You can read Morganstein's full letter here. [PDF alert]
I read Morganstein's letter. I will repeat what I wrote above: what the bill calls for to be publicly available is the science (i.e. the methodology) and the data. Personal details are not part of the data!!! Those are administrative details.
Just as Morganstein says, simply stripping names is not always enough to de-personalize data. But other methods are easily available.
To meet the strict letter of the law, the EPA must publish my SSN, DOB, and medical history, or they can't use the study.
Please show us exactly where it says this.
In a medical study, your SSN, DOB, and (non-anonymized) medical information are not data. In fact they are mostly irrelevant to the actual DATA of the study. Your approximate DOB may be important, and your medical history (and I very highly doubt they would require a complete medical history) might be relevant, but your name or SSN? Fucking hardly.
From the full article, the law as written, would bar the EPA from using any studies involving confidential patient information unless they were made public.
This is really reaching, by anybody's standards. I read the article, and Morganstein's letter.
The language of the bill calls for "publicly available science". It does not say that the subjects of any studies cannot be kept confidential. That's just malarkey.
As I wrote above: such studies or surveys, by their very nature, are presumed to be repeatable. The idea is that anyone else who conducted such a study, with a similar but separate sample of individuals, would come up with the same results. After all: that's what the studies are for.
To the best of my knowledge, it doesn't anywhere say that study subjects cannot be anonymous. The only thing that can't be anonymous or secret are the authors and their methodologies.
I don't mind honest debate about the issue, but the idea that the statement "publicly available" could reasonably apply to study subjects is a pretty long and thin stretch of the imagination.
What's also not common sense is that this would keep EPA from using health studies from confidential sources. By their very nature, such studies are presumed to be repeatable; if not, then the researcher(s) are using questionable statistical methods at best. Like biased sampling methods, for example.
There is nothing in there that would preclude using decent studies which used non-controversial methodology. Whether the subjects of the studies remain confidential, or not.
The obvious target is to tie up all EPA regulations until courts have confirmed the reproducibility of the data used to base the decision on. It will fall to the EPA to prove their data is reproducible by someone who wishes to not reproduce it. Everything else would be illegal.
The language of the bill is very clear. It is intended to do what it says: make sure our regulatory bodies (employees of The People) are making their decisions based on publicly available, sound science.
Why should they be able to keep their "science" secret, as they have? That's obviously a non-starter. Especially when they're attempting to shove the most expensive regulations in history off on the public.
My point was that IF they were being used to dazzle IR cameras, they're pointless because IR cameras wouldn't see your face behind the glasses anyway. They might recognize A face, but not YOUR face.
Also, not mentioned earlier but just as cogent: IR blasters wouldn't work on most halfway decent cameras anyway, because they have IR filters on them... precisely because IR messes up the exposure.
He reported it AFTER exploring it en mass, and while his motives *may* have been pure... the degree he went to can and were used to harm him.
Contrary to what was reported from many sources, he DID go to them first, before publishing the exploit. The fault for not fixing it immediately rests on them, not him.
What he did was normal curiosity. Hell, I've done it. In fact I don't know of any web or security professionals who haven't. Got an ID in the URL? Increment it by one, see what happens. We all do it.
Granted, we don't normally explore it to the degree he did. But what he did was ridiculously simple, and hardly even deserves the term "hacking" at all. What THEY did was akin to leaving the back gate open and putting out a sign that says "Come on in!", then complaining about it when someone did.
Anyway, I'll repeat what I said about my own experience: I didn't need to go "fishing" for information in that case. It was being sent TO ME, just in a non-obvious way. I stumbled across it, I didn't go looking for it or trying to exploit it. I sure could have, though.
The point of the emitters is not block IR but screw up the camera's exposure.
The point of my comment was that with IR cameras, that's probably not necessary.
If you had large, flat, regular glass lenses, IR cameras would not see your facial features behind them.
But if it's about screwing up regular cameras with IR (because most digital cameras are sensitive to IR to some degree), that's a different matter. But the idea still has problems because most "regular" digital cameras have IR filters on them anyway, for precisely the reason that IR screws up exposure. So I still don't see the point.
