Slashdot Mirror


User: amicusNYCL

amicusNYCL's activity in the archive.

Stories: 0
Comments: 6,246

Comments · 6,246

  1. Re:To be honest on Can the iPhone Popularize Fingerprint Readers? · · Score: 1

    That was actually one of my first thoughts when I heard they were adding this, but I watched the keynote address, and Apple made it clear during the initial announcement that they're not uploading any fingerprint data to their servers.

    They don't need to store it on their servers when they essentially have direct access to your phone.

    They further clarified afterwards that they aren't even storing the fingerprints on the local device at all. Just as good practice dictates that you store a hash of the user's password rather than the password itself, Apple is doing the same here with the fingerprint data. They store a local hash of the fingerprint rather than the fingerprint itself, then simply verify against the hash when authenticating the user.

    How does that work with analog data like a fingerprint image? You can have 2 images that show the same fingerprint but slightly differently and have completely different hashes, don't they need to use image recognition algorithms to compare fingerprints? Wouldn't that require storing the image or some representation of it?

  2. Re:Tongue in cheek on Would You Tell People How To Crack Your Software? · · Score: 1

    cracked by a reputable organization

    Subtle, but funny nonetheless.

  3. Re:Tongue in cheek on Would You Tell People How To Crack Your Software? · · Score: 1

    To add to that, here's the difference between people like us, and other people. I ran Windows XP for many years. I did so without any sort of malware protection software or scanner, and I didn't get infected (I know what you're thinking, and hold that thought). The one infection I had to clean up on that computer happened when my roommate decided to use IE on it to browse for porn. Cleaning up that infection revealed that it was in fact the only infection on the machine, and the only way it got there was because of a vulnerability in IE and a shady porn site or ad network (presumably). Other than that one circumstance involving my roommate, I could do whatever I wanted on that computer (including porn porn porn) and I didn't get infected. That's the difference between people like you and I and people like my roommate. You might not get infected by anything you download off Bittorrent, but you're an outlier.

  4. Re:Tongue in cheek on Would You Tell People How To Crack Your Software? · · Score: 1

    The same can be said of any compiled, closed-source code. And corporations in the past have intentionally placed malware onto their official distributions, such as the Sony rootkit fiasco. Trusting someone just because they wear a suit and say they're your friend isn't much of a guarantee.

    It's not because of what they wear or how they act, it's because of accountability. I know who they are, and I can point at them and lay the blame and responsibility at their feet. Not that that ever stopped a corporation, but you get my point.

    The laws are so terribly complex that you can rest assured you're a criminal.

    I know that I'm a criminal. I know that because I have been charged and convicted of a crime, and have seen the inside of a jail. I can't charge or convict someone whose name I don't know who deliberately made an attempt to damage my computer or data. If a company like Sony does it, they can and will (or should) be at least slapped for it. I doubt the punishment will fit the crime, but there is at least the possibility of punishment. That possibility doesn't exist when you don't even know what or who produced the code that you're running.

    But your whole paragraph about criminality isn't even relevant to this discussion. I'm not talking about someone who ate an oversized fish, I'm talking about someone who has a specific goal and the means to try and infect or damage as many computers as possible. The software that those people write is not released by corporations (excluding certain Russian business networks, of course).

    Perhaps. But many bittorrent sites have reputation services, and people talk to each other. Read the comments. Watch the forums.

    I've watched "regular" people download off Bittorrent, they don't do that. Warnings against Bittorrent or porn malware in general are not aimed at people like you and I, and it's not us who typically suffer the consequences. That doesn't mean it isn't out there though.

  5. Re:Tongue in cheek on Would You Tell People How To Crack Your Software? · · Score: 4, Insightful

    So really... you're less likely to get malware from a piece of pirated software off some torrent site than you are just browsing for porn. It's a grossly exaggerated threat.

    I'm not so sure about that. I watch a lot of porn.

