Leaked Memo Says Apple Provides Backdoor To Governments
Voline writes "In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India's Military Intelligence that has been liberated by hackers and posted on the Net. The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices.
The Indian government then "utilized backdoors provided by RINOA" to intercept internal emails of the U.S.-China Economic and Security Review Commission, a U.S. government body with a mandate to monitor, investigate and report to Congress on 'the national security implications of the bilateral trade and economic relationship' between the U.S. and China. Manan Kakkar, an Indian blogger for ZDNet, has also picked up the story and writes that it may be the fruits of an earlier hack of Symantec. If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"
The next time you text "i hacked my xbox!" to your friend, expect federal prison for life.
It's all a big setup. The Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices. Now any terrorist loses his rights as an American. The next war is at civil. No wonder the troops are coming back home.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
It is so stupid of Manan Kakkar to have totally ignored the issue and come up with a centralised biased opinion against Apple with the statement: "If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?."
Such an uninformed idiot not to have noticed how serious the issue is, but rather wants to gain publicity by making this big against Apple.
Ridiculous
I'm not a huge open source guru. I have nothing against it and I use open source software all the time. But I'm not a zealot on the subject. Still... this is unacceptable. If I buy a bit of software from apple or microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license. If they're going behind my back to sell my security to a third party... then I consider that a breach of contract and I'm really not amused.
If this is valid... and it hasn't been confirmed yet... then anyone that signed that agreement is untrustworthy.
Nothing else to say on the matter.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Is there any reason to believe that governments wouldn't put pressure on all OS vendors, telecom providers, etc that wanted to sell into their countries to do something like that? I'd be very surprised if very many cellphones sold in the USA don't have a way in for the Feds.
At the same time, if you are concerned about the possibility of backdoors, it's awfully easy to bury one deep in some standard hardware component that user space processes and most of the OS don't normally interact with. Since most of our cellphones and PCs (and GPSs and media boxes and cameras and ...) originate in China, what are the odds that they are not all compromised?
Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain
Just stop trusting closed source software and companies already!
How RIM, Nokia and Apple become just Apple is beyond me. Magic?
As if it was any different anywhere else...
That's what you get for using closed crap, biatches!
Natural selection is at it again!
The only way to be reasonably sure of security is by using open source encryption (TrueCrypt, PGP). If you're only using a "black box" system to protect your information, you should expect that governments (and crime syndicates who can bribe individual government employees) will have access to your information.
What's surprising is that anyone with secrets worth protecting doesn't already know this, or hasn't already hired someone competent enough to tell them this.
This smells of bullshit. Now a tweet and a few images are considered legit news? Couldn't just one journalist or blogger pick up the phone and get the "RINOA" comment on the matter? Or is it just easier to post conspiracy-laden speculation ending with a giant question mark?
This is what lawsuits are used for.
Why do you think China is the only one compromising our chips?
What did you "sign" when you click through the EULA? (e.g. "You agree that we can share information gathered from you with our affiliates . . . etc etc etc" )
How long do you think this will take to be implemented in the USA and the rest of the world? Honestly I doubt there isn't a backdoor in android, windows, etc, it is just a target too good for someone like the government of almost any country. When it becomes viable I don't see why they wouldn't do it at hardware level on PCs (UEFI seems a good target to me) and so on.
I would say that FOSS software would solve it but it would just move the problem to somewhere else, the problem is not the software being non-free, it is that there are people willing to do that kind of surveillance, and if they couldn’t do it via software they would find another way.
Unless you've personally verified every single line of code in the OS, you're not really better off. You're just hoping that others have verified every single line of code, and unless you've verified that they're all trustworthy, you're just hoping that's true, too.
...and in case anyone's thinking this is an astroturf troll, I use Linux, not Windows or Mac. I've exclusively used Linux for 11 years now.
You know, your well-argued and reasonable stance on this problem is what led many "open source zealots" like me into their present situation. In a functional legal environment you could use proprietary software and assume that such a breach of confidence would have such serious consequences for the companies involved that no one would dare to take the risk to put a backdoor in their software or to even make it possible. This is not however the case, this affair is one of many (CarrierIQ, Echelon, illegal-later-legalized wiretapping, Bluecoat, Amesys, etc...) and the only cure seems to be to use open source everywhere a backdoor could exist. And that means, mostly, everywhere.
Anyway, I like how you present it: "I'm not an open source zealot, I'm merely an opponent to secret backdoors"
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
If I buy a bit of software from apple or microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license.
HaHaHaHaHa, HoHoHoHoHo, HaHa, Hoooo....
Eh, turn your keyboard around, gullible is written under it.
There's no scientific consensus that life is important.
THIS is a VERY SERIOUS allegation!!! If it gets found out that OS X has a government backdoor, I'm immediately selling my MacBook Pro & iPhone and going bare bones, off the grid, just like John Connor...
I get your point, but if you think that "open source" is any kind of guarantee of security, you are sadly mistaken. Do you trust that the binaries supplied are not tampered with? Have you, or someone you trust, personally audited the code?
And how about the toolchain? If you haven't read it yet, I highly recommend Reflections on Trusting Trust by Ken Thompson. Prepare to lie awake at night...
I understand that RIM is mentioned in the article, but this is an Apple focused story.
"Helping to keep you two steps ahead of the Thought Police!"
Huh? How has a government or large corporation been wronged?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Open source is not much protection against spyware. Any device that has automatic upgrades of any description - open source or otherwise - is open to simple spyware installs with a subsequent upgrade to cover the tracks.
Well, you're slightly better off. Unless you expect a global conspiracy where every person who ever read the code and would talk about it has been bought or silenced.
The key is that it's heaps harder to slip a backdoor into OSS simply because far more people can (and do) examine it. The chance that someone finds it and reports it is simply by some margin higher.
How can anyone be so naive to assume that any system that is commercially produced in large numbers these days does *not* have in-built backdoors for the alphabet soup agencies? Living under a rock much, are we?
Same goes for Google, Facebook and all the rest. If you, even for one second, assume that the three letter agencies do not have permanent liaison staff at the HQs of these companies, and are not free to browse the data accumulated by these companies at will (including specially built data mining apps that cater for their needs, and their needs alone), you are seriously deluded.
Sorry to put it this bluntly, but reality can be a bit harsh at times.
The only real question is what to do about this status quo, and whether it is both possible, or realistic, to ever change it. All things considered, our society is arguably (still) the most free society on the planet. "They" are listening to everything, which is most definitely not the way it should be. But then, "they" have also not been hugely disruptive of discourse within society so far - mainly, I would wager, because "they" are mostly fairly normal citizens who work for the *** agencies. In particular, "they" are not a pampered, segregated elite of any sort, e.g. like the IT minions of the investment banking crooks^H^H^H^H^H^Hcrowd, or the secret service bastards of the former communist countries (who enjoyed considerable privileges beyond what normal citizens ever got). Rather, due to the never-too-stellar payment schemes of government services, the people in charge of all this are, by and large, fairly normal people. Most of them, at least. To quite some degree, I would wager that we can fairly safely count on that sort of people not being all too willing to cooperate in the creation of an actively evil 1984-ish state (as opposed to the passively listening one we have at the moment).
This is not to say that these developments are in any way positive. Nor is it to say that we should just roll over, and stop fighting developments like that. No way. We need to sharpen our instincts for (as it were) "digital freedom" much, much more. But as a part of this, we also need to be realistic about the status quo. Which is currently... odd: theoretically fairly evil, but in practice, apparently still fairly manageable.
Just my 0.2$
A.
Does anybody have a link to the original dump of documents "liberated" by hackers?
This back-door is available for Secret Service, among others. It can access your phone remotely and delete things without you knowing it even took place. Don't ask me how I got this info. If you are in doubt, verify it with other sources. The NSA-key incident shows Windows has something similar. Apple, Windows or the cloud (doh!) can't be trusted with secure information for any government except maybe USA. But, who's to say that China hasn't got copies of the source-code for Windows or Apple products? How many Chinese computer-experts does it take to reverse engineer these products? How cheap is it to hire these people in China? The people who made these back-doors depended on security by obscurity. Stupid people often make the false assumption that they are smart. It's not the last time you see something like this. Some might say that the solution is not to connect it to the Internet. The problem is that a CD or thumb drive with some new hacking software can compromise those systems with ease. You see, an unconnected system is not up to date security-wise.
I could have made a good career protecting secrets. But, I saw ahead. I chose a different path. Although trying to protect secrets might seem like easy and good money, it's the opposite. Transparency and accountability is the key. Say what you're doing, and don't do stuff that will enrage the public. I hope the world gives this a try some day. Although, I hardly expect it. Smart-phones are today the equivalent of a cavity-search of your privacy. People get that, and loathe their governments in return. Then we get protests in the streets. Not about this particular issue, but a general sentiment that everything is wrong with the government.
If a person were to help another government gain access to confidential data, it would be called treason. If APPLE or Nokia does it, it is OK? Can someone please explain that?
The shiny backdoors the US government was so keen on to spy on its own citizens are also used by foreign governments to spy on the US government. Maybe security and privacy is worth something after all.
Wouldn't the governments and companies involved just deny all accusations?
However, a true proof would be finding and preferably exploiting that backdoor.
You are forgetting that these companies are making hardware, not just software.
This is quite serious since if this trend continues, liberating projects such as Tor may become ineffective against repressive regimes.
And face it, the worst is not the possible surveillance by the ones that originally placed this. These people did invest significantly to place and hide the backdoor. They will use information gained from it only sparingly, to protect the source. After all, if they are caught possessing information that they can only have gotten this way, the backdoor becomes worthless.
IMO the real problem is if the backdoor can be used by others that do not have to protect their investment or respect laws (however flimsy). For an example of surveillance software made by people without much of a clue about security, look to the German "Bundestrojaner", recently analyzed by the CCC. Severe flaws include no authentication or encryption on data transfer, a hard-coded AES key that seems to be the same in all instances used for command transfer (still no authentication), and data-transfer via a foreign server (which is likely illegal). In addition, these cretins are of course not liable if somebody uses their backdoor and likely will not even notice.
Same old story: For a few temporary small benefits, people are willing to accept enormous potential damage. That is my personal definition of evil.
On the protection side: Use reputed open-source. There is at least some chance that somebody will notice a backdoor and that the person will not be easy to silence. And once somebody has found such a problem, anybody can verify it. Not so with closed-source. There it would be a lot more difficult to find anything, and then to get taken seriously as others cannot easily verify a finding. Some postings here already demonstrate that problem. In addition, use restrictive firewall settings and encryption. Difficult to do in a mobile setting, I know, so as a last measure, do not trust any device not under your own system-administration. In particular, do not trust any mobile phone or similar system. You may also want to add markers to any document you do put on potentially backdoored devices, so you can identify the source. This last step also helps against insiders leaking data.
Of course, if your secrets are transient and not worth risking the backdoor for (even for a third-party user of said backdoor), then you are probably reasonably secure. This should apply to most people for private use.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
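An added example (my own code, not the CCC analysis and not from any comment in this thread) of the flaw the Bundestrojaner post describes: command frames protected by a shared hard-coded key and encryption only, beside a hardened framing with a per-instance key and an HMAC tag. The Python standard library has no AES, so a SHA-256 counter keystream stands in for AES-CTR; the malleability shown holds for any stream/CTR cipher, and the key value and command strings are constructed placeholders.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a CTR-mode cipher: SHA-256(key||nonce||counter).

    Only the stream-cipher shape matters here; AES-CTR behaves the same way
    with respect to bit-flipping."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Placeholder for a key baked into every shipped instance (constructed value).
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def encrypt_only(key: bytes, command: bytes) -> bytes:
    """Weak framing: nonce || ciphertext. Nothing authenticates the frame."""
    nonce = secrets.token_bytes(8)
    return nonce + xor(command, keystream(key, nonce, len(command)))


def decrypt_only(key: bytes, frame: bytes) -> bytes:
    nonce, ct = frame[:8], frame[8:]
    return xor(ct, keystream(key, nonce, len(ct)))


def tamper(frame: bytes, offset: int, known: bytes, replacement: bytes) -> bytes:
    """Flip ciphertext bits so the plaintext at `offset` changes from `known`
    to `replacement`. No key is needed: this is what 'no authentication' costs."""
    assert len(known) == len(replacement)
    buf = bytearray(frame)
    for i, (k, r) in enumerate(zip(known, replacement)):
        buf[8 + offset + i] ^= k ^ r
    return bytes(buf)


def subkeys(instance_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one per-instance secret."""
    enc = hmac.new(instance_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(instance_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal(instance_key: bytes, command: bytes) -> bytes:
    """Hardened framing: encrypt-then-MAC, tag covers nonce and ciphertext."""
    enc_key, mac_key = subkeys(instance_key)
    body = encrypt_only(enc_key, command)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(instance_key: bytes, frame: bytes) -> bytes:
    enc_key, mac_key = subkeys(instance_key)
    body, tag = frame[:-32], frame[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed: frame rejected")
    return decrypt_only(enc_key, body)


def demo() -> tuple:
    cmd = b"STATUS:report.txt"  # constructed sample command

    # Weak path: the modified frame decrypts to a different command, silently.
    weak_frame = tamper(encrypt_only(HARDCODED_KEY, cmd), 0, b"STATUS", b"DELETE")
    weak_result = decrypt_only(HARDCODED_KEY, weak_frame)

    # Hardened path: per-instance key, and the same modification is rejected.
    instance_key = secrets.token_bytes(32)  # generated at enrolment, never in the binary
    strong_frame = tamper(seal(instance_key, cmd), 0, b"STATUS", b"DELETE")
    try:
        open_sealed(instance_key, strong_frame)
        strong_result = "accepted"
    except ValueError:
        strong_result = "rejected"
    return weak_result, strong_result
```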
When someone with OSX goes to prison because of info passed along to US government, it's a very small comfort that they can get their OSX licence money back because a breach of contract.
Nothing new here: http://en.wikipedia.org/wiki/Lawful_interception
You may not like that, but that's the way it is. Communications providers can be forced to provide back doors for "legal spying" by governments. All governments know this, and use other methods to protect "sensitive" communications. Any other stuff is, well, who cares?
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Unless you've personally verified every single line of code in the OS, you're not really better off.
Even if you do, you're not sure. Your compiler may be compromised. See: Reflections on trusting trust.
Manan Kakkar is a total Microsoft fan.
"[...] Proud to be a Windows Desktop Experience MVP.
I’ve had more luck with gadgets than girls. So till things even out, I am sleeping with gadgets.
I cover Indian IT for ZDNet, write about technology for Techie Buzz and irregularly do a podcast called Microsoft Talk. I used to be the editor for The Next Web's Microsoft channel.
[...]
Apple’s scorecard of WP7 inspirations and being a Windows Phone user using an iPhone, my first reaction was Apple copied Microsoft.[...]"
http://www.beingmanan.com/
Disgusting :D
I bought the OS. I bought the machine.
Technically, while you bought the hardware, you did not buy the OS.
With the machine, you've got the right to do whatever you please with it. (Modify, lease ...) Not so with the OS you believe you purchased.
Typically with proprietary software, you only buy a license to use it as-is, and you are not even entitled to study how it works, or even look for backdoors.
IMHO, this is the major problem with proprietary software, and an outrage that such agreements have any legal stance in a free-market society.
I'm just waiting for my ironymeter to jump to 11 when the US Government condemns the spying.
In Soviet Russia, I ruled you
an internal memo of India's Military Intelligence that has been liberated by hackers
Let's set the record straight: that memo was stolen.
Catalin Braescu
Ofaly.com
send squall to go set his bitch back in line.
-Noc
This is borderline FUD. Yes it's possible to poison the code but with a proprietary closed system it's damn near certain you're backdoored. If for nothing else than for the company who sells the software to keep tabs on it. It's in their best interests not to sell you out because loss of credibility means loss of revenue but if the stakes are high enough they can be persuaded. For this reason it's not a problem for the average Joe usually but if you have anything you want kept secure and the stakes are high you'd be a fool to rely on your proprietary OS being secure. Risk management rules apply.
... just look at the source oh, wait...
Scientia est Potentia
If I were involved in anything where security was paramount, I mean life or death basically, I'd certainly need to be sure of all my code and that would mean analyzing and compiling code. As for my own, individual security I feel more comfortable with a linux distro. It might be backdoored but I'm absolutely certain that Windows is compromised and I'm almost as sure about OS X.
Really, Android is open source, sure. But Android handsets run custom proprietary drivers and a layer on top of it and then, even for the open source part, you cannot really tell what was used to build them. So unless you install your own home-built Android version (including drivers), it is not better than any other system (from that point of view).
The memo was leaked. That shows a bad sign on the companies and government. So they are wronged by leaking the memo.
The best way OBVIOUSLY is to forbid the leaking of memos. Right?
Don't fight for your country, if your country does not fight for you.
Is anyone really surprised at a story that involves Apple and "open back doors"?
Ahem.
You are welcome on my lawn.
If I buy a bit of software from apple or microsoft, it has to be understood that I control the security. I bought the OS. I bought the machine. I own that license.
You seem to be laboring under a misconception. You do not OWN the software and there are conditions on the LICENSE TO USE THE SOFTWARE. You may own the machine, but you do not own the OS and you do not own the software. You have a license to use both and you have agreed to conditions of use spelled out in that license which include, in almost every case, the fact that the agreement can be changed by the licensor at any time for any reason and may include agreement by you to allow this kind of access.
You really should learn about how the software licensing and business works.
No need for a global conspiracy. You don't control what code is used to build your Android handset. The handset maker just tells you what base version they used and you need to trust them. Even on a vanilla Galaxy Nexus it would be trivial to slip a backdoor.
Maybe if you *write* your own compiler you'd be safe, but building it doesn't protect you from anything. The compiler you're using to compile the compiler might be compromised.
(Yes, it's been done...)
No sig today...
Exactly. Even the open source community is built on a massive foundation of blind trust, because perhaps one user in a hundred thousand will actually look at the source. Otherwise, no matter if it's open or closed, the average user says, "That looks neat, I'm gonna install that".
A personal anecdote: my open source theft recovery package for Macs has several thousand users. All of the source (with comments) is bundled with the installer, yet I often get questions from users about what the program does "under the hood", when they could easily learn the answer themselves by reading the source code.
The overwhelming majority of users seem to like open source because it's free, not because it is theoretically more secure. I might have been collecting private information from the users of my program for the past three years, and I often wonder if a single one of them would have bothered to check the source in all that time.
The best attack vector for any malware is incredibly simple: bundle it into something useful, and then give it away. You can guarantee that some people will install it (for the same reason they'll pick up and use a "lost" USB memory stick), because it is human nature to want to take advantage of something that is freely given.
"If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"
Yes and no. It's called 1394 (Firewire), and it has DMA access to read/write anything it wants, which includes retrieving encryption keys from ram of a running system, or tweaking a few bits here and there to kill a locked screensaver, for example.
When you read papers on high security environments that disable hardware ports by filling them with epoxy etc., this is what they are trying to stop (aside from obvious uses like copying files to something like a thumbdrive).
Enjoy! :)
Nothing has to be understood, you didn't buy the software you are renting it and the license agreement says so... It also says that you have no comeback against the company providing it. If you didn't like those terms, then you shouldn't have accepted them.
Companies exist to make profit, its only logical that they would sell you (a small fry) out to a large government willing to pay a lot more money and open up a potentially huge market to them. This is what companies do, welcome to capitalism.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If they gave India special access, then presumably they gave Israel special access!
So does Israel have the same ability to intercept comms that India apparently has? What about source code? Did Microsoft let Israel see Windows source code thus exposing Windows users to Israeli cyber-attack? Or OSX for that matter?
What you're all saying is that it's time to go back to two elderly gentlemen sitting on a park bench having a quiet chat.
Even if a backdoor is discovered, there's no guarantee that credibility will be lost... A smart backdoor would look like a bug and could easily be explained away as such... Exploitable security holes are commonplace, who's to say some of them weren't originally designed as backdoors?
I think as a practical matter, any spying done on devices outside of RIM would have to be at the cellular carrier level - and that wouldn't require the handset makers to cooperate at all. Blackberries all get routed through RIM's servers, but pretty much every other smartphone is just an Internet node.
In the same vein, I'd think that if it's on wifi there wouldn't be anything special that a backdoor would get. Maybe I'm just not paranoid enough.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Well Mr Smartypants, how are you going to "risk manage" your proprietary radio binaries?
Go read NDAA, shamelessly passed by Senate (both parties) and shamelessly signed by Obama little more than a week ago. It allows for indefinite military detention of people your lovely govt. calls "terrorists" without charges and without recourse to a court of law as they're free to ignore court orders. With NDAA passed, the US is now officially a police state of the kind it used to install in so many Latin countries in the past. You can kiss your freedoms goodbye as your constitution has now been torn down along with all its amendments.
I doubt the US military will use it to full extent at first as it would be a major PR disaster, but as time passes and popular anger at corporations/government grows you'll see more and more people in jail just for refusing to do what our corporate overlords want.
The key is that it's heaps harder to slip a backdoor into OSS simply because far more people can (and do) examine it. The chance that someone finds it and reports it is simply by some margin higher.
My thoughts exactly. If you think about this as a developer who wants to implement a backdoor, open source is much more risky for you. You'll have to be clever in order to hide it in plain sight, and there is still a good chance someone will find it. In contrast, when the software is closed, you can write the simplest possible backdoor, and not worry about being seen.
Escher was the first MC and Giger invented the HR department.
Of all of the professionals who inspect traffic/packets for different reasons - nobody noticed anything suspicious?
I'm absolutely certain that Windows is compromised and I'm almost as sure about OS X.
Yeah, and some people are absolutely certain that FEMA death camps are being readied for the coming of the NWO. Left your evidence in your other jacket?
For fun reading about how this "scheme" worked, flip back to the leaked documents ... http://imgur.com/a/8XoGf#0 ...
a. an Indian spy agency is monitoring US-China relations ... but only spying on the US side ?
b. they cannot get interior access since the USCC has a LAN, a VPN, and a POP ... and no working connections with Anonymous
c. so instead, they decide to tap the cellphones ...
d. and they publish some USCC email logs
I don't know. It's hard for me to believe that a spy agency is so inept ...
Given the revelations about the relationship of Corporations and Government ties over the years, is there any reason to believe Apple is somehow "Thinking Different" with respect to how it would react if "asked" by Government officials to 'do something'?
The nail which stands up will be pounded down - why should Apple say "no" when firms like Qwest (no longer) exist as an example of what happens when one does not follow a "polite suggestion" of the Government?
Comments seem to miss the fact that India used this back door to spy on a US government organization? Isn't that a problem? It's the cyber equivalent to selling arms to Iran or North Korea...
I was with you until you said "easily" figure out what was going on under the hood by reading the source. Easy for you? Yes, you wrote it. Easy for me? In most cases, unless it's a really ridiculous source tree. Easy for the average user? You're giving the average person on the internet too much credit! :)
While most people cannot, or will not read the source code... It only takes one of them to read it and find a backdoor, and then tell the world.
If you're really paranoid, you can read the code yourself or find someone you trust to do it for you. Personally I'd much rather trust a friend, or someone who is working explicitly *for me* than a company which has the primary goal of making profit at any expense.
heh....I'm certain enough for me. But you feel free to do what you want. I don't feel the need to prove it to people who I don't value.
To everyone that's telling "oh you didn't buy it, you licensed it!" or "But you clicked OK on the EULA!" or any variation on that theme. I'm pretty confident I could effortlessly sue the silly pants off any company that did this to me... especially if I could show damages in court. What jury is going to sit there and say "oh, he clicked OK on the EULA..." From a legal standpoint, EULAs are almost worthless against consumers and I even question how effective they are against corporations. There are different legal standards here. A big corporation for example has a legal obligation to actually read everything to the last line and appreciate what all the various legal terms mean. One person that has no special legal knowledge can't be reasonably expected to sign such things.
The basis of legal contracts is that BOTH sides know, understand, and agree to the contract. If it can be demonstrated that either side could not be expected to reasonably know, understand, or agree to everything in a contract then the contract is invalid.
For example, if a blind man signs a 500 page legal contract it's almost certainly invalid. To make such a contract valid there would have to be documentation that made it clear throughout that the man read or understood the contract. That might mean having a notary read it and occasionally initial segments of the contract to signify that given portions had been communicated. Or it might mean giving the man a copy of the contract in braille or something.
The problem with EULAs is that no one reads them and worse no one can really be expected to read them. How many EULAs do you see in a day? I see about three on average and I think I've only read about two of them... and that was because I was bored.
EULAs mostly exist not to restrain consumers because they can't reasonably be applied to them. They exist to restrain other corporations who also use the software. Because other corporations don't have this protection. It's one of the big differences legally between small and large organizations. Small groups generally are given a lot of legal slack. Big companies have to make a point of dotting every i and crossing every t. They have to read all these EULAs. And while I bet they don't even do it, they would have a much harder time making the same legal argument in court that they simply don't have the reasonable expectation of reading or understanding such documents.
If Microsoft or Google did something that meant thousands of credit card numbers were stolen, something where you could show damages, there is no EULA that would defend them. They'd get their silly pants sued off if it could be demonstrated that it was their fault.
Now if it was an issue of malware or something then they can probably successfully argue that end users have a responsibility to secure their systems and MS or Google didn't steal the numbers in any case or intentionally make them available. However, if MS and Google intentionally used backdoors to get such information or sold the keys to those back doors to a third party that then used them to get the information, THEN those companies would be screwed sideways.
If the twentieth paragraph in the EULA says "oh by the way, we reserve the right to let third parties pilfer your data at will" it wouldn't stand in court.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
No password needed (But you need to find the hidden port / number to get to the right login screen)
Installing your own build is no use at all - Anything like that would be likely to be in the radio part. (amss.mbn for qualcomm)
We meet again!
to information security is to use one-time-pad cyphers, use them manually, using a scratchpad that you can utterly obliterate after use to encrypt, then destroy the evidence. Every other technique is by definition just some degree of "keeping them honest" or "keeping them guessing". The pad must be truly and utterly random too, which some people have argued is not actually possible, but I guess it depends on whom you prefer to believe, Einstein or Bohr. I'm in the Einstein camp myself, and don't believe true randomness exists, but we can, I think, come safely close enough for most purposes. Use a good solid randomization technique, keep your messages short and sweet, and you should be fine. Using PGP or GPG or PIG in a BLANKET or whatever... PGP was perfectly named. Pretty Good Privacy. Note how they never called it PP, or AP, or CATFP... (you can probably guess what most of those would be... for any who can't, they're Perfect, Absolute, and Complete and Total Fucking Privacy.) Anyway, the more information you pass to others, speaking generally, the greater the chance of intercept. Get used to it. Also, about back doors in Apple's wretched systems... unless your iPhone or iPad or iMac or whatever is TEMPEST proof, it doesn't really matter, the backdoor is a matter of convenience, if they REALLY wanted to know what you were doing, they'd just listen to the RF emanations being emitted by your device with every press of a key, or every single refresh of the screen. Or has everyone forgotten about those?
I'd be more surprised if there was a corporation whose software didn't have a backdoor into it for a government.
So, if "America" backdoors products they sell in India...
Privacy is terrorism.
I dunno. Back in college I used to write code which did a task and also had some form of back door. I'd then challenge my friends to find it.
Rarely could they find it, even in reasonably minor applications or scripts. Of course better coders would be better at finding them, but better coders would also be better at hiding them.
Because the carrier adds the government back door on its own?
The EULA can say I'm not allowed to reverse engineer, but it's unenforceable.
Good-bye
Bradley Manning provided access to U.S. government secrets to everyone, because (or ostensibly because) the U.S. government was not duly informing the United States Citizens of the military's actions in their name.
Apple(*) provided access to U.S. government secrets to a foreign national government, because they wanted that foreign national government to give them quid pro quo access to a lucrative market.
Seems pretty clear Apple will be facing more severe charges than Bradley Manning, right? ... Or, at least, it's going to be in the same ballpark, right? ... Well, OK, at least, same kind of national debate, where questions of treason get raised, right? ... No? ... OK, then, well, umm, WTF?!?
* Note: RIM and Nokia are foreign -- an interesting angle to consider, but not as similar to Manning as Apple.
Stop-Prism.org: Opt Out of Surveillance
When Apple reaches 95% marketshare and tells ATT, T-Mo, Sprint and Verizon that they can only sell iphones, then you MIGHT have a valid comparison.
made a deal with MS so that the Tunisian government would buy MS products, but IE would come shipped to accept Tunisian certificates by default (which OSes typically did not do).
If you can publish phony certs, you can snoop on people.
The actual agreement between MS and Ben Ali was leaked online, you can go read it.
It is apparent that you have not seen the episode of South Park about the HumanCentiPad. If you get your choice of positions, I suggest that you be first, trust me on this one. As for your license to use an operating system. You agreed to a lot of stuff that you cannot do and that they can do. I saved you the time and effort of searching for Apple's agreements http://www.apple.com/legal/sla/ . Enjoy and remember, foods that you eat may not be agreeable with others.
Because, you know, I don't know, maybe the government believes that the Jewish people are a cancer on the face of a Nordic Europe... do you think that's OK? Do you think the government has a right to do that?
Why do you think it's so easy for spies to steal your cell phone data? You see it on shows like Chuck and 24 all the time! Spies all have a magical device that plugs into any cell phone and downloads all the data in exactly as long as it takes for the phone's owner to almost get back from the bathroom, giving them just enough time to put it back where it belongs.
How could they do that if Apple (i.e. every evil phone maker) wasn't providing them with a back door?
That's why I always carry a dummy phone with decoy data on it while my bluetooth headset is secretly connected to my real phone, which is hidden in my shoe!
Who knows. I always knew there was something funny about QString though.
Bush, Obama, Romney.
It no longer matters who you vote for, they are all owned.
Your PI calculator had a backdoor, huh?
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
You don't control what code is used to build your Android handset.
Speak for yourself. You can compile Android from the source yourself, or you can download any of the dozens of custom ROMs and kernels. How many custom iOS ROMs are there?
being leaked for iPhones. There is a specific law about classified information being leaked for certain types of cryptographic information, but then only if it's leaked to certain people.
The Espionage Act uses the phrase 'national defense information', not 'classified information'... because it's a narrower concept.
But mostly, because presidents and congressmen leak classified information ALL the time to back themselves up in political fights. That's why so many news stories have the phrase "unnamed sources" or "those familiar with the matter" or "officials say that". That's pretty much all examples of someone leaking classified information.
So whenever a bill comes to Congress saying 'leaking classified info is illegal', a bunch of them shit their pants because they themselves leaked it in order to make themselves look good / hurt their opponents.
Buried exploits exist but they can't easily be maintained since minuscule code changes tend to break them, and it's not like you can put a comment around it saying "don't change this, need it to eavesdrop on users for the Indian govt."
Compare to closed source where you can put exactly that comment down and everyone in the company respects it.
Go fanboys go! Fund your demise!
And then see: Reflecting on the reflections of trusting reflected trust.
What makes you think the investment banking "community" isn't glued at the hip to the intelligence community? Some evidence:
1. The book "The Asylum" by Leah McGrath Goodman. The CIA and NSA had wires going directly to NYMEX. The government gave classified information to the guys running the New York Mercantile Exchange during the Gulf War - never mind a lot of those guys were drug addicts and alcoholics with sex addiction problems. The 'relationship' continued, but nobody knows how long. Why? NYMEX was the oil trading market - when people say 'the price of oil is XXX dollars', that was decided by the market of traders at NYMEX.
2. If you read the WikiLeaks cables, you will notice that JP Morgan is an 'intelligence source' for the State Department. Dozens and dozens of those cables were basically "so and so, of JP Morgan, says this and this and this about the situation in country xyz".
"can we assume that they have also done so with Mac?" Yes.
The Espionage Act applies to 'national defense information' of the US, and you have to have delivered it or 'retained' it.
Here, Apple is just providing the Indian government with a backdoor. Are you going to argue that the instructions on how to backdoor login to iOS are somehow 'national defense information' of the United States?
The problem with that kind of case is that if the DOJ sued Apple, they'd have to sue a whole crapload of other business interests... and that would be a problem for the DOJ's boss - the office of president, which typically enjoys the full financial support of various tech companies.
That is why we install the OS ourselves.
Palm trees and 8
You own a license to use their software under their terms. Apple/Microsoft is still very much in control due to "updating" mechanisms. OSS/Close source is part of the equation, but the company running the show has more to do with privacy and security (see carrier iQ).
the government. How can it be considered stealing?
were possible because someone inside the Soviet Union, for some reason, reused a bunch of 'one time' pads.
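Added example, not from any post in this thread. The one-time-pad comment above says the scheme is only as good as a pad that is random and never reused, and the Venona comment right above points at what happens when a pad is used twice. This Python shows both: a correct XOR one-time pad with a pad from the OS CSPRNG, then the two-time-pad failure, where c1 XOR c2 cancels the pad and leaves p1 XOR p2, which a crib-drag with one guessed word turns back into plaintext. The two messages are constructed for the demo.

```python
import secrets

# Constructed sample messages (not from the thread); equal length so one pad covers both.
P1 = b"ATTACK AT DAWN ON THE EAST RIDGE"
P2 = b"RETREAT AT DUSK TO THE RIVER BED"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings of identical length; refuse anything else.
    A pad shorter than the message is the first way people 'stretch' a pad and break it."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(n: int) -> bytes:
    """Fresh pad from the OS CSPRNG. Generate once, use once, destroy."""
    return secrets.token_bytes(n)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If both ciphertexts used the same pad, c1 ^ c2 == p1 ^ p2: the pad cancels
    and the attacker is left with a relation between the two plaintexts alone."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2: bytes, crib: bytes) -> list:
    """Slide a guessed word along p1 ^ p2. Wherever the guess is correct for one
    message, XORing it back out exposes the other message's bytes at that offset.
    Returns every offset whose result is printable ASCII; a human triages those."""
    hits = []
    for i in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[i:i + len(crib)]
        candidate = xor_bytes(window, crib)
        if all(32 <= b < 127 for b in candidate):
            hits.append((i, candidate))
    return hits


def demo() -> dict:
    pad = new_pad(len(P1))
    c1 = otp_encrypt(P1, pad)
    c2 = otp_encrypt(P2, pad)  # the mistake: same pad, second message
    leak = two_time_pad_leak(c1, c2)
    return {
        "roundtrip_ok": otp_decrypt(c1, pad) == P1,
        "leak_equals_p1_xor_p2": leak == xor_bytes(P1, P2),
        "crib_hits": crib_drag(leak, b"RIVER"),
    }


if __name__ == "__main__":
    r = demo()
    print("decrypts:", r["roundtrip_ok"], " pad cancelled:", r["leak_equals_p1_xor_p2"])
    for off, frag in r["crib_hits"]:
        print(f"offset {off:2d}: other message reads {frag!r}")
```

Run it and the offset where "RIVER" sits in one message gives back the five bytes of the other message at the same position, without the pad ever being recovered. That is the whole Venona lesson in a dozen lines: the cipher is fine, the key handling is what fails.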
The two situations are not exactly the same. Manning is accused of giving information about the national defense to other parties. It would be very hard to argue that Apple did that. They just gave instructions to India about how to backdoor their phones.
Now the more accurate analogy would not be Bradley Manning, it would be the 'Cambridge Associates' who went under Grand Jury investigation in 2011 regarding their alleged assistance to WikiLeaks (and are still under investigation). They are charged with Conspiracy to Commit Espionage, 18 USC 793(g).
Now, the other law I think applies here would be the Computer Fraud and Abuse Act. Why? The Espionage Act only applies to 'national defense information'. But the Computer Fraud and Abuse Act has its own sort of 'mini-espionage-act' inside of it... that applies to not just national defense information, but also "foreign relations" information. This is the only reason Manning could be sued on so many counts of violating the CFAA, for example the Reykjavik 13 memo about Icelandic bank fraud - that's under the CFAA.
What you have here against Apple could, theoretically, be Conspiracy to violate the Computer Fraud and Abuse Act; section (1), I believe, is the computer espionage section.
--
Another analogy would be George Hotz + fail0verflow, who published information about how to jailbreak the PlayStation 3. They were sued by Sony - but that was in civil court, not in criminal court. The DOJ never went after Hotz.
Speak for the vast majority of Android owners, you mean.
Giving info on US/China communication to India. That goes well beyond normal privacy issues. Or perhaps it's just the government getting a taste of its own medicine?
If Microsoft or Google did something that meant thousands of credit card numbers were stolen. Something where you could show damages. There is no EULA that would defend them. They'd get their silly pants sued off if it could be demonstrated that it was their fault.
Unless their future EULA contains the AT&T/Sony PSN/Microsoft Xbox Live "you cannot sue us individually or in a class action, you must enter into 'arbitration' by a 'neutral 3rd party' (who is paid for by AT&T/Sony/Microsoft)". Then what? Oh, this won't stand up in court? But it has, at least contractually from AT&T mobile, and the fact that EULAs have stood up in court as valid contracts in the past gives Sony's and Microsoft's TOS some teeth. Make no mistake - this was put into place at least partially due to Sony's liability in their recent break-ins and data exposure - they're just covering themselves for future data loss (what do they care, it's our data, and it hurts our credit, not theirs). It's a sad state, that we the people (the 99%) are less able to hold the corporations (the 1%) accountable for wrongdoing today. Expect this trend to continue favoring the 1%.
You don't control what code is used to build your Android handset.
Sure you do. Cyanogen is fully open source and you can build it yourself. Okay, you might want some closed source drivers, but that is the same case with any OS, and there are plenty of phones available with fully OS drivers. You don't have to use any closed source Google apps if you don't want to either, there are OS alternatives to them all (included in Cyanogen).
What part specifically don't you control?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
So Google settled at 500 million with the government over the book scanning... and 500 million with the FTC over drug ads...
So right there, I've proven definitively that Google is at least half as evil as Microsoft in your terms?
every day http://en.wikipedia.org/wiki/Special:Random
If Apple is spying on the US government, obviously I don't want to do business with Apple anymore. Can Slashdot readers help me choose a new manufacturer, operating system, and e-mail? From the evidence presented in this document, we know that RIM and Nokia have also provided backdoors. Is there any mobile device manufacturer that can replace both my iPhone and my iPad and hasn't been proven by this document to spy on my government? Before you answer, remember that it isn't just the manufacturer I need to be worried about. Unless the operating system is completely free and open source software, I could never be sure. Obviously I will need a FLOSS OS too. Finally, I will need an e-mail service to replace iCloud. Can anyone recommend a generous, stable, and free e-mail service that can use the impenetrable POP protocol? I would prefer if the e-mail service provider in question was an outspoken opponent of the proposed Stop Online Privacy Act. Can anyone recommend a solution that meets all of these requirements? Anyone?
The big difference is, if the source does bad stuff, it's easy to find and fix once you figure out something is wrong.
Plus, when it's big (a mobile OS for example), there are hundreds of people from various places writing and eyeballing source and commits. Those people have no incentive to get backdoors in, and if there's a black sheep, it's going to be very tricky to insert rogue code (it has to look like regular code with a security bug, and the bug must be non-trivial so others won't notice).
For iOS it's different. This story has to be a PR disaster for the backdoor to be removed. Plus they could just change it and claim it was removed (in some PR fashion, like, "we removed a security feature that helped capture terrorists and was used under the rule of law", or whatever).
The big question is: What has google done?
IMHO certainly it has not installed the backdoor, but if you wanna be sure I suggest buying a compatible phone, wiping everything on it, and recompiling and installing Android from source, avoiding any proprietary program. We probably agree that it's very unlikely that any backdoor would be present in any free/open source program, much less one with such high visibility.
Yes, some Google apps are proprietary (Market, Maps, Videos...), you may want to use open source alternatives if you really don't trust Google.
The latest version (4.0, Ice Cream Sandwich) of the Android source code is available at: http://source.android.com/
Disclaimer: I speak only for myself and not anyone else. IANARE.
There's a hidden treasure in Python 3.x: __prepare__()
That is why I use a custom ROM. Either an AOSP build that has never been touched by the big corporations or one that has been scrubbed clean of all extra unneeded software.
I still cannot guarantee that there still isn't a backdoor or some sort of spyware, but chances go up a lot.
Would you mind posting an example? I'd like to learn how to detect potentially malicious code.
Communications providers can be forced to provide back doors for "legal spying" by governments. All governments know this, and use other methods to protect "sensitive" communications.
Governments have shown from time to time it's not quite as simple as that.
http://en.wikipedia.org/wiki/Greek_wiretapping_case_2004–2005
(the irony is strong with this one)
The consumer is Apple's target market. This is who pays their paychecks. Apple has almost 100 billion dollars cash. That's 20% of India's entire tax revenue for the year. So what is India going to possibly pay Apple to do something that would destroy brand confidence in Apple's target market? This doesn't make any sense. India has nothing to offer that could influence Apple.
This article is a pack of lies. Everyone knows that Apple doesn't cater to or hardly care about the government/enterprise market. The idea that Apple would make software change, let alone one that put customers data at risk, is laughable.
And it STILL won't happen.
Apple is big money. You can be sure that enough Grants and Franklins will be kissing palms that the absolute worst that would happen to Apple is a little slap on the wrist.
~X~
For a few temporary small benefits, people are willing to accept enormous potential damage. That is my personal definition of evil.
For me that is definition of sucker.
Can't sue if you're trapped in Gulag Bay.
The fundamental flaw in most of these "if you're not doing anything wrong, surveillance shouldn't bother you" arguments is the equation of privacy with secrecy. Privacy is about MY control of MY information, i.e. I choose what is public vs. private based on MY preferences. That could be complete transparency, but I am in control - not the three letter agency.
What if the backdoor was in the inaccessible radio CPU?
Jehovah be praised, Oracle was not selected
I will have to go hunting around, but I seem to remember a rumor that went around while OS X was still being referred to as Rhapsody that went something like, "NSA requests backdoor into Rhapsody", with the story saying something about it being needed because of how difficult it would be (at the time, 1998-2000) for them to hack if they "needed to". So, I am fairly certain there is a backdoor into OS X. If anyone else remembers or can find a link please reply. I will also search and reply.
Good follow-up info. Thank you!
Just because no one has the time to read millions of lines of code alone doesn't mean that every line of code won't get seen by someone.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
Two big reasons:
1. OS X is a lot more open than iOS.
2. For a backdoor to be useful, it has to have a covert way to communicate. All the internet hardware for OS X is straightforward to monitor for unexplained network access. It would be much easier to sneak data out through the wireless carrier portion of iOS.
To a Lisp hacker, XML is S-expressions in drag.
I think this applies to BlackBerry devices connected with BIS only. For BES devices (you have your own mail server with BlackBerry software on it) it's still secure. Remember some governments banned BlackBerry devices - obviously it means they cannot have a backdoor for BES devices.
The fact that we occasionally find these memos is anything but controversial or surprising. What is surprising is that some idiots believe that these back doors do not exist everywhere. The myth of privacy and the delusion of safety are ludicrous. You are the product, and you are not a beautiful or unique snowflake.
You didn't buy the OS, you purchased a license to use it. You own the license, as you've pointed out, but it's only just that: a contract between you and MS (or Apple, etc) subject to change at their discretion. Have you looked at these EULAs? There is no understanding that you "control the security", either expressed or implied. You are licensed to use a software product - if the actual owner of that product decides that it's in their best interest to forward information pertaining to your usage of their product to a governmental authority, it's their decision to make. ...and yes, I agree that this is an example of why open source is superior.
http://en.wikipedia.org/wiki/Vernor_v._Autodesk,_Inc.
So, the court upheld that according to the EULA you don't own the software you bought, you're only licensing it.
Freely given has nothing to do with it. If I buy something and pay a LOT of money for it, I also want to take advantage of, or in real words, use it.
Don't fight for your country, if your country does not fight for you.
True, however, if it communicates with anything, packet sniffers such as Wireshark will find the packets it is sending.
There was a time when efficient encryption was considered a weapon and could not be exported from the US. This was given up later.
Looking back this was just logical. The point is that controlling what code is being exported is very hard and anyway coming up with good encryption is not that hard anyway. But once you have devices everywhere that can use end-to-end encryption of communications very easily and cheaply, everyone can use that and encrypted communication is basically out of control.
The only halfway practical way to deal with this is: Just allow all of this but make sure that you get access to the devices at a point BEFORE any encryption takes place (and after decryption).
I don't like the very idea, but on the other hand I really can't imagine any state or government to accept safe encryption in communications being the norm with no way to listen in. Democracy or not, but ubiquitous encrypted communication for everyone (including criminals, terrorists, whoever) is something that is impossible to accept for any government that sees controlling and policing as part of the job description.
Having noticed this years ago, I removed any software that was proprietary. Ain't there, can't spy. At least with Linux, I have a lot more ability to monitor transmission of data, as opposed to any other OS. Regular penetration testing with tools like OpenVAS and hacking at my own systems ensures that they are as clean as possible.
Can I guarantee data or communication security? No, to think so is foolish. At best I can mitigate threats such as this by using all available tools.
The main problem with what you are saying, however, is that the license terms aren't on the outside of the box, they are in the box, and you don't see that until you open the box. I've not had these issues with Linux, ever.
More proof that Apple "caring" about users is complete bullshit. They only care about their bottom line. This is why they have so many user-unfriendly policies.
Boycott Apple.
I dunno. Back in college I used to write code which did a task and also had some form of back door. I'd then challenge my friends to find it.
Rarely could they find it, even in reasonably minor applications or scripts. Of course better coders would be better at finding them, but better coders would also be better at hiding them.
It's usually not horribly difficult to find a backdoor if you listen in with Wireshark, unless they do a very good job of hiding the traffic.
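Added example, not from any post in this thread. Several comments above make the same point: a backdoor is only useful if it can talk to someone, and on a general-purpose machine that traffic has to show up on the wire (Wireshark, a host firewall log). The hard part is not seeing the packets, it is deciding which connections have no business being there. This Python takes connection records in a constructed format (the kind of thing you get from Wireshark's Conversations export or an outbound firewall log), drops destinations that are on a known baseline, and flags the rest, marking as periodic any destination contacted at near-constant intervals, since that beacon-like regularity is what a covert channel phoning home tends to look like. The log lines, the baseline hosts and the RFC 5737 addresses are all made up for the demo.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection records (not a real capture). One outbound flow per line.
LOG = """\
2012-01-10T08:00:00Z 10.0.0.5:51234 -> 192.0.2.10:443 bytes=1200
2012-01-10T08:00:02Z 10.0.0.5:51235 -> 192.0.2.53:53 bytes=80
2012-01-10T08:01:00Z 10.0.0.5:51240 -> 203.0.113.7:8443 bytes=512
2012-01-10T08:06:00Z 10.0.0.5:51251 -> 203.0.113.7:8443 bytes=512
2012-01-10T08:11:00Z 10.0.0.5:51262 -> 203.0.113.7:8443 bytes=516
2012-01-10T08:12:30Z 10.0.0.5:51270 -> 192.0.2.10:443 bytes=900
2012-01-10T08:16:00Z 10.0.0.5:51277 -> 203.0.113.7:8443 bytes=512
"""

# Destinations the device has a documented reason to contact (hypothetical update and DNS hosts).
EXPECTED = {"192.0.2.10:443", "192.0.2.53:53"}

LINE = re.compile(r"^(\S+) (\S+) -> (\S+) bytes=(\d+)$")


def parse(line: str):
    """Split one record into (timestamp, src, dst, bytes); refuse anything malformed."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), int(m.group(4))


def analyse(log: str, expected: set, min_hits: int = 3, jitter: float = 0.1) -> list:
    """Group flows by destination, discard the baseline, report what is left.
    A destination seen at least `min_hits` times whose inter-arrival gaps vary by
    less than `jitter` of their mean is marked periodic (beaconing)."""
    by_dst = defaultdict(list)
    for ts, _src, dst, _nbytes in (parse(l) for l in log.splitlines() if l.strip()):
        by_dst[dst].append(ts)

    findings = []
    for dst, times in by_dst.items():
        if dst in expected:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps) if gaps else None
        periodic = (len(times) >= min_hits
                    and len(gaps) >= 2
                    and statistics.pstdev(gaps) <= jitter * mean_gap)
        findings.append({"dst": dst, "count": len(times),
                         "mean_gap_s": mean_gap, "periodic": periodic})
    return findings


if __name__ == "__main__":
    for f in analyse(LOG, EXPECTED):
        flag = "PERIODIC" if f["periodic"] else "unexpected"
        print(f"{flag}: {f['dst']} seen {f['count']}x, mean gap {f['mean_gap_s']}s")
```

The baseline is the part that takes real work: you build it from a clean device over a few days of ordinary use, and anything outside it is a question to answer, not automatically a backdoor. The comment above about the radio also still stands: this only sees traffic that crosses an interface you can tap, so on a phone it covers Wi-Fi, not whatever the baseband does on its own.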
My thoughts exactly. If you think about this as a developer who wants to implement a backdoor, open source is much more risky for you. You'll have to be clever in order to hide it in plain sight, and there is still a good chance someone will find it. In contrast, when the software is closed, you can write the simplest backdoor and not worry about being seen.
If I tried to implement something like that, my colleagues would find out and I would get fired. Now if my company decided to implement a backdoor, then open or closed source doesn't make much difference, because nobody outside the company would ever see the code. On the other hand, there would be quite a few witnesses, and there would be evidence, and overall this would be quite a dangerous idea.
I trust others are reading it. And I assume it's too much danger for projects like Linux to get caught doing nasty stuff. This would be in all the IT news; next, the reputation of Linux would be zero. And spies know this; this is why they do not even ask these projects to do so.
And somebody tried to sneak a backdoor into Linux once (something in exit.c); it was found in very little time.
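Added example, not from any post in this thread and not the kernel's code. Several comments above say a backdoor in open source has to be disguised as an ordinary security bug, and the exit.c incident mentioned just above is the textbook case: the inserted line, as publicly reported at the time, was `if ((options == (__WCLONE|__WALL)) && (current->uid = 0))`, a single `=` where `==` was meant, so the condition both passed and set the caller's uid to 0. It was caught because a diff that does not match any checked-in change stands out, and because that shape is easy to grep for. This Python is a small source lint for that shape: it walks every `if (...)` condition in a C fragment, masks the two-character comparison operators, and flags any `=` left over, escalating when the condition touches a privilege-bearing identifier. The C fragment is constructed for the demo around that one reported line.

```python
import re

# Constructed C fragment for the demo. The first `if` reproduces the form publicly
# reported for the 2003 kernel incident; everything else is filler around it.
SAMPLE = """\
/* constructed sample, not real kernel source */
static long do_wait(struct task_struct *current, int options)
{
        if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
                retval = -EINVAL;
        if (current->uid == 0)
                return ALLOW;
        if (retval >= 0 && (n = count_items()) > 0)
                return n;
        return DENY;
}
"""

COMPARISON = re.compile(r"==|!=|<=|>=")
# Identifiers whose accidental assignment changes who the caller is (hypothetical list).
PRIVILEGE = re.compile(r"\b(uid|euid|gid|egid|root|admin|cap\w*|priv\w*)\b")


def if_conditions(src: str):
    """Yield (line_number, condition_text) for every `if (...)`, walking nested parens."""
    for m in re.finditer(r"\bif\s*\(", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        yield src.count("\n", 0, m.start()) + 1, src[m.end():i - 1]


def find_assignment_in_condition(src: str) -> list:
    """Flag `if` conditions that still contain `=` once ==, !=, <= and >= are masked out.
    Severity is 'high' when the condition names a privilege-bearing identifier, else
    'review' (the `(n = f()) > 0` idiom is legal C and a reviewer has to look)."""
    findings = []
    for lineno, cond in if_conditions(src):
        if "=" in COMPARISON.sub("  ", cond):
            severity = "high" if PRIVILEGE.search(cond) else "review"
            findings.append((lineno, severity, " ".join(cond.split())))
    return findings


if __name__ == "__main__":
    for lineno, severity, cond in find_assignment_in_condition(SAMPLE):
        print(f"line {lineno} [{severity}]: if ({cond})")
```

On the sample this reports line 4 as high (the uid assignment) and line 8 as review (an ordinary assign-and-test). A compiler warning such as gcc's -Wparentheses catches the same thing at build time, which is the other reason this style of backdoor does not survive long in a project where many people build from source.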
You don't even need to go so far. My high school had a special program where students would purchase and own a laptop and use it in class. It was required for the program and the laptop truly was YOURS. They had extensive warranty programs and tech support for the students, but you still owned the laptop and would do so even if you were to leave the school at any point.
What I discovered mere months after getting the laptop was that the school's tech support had created a hidden Windows account (named "backdoor", how original) which had administrative rights and the same password for every laptop in the entire school. Five minutes of L0pht (not even illegal since I was applying it on my own property) gave me administrative access to hundreds of laptops.
I never actually spoke about it a whole lot outside of a few friends, but I think this highlights how people who have no clue about security can cause possible trainwrecks. Imagine if a malicious person had access to such information? That's hundreds of laptops used daily by minors that could be spied on.
I bought the OS. I bought the machine. I own that license.
Actually...you don't "own" the OS like you own a car or other type of property. What you paid for was an agreement that you could use/lease the software. Carefully read your EULA and it explains it very clearly.
If this is a problem...you have two choices:
1. Use Open Source such as Linux or BSD Unix.
2. Pirate a copy off the net and use it any way you see fit.
Don't worry about the world coming to an end today. It's already tomorrow in Australia. - Charles M. Schulz
Linux is not safe either; too many posts on here illustrate that these open source advocates are still clueless fanboys no better than a Mac user saying they can't get viruses.
Closed binary drivers in your linux? yeah, I thought so...
Did YOU download, checksum and install your OS? On your phone? Yeah, I thought so.... (it is TRIVIAL to insert a backdoor and ignore GPL for that code! GPL has little power; all your phones were illegally tapped and nothing came out of that blatant violation of federal law.)
Did you compile your cell phone provider's proprietary code to drive the phone? Yeah, I thought so....
Did you install a custom open source BIOS or firmware? Yeah I thought so...
Finally, can you trust the Chinese-made chips (they are advancing in this area quickly; just making boards is enough to do a lot; who'd notice a keylogger in the motherboard for example) -- nah, China wouldn't want to bother, it's not like they want to hack into Google or anything...
Have you heard of a Virtual Machine? DMA?
No, not really. If I use Free software, there is a MUCH greater chance that somebody somewhere who isn't on payroll (or subject to being sued out of existence) to toe the company line will spot a backdoor and tell the world. It could even be me. I don't need them to ALL be trustworthy, it only takes one trustworthy person looking at the bad code to get the word out there.
Of course, that isn't an absolute assurance, but the odds are certainly better.
If it's a concern, root the thing and install a self-compiled OS.
I assume that installing a hacked version of Android such as CyanogenMod can also be risky since you don't know exactly who compiled that OS and what threats are included unless you can reverse engineer it -- and I can't. The only pure way to be reassured would consist in compiling and installing the OS yourself from trusted open sources. But this is not given to everyone (nor is it to me).
Did I forget to wind my watch, or is it 2000 all over again? Picking between different flavors of vanilla, and a few trillion dollars, a few thousand lives, some wonderful Federal legislation, zero wage growth, zero oversight of the financial markets...
The problem is that to create real political change requires a hell of a lot more personal commitment than checking an alternative box every few years, or posting about Nader/Paul/Bo, etc.
Luke, help me take this mask off
This is a fallacy based on the idea that something is either completely secure or completely not secure. We don't live in that binary. We make security trade offs all the time, and measures which increase the time, cost and complexity of interception or attack are a good thing, even if they are not by themselves complete solutions.
Depends on where you live. (And might be a matter of time http://www.youtube.com/watch?v=HUEvRyemKSg)
If you're really paranoid, you can read the code yourself or find someone you trust to do it for you.
The Linux kernel is 14 million lines of code alone; when I type in a password I'm guessing between the kernel, xorg and the browser at least double that. Even if only a tiny bit of the code paths are touched, what's to say there's not a trigger set up somewhere to peek at some buffers? It also probably doesn't include the compiler that converts it to binary code. Maybe a huge organization like say "the military" can look through it all, but you? And your friends? Practically the only thing you could be really, really sure of would be something small and hand coded in assembler. And that doesn't count hardware bugs: can you be sure there's no magic sequence you can play to your network card to cause it to start dumping memory out to a three letter agency? Particularly with a cell phone, you have no packet inspection between the cell phone and the tower. Even if you read every line of code in Android and the compiler you compiled it with, there could still be software hidden in the parts that run the radio and such that can spy on you. If there was something really, really critical I'd like an air gap; I'd have a non-networked computer and a USB stick. Because you can't really trust your gear, but it won't be able to communicate by magic. Of course there are some very convoluted ways around that, but then again there are simple ways like a $5 wrench.
Live today, because you never know what tomorrow brings
for violating the California Comprehensive Computer Fraud and Abuse whatever-act (sorry, can't remember the exact name) in state court, sort of like Sony tried to sue GeoHot.
I'm guessing the USCC has some big financial guns in its own camp...
Or simply become broken or removed when the chosen hiding place ends up rewritten for some reason or other.
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
It's funny to watch pseudo-adult plebs argue the symantecs while their country is stolen and their children are sold into indentured servitude. It's staggering how brainwashed the public is. It's really mind-blowing. Really. I can't even believe it. With the internet and everything.
With a self-compiled compiler.
When the policeman of the tie, rule you violate, hello punishment of the kitty?
Look at what you quoted. I am aware that I just own a license. However, any court worth its salt will look poorly on a corporation that interprets that as meaning it can insert spy code into my systems and undermine my security intentionally.
The issue here will be showing actual damages to a court.
If you bring this to court and can show material damage of some kind that is quantified, then you could gut them like a fish.
I know many in the corporate world view EULAs as Faustian bargains that everyone that uses their products is stupid enough to sign. These EULAs are actually enforceable between corporations; however, you'll have a very hard time holding small businesses or consumers to them because it would be very very very easy to argue that they cannot REASONABLY be expected to read and understand such agreements. The term "reasonable" is very important in contract law.
If it can be shown that either party in a contract could not have been reasonably expected to understand something or read it then it won't be enforceable. For that reason EULAs aren't particularly effective against consumers, especially as regards little hidden details. They can of course be expected to know that they're not supposed to pirate software. But they are likely not being made aware of the forfeiture of rights or other little things they might try to sneak into the contract.
Being sneaky with a contract works between big corporations. They can trick each other because they are expected to read and understand everything. However, individuals and small operations are given special protection. Generally anything that goes over our heads or is even a little slippery tends to not do well in court.
And if you add a jury trial to it... they're screwed.
The legal system has a lot of problems but it's more sensible than you give it credit for.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Well, that depends if it's the device that's rooted or the communications that have a backdoor. Most countries have laws that demand police should be able to install wiretaps. It doesn't matter what ISP I go with, no matter which one my line could be tapped. Nor does it matter what phone carrier I go with, my line could be tapped. It's the law. So far there's no general requirement for software - and they'd have a helluva time convincing Firefox to include a backdoor when I use https to my bank - or was that some nasty criminal business? But emails, as far as I've understood them, they're like sending around postcards - if you can look at the bits flowing through you can read them. If you want any kind of security from the network it's running over, you have to encrypt them. But it's much easier to slap a "If you're not the intended recipient, please don't read" sticker on your postcard, instead of real security.
Live today, because you never know what tomorrow brings
Unless you've personally verified every single line of code in the OS, you're not really better off.
Even if you do, you're not sure. Your compiler may be compromised. See: Reflections on trusting trust.
This is why you always code in machine language!
Well if the government is monkeying with the law then anything is possible. However, the problem then becomes how does country A trust the code if country B has backdoors in it?
We all want to be secure and really the NSA etc are going to get more mileage out of learning how to do their jobs properly, which will mean putting taps on things without the company's knowledge or cooperation. They should be able to do that. What happens when a company says no or it's a foreign country they need to tap that doesn't use any allied company? Best to develop these skills in their day to day operations rather than relying on the manufacturer or developer to give them a back door. These guys are supposed to be hiring and training armies of hackers and little cyber warriors to do this stuff. If all they're doing is calling up the president and saying "can we have access pretty please" then any chump with a country could say that.
So not only is this a dumb move for the companies and bad for consumers but it also sets a bad precedent for the intelligence agencies in that they get fat and lazy using the backdoor rather than actually breaking in like a real intelligence agency. I don't care how they do it. Just do it that way instead. Tell the president you're their mother and you need access to his global communications network so you can bring by milk and cookies. It doesn't matter. But don't actually tell them who you are and then ask nicely for access... even worse is if they show some sort of documented court writ demanding access. Dive in some dumpsters... whatever... but this is just bad on too many levels.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
2 weeks after my wife and I bought our house in 2001, I was laid off. After 3 months of searching 9/11 happened, and the shit really hit the fan. Silicon Valley for a time looked like a ghost town. Moving trucks were moving east (getting the fuck out of dodge so to speak)
A year later I wound up getting a crappy job at a bar. 10 years later I'm still here, working on my own software that runs certain aspects of the bar (very profitably I might add) When we bought our house in 2001 interest rates were sky high, and the wife and I thought our futures in tech were pretty secured. I think we were at 10% interest. We refinanced twice over the 10 years trying to keep payments down so we could stay in our house.
In the last 2 years the ARM on our loan got so high we were paying over $1600@mo for the new interest charges alone. We were virtually on the brink of losing our house. Then the "Obama Affordable home" plan was passed. Bank of America didn't make it easy. My wife had to call them every single day for a year. (like calling your AT&T subcontractor when your T1 goes down) At one point they denied us because "We couldn't verify your identity" (one of the loan modders wrote my social security number down wrong)
Despite what you might think of Obama.. He's just doing the best he can. He's no Bill Clinton, but having to clean up after GWB can't be easy. He stopped the banks from bending over hardworking people. Osama was killed during his term. Troops are withdrawing from Iraq.
And a self-compiled linker and audited, on a host platform that you compiled yourself...
I am TheRaven on Soylent News
Just because you bought a device that comes with an open source operating system doesn't mean the manufacturer/carrier/reseller/Darth Vader didn't build their own modified version of the code. The only way to be safe is to read it all yourself and build your own firmware.
The basis of legal contracts is that BOTH sides know, understand, and agree to the contract. If it can be demonstrated that either side could not be expected to reasonably know, understand, or agree to everything in a contract then the contract is invalid.
I think your legal theory that as long as you're oblivious to what you're signing on it won't stick is mostly your own imagination talking. When you are offered a contract the burden is generally on you to understand what you are signing, including getting any necessary help to do that. It's not my burden to prove that you understood everything you signed on, I might have to offer the blind man the contract in Braille but I don't have to make sure he reads it or understands it, only that he's been given the opportunity to do so and then signed indicating the contract was accepted. I guarantee you that if you go into any court room and say "I didn't bother to read it, I just agreed to it" or "I read it but it made no sense so I agreed to it anyway" you will lose.
The two sentences you might have some luck with are "As I understood this paragraph, it meant..." or "This part is unconscionable and no reasonable man would sign this if he'd seen it". In the first you're arguing that the meaning appeared to be clear, so you did your part but the contract was deceptive. In the second part you're arguing they hid a poison needle in a very big haystack. However, it only works for things you couldn't reasonably expect to find, like handing over your firstborn. If they show that these are common industry terms and conditions it's not going to fly, because no matter if you find the terms unreasonable or not, it's not unusual that they're there. You won't be able to argue they came as a surprise.
To everyone that's saying "oh you didn't buy it, you licensed it!" or "But you clicked OK on the EULA!" or any variation on that theme. I'm pretty confident I could effortlessly sue the silly pants off any company that did this to me...
To use the word effortlessly in this context is clear proof you have absolutely no idea what you're talking about.
Live today, because you never know what tomorrow brings
I call BS...
If this were true virtually every 50 page mortgage contract would be null and void.
If people couldn't grasp the whole sub-prime mortgage "scam" that played a role in blowing up the US economy, which could easily be communicated in a single sentence to anyone with a grade school education, what you claim is simply not the case.
So, just as an example, ...
If I wanted to hide something in the Linux code for random number generation, and it was obfuscated, not well discussed, not well documented, deliberately made hard to understand, etc., how long would it take before someone actually managed to decipher the whole thing, and realize that the whole kernel random number generator was bleep and needed to be replaced?
It has already happened. The Linux kernel RNG was crud, and I really hope it has been replaced by now.
Hiding something in open source? Not impossible. The real question is: What is the backlash when it finally comes out in the public?
The problem is that to create real political change requires a hell of a lot more personal commitment than checking an alternative box every few years, or posting about Nader/Paul/Bo, etc.
Spot on. The political systems have degenerated to the point that revolution is required to make real changes.
yea a memo might get leaked.
A smart backdoor would look like a bug and could easily be explained away as such...
Tee hee. A while ago, one of the hacker sites had a competition to see who could hide a "backdoor" -- the idea was to take an image in a script compatible form (all the numbers were in text, rather than in binaries), black out a certain region (think redaction), and still have some way to have the redacted area be recoverable when the right inputs were given.
The catch? The code would be given a peer review, so you had to come up with something that would pass most attempts at oversight.
A lot of people tried to hide stuff in "error detection" routines.
The winning code had no bugs of any kind. It did perfect redaction of the specified area. No flaws, no errors, nothing to be spotted in code review.
Except for one oddball usage of fetching and writing individual characters -- getc() and putc(). The author explained that as an attempt to make sure that no matter what was in the input data, no matter how messed up the graphics were in an attempt to break the code, it would not have any overruns, no undefined behavior, etc.
Result? The "black" would be written out as "0", "00", or "000", depending on the light level of the source. For all three color channels.
Absolutely unnoticeable when viewed on a viewer. There was no hidden alpha channel, no slight alternation between black-0 and black-1, etc.
Yet you could still recover readable text, almost perfect pictures, etc.
Security hole back door? Very doable.
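The contest entry described above leaks the redacted content through how each zero sample is spelled ("0", "00", "000"), which a viewer that only decodes pixel values cannot see. As an added example, not code from the thread or the contest, here is a defender-side audit for P3 (ASCII) PPM files: it reads the raw tokens, flags anything inside the redaction box that is not the literal token "0" (and non-canonical spellings anywhere else), and re-serialises the file canonically so nothing survives in token spelling or whitespace layout. The sample image and the redaction box are constructed.

```python
"""Representation-leak audit for redacted text-format (P3 PPM) images.

Added example, not from the thread. A viewer decodes "00" and "000" to the
same black pixel as "0", so the check must look at the tokens as written.
"""
import re
from typing import List, Tuple

TOKEN_RE = re.compile(r"\S+")
Box = Tuple[int, int, int, int]  # (x0, y0, x1, y1), upper bounds exclusive


def tokens_of(ppm_text: str) -> List[str]:
    """Split a P3 file into whitespace-separated tokens, dropping '#' comments."""
    lines = [ln.split("#", 1)[0] for ln in ppm_text.splitlines()]
    return TOKEN_RE.findall(" ".join(lines))


def parse_p3(ppm_text: str):
    """Return (width, height, maxval, sample_tokens), keeping tokens as written."""
    toks = tokens_of(ppm_text)
    if not toks or toks[0] != "P3":
        raise ValueError("not a P3 (ASCII) PPM")
    w, h, maxval = int(toks[1]), int(toks[2]), int(toks[3])
    samples = toks[4:]
    if len(samples) != w * h * 3:
        raise ValueError("sample count does not match header")
    return w, h, maxval, samples


def find_representation_leaks(ppm_text: str, box: Box):
    """List (x, y, channel, token) for every suspicious sample.

    Inside the box every token must be exactly "0"; elsewhere a token is
    flagged if it is not the canonical decimal spelling of its value
    (leading zeros, plus signs, etc. carry bits a viewer never shows).
    """
    w, h, _, samples = parse_p3(ppm_text)
    x0, y0, x1, y1 = box
    leaks = []
    for y in range(h):
        for x in range(w):
            inside = x0 <= x < x1 and y0 <= y < y1
            for c in range(3):
                tok = samples[(y * w + x) * 3 + c]
                bad = (tok != "0") if inside else (tok != str(int(tok)))
                if bad:
                    leaks.append((x, y, c, tok))
    return leaks


def redact_canonical(ppm_text: str, box: Box) -> str:
    """Black out the box and rewrite the whole file from decoded integers,
    so neither token spelling nor line layout of the input survives."""
    w, h, maxval, samples = parse_p3(ppm_text)
    values = [int(t) for t in samples]
    x0, y0, x1, y1 = box
    for y in range(y0, y1):
        for x in range(x0, x1):
            base = (y * w + x) * 3
            values[base:base + 3] = [0, 0, 0]
    rows = [" ".join(str(v) for v in values[y * w * 3:(y + 1) * w * 3])
            for y in range(h)]
    return "P3\n%d %d\n%d\n%s\n" % (w, h, maxval, "\n".join(rows))


# Constructed sample: 3x2 image whose top-left two pixels were "redacted"
# the leaky way (zero-token length tracks the original brightness).
LEAKY_PPM = """P3
# constructed sample, not a real file
3 2
255
00 00 00 000 000 000 10 20 30
40 50 60 70 80 90 100 110 120
"""
REDACTION_BOX: Box = (0, 0, 2, 1)

if __name__ == "__main__":
    for leak in find_representation_leaks(LEAKY_PPM, REDACTION_BOX):
        print("suspicious token at x=%d y=%d ch=%d: %r" % leak)
    fixed = redact_canonical(LEAKY_PPM, REDACTION_BOX)
    print("after canonical redaction:",
          find_representation_leaks(fixed, REDACTION_BOX))
```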
Urgh. Yes, stupidity can always be topped by bigger stupidity...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
If you're THAT paranoid, yes. Build a compiler just good enough to faithfully compile a compiler just good enough to compile a stage 1 Gnu compiler, etc...
If it's just the particular carrier you're paranoid of (like the person I replied to), using a compiler they haven't touched is sufficient.
If the paranoia runs even deeper, then it's impossible to prove that I don't work for THEM, so you should do the opposite of my advice and run the carrier's official release. They'll never expect that.....
Unless of course, that's what I want you to think they think you think they think...
Fnord.
as most of OS X's core functionality is open source. It's possible for them to hide something in the quartz engine or something, but backdoors in the open source code would have to make it past many more eyeballs. The OpenBSD incident of a supposed "backdoor" (can't remember if it was actually verified or not) wasn't a backdoor but simply a purposeful vulnerability to a side channel attack.
From Nixon on, the same neocon slime (and no, there's no actual difference between neocons and neolibs, the neocons just want you to believe so) keeps reappearing in the next, or future and opposite party, administrations: Larry Summers and Timothy Geithner first appear in Geo. H.W. Bush's administration, then reappear in Clinton's, Linda Chavez first appears in Jimmy Carter's, stays on for reappointment in Reagan's, then Bush #2 (the simian-looking fellow who gets almost his entire agenda enacted) tries to reappoint her in his.
And Obama reappoints Robert Mueller as FBI director, first appointed to DOJ by Bush #1 as chief of its criminal division when that BCCI investigation was getting close to the White House, then reappointed as FBI director by Bush #2 four days before 9/11/01. Interestingly, Mueller is the grandnephew of Richard Bissell, while his wife is the granddaughter of Charles Cabell (President Kennedy fired the three top guys at the CIA: Allen Dulles, Richard Bissell and Charles Cabell). And who is Timothy Geithner descended from? (Hint: on the Moore side of the family, also was a treasury secretary and once made the memorable quote that the poor should pay taxes, and only the poor should pay taxes.....)
Hm, I wonder if a smart keyboard ran its own OS, like Android, running an X client over a network to the main PC's X server, if that would secure the aggregated workstation better against keyloggers and other similar devices. Not trusting the local buses, which seem harder to secure. An Optimus keyboard might have the HW to run the OS and X client. A monitor that's just an OS and X server over a gigabit ethernet to the main PC might complete the picture. And maybe the whole thing would then run even faster.
Or maybe that all just kicks the can a little down the road, to where a keylogger or other spyware just infests the "app host" PC at the core.
--
make install -not war
I pretty much assumed that was the case when I found out the NSA has been contributing code for security to Windows and SELinux. No memos required.
Bullshit you closet closed software shill, fuck you for that misinformation or outright stupidity or whatever it is. Any single person in a group that spots a flaw in open source can point it out and others can confirm it. The important thing is that it takes one person, not all to verify it, and many people like me do read a lot of source code. I don't read it all, and others read other parts and there is a very good chance harmful things are eventually caught.
Closed source on the other hand has to be caught by a limited group with access to the code or by monitoring its actual behavior. It is orders of magnitude easier to subvert and prohibitively costly and error prone for outside inspection. It is not even close, it is not in the same ballpark, so fuck you twice more for your failed attempt to make your readers dumber.
It only took one person to find out that facebook was tracking you even when you were offline the service and spread the word, and only one person to find the rootkit in the Sony CDs and spread the word... still these two companies are enjoying their market share with almost no dent in it.
Do not underestimate the "Ah, you are exaggerating" reaction from people who are getting something for "free".
Gee... and you actually believed that things you write on postcards are private and won't be read by other people? Criminy. Email is like a post card. Unless you put it in an envelope (strong encryption) then you should assume that other people can and will read it. There's an App for that. One was called Carnivore.
The Linux kernel is 14 million lines of code alone, when I type in a password I'm guessing between the kernel, xorg and the browser at least double that. Even if only a tiny bit of the code paths are touched, what's to say there's not a trigger set up somewhere to peek at some buffers?
Let's say you're walking in a city of 14 million people. You stop at an ATM and enter your PIN. What's to say that one of those 14 million isn't watching, hoping to steal your PIN and then your money?
When you're wandering around in a city full of strangers, there are real security concerns, some of them supported statistically by the sheer impossibility of being able to trust every member of a given community. But even given those limitations, you can still maintain a decent level of confidence simply by keeping tabs on who's watching you.
But you've got other fish to fry when the bank itself says, 'You don't need to know about what security measures we've put into place. Just trust us.'
FOSS is not a cure-all, and making something open source doesn't magically make it secure or even trustworthy. The only benefit is that it makes it possible to verify. Which is more than can be said for proprietary software.
Crumb's Corollary: Never bring a knife to a bun fight.
You think /evidence/ is needed?! Undesirables not only face detention without charge or trial, they also now face state assassination. Is that legal? Who cares; it's not being challenged, is it.
you had me at #!
A backdoor could hide as a simple security bug in the network/service code. In fact you can even make it so that it's only a bug under certain conditions. Security bugs that can be used to exploit the target machine are found and fixed in OSS software all the time and nobody suspects them of being a backdoor.
there are hundreds of people from various places writing and eyeballing source and commits. those people have no incentive to get backdoors in, and if there's a black sheep, it's going to be very tricky to insert rogue code
Then please explain the reason why security bugs are found in OSS software. A backdoor is simply a security bug.
welcome our backdoor overlords, silly boy.
iTunes exploit, recently closed after being open for five years, allowed remote copying of iPhone backups
"If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"
You could, or you could, for example, assume that, because OS X isn't a mobile phone OS, they weren't asked for those sorts of backdoors and didn't provide them. Or you could assume that they've provided both sets of backdoors, independently. I.e., the "if ... then" is somewhat bogus there.
One might be better advised to ask about backdoors in any OS, especially not-completely-open-source OSes, regardless of which particular vendor they came from. As noted elsewhere, the title of the /. article could be changed to "Leaked Memo Says That RIM Provides Backdoor To Governments" or "Leaked Memo Says That Nokia Provides Backdoor To Governments" without loss of generality. It could also be changed to "...Provides Backdoor To Indian Government", as the memo says nothing about other governments; the Indian government apparently required that to allow "Indian market presence", which is not to say that other governments do not impose similar requirements.
What's special about RIM, Nokia, and Apple, I have no idea.
I don't know about that - it seems to me that if there were such an egregious back door in a commercial OS then someone at that company would have leaked that information somewhere. I know I would.
AC because I'm a coward.
Their counter suit where they find child porn on your device would hit much quicker.
I agree with the earlier comment... how can we live in a country where there's no penalty for this sort of software?
Is there anything in the newest version of your OS you wouldn't be willing to go back to a previous one over this surveillance technology?
Wouldn't you rather switch to OSS or Windows 2000?
What's holding you back? Is it DirectX11?
By mentioning that the "Mac" users wanted to know what was "under the hood", you point out that they are sheep who trust their turtle-necked shepherds. I have never had such a request on my Ubuntu Sourceforge project, although I get very specific requests, code submissions, and compliments on the readability.
You don't always need to trust them. My phone's listed here and although I only had a quick look into a few of the files out of interest (not having any OS experience), I don't need to trust them because I could go through line by line if no-one has: http://www.htcdev.com/devcenter/downloads/P100
That's why I use GCC. The code and libraries are all open source and I have even "cat * | less"ed a few of them.
The point missed, however, is motivation. Apple puts in a backdoor to retain marketshare in a country. Microsoft and Cisco do that too. Companies that put root kits on Android phones are also in this category. These motivations simply do not work for open source developers.
The money is not in the sale of open source code, but in the support. Since most open source vendors make their money supporting business and government customers, there is a disincentive to have holes. First, changes to the codebase are examined much more closely than existing code. Second, all players can see the changes, so secrets are hard to keep. Third, open source projects make their bread and butter on stability, reliability, and predictability. Adding holes is a great way to lose customers and money.
Individual and small developers are in a different but similar situation. Some code to scratch an itch. Some code because they have a niche market. It does not serve their interest to have holes, so they aggressively patch them too.
Evidence lies in the fact that the most successful attacks against open source servers involve social engineering attacks (Anonymous vs H.B. Gary, China vs. Google). Go ahead and run Wireshark on one machine, to see what the other is doing. You will understand, in time, that open source platforms are the closest that we can ever get to "Trusted Computing".
Isn't that the point? With open source, you have to be better than the best coder that might ever read your code. With closed source, you don't have to be very good at all.
and I'm discouraged that you have been modded as informative by more than one person.
here is the relevant section. please point out the clause which provides exemption for american citizens.
SEC. 1021. AFFIRMATION OF AUTHORITY OF THE ARMED FORCES OF THE UNITED STATES TO DETAIN COVERED PERSONS PURSUANT TO THE AUTHORIZATION FOR USE OF MILITARY FORCE.
(a) In General- Congress affirms that the authority of the President to use all necessary and appropriate force pursuant to the Authorization for Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) includes the authority for the Armed Forces of the United States to detain covered persons (as defined in subsection (b)) pending disposition under the law of war.
(b) Covered Persons- A covered person under this section is any person as follows:
(1) A person who planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored those responsible for those attacks.
(2) A person who was a part of or substantially supported al-Qaeda, the Taliban, or associated forces that are engaged in hostilities against the United States or its coalition partners, including any person who has committed a belligerent act or has directly supported such hostilities in aid of such enemy forces.
(c) Disposition Under Law of War- The disposition of a person under the law of war as described in subsection (a) may include the following:
(1) Detention under the law of war without trial until the end of the hostilities authorized by the Authorization for Use of Military Force.
(2) Trial under chapter 47A of title 10, United States Code (as amended by the Military Commissions Act of 2009 (title XVIII of Public Law 111-84)).
(3) Transfer for trial by an alternative court or competent tribunal having lawful jurisdiction.
(4) Transfer to the custody or control of the person's country of origin, any other foreign country, or any other foreign entity.
(d) Construction- Nothing in this section is intended to limit or expand the authority of the President or the scope of the Authorization for Use of Military Force.
(e) Authorities- Nothing in this section shall be construed to affect existing law or authorities relating to the detention of United States citizens, lawful resident aliens of the United States, or any other persons who are captured or arrested in the United States.
(f) Requirement for Briefings of Congress- The Secretary of Defense shall regularly brief Congress regarding the application of the authority described in this section, including the organizations, entities, and individuals considered to be `covered persons' for purposes of subsection (b)(2).
I highly doubt this is true. Not one of these companies would want to be a part of a government looking in on another government's information. I'm pretty sure that they would be good contenders for treason charges if this was true, and while companies have a lot of power in America, I think most of them would have trouble getting past charges like this unscathed.
That being said, if it's going across wires and isn't encrypted, you shouldn't really expect it to be considered safe information.
For me, that was always kind of a "grain of salt" piece of reading. Like, yeah, it's possible for one of the smartest programmers in the field to come up with a theoretical situation that they, and a few others in this world, could do to something like that.
Reminds me of trying to make a joke on /. there's always some fuckhead that tries to prove you're wrong in some edge case that rarely exists in the real world, kinda missing the whole point it was a joke, jumping to prove you wrong.
I also like to do a lot of monitoring of the assembly during debugging, and have a fairly good idea what's going on there, and if I do that, I would hope that the folks making my beloved Linux kernel code and GNU compilers are doing the same, and are giving the community their best efforts to ensure a truly free, safe and secure system. These are people dedicating their lives to computing freedom for exactly those backdoor reasons. If there's anyone you can trust it's them AFAIC. I have also looked over many KLOAssembly from the GNU compiler and I think there are enough people like me using this GNU stuff that it wouldn't be able to hide for long. There's more than one person who knows what's going on with it at every level of detail, and the (hashed) same copies are used everywhere.
And there's too many bugs in the PC based system as a whole to make it worth the risk. It would be found, and that commit would easily identify you to the community.
BTW not calling you a fuckhead for posting that link. Was referring to the paper you linked, and not calling him a fuckhead either:). Was speaking of the AC random fuckhead from /. always...
Cheers
If you are not the intended recipient of this email, someone posted the wrong public key!
Bush, Obama, Romney.
It no longer matters who you vote for, they are all owned.
You forgot Ron Paul. Voting for the Constitutional position for decades. Often as the only vote against some usurpation (leading to the informal title "Dr No!".)
Ron Paul argued against this bill (though he did not interrupt his presidential campaign to cast a house vote against it - which would have been purely symbolic given the landslide). His son Rand was one of only 17 senators to vote against it.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Fails as a good government backdoor. Considering the speed governments react at, it's far too uncertain and the "blind" window would be amazing. Not to mention that it might tip off someone if the "bugs" are introduced by the same source every time, they just might revoke your permission to edit the source, locking you out altogether.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why is it difficult for the citizens to comprehend the fact that every regime prefers you to be subservient and defenseless?
Slashdot = Sarcasm
Big Brother is always watching.
Fails as a good government backdoor. Considering the speed governments react at, it's far too uncertain and the "blind" window would be amazing.
Your first argument was how such a mis-feature was hard to introduce in OSS software because so many people audit the code (this is patently false, as security bugs are found and fixed in OSS software all the time). I provided a very simple scenario where somebody could get a Linux contributor to include a hard/impossible to detect security bug in normal, working, useful code that is only triggered under the right conditions (which of course are chosen such that they won't show up in normal testing and usage of the code).
Now you claim that governments because of some intrinsic qualities are incapable of such sophistication. Your argument has now shifted to the probability of whether this is possible rather than the actuality of such an event. You seem to be only interested in your own little rhetoric victory rather than discussing the original point I replied to.
Not to mention that it might tip off someone if the "bugs" are introduced by the same source every time, they just might revoke your permission to edit the source, locking you out altogether.
The record for bugs is public - and without even looking I can bet you we can find many contributors who have accidentally (in most likelihood) introduced numerous bugs in the Linux code.
"If Apple is providing governments with a backdoor to iOS, can we assume that they have also done so with Mac OS X?"
Yes and no. It's called 1394 (Firewire), and it has DMA access to read/write anything it wants, which includes retrieving encryption keys from RAM of a running system, or tweaking a few bits here and there to kill a locked screensaver, for example.
When you read papers on high security environments that disable hardware ports by filling them with epoxy etc., this is what they are trying to stop (aside from obvious uses like copying files to something like a thumbdrive).
Enjoy! :)
Even Linux allowed rooting via USB, so....
Fandroids hate facts.
...on a computer you built yourself from raw materials.
No problem: the radio CPU can't access anything on the application CPU (without support software on the application CPU, and here we assume the app CPU software is open source). So the only thing the radio CPU can snoop is the data traffic going over the wireless interface. Which is already visible to the network operator anyway. So there's not much point in hacking the radio chip, it's much much easier to snoop at the network level.
i.e. do you do business with IBM? because when that situation happened with them, they said 'ok, we will fire some jews'.
Since the bills coming up show only the changes, maybe it is past time to move to a version control system like Bazaar or Subversion.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
As to the burden to grasp a contract, it's a lot more complicated than that.
Contract law is very keen on context. The context of a contract is relevant as is the participants in the contract.
As to my knowledge of the matter, I have three contract lawyers in my family. They each either have or have retired from successful careers in major corporations such as Disney. In fact, one of them was sorta involved in the very work Disney went through to get Mickey's copyrights extended.
So while I personally can't claim to be an expert, it is an issue I've discussed at length with people far more likely to have a clue than you. And each of them agreed that EULAs would be very hard to enforce on individuals. Specifically, that while the gross nature of the EULA might be relevant, obscure passages and clauses in the EULA would likely be impossible to enforce. That is, the EULA might be able to protect the corporation from certain types of liability but they probably would not be able to grant the corporation the right to your data or other issues.
They also if you're interested were not happy about what happened with Mickey. Most lawyers are not aholes despite popular depictions. The problem is that the executives ordering them around are frequently aholes. At least according to them. And if the boss says "make this happen" it's your job to go out there and do it. So that's what they did. They were actually surprised they succeeded since they were pretty much convinced it was a waste of time.
Anyway, while of course they are strong on the point that it is generally upon the burden of the signer to know what they are signing... the law makes allowances for circumstances where that is unreasonable.
The term reasonable is very very very very important. Corporations generally do not have this protection. But individuals apparently can use it. Think of it like the special considerations a defendant is given if he decides to represent himself in court. He isn't required to comport himself with all the rules that a licensed lawyer is required to maintain. It is understood that the individual cannot reasonably be expected to be as good at the law or understand court procedure to the level of an actual lawyer. As such, he is held to a lower and more reasonable standard. Contract law has similar systems of addressing what is and is not reasonable.
If a signer could not reasonably understand a document before signing, then it will not survive challenge in court. For example, if I don't speak English then it's likely that any document I sign in English will be suspect unless there is some documentation that proves it was provided in an intelligible format. Perhaps the notary was fluent in Spanish and simply explained every part of the document line by line to me and initialed as they went along.
The legality and enforceability of EULAs has been an issue for many years. How many times do you think a EULA has successfully been used against a consumer or individual on the basis of them clicking "OK"? Practically never.
But it's more complicated than that. Another issue courts care about is little things like showing damage. Whatever a EULA says, it's very hard to actually show damages in a software case where a EULA would be relevant, especially between a corporation and an individual. I mean, why are we arguing about something? Is it just for giggles? Are you having a good time? Because courts don't like that either. They like to deal with issues where there is some material grievance. Something that is actual in reality and not something totally made up. Because if they talk about made up stuff that's all they'll do. So they like to keep it to real things where real things happened to other real people in reality.
I am not a lawyer. I am certain I have misstated, overstated, understated, and mischaracterized various elements of what I have said out of my own personal ignorance. That said, I have consulted what a court would consider experts on this subject and it was their opinion that I base mine on.
What are you basing your opinion on? Because I keep seeing people reference a South Park episode and all things considered it lacks weight as a legal argument.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Well... first, I don't know how they'd sue you for contraband on the machine since it isn't something the company has any stake in either way. Though I suppose they could blackmail you.
As to penalty, we need to show damages... or it has to be actually against the law. It might be against the law for all I know. There are so many laws in this country that neither the lawyers nor the lawmakers really know what is going on anymore. They know the law as it is practiced and enforced of course, but that doesn't mean there isn't some forgotten law buried in the stacks that somehow makes all this illegal already.
Anyway, there is a reason for putting backdoors into programs. Any programmer working on something does it because you don't like getting locked out of your own program. You want a fail safe. A "go to hell" plan that lets you get access no matter what because sometimes everything goes wrong and you need access now or you're going to get fired. So you put in a back door.
The problem with the backdoors is that they really really really shouldn't be secret. By all means, have them. But make them public and obvious. Idiots won't disable them and that's good because idiots are the ones that forget their passwords and need someone to ride to the rescue and use the backdoor to unlock all their stuff. Anyone halfway competent should be made aware of the backdoors during or immediately after installation... be given some means to easily disable them or change the authentication information used to access them so that they become THEIR backdoor rather than some fellow at the company's.
Anyway... I think we'll all shift to Linux at some point. Linux isn't ready yet for prime time despite what the Linux gurus say. When you'd feel comfortable giving it to your grandmother is when it's ready. I'd feel comfortable giving Windows or MacOS to my grandmother but I love her too much to subject her to Linux. It has major polish issues. Ubuntu has come a long way to fix that but it needs to come the rest of the way.
When that happens I think some of these backdooring problems will be a problem of the past.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Remember folks, you took the pill. You set up MS as the bad guy, set up iOS as the "good" guy. And swallowed their crap. Now you gotta live with it.
Some of you programmers may recall a language called "machine assembly", that's how old I am. I've looked at codes and programs since then. Now is not better.
Governments are devolving, returning to the basic government of pre-Magna Carta, where the baddest dude is the boss of all. But the baddest dude wants the advantages of a modern society. After all, ice cream is a 20th century invention. Before that was ices. Take us too far back and no electricity or batteries.
Against a single individual yes. Against all phones by RIM, Apple, Nokia...
You can't go out and drug and beat with a wrench millions of people to defeat crypto. (Well you could, but people would probably get really mad)
Whereas you can simply spy on everyone without.
Sure they can single someone out for drug/beatings, but they are probably going to do that anyway, and having or not having crypto will probably make very little difference.
It's the underhanded C contest.
Many of the image-processing solutions were very clever ways of hiding bugs in code. Some were more likely to pass a code review than others. Many of them would not really pass dedicated testing. The winning entry that you mention does character-substitution in an ASCII PPM file, replacing all digits with zeroes. If you look at the file in an image browser, it's actually redacted. If you look at the file in a text editor and have security in mind, you will immediately be very suspicious. The nice bit is that the code is very short and the error subtle enough that it's very easy to overlook the problem.
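The weakness described in that comment is worth seeing concretely. Below is an added example (my own code, not the contest entry and not from the page): a constructed 3x1 ASCII PPM, a textual digit-for-zero redaction of the kind described, a value-level redaction that re-encodes every sample as a single "0", and two audit checks a reviewer can run on the output. The first check flags samples spelled with a leading zero, which a correctly written PPM never needs; the second shows how much of each original sample's magnitude the token length alone gives away. Function names and the sample image are assumptions for this example.

```python
import re
from typing import List, Tuple

# Constructed 3x1 pixel ASCII PPM (P3) sample; not taken from the page or the contest.
SAMPLE_PPM = "P3\n3 1\n255\n255 0 0  12 200 34  7 7 7\n"


def parse_ppm(text: str) -> Tuple[List[str], List[str]]:
    """Split an ASCII PPM into its four header tokens and the raw sample tokens.
    Samples stay as strings so that their spelling ('0' vs '000') can be inspected.
    '#' comments are stripped first, as the format allows them."""
    stripped = re.sub(r"#[^\n]*", "", text)
    tokens = stripped.split()
    if len(tokens) < 4 or tokens[0] != "P3":
        raise ValueError("not an ASCII (P3) PPM")
    width, height, maxval = (int(t) for t in tokens[1:4])
    samples = tokens[4:]
    if len(samples) != width * height * 3:
        raise ValueError("sample count does not match width*height*3")
    for s in samples:
        if not s.isdigit() or int(s) > maxval:
            raise ValueError(f"bad sample {s!r}")
    return tokens[:4], samples


def _emit(header: List[str], samples: List[str]) -> str:
    return "\n".join([header[0], f"{header[1]} {header[2]}", header[3],
                      " ".join(samples)]) + "\n"


def leaky_redact(text: str) -> str:
    """The flawed scheme from the comment: every digit becomes '0', so '255'
    turns into '000' while '7' turns into '0'. The image renders black, but
    the token lengths still reveal the magnitude of each original sample."""
    header, samples = parse_ppm(text)
    return _emit(header, [re.sub(r"\d", "0", s) for s in samples])


def safe_redact(text: str) -> str:
    """Overwrite the sample values, not their spelling: re-encode each as the
    single token '0', so nothing about the original survives in the text."""
    header, samples = parse_ppm(text)
    return _emit(header, ["0" for _ in samples])


def find_padded_zeros(text: str) -> List[int]:
    """Audit check: indices of samples written with a leading zero ('00', '000').
    A PPM writer never needs one, so their presence indicates the file was
    edited textually rather than re-encoded from redacted pixel values."""
    _, samples = parse_ppm(text)
    return [i for i, s in enumerate(samples) if len(s) > 1 and s[0] == "0"]


def magnitude_bands(text: str) -> List[Tuple[int, int]]:
    """What token lengths alone give away: the decimal band of each original
    sample (1 digit: 0..9, 2 digits: 10..99, 3 digits: 100..maxval)."""
    header, samples = parse_ppm(text)
    maxval = int(header[3])
    return [(0, 9) if len(s) == 1
            else (10 ** (len(s) - 1), min(10 ** len(s) - 1, maxval))
            for s in samples]


if __name__ == "__main__":
    leaked = leaky_redact(SAMPLE_PPM)
    print("leaky output:", repr(leaked))
    print("padded-zero samples:", find_padded_zeros(leaked))
    print("bands recoverable from lengths:", magnitude_bands(leaked))
    print("padded-zero samples after safe redaction:",
          find_padded_zeros(safe_redact(SAMPLE_PPM)))
```

Run as a script it prints the flawed output, the indices the audit flags, and an empty list for the re-encoded version. The general lesson is the one the comment hints at: redaction must operate on decoded values and then re-serialize, never on the text of an encoding, because encodings carry side channels (here, digit count) that a viewer does not display.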
Gov't spying, yet another violation of our rights. The gov’t constantly violates our rights.
They violate the 1st Amendment by caging protesters and banning books like “America Deceived II”.
They violate the 4th and 5th Amendment by allowing TSA to grope you.
They violate the entire Constitution by starting undeclared wars.
Impeach Obama, support Ron Paul.
Last link of “America Deceived II” before it is completely banned:
http://www.amazon.com/America-Deceived-II-Possession-interrogation/dp/1450257437
The article states it's RIM, Nokia, and Apple, and the blurb states that, too. So why were RIM and Nokia left out of the title of this post?
And if it's not a product you want to use then it's not your problem and not your vote.
I would not be so sure about this... Look at these APU specs: http://www.stericsson.com/products/u8500-novathor.jsp
It emulates a modem for the phone OS to control the radio, but it also uses a bus in the SoC to move the data between the radio and the SoC for performance reasons.
Jehovah be praised, Oracle was not selected
The diagram may be a bit misleading. If I understand correctly, this STE chip uses two separate dies in the same package connected with a chip-to-chip (C2C) interface. Keeping the modem and application parts on different packages is common in high-end chips, where you can afford the extra cost and it's more flexible as you can easily upgrade each part independently. That's how it's done too in SnapDragons IIUC.
Now you could be right: the C2C (and its future extension MIPI LLI) allows the modem to access the AP memory. The idea is to save an SDRAM component on the BOM, as the modem no longer needs its own memory. If it's not done carefully, the modem could indeed access the AP RAM (same as if it's on the same die on a bus). Kind of like the Firewire DMA security issue where a Firewire device can access the whole of a host PC memory (ouch).
However, I sure do hope there is access control in the implementation to make it impossible for the modem to access anything but its dedicated part of the common SDRAM, controlled from the AP, which is the master in the system. The reason is not so much to enforce privacy, but to make the system more reliable and easier to debug. Imagine if a bug on the modem could corrupt the AP part of memory... With modem and AP software handled by different (and large) teams, this would be a nightmare.
But this reliability concern applies equally well to Firewire, and well... protection hasn't been enforced. So yes, there could be a way in some systems for the modem to access the AP memory. It's pretty poor engineering IMHO, and I don't think it'd ever be done intentionally: supporting a spying feature based on this would just be too costly really for the chip companies and they have no interest in this (already so much on their plate...).
Replying to myself... If one is really paranoid, then any system using C2C, LLI or integrating the modem with the AP part on the same die cannot be trusted indeed as JonySuede points out. Even if there is memory protection controlled from the AP, which could be verified if the AP software is open source, you would have to trust that the hardware protection works as intended and cannot be bypassed by the modem firmware.
In practice I don't believe this would happen. Too complex, too costly, almost impossible to keep secret. Making the modem and AP part well isolated is really what makes sense.
Well, thanks for the detailed explanation. And the effective summarization of my point: you have to trust the hardware to do its job at some point!
Jehovah be praised, Oracle was not selected
Informing others about this scumbag punk gmhowell (who thinks it's cool to harass others online, with his diabetic fatass pal tomhudson).
"I've been trolling people for 36 years. Why would I stop now? I've also never denied trolling you. Why would I?" - by gmhowell (26755) on Sunday April 17, @05:03AM (#35846218) Homepage
QUOTED VERBATIM DIRECTLY FROM -> http://slashdot.org/comments.pl?sid=2087330&cid=35846218
"I never denied trolling you" - by gmhowell (26755) on Tuesday December 14 2010, @01:55AM (#34543612) Homepage Journal
QUOTED VERBATIM DIRECTLY FROM -> http://slashdot.org/comments.pl?sid=1907528&cid=34543612
gmhowell posts journal on trolling myself, years ago now -> http://slashdot.org/journal/266768/the-best-thing-about-trolling-apk
PERTINENT QUOTE/EXCERPT:
"The best thing about trolling APK?" - http://slashdot.org/journal/266768/the-best-thing-about-trolling-apk
QUOTED VERBATIM FROM -> http://slashdot.org/journal/266768/the-best-thing-about-trolling-apk
---
gmhowell says he will stop next below (after I got on his case) too:
"But seriously, I may stop" - by gmhowell on Thursday June 16, @09:38PM (#36470452) Attached to: The best thing about trolling APK?
and
"Hmm... Maybe oughta lay off for a while." - by gmhowell (26755) on Thursday June 16, @09:38PM (#36470452) Homepage
I took him @ his word, & then laid off on retrolling him, but?
gmhowell starts up YET again (now by AC posts only)!
Proof? Ok, this week -> http://slashdot.org/journal/276148/now-this-is-entertaining
---
gmhowell's part of the "trolltalk.com" crew (a domain tomhudson, a total scumbag troll actually keeps no less).
gmhowell hangs around with (or is just another alternate registered 'luser' guise tomhudson keeps) tomhudson, a known troll
(tomhudson = a miserable fat diabetic wreck too that can't program for shit & *thinks* she can but hasn't been noted for it in anything in publication in the realm of the computer sciences, fact)!
Example:
"Wait until he starts on another kick, then reply to him as an AC. It's the new meme". - by tomhudson (43916) on Sunday May 09 2010, @08:29PM (#32150544) Homepage Journal
QUOTED VERBATIM DIRECTLY FROM -> http://slashdot.org/comments.pl?sid=1646272&cid=32150544
"BTW - if you're going to tell this guy to stop spamming his hosts file crap, make sure you do it anonymously" - by tomhudson (43916) on Saturday April 16 2011, @11:45AM (#35840680) Journal
QUOTED VERBATIM DIRECTLY FROM -> http://slashdot.org/comments.pl?sid=2086920&cid=35840680
---
(This "trolltalk.com" pack of weasels? Heh - They're all "scumbags of a feather that flock together")
---
gmhowell & crew from trolltalk.com also CHEAT THE MODERATION SYSTEM HERE, & others noted it also -> http://slashdot.org/comments.pl?sid=2236608&cid=36442386
"I do whatever amuses me at the moment. Sometimes that i
Let's say you're walking in a city of 14 million people. You stop at an ATM and enter your PIN. What's to say that one of those 14 million isn't watching, hoping to steal your PIN and then your money?
The difference is that you don't pass your PIN around between an unknown number of those people to get to the ATM, you put it there directly yourself. And if you're worried about some people peeking then you cover it with your hand or a cloth if you're really paranoid and no-one sees.
Maybe someone could ask Michael Riconosciuto how he successfully wrote a backdoor into the DOJ-stolen Inslaw PROMIS software sold worldwide to other governments and went unnoticed. Of course you will have to ask him in the prison they have him protected in. You open a backdoor when you allow updates to software. Nothing new here.