How would you imagine than an IR emitter would block IR, in any case? The emitters are there to dazzle IR-sensitive cameras.
You missed my point.
I simply meant that large glass lenses -- even those clear to visible light -- will serve to hide any facial features behind them to IR. It probably wouldn't stop recognition of a face, but it would probably be sufficient to obscure your face.
I noticed in the pictures given as illustration, that was not true. Eyes were clearly visible behind the lenses. So either the lenses are not normal glass, or those pictures weren't actually involving much in the infrared spectrum.
It would be nice to be able to comment on YouTube videos (even reply/respond to comments on my OWN videos), but I refuse to switch to G+ and give them that info.
Exactly. I didn't use Google+. I didn't WANT to use Google+. When Google tried to force everyone to use one identity (which didn't work, by the way), my response was simply to stop commenting on YouTube, and stop using Google+ altogether.
There is one person -- and only one -- who now occasionally chats with me via Google Hangouts, and I'm trying to quash that use as well.
All in all, it was a dick move on Google's part, and it drove users away in, well, droves. Have you notices how FEW comments there are on YouTube now, compared to before that switch?
I have been slowly but surely divorcing myself from Google's services. Now, they want to be the judge of how "factual" web pages are, based on dubious methodology. No thanks.
So it looks like Google Search will be the next to go.
Nobody took computer security seriously back in 2001. Things have changed a lot since then.
I have to agree with you in general, but banks should have been concerned about it. Online banking was a fairly new thing, but even then, I am pretty sure this mistake violated Federal regulations.
Wrong. You are the one trying to rewrite history. Japan did NOT want a war with the USA, instead believing that U.S. people had little resolve for war, and that knocking out Perl Harbor would remove U.S. presence and influence from South Pacific, so Japan could continue its colonization plan in Asia.
I have to agree with HornWumpus. Maybe it's a matter of terminology, but their expectation that America would itself not want to engage in war, is not the same as not wanting to go to war with America. Pearl Harbor was an act of war. You seem to be denying that.
But I'm willing to chalk it up to misunderstanding.
In my own (quite extensive) experience working in distributed teams, you're almost never going to find the entire team using OS X; it's a near certainty that all OSs will be represented, so a single-platform solution is a non-starter, no matter how good it may be.
I don't know that I'd agree with "almost never". In my own experience, also extensive, and also distributed, most of the people I have had need to use a whiteboard with were already using OS X. It has a disproportionate presence among developers, although Apple lately seems less willing to support its developer base.
At the same time, I won't pretend that my own experience represents the typical situation. I'm not going to claim it's everybody's thing. Which is why I wrote "IF you're on OS X..."
Your glibly dismissive attitude overlooks so much, but instead of answering the points you play affronted, thereby not answering the points raised. You know damn well you were wrongly dismissive.
You didn't MAKE any points. Instead, you argued with something I didn't say. I merely stated that it USUALLY doesn't work that way, and explained why. My description was accurate. I didn't say it was impossible. But you glibly assumed that it was LIKELY. It was not.
Notorious troll Weev" did the above (although he went to the media FIRST apparently) and included the exposed data, and as a result was sentenced to 41 months in federal prison and $73,000 in restitution. The EFF and many others condemned the prosecution.
Very different situation. This leak was TO computers, and didn't involve going to "unauthorized" addresses. The information was right there on your local machine if you knew where to look. No remote exploration necessary. I would rather not discuss the details but if you knew them I am sure you would agree that it was alarmingly stupid.
Agreed, though, that Weev was railroaded. He did nothing wrong except to piss off powerful people. It was (is) a travesty of justice. Same with Aaron Swartz.
Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank themselves don't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.
I probably should have done this. I didn't WANT to create a stink, but by the end of this sequence of events I was just plain dumbfounded that they would be -- pardon my language -- so fucking stupid.
When going to the paper didn't work, I probably should have contacted the authorities. Instead, I just switched to another bank.
