Slashdot Mirror


User: rediguana

rediguana's activity in the archive.

Stories: 0
Comments: 135

Comments · 135

  1. Re:There Has To Be A Way on FBI Bugs Keyboard of PGP-Using Alleged Mafioso · · Score: 1

    But what's the point? Any agency can still get around it.

    • They just mount a camera above the keyboard where you work and record your keystrokes.
    • They replace the encryption chips in the keyboard with specially manufactured chips with weak or no encryption.

    Fact of the matter is that motherboard manufacturers will have to adopt a standard to include the chips on the keyboard and motherboard. Do you think they're gonna try and piss off the government by doing it?

  2. Re:The one problem with this. on FBI Bugs Keyboard of PGP-Using Alleged Mafioso · · Score: 1

    Just goes to show that encryption (and by association digital signatures) isn't the silver bullet everyone thinks it is. I am scared of the day that a government accepts digital signatures as legally binding.

    Bruce Schneier makes some excellent points in Secrets and Lies about the difference between having your computer digitally sign a document, and you physically signing a document. There is a huge difference when you consider all the different ways that you can convince the user to sign documents they didn't intend to.

  3. Best Practice on What Happens When 99% of the Net Crashes? · · Score: 2

    If two men in a boat can sail up to the side of a military vessel and blow a fucking great hole in it, I'm sure that if anyone that dedicated wanted to, they could make a real mess of the Internet. But physical damage is going to be reasonably easy to fix as most major net nodes should have disaster recovery plans in place.

    To really make a mess, why not write a nice virus or worm that would be much harder to react to and recover from.

    Of course the ultimate would be to combine a few pieces into one large puzzle :- mass client infections, Root DNS DDOS attacks, email hijinks, and take out a few key cables/bottlenecks with backhoes. The trick is to create cascading failures that individually could be fixed, but the presentation of all problems at the same time makes the response and recovery that much more difficult.

    Best Practice dictates that anti-virus and firewall vendors get hit as well, just to highlight the point.

  4. Re:Comments on NZ Government Pushes For Wide Spying Powers · · Score: 1

    Keyboard loggers are an easy way to get around encryption, and we've got a product of our own which apparently has been very popular with the US TLA's - KeyGhost.

    When I say we, I say we as a Kiwi, not as someone from KeyGhost. That might have been a little ambiguous. I don't work for them.

    Cheers
    rediguana

  5. Comments on NZ Government Pushes For Wide Spying Powers · · Score: 2

    Who's next? As someone else has mentioned, it will be the UKUSA countries (US, UK, Canada, Australia, NZ). And it won't stop with a change of government. These alliances and treaties have been going for 50+ years now, I hardly think a change of govt in one of the member countries will effect a change in the SIGINT treaties. For example here in NZ, this change is coming in under the Labour govt, the least likely to implement it. National are far more likely to keep the alliance running smoothly, as they are the more conservative country when it comes to international politics.

    As to the SIS being thugs? Yeah well that's true. But remember that everyone makes mistakes and that we only hear about their mistakes. We often don't hear when they are successful, for that would advertise sources etc that they have. And odds are it won't be the SIS going through the offending computer, but the GCSB. And they will be pretty smart. They trade places with other UKUSA orgs to learn tips and tricks and this includes rotational trips to the NSA. Odds are you won't notice them.

    Do we need this legislation? Probably, as long as we have trusted people to supervise the proper use of the granted powers. Currently there is little protection against cracking into computers - I think you'd only get caught on wire fraud - so the law does need to be updated. Pedophiles and terrorists don't deserve the right to hide behind technology. OTOH individuals are entitled to protect their information and communication. We know this argument, and I'm not going to bring it up here. We do need good oversight and clear reporting and control by elected officials though to ensure proper use of this tool should it be implemented.

    Re ISP/Telcos role. Remember that NZ is a fantastic testbed for new technology. We currently have one of the largest VoIP installations in the world completed by Cisco (outside of CSCO itself). With the potential for VoIP, don't you think we would also make a great testbed for signal analysis testing of this new tech? Also, everyone knows that the Internet is an untrusted medium and should be treated as such, you should already assume that your ISP/Telco is logging and analysing your traffic. You'd be foolish not to, which means that the ISP/Telco role potentially changes little. Your traffic is travelling over a commercial service, and they have control. Don't like it? Get off our pipes, they'll say. Oh, and the Southern Cross Cable? Half owned by New Zealand Telecom, and a quarter owned each by Optus Cable and MCI Worldcom, it is going to carry a large amount of data between Australasia and North America. Odds are it will carry much of the South Pacific data. Of course they want to legalise access to this bandwidth.