    Even so, regardless of how likely it is, when you're downloading pirated software you are basically executing unknown code from an unknown source. Porn infections at least require a vulnerability to exploit. Hell, the very nature of pirated software means that it has been modified with unknown code by someone with no accountability who is demonstrably willing to break the law. There are plenty of shady actors who see warez as a legitimate infection vector and wouldn't think twice about wrapping a popular application up with a nice payload and distributing it across their botnet to make it look like it has 100 different seeders.

  6. Re:Tongue in cheek on Would You Tell People How To Crack Your Software? · · Score: 1

    Considering the probable userbase of the software (penetration testers), this shouldn't be too difficult for most users.

    You would think, but never underestimate stupidity or laziness. He posted a comment on his article with an email that he received from someone with broken English who was asking him how to extract an archive that contained a space in the filename (cobaltstrike-Cracked-For BackTrack.tgz). Why ask the author of the software he's pirating instead of searching for the syntax online? Because that's how smart he is.

  7. Re:Tongue in cheek on Would You Tell People How To Crack Your Software? · · Score: 2

    It's obvious why he is giving these directions - he is showing people how to add malware to his software so that any cracked software of his is suspect.

  8. Tongue in cheek on Would You Tell People How To Crack Your Software? · · Score: 5, Funny

    There are also several .sl files. These are Sleep files. Sleep is a simple scripting language I’ve worked on since 2002. I write in Sleep because I’m very efficient with it.

    For the aspiring cracker, Sleep is a welcome sight. Its files do not ship in a compiled form. They’re available as plaintext inside of the application archive. A plaintext file requires a special tool, called a text editor, to change its content. I recommend notepad.exe or pico. Linux hackers may use WINE to run notepad.exe. Type:

    wine notepad.exe

    Well done, sir.

  9. Re:What is Bruce Schneier's game? on Schneier: The US Government Has Betrayed the Internet, We Need To Take It Back · · Score: 1

    Further, Silent Circle have released select source code samples, however journalists covering the company have assumed or been led to believe that their products are fully open source peer reviewed - when it has not been - dishonest.

    If you're going to accuse Silent Circle of being dishonest for leading journalists to believe that their products are 100% open source and peer reviewed, then either you need to show your sources for that claim or admit to just a bit of hyperbole that could be interpreted as FUD. The fact that they closed down their mail product rather than risk giving in to the NSA lends them a certain amount of credibility when we know that other major companies have been complicit in this for years without saying anything.

    Maybe their mail product was already compromised, I don't know. I don't have any information on that so I'm not going to suggest that it is a possibility and risk sounding like I am trying to make people uncertain, or doubtful.

    I'm not trying to attack you personally, this is a good and necessary discussion to have and I'm glad that there are so many more people paying attention to what government is doing today versus during the last election. It needs to continue.

    Now if I could just find a credible organization with a sufficient lack of apathy to publish and support my essay about what the problems with government are and how to fix them. I was hoping the League Of Women Voters would help me out, but they appear completely uninterested.

  10. Re:What is Bruce Schneier's game? on Schneier: The US Government Has Betrayed the Internet, We Need To Take It Back · · Score: 2

    It is much easier to simply backdoor something innocuous to get a foothold on the machine.

    Right, in the XKeyscore presentation slides that were released, one of the example queries was "give me a list of all exploitable machines in country X."

  11. Re:MORE DISINFORMATION on Leaked Documents Detail Al-Qaeda's Efforts To Fight Back Against Drones · · Score: 1

    Who is al Qaida to you? If you are not a Sunni Muslim that abides by their interpretation of Sharia, they consider you an enemy to capture, kill, enslave, or convert.

    Then let them come here and try it. If the countries they are operating in don't want their version of civil life, then let those people stand up for themselves.

  12. Re:MORE DISINFORMATION on Leaked Documents Detail Al-Qaeda's Efforts To Fight Back Against Drones · · Score: 1

    100% Iranian backed Assad regime* versus 200 Taliban / 50,000+ Syrian rebels.