As many already pointed out: you can not trust the firmware image provided by the drive itself, for the simple reason that you have to talk to the very firmware you try to verify, and which may be compromised.
I don't buy it. The fact that you can upgrade firmware implies that the hardware exists for you to read as well as write the raw contents, without having to interact with those contents. It's a simple matter of reading sequential memory locations.
Writing firmware that upgrades other firmware would be an exercise in silliness. First: its function is fixed and should never need to be changed (if the design wasn't blatantly half-assed to begin with), and second, a PLA or other other write-once chip is simpler and cheaper than a general-purpose processor.
More importantly, has Congress delegated their authority over this specific issue to the FCC?
I'm not sure it's more important. As I mentioned elsewhere, SCOTUS has established clear precedent that the duration of a wrong act does not in turn make it legitimate. So it could be that way for 100 years, and still wrong, and able to be overturned.
How in the world do you manage to make the jump from: "The Congress shall have Power... To make all Laws which shall be necessary and proper for carrying into Execution the foregoing Powers" (emphasis mine) to "whatever it takes to run the country and enact the peoples will, they can do."
As GP said, we've been through this a dozen times. And each of those times, he has made the same flat claims with no supporting evidence.
He doesn't know the history or meaning of the necessary and proper clause, and he thinks the general welfare clause was a permissive one, despite the overwhelming historical proof otherwise. Not to mention the interstate commerce clause. I don't even bother to argue with him about it anymore. It's a waste of time, except when it might be valuable for others to read.
Slashdot Mirror
You can read Morganstein's full letter here. [PDF alert]
I read Morganstein's letter. I will repeat what I wrote above: what the bill calls for to be publicly available is the science (i.e. the methodology) and the data. Personal details are not part of the data!!! Those are administrative details.
Just as Morganstein says, simply stripping names is not always enough to de-personalize data. But other methods are easily available.
This is a non-issue.
To meet the strict letter of the law, the EPA must publish my SSN, DOB, and medical history, or they can't use the study.
Please show us exactly where it says this.
In a medical study, your SSN, DOB, and (non-anonymized) medical information are not data. In fact they are mostly irrelevant to the actual DATA of the study. Your approximate DOB may be important, and your medical history (and I very highly doubt they would require a complete medical history) might be relevant, but your name or SSN? Fucking hardly.
From the full article, the law as written, would bar the EPA from using any studies involving confidential patient information unless they were made public.
This is really reaching, by anybody's standards. I read the article, and Morganstein's letter.
The language of the bill calls for "publicly available science". It does not say that the subjects of any studies cannot be kept confidential. That's just malarkey.
As I wrote above: such studies or surveys, by their very nature, are presumed to be repeatable. The idea is that anyone else who conducted such a study, with a similar but separate sample of individuals, would come up with the same results. After all: that's what the studies are for.
To the best of my knowledge, it doesn't anywhere say that study subjects cannot be anonymous. The only thing that can't be anonymous or secret are the authors and their methodologies.
I don't mind honest debate about the issue, but the idea that the statement "publicly available" could reasonably apply to study subjects is a pretty long and thin stretch of the imagination.
What's also not common sense is that this would keep EPA from using health studies from confidential sources. By their very nature, such studies are presumed to be repeatable; if not, then the researcher(s) are using questionable statistical methods at best. Like biased sampling methods, for example.
There is nothing in there that would preclude using decent studies which used non-controversial methodology. Whether the subjects of the studies remain confidential, or not.
The obvious target is to tie up all EPA regulations until courts have confirmed the reproducibility of the data used to base the decision on. It will fall to the EPA to prove their data is reproducible by someone who wishes to not reproduce it. Everything else would be illegal.
The language of the bill is very clear. It is intended to do what it says: make sure our regulatory bodies (employees of The People) are making their decisions based on publicly available, sound science.
Why should they be able to keep their "science" secret, as they have? That's obviously a non-starter. Especially when they're attempting to shove the most expensive regulations in history off on the public.
The insult is the implication that no one uses Google+, thus only nobodies would actually be there.
And when did I imply any such thing? I'm think you read more into my comment than I actually wrote.