    It comes down to this. Use a firewall. Use special machines to access the net. Dumb them down. Remove the services that aren't required. Companies should completely segregate their trade secrets and critical info anyway, so the excuse of crackers using the proposed systems to perform industrial espionage just doesn't cut it. The corporate secrets shouldn't be on Internet connected machines anyway. This mirrors to individuals also. Keyboard loggers are an easy way to get around encryption, and we've got a product of our own which apparently has been very popular with the US TLA's - KeyGhost.

    But most of all, ensure accountability and responsibility of the organisations involved. They better not criminalise the tools though - that would be going way too far.

    Cheers
    rediguana

  6. Re:I doesnt Matter on NZ Government Pushes For Wide Spying Powers · · Score: 1

    This big dome complex is in the South Island near Blenheim (picture from GCSB web site) monitors satellite traffic over our part of the globe. The North Island station (picture from GCSB website) is for high frequency South Pacific traffic.

    For a description of the roles each of these stations play, once again, try looking on the GCSB web site.

    Cheers
    rediguana

  7. Re:Commercials that are very hard to ignore on What Will The Internet Of The Future Be Like? · · Score: 1

    Ads already take up over a third of my screen real estate, but companies are paying me for it. And so they should.

    I think you are right about them being very hard to ignore, but for a different reason. I think they will be hard to ignore because they will actually be relevant. But not only will they be relevant, but the consumer will have more control.

    The new AdStreaming industry (banner ads downloaded via software bars on your desktop, for which you get a cut of the advertising revenue) with companies such as AllAdvantage provide the potential to turn advertising around.

    I have been experimenting with a number of AdStreaming services for 3 months now and it has been an interesting experience. I know my treatment of banner ads has changed.

    In the past I may have looked and clicked on banner ads on web sites every once in a while, but since I am now being paid to have ads displayed on my desktop, I refuse to click on any banner adverts that are on my desktop without permission. I will now only pay credence to any ads for which I am paid for my time. So sorry, Andover, but I don't care what ads you have, I won't click on them.

    AdStreaming software is becoming supportive of the consumer, and it may well become even more so. I know of one company that has already built a cookie-blocker into it which allows you complete control over cookies. What would be cool is a company including a banner ad blocker proxy. I didn't give a web site permission to take up my real estate, so I am going to block your advertising. I will only allow advertising that comes through software of my choice, which I get remuneration for. For any web site owners that bitch about advertising paying for their site - get over it and find supplementary income for your site.

    In short, the consumer will gain more control, not less through the use of the right adstreaming software - for sure, there will be some dodgy companies, the same in any industry.

    Everyone has a right to surf with no advertising. The flip side is that they have to find other ways to discover new products and services. Advertising is necessary to promote a new product/service and it is not an evil. The only part that is evil is that we do not have the power to turn it on or off at our will.

    AdStreaming allows you to choose when you want to surf with adverts, and when not to. You can already choose not to receive ads from a certain industry, in the future you will be able to refuse adverts from certain companies, countries, or even block just that fscking 'punch the monkey' ad. :)

    But for this to happen, more people need to make use of AdStreaming services, so that they become more attractive to advertisers than web site banner adverts.

    I accept that it will be near impossible to remove all advertising from my online experience, but I have found that using AdStreaming services is certainly going about gaining my control back.

    Cheers, rediguana

    PS you will note that I haven't blatantly plugged any companies, nor listed URL's or referral id's. If you want to check some companies out, try searching for 'paid to surf' and you should be on your way. Open Directory will provide a good starting list. Unfortunately most are Windows only, with one supporting MacOS. :(

  8. Modem Cables on Net Access On The International Trip? · · Score: 1

    I did a couple of trips to Japan and North America last year, taking laptop and dig camera with me. Used ipass and it worked fine.

    As a note for modem cables, found the best option was often just pulling the cable out of the phone and connecting it to the modem. 'Cause most phones have the same connector, which is also the same as the modem. Can't remember what it's called though. This worked in residences, motels and hotels in Japan, Canada, and seven states in the US. Of course, still take cables with you, also check lonely planet as they have some good information on the countries' net connectivity also.


    Cheers

  9. Re:It's all about mindshare on Hacker Stockholders Unite! · · Score: 1

    Why would companies want to change over? To them, the current DVD system is fine; ours would only provide advantages to us, not to them.

    Sounds like a 'Why should I change from MSFT/NOVL/SUNW to Linux question?'

