose products they use. But as that has failed, I'm reverting to my usual brand of bluntness. So with that in mind: I think you've been smoking more crack than the Toronto mayor. You were wrong on every point you made, and not just a little.
-
Re:LOL alternatives
Disingenuous. "They DO not pass through supernodes" is not the same as "They CAN not pass through supernodes."
Microsoft had at that time already obtained a patent describing recording agents that can be placed in a multitude of devices, including routers. There is also the note of a recording agent software that represents “a software module that logically and/or physically sits between the call server and the network.” According to Microsoft, the agent will have access “to each communication sent to and from the call server,” which clearly refers to the general infrastructure of a VoIP service and network.
Disingenuous. "They DO NOT pass through supernodes" clearly says that calls do not pass through supernodes, whether they can or not. Furthermore, the patent on recording agents is completely irrelevant - it's clearly something useful for.. oh, I don't know... Unified Communications Systems like Lync.
The only conclusion you can make is that:
While we don't know the full details of how Skype handles its key exchange, what is clear is that Skype is in a position to impersonate its customers, or, should it be forced, to give a government agency the ability to impersonate its customers. As Skype acts as the gatekeeper of conversations, and the only entity providing any authentication of callers, users have no way of knowing if they're directly communicating with a friend they frequently chat with, or if their connection is being intercepted using a man in the middle attack, made possible due to the disclosure of cryptographic keys by Skype to the government.
http://paranoia.dubfire.net/2012/07/the-known-unknows-of-skype-interception.html?m=1
Actually, no, that's not the only conclusion you can make. It's the only conclusion that you are willing to make, because you're a tinfoil hat nutter.
-
Re:LOL alternatives
This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes)
Disingenuous. "They DO not pass through supernodes" is not the same as "They CAN not pass through supernodes."
Microsoft had at that time already obtained a patent describing recording agents that can be placed in a multitude of devices, including routers. There is also the note of a recording agent software that represents “a software module that logically and/or physically sits between the call server and the network.” According to Microsoft, the agent will have access “to each communication sent to and from the call server,” which clearly refers to the general infrastructure of a VoIP service and network.
“The U.S. Patent and Trademark Office published a Microsoft patent application that reaches back to December 2009 and describes ‘recording agents’ to legally intercept VoIP phone calls. The ‘Legal Intercept‘ patent application is one of Microsoft’s more elaborate and detailed patent papers, which is comprehensive enough to make you think twice about the use of VoIP audio and video communications. The document provides Microsoft’s idea about the nature, positioning and feature set of recording agents that silently record the communication between two or more parties.”
The only conclusion you can make is that:
While we don't know the full details of how Skype handles its key exchange, what is clear is that Skype is in a position to impersonate its customers, or, should it be forced, to give a government agency the ability to impersonate its customers. As Skype acts as the gatekeeper of conversations, and the only entity providing any authentication of callers, users have no way of knowing if they're directly communicating with a friend they frequently chat with, or if their connection is being intercepted using a man in the middle attack, made possible due to the disclosure of cryptographic keys by Skype to the government.
http://paranoia.dubfire.net/2012/07/the-known-unknows-of-skype-interception.html?m=1
-
Tech journalists: Stop hyping unproven security...
Tech journalists: Stop hyping unproven security tools
Monday, July 30, 2012 | Christopher Soghoian
http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html
http://static.guim.co.uk/sys-images/Media/Pix/pictures/2010/3/25/1269523445370/Austin-Heap-001.jpg
"Preface: Although this essay compares the media's similar hyping of Haystack and Cryptocat, the tools are, at a technical level, in no way similar. Haystack was at best, snake oil, peddled by a charlatan. Cryptocat is an interesting, open-source tool created by a guy who means well, and usually listens to feedback.
In 2009, media outlets around the world discovered, and soon began to shower praise upon Haystack, a software tool designed to allow Iranians to evade their government's Internet filtering. Haystack was the brainchild of Austin Heap, a San Francisco software developer, who the Guardian described as a "tech wunderkind" with the "know-how to topple governments."