    Where do you get the 200 figure from? The CNN article indicated that 120 fighters were already there, with another 150 on the way, and more to come. That article is from July. Are you purposefully understating the numbers to try and lend support to your position, or do you actually have a source for that figure? How about the rest of the rebels? We know for a fact that many of them are aligned with the Al-Nusra Front and Al-Qaeda in general, I assume those are part of your 50,000+ "rebels", right?

    The world would have been much better off if the Obama administration would have done something useful years ago before the foreign fighters started showing up in numbers, but the American voters that showed up wanted "change."

    Why is it the responsibility of the US to clean up everyone's mess? Why do the neighbors of Syria - Turkey, Iraq, Jordan, Lebanon, and Israel - get a free pass? Why is no one calling on Saudi Arabia to intervene? What about the Arab League, what are they doing, sending out letters? What about the UN? It's not the responsibility of the US, out of all countries, to go around policing the world. The Middle East needs to police itself, if they can't figure out how to live together in peace then let them kill each other until they figure it out.

    There is no side worth supporting in Syria. The only group in Syria that by and large is composed of "good" people are the civilians that are not fighting the war. Both sides in the war have become tainted by their actions, and both sides have committed atrocities that people like you and me will probably never even hear about. There is absolutely no reason why the US should intervene at all if regional neighbors and countries are willing to just sit on the sidelines and wait this one out. If we have evidence that Assad has used chemical weapons, then like the nation of laws, justice, and due process that we are, we should make that evidence public and refer the case to the International Criminal Court. We don't have the right to assume the role of police officer, judge, jury and executioner and just do whatever the fuck we please. That's not the way we conduct our business in this country, and it is not the way we should conduct our business with other countries.

  13. Re:Why is that surprising? on Mystery Alignment of Planetary Nebulae Discovered · · Score: 2

    Axial tilt on planets is thought to be hugely influenced by collisions when they were forming.

    And what, forming stars wouldn't go through similar processes? You realize that the major difference between a gas giant and a star is mass, right? It's not like they are completely different kinds of bodies, one of them just got so much mass that fusion started.

  14. Re:Why is that surprising? on Mystery Alignment of Planetary Nebulae Discovered · · Score: 5, Interesting

    It makes sense that if all of the stars that formed the nebulae came from the same giant swirling cloud of gas, then the stars formed would tend to have angular momenta mostly aligned upon that same axis. When those stars explode later, the axis of the planetary nebula will be along this same axis.

    I was thinking the same thing, but now I'm not so sure. We have at least 8 decent points of data in our solar system for orbital bodies like stars orbiting the center of gravity. Among the 8 planets, 3 of them (Me, V, J) have an axial tilt of less than 4 degrees, 4 of them (E, Ma, S, N) have an axial tilt between 23 and 29 degrees, and one of them (U) is damn near sideways. In other words, our planets are all over the place. So it would seem to make some sense if the stars orbiting the galactic center were also all over the place on their axial tilt, so it wouldn't make sense that the bipolar nebulae are all oriented in the same direction. I wonder how many nebulae this includes though. If it is roughly half of them then that would seem to be in line with our solar system.

  15. Re:Summary on Software Developer Says Mega Master Keys Are Retrievable · · Score: 1

    What I'm saying is that if you don't want your files to be seen, then you encrypt them outside of the browser before uploading them. If you're encrypting them in the browser then that's a vulnerability. The browser can encrypt the already-encrypted file if it wants to, if anyone decrypts it they're just going to get another encrypted file back.

  16. Re:Summary on Software Developer Says Mega Master Keys Are Retrievable · · Score: 1

    Indeed. If you want to store encrypted files, then encrypt them locally before uploading them.

  17. Re:what's odd about this? Your key is local on Software Developer Says Mega Master Keys Are Retrievable · · Score: 3, Informative

    As far as I can tell there isn't any other way to do it. If Javascript needs access to that encryption key then of course it is possible to send that key anywhere else. It sounds like there is some client-side encryption that takes place before sending files, and that encryption code presumably comes from Mega, and that encryption code uses your private key, so of course the encryption code has access to the key. How could it encrypt otherwise? The browser doesn't natively support that process, that is what would have to change in order for this to not be an issue. The promise by Mega not to store your keys is the only thing that users have, because if they are running Mega's encryption code client-side then there is nothing stopping Mega from getting your keys, or unencrypted data, or whatever else, other than their promise not to.

