If we are doing car analogies, I would say that Apple products are an automatic. You pay a premium for an auto transmission and sacrifice control. Additionally, replacement of these premium parts are expensive. They do, however, make life easier for the person who wants to mindlessly drive.
By ignoring robots.txt, archive.org would be gaining unauthorized access to a computer system as access was expressly denied as per the Robots Exclusion Standard.
To further disseminate the archived pages would be added infringements.
I think that they need to campaign site owners to modify their robots.txt and if need be, lobby for exclusions to the Computer Misuse Act.
Here comes the new media...
Our government is going through a major innovation frenzy at the moment in the hope of inventing the steam engine.
We allow self driving cars on the road that may kill people and look the other way every time there is an accident, yet nail Microsoft to the wall for making a bad software design choice.
People aren't being forced to immediately forego their use of a more traditional motor vehicle in favour of an under-tested self-driving alternative.
USB devices? The OS, and therefore you, decides what happens when USB devices connect.
Nope. USB operates at a lower level than the OS. USB is capable of talking to other pieces of hardware without the OS's involvement (or knowledge). USB even has Direct Memory Access.
USB is not a magic backdoor, unless your OS is seriously flawed.
Yes it is. Many OSes even cooperate by providing APIs for forensic/diagnostic/recovery tools that operate via USB.
Most OSes will not autoexec something on a USB stick, for example.
Most OSes will not autoexec something on a valid USB stick. The BIOS will though. And just because something is connected via USB doesn't mean it has to tell the truth about what it is. The stick could present as a drive AND a keyboard, with the keyboard inputting commands to run a file on the drive.
USB can be used to dump memory (and keys) using various methods; the simplest but least effective method is the Cold Boot Attack. DMA Attacks have become more straightforward with USB 3.1 as the controller now has DMA instead of just the PCI it is connected to.
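The reply above describes a stick that enumerates as a drive and a keyboard at the same time. As an added example (not code from this thread or from any product it mentions), here is a small Python check that parses `lsusb -v` style output and flags any device exposing both a mass-storage interface and an HID keyboard interface. The descriptor text, vendor names and vendor:product IDs below are constructed for the example, not captured from real hardware.

```python
import re

# Constructed sample of `lsusb -v` output (not captured from a real device): a plain
# flash drive, an ordinary keyboard, and a composite stick that presents as BOTH a
# drive and a keyboard, which is the pattern described in the post above.
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 0000:0001 Constructed Corp Plain Flash Drive
Device Descriptor:
  bDeviceClass            0 (Defined at Interface level)
  Configuration Descriptor:
    bNumInterfaces          1
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only

Bus 001 Device 003: ID 0000:0002 Constructed Corp Ordinary Keyboard
Device Descriptor:
  bDeviceClass            0 (Defined at Interface level)
  Configuration Descriptor:
    bNumInterfaces          1
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard

Bus 001 Device 004: ID 0000:0003 Constructed Corp "Flash Drive"
Device Descriptor:
  bDeviceClass            0 (Defined at Interface level)
  Configuration Descriptor:
    bNumInterfaces          2
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""

# USB-IF class codes and the HID boot-protocol value for a keyboard.
USB_CLASS_HID = 3
USB_CLASS_MASS_STORAGE = 8
HID_PROTOCOL_KEYBOARD = 1

DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}:[0-9a-f]{4}) (.*)$")
FIELD_RE = re.compile(r"^\s*(bInterfaceClass|bInterfaceSubClass|bInterfaceProtocol)\s+(\d+)")


def parse_lsusb(text):
    """Return {device_label: [(class, subclass, protocol), ...]} from lsusb -v text."""
    devices = {}
    current = None
    iface = None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            # A new "Bus ... Device ...: ID vvvv:pppp name" header starts a device.
            current = f"{m.group(3)} {m.group(4).strip()}"
            devices[current] = []
            iface = None
            continue
        if current is None:
            continue
        if line.strip() == "Interface Descriptor:":
            # Each interface descriptor block is collected separately so a composite
            # device shows up as several (class, subclass, protocol) triples.
            iface = {"bInterfaceClass": None, "bInterfaceSubClass": 0, "bInterfaceProtocol": 0}
            devices[current].append(iface)
            continue
        f = FIELD_RE.match(line)
        if f and iface is not None:
            iface[f.group(1)] = int(f.group(2))
    return {
        label: [(i["bInterfaceClass"], i["bInterfaceSubClass"], i["bInterfaceProtocol"]) for i in ifaces]
        for label, ifaces in devices.items()
    }


def find_composite_hid_storage(devices):
    """Labels of devices that expose both a mass-storage interface and an HID keyboard."""
    flagged = []
    for label, ifaces in devices.items():
        has_storage = any(c == USB_CLASS_MASS_STORAGE for c, _, _ in ifaces)
        has_keyboard = any(c == USB_CLASS_HID and p == HID_PROTOCOL_KEYBOARD for c, _, p in ifaces)
        if has_storage and has_keyboard:
            flagged.append(label)
    return flagged


if __name__ == "__main__":
    devs = parse_lsusb(SAMPLE_LSUSB)
    for label in find_composite_hid_storage(devs):
        print("suspicious composite device:", label)
```

To check a live machine, pipe the output of `lsusb -v` into `parse_lsusb`. The check only sees what a device advertises at enumeration time: a device that re-enumerates later with a different descriptor, or one that needs no HID interface at all because it attacks over DMA, is not caught. That is why a device allowlisting policy (for example USBGuard on Linux) is the stronger control; this script is a cheap triage step, not a substitute.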
How long before Zeynep comes out and says that the leaks are fake / inaccurate / technically void and urges the public to keep using WhatsApp, calling those who stop using it idiots, fools, traitors, and scum?
Will she denounce Fox for reporting on it like she denounced The Guardian? You betcha.
A spook in geek's clothing.
A government, particularly one that is elected by the people, exists for the purpose of managing systems to improve the entities that they are governing and to protect the constituents.
Whether or not Kim Dotcom is likely innocent or guilty, this finding will not improve NZ and completely fails to protect at least one of its citizens.
Despite any extradition treaty, NZ must protect their citizens.
Australia is guilty of similar neglect with the lack of assistance to Assange. Our government does not represent Australia or Australians and all policies are either self-serving or to the benefit of another nation (US & UK). There is continuous dumbing-down of political matters to the extent that constituents no longer identify treason when it is shoved in their face.
I use Java all the time, and I don't send a dime to Oracle. How is not using Java going to hurt them?
Oracle profit from Java Certification, Java Support, and Proprietary Java Extensions. While you may not use any of these, people working with your code in the future will likely require one or all of them.
The reasons for dumping Java are the same reasons for dumping VB6: Ethics, Pushing bad coding practices, Slow, Buggy, Increasing hostility toward customers, Out-dated.
When you're talking about a guy running two different companies, it might make some sense to specifically mention both of them by name in the first sentence or two.
First sentence of the summary:
To Jack Dorsey, running two high-profile companies -- Twitter and Square -- at the same time doesn't seem like a problem.
At the time of the post, the summary was different. I read it through twice trying to decipher the situation. It has been edited without a note.
The only things holding back tech, including AI, are patents and laws. The funny thing is AI is unlikely to give a second thought about either as the consequences are meaningless.
Why not Perl, Python or Ruby? These languages have had the same features and have been around even longer.
Those languages have indeed been around longer, but they don't have the same features. For starters, none meet conditions b, c, or d. None of those languages are capable of system programming or have a secure web engine focus. Perl, and increasingly Ruby and Python, have a strong presence for web apps but to the best of my knowledge have never been used (for good reason) for a web browser or web layout engine.
Additionally, none allow concurrent computing. With modern internet connections, the bottleneck is often at rendering. Concurrent computing should speed this up by at least an order of magnitude.
Servo, a prototype, has been in testing for some time with very promising results. This project is also headed up by Mozilla.
Links are dead ;( any working ones?
Google "Backdoorz". Expecting a re-release in the next few days. Hopefully on Pastebin but may be elsewhere.
And why aren't they using Swift which is the de-facto best choice for next generation systems languages?
Rust a) has been around longer; b) was developed by Mozilla; c) focuses on security of web engines; and d) is strong enough for system programming.
Swift was a reaction to Rust, bringing some of the features and simplifying the Obj-C syntax. It was designed with the Apple environment in mind and doesn't (officially) support Windows. Swift as a choice makes zero sense as there is no real benefit, as Mozilla is no longer trying to be hip.
Mozilla is taking a risk and betting on the future of hostile internet - and users actually giving a shit about security.
Link to dumps
Release 1 - the supply chain - a backdoor with backdoors.
In this release find a small sample of the 900GB of mere 'user accounts and basic contact information' recently liberated from Cellebrite.
The exploit techniques that Cellebrite employ are wrapped in various encryption schemes in an attempt to protect 'their' intellectual property. The custom routines for decrypting this lame ass protection are included in this release along with an accompanying sample .eas (DLL designed to target devices and applications) and .epr (bootloaders, exploits and shellcode) files.
The more discerning eye will notice that some of the Apple exploits bear a remarkable resemblance to those available to any teenager interested in the jailbreaking scene; perhaps not all those tax dollars have been wasted, the Blackberry epr is still worth a look at.
The ripped, decrypted and fully functioning python script set to utilize the exploits is also included within.
Download links:
https://mega.nz/#!sZUkSbDT!l74...
https://mega.nz/#!0d9zBQLI!DdK...
Coming soon.....
Release 2 - watching the watchers - pivot to win.
In this release find a small sample of files retrieved via the weaponized Cellebrite update service deployed on MS Windows based devices and desktops (SYSTEM privs) within the customer infrastructure.
Analysis of the compression and obfuscation employed by Cellebrite on products supplied to British MOD juxtaposed with the protection free versions supplied to SOCOM and others is also included within.
@FBI Be careful in what you wish for.
Don't the people who the software has been distributed to get to require the source code?
Yes. Code must be distributed with the software OR a written offer to provide the code must be distributed with the software.
Any person who has the software may then freely re-distribute it for a fee or for free. In this case, the written offer must still be honoured by the developer. The GPL renders it not illegal nor immoral to "leak" the software and every copy is legitimate. Hacking would still be a crime if it occurred but the copies would be legitimate.
My argument is: If Cellebrite have distributed software containing GPL'd code and not packaged the source or a written offer, then they are in breach of the GPL. If they have packaged the written offer, then it stands for anybody in possession of the software and if they don't honour a request then they are in breach of the GPL.
If these products are in breach of the GPL then it is likely that similar products from the same company are also in breach. This would allow a court to issue a 'motion to compel' to Cellebrite to produce the code for inspection. If these products are also found in breach, then they could be forced to stop distributing, face a financial penalty, and/or forced to release part or all of the code. It could also allow the public to get access to the software via a FOI request to the department using it. Tenuous, but within the realms of possibility and worth trying.
Don't the people who the software has been distributed to get to require the source code?
Besides the point that this was purchased with Public monies:
(from GNU's GPL FAQ)
Does the GPL require that source code of modified versions be posted to the public?
No. Only to the users.
Does the GPL allow me to require that anyone who receives the software must pay me a fee and/or notify me?
No. You can charge people a fee to get a copy from you. You can't require people to pay you when they get a copy from someone else.
What does “written offer valid for any third party” mean in GPLv2?
People who did not get the binaries directly from you can still receive copies of the source code.
Does the GPL allow me to distribute copies under a nondisclosure agreement?
No.
Depending on the source, I feel that there is valid recourse here.
Microsoft are just getting efficient. They have simply skipped "Embrace".
You misunderstand the GPL.
I doubt that I am misunderstanding the GPL as my livelihood depends on it.
I may be misunderstanding the terms of the situation or not adequately explaining myself.
It is my understanding that Cellebrite have distributed, through a sale or a lease, this software to law enforcement agencies on multiple occasions. I may in fact be wrong and Cellebrite may have simply provided a service to decrypt the phones themselves - though this would break the chain of custody and create unreasonable liability. Your argument of internal use exemption would apply in the latter case.
According to Cellebrite's Wikipedia entry, it appears that they are indeed marketing and selling this as a product - distributing the software to law enforcement around the world.
If the code is never distributed, GPL does not have an effect.
Very good point.
Do we know if Cellebrite have merely provided a service or have in fact sold or licensed their wares? And, if this is an unknown, would the facts of the case be sufficient to also subpoena the details of the arrangement?
... it would appear Cellebrite favors "borrowing" code to create a product to sell ...
If some of this code is GPL'd or similar, there is likely cause to sue, which at the least, should see the (legal) release of all source code. I'm sure even Microsoft, who has acquired Cyanogen, could sue for a monetary sum due to unfair competition and breach of licence.
It is also possible that the open-source community can ask the judge to subpoena the code of other products from the company for an audit into code that should be similarly released.
How serious this is depends on your threat model. If you are worried about the US government -- or any other government that can pressure Facebook -- snooping on your messages, then this is a small vulnerability. If not, then it's nothing to worry about.
support old formats like MP3 or MPEG
This isn't 1997. Technology has way surpassed needing to highly compress things to the extent that they have little fidelity.
The point of using open formats is to preserve things as best as possible, without chance of having a licence revoked or the licensing company folding. Transcoding from MP3 to the next generation's favourite format would greatly reduce quality and OGG has options for both lossy and lossless compression where needed. MP3 LAME VBR is quite decent but fewer devices support it than support OGG which greatly exceeds the quality with minimal filesize increase. I haven't got a single device that can't play OGG and have all my music in .FLAC (or .WAV). Even browsers support OGG (with the exception of the OS extensions known as IE and Safari).
Save the investigation. Look here.
If they would simplify the crappy CC licenses... then more people would be able to use their content.
The alternative is returning to the old method of finding a contact for the content which normally involves a whois lookup and several phone calls, then hoping the entity is big enough to have licence terms drafted.
Having licenses named things like BY-NC-ND means you simply cannot use the content without doing research.
Ten seconds at Creative Commons Licences should be adequate research.
Even then, it can still be impossible to use content because of morass of words in the mess that Lessig made the decision to create instead of just making something simple.
Morass of words!? CreativeCommons' most complicated licence weighs in at 87 lines. Microsoft's most basic licence for Win 10 Retail weighs in at 191 lines and only covers one product.
We had to stop distributing CC learning materials since our lawyers couldn't guarantee that we wouldn't get sued since BY-SA isn't clear on what in the hell it requires.
Firstly, no lawyer, ever, can guarantee you won't get sued - regardless of which licencing scheme you are using. Secondly, if your lawyers can't decipher a BY-SA, then you need better lawyers. Thirdly, if it was true that the CC licence was an unreasonable risk, you knew who the creator was (BY) and could have simply contacted them for clarification or an alternative licence - as your lawyers should have.
Overall, you appear to be attempting a FUD campaign (or are a giant pansy). I publish and redistribute plenty of CC works without much difficulty in the interpretation of, or fear of, the associated words or pictures.