The New York Times wrote that Haystack "makes it near impossible for censors to detect what Internet users are doing." The newspaper also quoted one of the members of the Haystack team saying that "It's encrypted at such a level it would take thousands of years to figure out what you're saying."
Newsweek stated that Heap had "found the perfect disguise for dissidents in their cyberwar against the world's dictators." The magazine revealed that the tool, which Heap and a friend had in "less than a month and many all-nighters" of coding, was equipped with "a sophisticated mathematical formula that conceals someone's real online destinations inside a stream of innocuous traffic."
Heap was not content to merely help millions of oppressed Iranians. Newsweek quoted the 20-something developer revealing his long term goal: "We will systematically take on each repressive country that censors its people. We have a list. Don't piss off hackers who will have their way with you."
The Guardian even selected Heap as its Innovator of the Year. The chair of the award panel praised Heap's "vision and unique approach to tackling a huge problem" as well as "his inventiveness and bravery."
This was a feel-good tech story that no news editor could ignore. A software developer from San Francisco taking on a despotic regime in Tehran.
There was just one problem: The tool hadn't been evaluated by actual security experts. Eventually, Jacob Appelbaum obtained a copy of and analyzed the software. The results were not pretty -- he described it as "the worst piece of software I have ever had the displeasure of ripping apart."
Soon after, Daniel Colascione, the lead developer of Haystack resigned from the project, saying the program was an example of "hype trumping security." Heap ultimately shuttered Haystack.
After the proverbial shit hit the fan, the Berkman Center's Jillian York wrote:
I certainly blame Heap and his partners -- for making outlandish claims about their product without it ever being subjected to an independent security review, and for all of the media whoring they've done over the past year.
But I also firmly place blame on the media, which elevated the status of a person who, at best was just trying to help, and a tool which very well could have been a great thing, to the level of a kid genius and his silver bullet, without so much as a call to circumvention experts.
http://blogs-images.forbes.com/jonmatonis/files/2012/07/web_chat.png
Cryptocat: The press is still hypin'
In 2011, Nadim Kobeissi, then a 20 year old college student in Canada started to develop Cryptocat, a web-based secure chat servi
-
Re:What a waste!
Lots of people do this without getting caught.
http://www.dubfire.net/boarding_pass/
Glad they are closing this loophole, it is one of the very few things the TSA has done or is doing that makes sense.
-
Re:Editor Fail
Could be the guy listed here:
http://www.dubfire.net/
-
Re:TSA abridges First, not just Fourth, Amendment.
You can board a plane without ID.
-
How about people who complain all over slashdot...
...like that boarding pass thing, and other stuff, and then that story last Wednesday. I wouldn't want to be that guy and flying on a plane.
:D
-
T-Mobile owned by Deutsche Telekom
I find this very interesting because privacy researcher Chris Soghoian noted in a recent blog post that T-Mobile was the only major US wireless carrier that wasn't logging IP addresses and visited URLs of its users. He was lamenting the fact that AT&T's takeover would further erode privacy. Guess not, eh?
-
ID has a Hologram, but my Boarding Pass is Fake
A perfect example of how the security theater does nothing to improve security and is just fake is the boarding pass checker.
They check to make sure my ID has a hologram, but my boarding pass is a printout and can be easily faked. http://www.dubfire.net/boarding_pass/
You could have someone with a "clean record" buy a ticket and then easily alter the boarding pass to show the name of the actual person intending to fly even if they are on the no fly list.
In this case collecting the DOB of all passengers, checking for ID, etc. is all worthless.
-
Re:This misses the point
Here is an article about how the TSA does *NOT* have the right to ask you for ID. Even their own in-house legislative guy says this. There is a copy of the letter he sent out on TSA letterhead stating that.
http://news.cnet.com/8301-13739_3-9769089-46.html
http://files.dubfire.net/warner-tsa.pdf
Should make for some interesting fun at the airport if everyone starts doing this. LOL
-
Re:Happened in the 1970's in Boston
Meet the new boss, same as the old boss. This kind of thing has always gone on, makes you wonder why suddenly now it's "news" doesn't it? Redirecting public attention from economic disaster, unpopular wars or just the beam in their own eye?