What I did write, was that there are obviously fewer comments on YouTube as a result of that action.
My point was that IF they were being used to dazzle IR cameras, they're pointless because IR cameras wouldn't see your face behind the glasses anyway. They might recognize A face, but not YOUR face.
Also, not mentioned earlier but just as cogent: IR blasters wouldn't work on most halfway decent cameras anyway, because they have IR filters on them... precisely because IR messes up the exposure.
He reported it AFTER exploring it en mass, and while his motives *may* have been pure... the degree he went to can and were used to harm him.
Contrary to what was reported from many sources, he DID go to them first, before publishing the exploit. The fault for not fixing it immediately rests on them, not him.
What he did was normal curiosity. Hell, I've done it. In fact I don't know of any web or security professionals who haven't. Got an ID in the URL? Increment it by one, see what happens. We all do it.
Granted, we don't normally explore it to the degree he did. But what he did was ridiculously simple, and hardly even deserves the term "hacking" at all. What THEY did was akin to leaving the back gate open and putting out a sign that says "Come on in!", then complaining about it when someone did.
Anyway, I'll repeat what I said about my own experience: I didn't need to go "fishing" for information in that case. It was being sent TO ME, just in a non-obvious way. I stumbled across it, I didn't go looking for it or trying to exploit it. I sure could have, though.
It wasn't like that. THEY were spilling information. I wasn't going looking for it.
Now if you seem to be insulted by my saying thing, think how the Google+ users feel insulted by what you say.
Why should I be insulted? You do as you please. I don't particularly care one way or the other.
Also, why should anybody else be insulted just because I don't want to use Google+??? I mean, I didn't even say why. I just didn't want to.
The point of the emitters is not block IR but screw up the camera's exposure.
The point of my comment was that with IR cameras, that's probably not necessary.
If you had large, flat, regular glass lenses, IR cameras would not see your facial features behind them.
But if it's about screwing up regular cameras with IR (because most digital cameras are sensitive to IR to some degree), that's a different matter. But the idea still has problems because most "regular" digital cameras have IR filters on them anyway, for precisely the reason that IR screws up exposure. So I still don't see the point.
How would you imagine than an IR emitter would block IR, in any case? The emitters are there to dazzle IR-sensitive cameras.
You missed my point.
I simply meant that large glass lenses -- even those clear to visible light -- will serve to hide any facial features behind them to IR. It probably wouldn't stop recognition of a face, but it would probably be sufficient to obscure your face.
I noticed in the pictures given as illustration, that was not true. Eyes were clearly visible behind the lenses. So either the lenses are not normal glass, or those pictures weren't actually involving much in the infrared spectrum.
I explicitly asked about requirements for encryption and they had none.
I have intentionally chosen not to reveal what the actual problem was. But believe me, it was worse than just lacking encryption.
It would be nice to be able to comment on YouTube videos (even reply/respond to comments on my OWN videos), but I refuse to switch to G+ and give them that info.
Exactly. I didn't use Google+. I didn't WANT to use Google+. When Google tried to force everyone to use one identity (which didn't work, by the way), my response was simply to stop commenting on YouTube, and stop using Google+ altogether.
There is one person -- and only one -- who now occasionally chats with me via Google Hangouts, and I'm trying to quash that use as well.
All in all, it was a dick move on Google's part, and it drove users away in, well, droves. Have you notices how FEW comments there are on YouTube now, compared to before that switch?
I have been slowly but surely divorcing myself from Google's services. Now, they want to be the judge of how "factual" web pages are, based on dubious methodology. No thanks.
So it looks like Google Search will be the next to go.
BUT, also...
Regular old glass blocks the vast majority of infrared. No special IR "emitters" are necessary. The lenses just look black to IR cameras.
Here's just one example which illustrates this very well.
Correction: it wasn't a "mistake". It was intentional. It was just half-assed design.
Nobody took computer security seriously back in 2001. Things have changed a lot since then.
I have to agree with you in general, but banks should have been concerned about it. Online banking was a fairly new thing, but even then, I am pretty sure this mistake violated Federal regulations.