    Because of mindshare. Because of benefits to us.

    Linux has seen great popularity recently. It is because it has attracted a great deal of attention, debate, experimentation and usage.

    In this example case, the companies would potentially want to change over because they could see that they may be left holding a dead dog, unless they embrace the future. But they won't even look at it until we present a reasoned argument.

    Remember that Linux wasn't viable for business until there was enough mindshare in the industry that 'Hey, Linux is OK', and commercial service and support was provided.

    It is all about attracting the companies' attention. But sometimes it may take informing other stakeholders about threats to their investments to really get the business's attention.

    Of course they may decide that they want to stick with their beloved DVD player revenue stream. Insightful competitors may recognise opportunities in other players, or even, try to focus on selling the media themselves. But if you get other stakeholders thinking about what was put forward in the well-reasoned discussion, you may get other, larger stakeholders asking 'What's up with this OSSD thing?'

    The infrastructure must be commoditised, and that will only happen with a cheap and freely available solution.

    But the DVD was only an example. Let's get back to the bigger picture.

    When one learns to hack, one must first learn the rules and the tools. In code hacking, this amounts to learning the programming languages. Now, for hacking businesses we also have to learn the rules and tools. Because it is outside of our domain we may have to look differently. But they are there. As we learn the rules, we learn better what we can and can't do, and how to bend the Matrix to our making.

    The DeCSS fiasco really overstepped the mark, broke the rules, and people are now paying for it. If we keep fighting DeCSS we will lose the war. Why? Because we are reacting to them. If we want to achieve something you have to be in control.

    And how do we achieve some form of control? Playing within the rules. As soon as you break the rules, you forfeit all rights - that is what the DeCSS hackers are finding out.

    Cheers
    RedIguana


    Cheers

  10. It's all about mindshare on Hacker Stockholders Unite! · · Score: 5

    Share prices are mostly based upon perception. The hack needs to take that into account. Going along and voting means very little - you're reacting to them. We have to make them react to us.

    Who are they? The BB Execs/Directors and Institutional holdings.

    If we proposed a motion we would easily be outvoted. So, the hack is never going to be a numbers game.

    In New Zealand, we are entitled to register a proxy vote for companies we hold voting class shares in. That is, we can nominate any person to attend the meetings, vote and ask questions in general business.

    There is no need to have a fund to manage the shares, we just have to nominate that X is our representative, and they are going to attend the meeting and act on behalf of us for our shareholding.

    I imagine this should be possible in the US, without having to use the afore-mentioned fund manager.

    Sample Hack. DVD - why not :)

    The hack needs to be concerned, informative, and non-confrontational. Remember, we hold shares in the company and are not trying to destroy it, but make sure that our future returns are protected. ;)

    And DVD has never faced a bigger threat than now...

    "Any other general business?"

    "Mr Chairman, I would like to raise a matter that is of great concern to the stakeholders I represent."

    "A couple of months ago, a small group of dedicated engineers, software developers and security experts banded together with the goal of creating an open source, hardware and software solution for the distribution of digital media.

    Their goal is to provide one secure, free and recognised standard for the physical distribution of large quantities of digital media.

    This system, once complete, will not have any zoning issues, will use publicly available secure encryption algorithms, and all the required source will be available for implementation on any hardware/software platform that there is time, interest and intent.

    There will be no licensing fees for this distribution system.

    Already a large number of small entertainment companies have pledged not only support for the Open Source Storage Device (OSSD), but have also provided much capital required for the ongoing development of this solution.

    George Lucas has been quoted as saying 'We finally have a secure digital solution that we trust - Star Wars II will be one of the first OSSD discs released.'

    This is hot on the heels of the popularity of MP4, which has now steamrolled over SDMI, providing an open source, yet secure solution for digital media management. And with the plethora of different devices available for playback these days, MP4 runs on almost everything.

    We have some questions that we would like to ask, as we are extremely concerned that this could have a drastic effect on our DVD player revenues, along with associated products namely the music, movies and software you sell.

    1/ Do you perceive OSSD to be a threat to our DVD business?
    2/ What actions have you taken to mitigate and prepare for the introduction of OSSD?
    3/ Have you considered adopting OSSD?
    4/ What effect upon our returns do you think the introduction of OSSD will have?

    I note that DVD associated revenue has jumped in the most recent quarter to 15% of all quarterly revenue. We believe that OSSD is a significant risk to future cashflow and returns.

    Thank you for allowing us to raise our concerns."

    How would that hack go?

    Cheers
    RedIguana


    Cheers