-
trojan conspiracies
better tin foil hat reading:
http://paranoia.dubfire.net/2009/04/current-red-hat-linux-employee-fedora.html
-
Oh no...
-
Oh for Christ's Sake!
-
WOOOOAHH - Story is Flamebait
"With Steve Jobs' recent announcement of his intention to fight off the independent iPhone developers" - There was never any such announcement. Jobs was talking about SIM unlocking, not software use. RTFA.
"The question worth asking is: How will Apple try to defeat the hackers: Software updates, or lawsuits?" - That's not a question worth asking. Jobs has said it's a "cat-and-mouse" game. That means continual updates, continual hacks, continual further updates, etc.
"Will Apple risk losing its most frequently (ab)used legal tool, the Digital Millennium Copyright Act, in order to try and punish the developers of the iPhone unlocking tools?" - Link? Show where they've abused the DMCA, and then show that it's the tool they use most often. I'm betting they use keyboards more often. Hyperbole is NOT NEWS. This site is FOR NEWS. Save the trolling for comments.
"This CNET article explores the legal issues involved in this, which make it perfectly legal to reverse engineer your own iPhone, but illegal to share your circumventing source code with others." - No, it doesn't. It strokes the ego of a graduate student IN A NON-LAW-RELATED FIELD. See Chris Soghoian, Resume, available at http://www.dubfire.net/resume.html.
Furthermore, the submitter is in violation of rights under copyright law belonging to c|net and/or Chris Soghoian; the "summary" takes direct quotes from the c|net article linked by it.
Signed,
140.247.x.x
-
Re:You are incorrect
Wrong. You have obviously never seen a search warrant before. They are not a generic search "free pass" for the cops. It must state specifically what they are looking for, and the location.
Look here for a quick example noting page two the Attachment A part.
Or here for the Duke Lacrosse search warrant. Notice the "description of items being seized" section.
Or here if you want to see the search warrant for the Virginia Tech shooter. Notice the first blank is where they fill in the location, and the second blank under "for the following property, objects, and/or persons".
-
Re:And what would our founding fathers say?
By giving up liberty, we may be safer from terrorists, but we are less safe from our government, causing us to have neither Liberty nor Safety.
Really? Do you really think we are safer from terrorists?
No. We're no safer, and probably we are less safe from terrorists than we were before the existence of DHS and TSA. In the meantime, if you read the linked articles you'll find that not only are we less safe from terrorists, at the same time, we're less safe from our own government.
And that is what Ben Franklin (or possibly Richard Jackson) meant when he said that "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety".
-
Re:/ob "Your an idiot"
First off, this isn't software, and he's not "releasing a malicious tool". Yea, the web-page generates a fake boarding pass, but I see this more as a proof-of-concept for the inexperienced. As someone mentioned earlier, this could have also been done with a photocopier (and a myriad of other methods).
This whole thing (war against terror, "security" for freedom, TSA practices) is political. He's just keeping this in the arena that it started in. As if he had created a solution*, how would you expect him to "give the ability" to correct it.
The best way I can see to do that is to make a big enough stink about it that someone notices.
*oh wait, he did!
From his page
How do we fix this glaring security hole?
- Give TSA employees scanners/computers, so that they can verify the validity of the boarding passes when you reach the security checkpoint. This is currently only done at the gate.
- Do NOT allow people to print out boarding passes online. They're far too easy to spoof.
- Stop assuming that just because you know who someone is, you know if they're a terrorist or not. Most of the 9/11 hijackers were not on the no-fly list, and none of the recent London liquid bomb-plot guys were on the no-fly list.
-
Flash Update: The FBI is at The Door
Chris reports that the FBI is knocking on his door. The boarding pass generator is also (at least temporarily) down.
-
correction
Mr. Soghoian's website confirms that he's a student in information security. Thus it's no longer obvious why the university shouldn't defend him if need be.