    NSA/FBI/local bobby want to see what you've been using Mega for? Slip in a one time bit of Javascript to a page delivered by Mega, and it's all theirs for the reading.

    Again, the onus is on Mega to stop that from happening, but they can only protect their own servers. If someone wants to intercept and decrypt your traffic and change the data to add new code (a man-in-the-middle attack), then that is still a threat. It's always going to be a threat as long as organizations like the NSA are capable of decrypting that SSL traffic.

    Otherwise, this is not an issue that has a solution with today's browser implementations. Maybe Mega can produce their own version of Firefox or a Webkit-based browser that will natively implement their encryption without exposing the keys to Javascript, but then you would have to trust that software, don't you? It's all about trust. If you don't trust Mega, then don't use it.

  18. Re:Come on, you jackbooted apologists... on One Strike Against No Fly List; More Scrutiny To Come · · Score: 3

    For example, there is no Right to drive a motor vehicle in the US, nor is there a Right to fly on an airplane.

    Really? That's weird. I could swear that 49 U.S.C. section 40103 says that "A citizen of the United States has a public right of transit through the navigable airspace."

  19. Re:Anyone should be able to fly on One Strike Against No Fly List; More Scrutiny To Come · · Score: 1

    Ah, a well-thought-out rebuttal. Now you can attempt to prove his statement wrong while we argue about what the word "hardly" means in the context that it was used.

  20. Re:This Begs the Question on The Golden Gate Barrage: New Ideas To Counter Sea Level Rise · · Score: 1

    We need a whole hell of a lot more than an elevator to leave Earth. An elevator just gets you into space cheaply. That's the easy part. There's no reason to work on an elevator if we can't then travel to and colonize another place. Considering that each possible destination comes with its own massive set of challenges for permanently living there, I seriously doubt that there is anyone alive today who will witness the first permanent settlement on another rock.

    It just seemed like a really weird question to ask. We are trying to address the reality of sea levels rising and he pops in with a question about whether or not a space elevator is cheaper. No, colonizing another planet is not cheaper.

  21. Re:An Earth Projection? on Curiosity Goes Autonomous For the First Time · · Score: 1

    Well, yes, that's a true statement, although neither of those are realistic options for a city vehicle. There is other work being done on self-driving cars that does not require them to slow down or stop to take pictures and allows them to drive safely at speed. There was an article about work that Nissan is doing just yesterday, and Google's cars have been in the news as well. The point is that the work being done on the rover meets completely different requirements than what are needed for cars that drive on city streets.

  22. Re:This Begs the Question on The Golden Gate Barrage: New Ideas To Counter Sea Level Rise · · Score: 2

    I forget, how does "the Space Elevator" address sea level rise? Do we just put all of the water on the elevator?

  23. Re:An Earth Projection? on Curiosity Goes Autonomous For the First Time · · Score: 2

    Right, I want a car that stops periodically to take pictures before driving at walking speed over any perceived obstacle.

  24. Re:so... on Un-Un-Pentium On Your Periodic Table of the Elements? · · Score: 1

    a much larger and more powerful neighboring country

    That certainly doesn't apply to the US. It's doubtful that it would apply to Russia, the only candidate would be China. Moreover, if a large and powerful country gets taken over by a loony dictator, however you think that might possibly happen without the armed forces or public trying to stop it, and they start threatening their neighbors, then the UN would have something to say about that. A nuke isn't necessary.

  25. Re:so... on Un-Un-Pentium On Your Periodic Table of the Elements? · · Score: 1

    So you actually think anyone has time to build nuclear weapons, from scratch, when they are suddenly needed?

    When is a nuclear weapon suddenly needed?

    The only time a nuclear weapon has been used in war it was in fact built from scratch.