Wrong. You are the one trying to rewrite history. Japan did NOT want a war with the USA, instead believing that U.S. people had little resolve for war, and that knocking out Perl Harbor would remove U.S. presence and influence from South Pacific, so Japan could continue its colonization plan in Asia.
I have to agree with HornWumpus. Maybe it's a matter of terminology, but their expectation that America would itself not want to engage in war, is not the same as not wanting to go to war with America. Pearl Harbor was an act of war. You seem to be denying that.
But I'm willing to chalk it up to misunderstanding.
In my own (quite extensive) experience working in distributed teams, you're almost never going to find the entire team using OS X; it's a near certainty that all OSs will be represented, so a single-platform solution is a non-starter, no matter how good it may be.
I don't know that I'd agree with "almost never". In my own experience, also extensive, and also distributed, most of the people I have had need to use a whiteboard with were already using OS X. It has a disproportionate presence among developers, although Apple lately seems less willing to support its developer base.
At the same time, I won't pretend that my own experience represents the typical situation. I'm not going to claim it's everybody's thing. Which is why I wrote "IF you're on OS X..."
Your glibly dismissive attitude overlooks so much, but instead of answering the points you play affronted, thereby not answering the points raised. You know damn well you were wrongly dismissive.
You didn't MAKE any points. Instead, you argued with something I didn't say. I merely stated that it USUALLY doesn't work that way, and explained why. My description was accurate. I didn't say it was impossible. But you glibly assumed that it was LIKELY. It was not.
End of discussion.
Notorious troll Weev" did the above (although he went to the media FIRST apparently) and included the exposed data, and as a result was sentenced to 41 months in federal prison and $73,000 in restitution. The EFF and many others condemned the prosecution.
Very different situation. This leak was TO computers, and didn't involve going to "unauthorized" addresses. The information was right there on your local machine if you knew where to look. No remote exploration necessary. I would rather not discuss the details but if you knew them I am sure you would agree that it was alarmingly stupid.
Agreed, though, that Weev was railroaded. He did nothing wrong except to piss off powerful people. It was (is) a travesty of justice. Same with Aaron Swartz.
Banks are regulated (at least, they are around here), so take it to the regulatory commission if the bank themselves don't do anything. Also, for most companies, unless it is in writing, it didn't happen. Don't call. Snail-mail.
I probably should have done this. I didn't WANT to create a stink, but by the end of this sequence of events I was just plain dumbfounded that they would be -- pardon my language -- so fucking stupid.
When going to the paper didn't work, I probably should have contacted the authorities. Instead, I just switched to another bank.
As many already pointed out: you can not trust the firmware image provided by the drive itself, for the simple reason that you have to talk to the very firmware you try to verify, and which may be compromised.
I don't buy it. The fact that you can upgrade firmware implies that the hardware exists for you to read as well as write the raw contents, without having to interact with those contents. It's a simple matter of reading sequential memory locations.
Writing firmware that upgrades other firmware would be an exercise in silliness. First: its function is fixed and should never need to be changed (if the design wasn't blatantly half-assed to begin with), and second, a PLA or other other write-once chip is simpler and cheaper than a general-purpose processor.
More importantly, has Congress delegated their authority over this specific issue to the FCC?
I'm not sure it's more important. As I mentioned elsewhere, SCOTUS has established clear precedent that the duration of a wrong act does not in turn make it legitimate. So it could be that way for 100 years, and still wrong, and able to be overturned.
How in the world do you manage to make the jump from: "The Congress shall have Power ... To make all Laws which shall be necessary and proper for carrying into Execution the foregoing Powers" (emphasis mine) to "whatever it takes to run the country and enact the peoples will, they can do."
As GP said, we've been through this a dozen times. And each of those times, he has made the same flat claims with no supporting evidence.
He doesn't know the history or meaning of the necessary and proper clause, and he thinks the general welfare clause was a permissive one, despite the overwhelming historical proof otherwise. Not to mention the interstate commerce clause. I don't even bother to argue with him about it anymore. It's a waste of time, except when it might be valuable for others to read.