While this law would be incredibly hard to enforce, maybe we shouldn't be so down on politicians actually doing something, anything at all, in favor of protecting privacy?
Not when the "something" is obviously unconstitutional. Besides, passing flawed laws that just because "something" has to be done tends to result in truly horrible laws and harms everyone.
Reading the bill, it is clear to me that this is plainly and clearly unconstitutional. They didn't even try to hide it. If it passes, it wouldn't survive the the courts.
Is that so? The only way I can access some of my medical information is via my work computer. Are you saying I have zero expectations of privacy to access my private medical data? I'm sure my company is not the only one that has many benefits that are only accessible via intranet services. IT has no right viewing any of that data.
In the US, anyway, Mindscrew is 100% correct. If you are using your employer's equipment, then the employer has every legal right to inspect the traffic you're generating and your use of the company's computer. You have zero expectation of privacy -- as I'm very sure the company makes clear in your onboarding documentation -- and if you expose sensitive personal information on their system, they are not legally in the wrong to look at it. (Things get into a legal gray area once we start talking about what they can actually do with that information).
My recommendation to you would be to fix the problem of having to use company equipment to look at your medical records. If you don't have your own computer and internet service, get one. If it doesn't work correctly, fix it. Or, at the very least, if you really must use your employer's computer for this sort of thing, use a VPN.
Not at all. My reaction had more to do with context than content. This is/. where the vast majority of readers are likely to already be reasonably familiar with these issues. I would not have the same response if the same article appeared in a less specialized forum. I was also not really criticizing its appearance here.
It does break SSL, SSL is meant to be point to point, this is a MITM attack.
Perhaps I'm splitting hairs here, but this is not a MITM attack on SSL. The SSL protocol in this situation is behaving just fine. This is a MITM attack on HTTPS, a layer higher than SSL.
The concept involved is the increase in the "surface area" of potential failure. If you've introduced a system that sits in the middle, decrypting communications, processing the communications, and re-encrypting them, you've also introduced quite a lot of things that can go wrong, and have increased the chances that something will.
In the global view, given how common these things are, is approaches inevitable that there will be security problems.
So don't do your private banking in a company environment.
Don't do private anything on company equipment.
What I do, though, is use my own equipment (phone or tablet) to do my private stuff, and I use an SSH tunnel to my home server for internet access, so that the company network never sees any traffic that it can decrypt. Not a solution for everybody, but it works well for me.
Which means there's always some amount of impact, since you can't guarantee that it's done perfectly. HTTPS inspection tools are engaging in a man-in-the-middle attack themselves, and are introducing a whole new attack surface. We don't just have to trust that the code itself is implemented perfectly, we also have to trust that the server running it is not compromised, or that a legitimate admin isn't engaging in some nefarious activity.
This negates a rather large portion of the strength (such as it is) of HTTPS in the first place: that there were only two parties handling unencrypted data, the sender and the receiver.
Yes, I understand. But the fact that the captions and the spoken words often differ limits the effectiveness of combining captions and lip reading to reduce the error in machine translations. It doesn't matter much why the captions and the spoken words differ.
When TV was first being introduced as a consumer product, one of the selling points of the idea was that people would be able to learn by watching it. If this works out as well as that, then the system will only be able to recognize when someone is uttering lines from commercials.
And if there is some "ads" or hidden product placement suggestions, then that might just be the cost of using this to improve productivity and quality of life.
I thought the cost was allowing Google to spy on you. That's already too high of a price for me, but putting ads on top of that makes it outrageously expensive.
Slashdot Mirror
In fairness, when a change comes with a loss of functionality, it's not so irrational to complain about it.
While this law would be incredibly hard to enforce, maybe we shouldn't be so down on politicians actually doing something, anything at all, in favor of protecting privacy?
Not when the "something" is obviously unconstitutional. Besides, passing flawed laws that just because "something" has to be done tends to result in truly horrible laws and harms everyone.
Reading the bill, it is clear to me that this is plainly and clearly unconstitutional. They didn't even try to hide it. If it passes, it wouldn't survive the the courts.
Teppies is correct, but my approach is a bit different. For safety, I tunnel all UDP traffic as well (not just DNS lookups) using a TCP wrapper.
Ack. Quoting problems! The first paragraph is an (unnecessary) quote of Bengie's comment.
Is that so? The only way I can access some of my medical information is via my work computer. Are you saying I have zero expectations of privacy to access my private medical data? I'm sure my company is not the only one that has many benefits that are only accessible via intranet services. IT has no right viewing any of that data.
In the US, anyway, Mindscrew is 100% correct. If you are using your employer's equipment, then the employer has every legal right to inspect the traffic you're generating and your use of the company's computer. You have zero expectation of privacy -- as I'm very sure the company makes clear in your onboarding documentation -- and if you expose sensitive personal information on their system, they are not legally in the wrong to look at it. (Things get into a legal gray area once we start talking about what they can actually do with that information).
My recommendation to you would be to fix the problem of having to use company equipment to look at your medical records. If you don't have your own computer and internet service, get one. If it doesn't work correctly, fix it. Or, at the very least, if you really must use your employer's computer for this sort of thing, use a VPN.
I connect with my VPN without using DNS, and once connected, all traffic goes through the tunnel, including DNS lookups.
Not at all. My reaction had more to do with context than content. This is /. where the vast majority of readers are likely to already be reasonably familiar with these issues. I would not have the same response if the same article appeared in a less specialized forum. I was also not really criticizing its appearance here.
It does break SSL, SSL is meant to be point to point, this is a MITM attack.
Perhaps I'm splitting hairs here, but this is not a MITM attack on SSL. The SSL protocol in this situation is behaving just fine. This is a MITM attack on HTTPS, a layer higher than SSL.
The concept involved is the increase in the "surface area" of potential failure. If you've introduced a system that sits in the middle, decrypting communications, processing the communications, and re-encrypting them, you've also introduced quite a lot of things that can go wrong, and have increased the chances that something will.
In the global view, given how common these things are, is approaches inevitable that there will be security problems.
It's not actually breaking SSL, but it certainly does weaken HTTPS security.
So don't do your private banking in a company environment.
Don't do private anything on company equipment.
What I do, though, is use my own equipment (phone or tablet) to do my private stuff, and I use an SSH tunnel to my home server for internet access, so that the company network never sees any traffic that it can decrypt. Not a solution for everybody, but it works well for me.
Done perfectly, it's zero impact.
Which means there's always some amount of impact, since you can't guarantee that it's done perfectly. HTTPS inspection tools are engaging in a man-in-the-middle attack themselves, and are introducing a whole new attack surface. We don't just have to trust that the code itself is implemented perfectly, we also have to trust that the server running it is not compromised, or that a legitimate admin isn't engaging in some nefarious activity.
This negates a rather large portion of the strength (such as it is) of HTTPS in the first place: that there were only two parties handling unencrypted data, the sender and the receiver.
Yes, this.
My reaction to this story was "well, duh." Anyone who didn't already know this is someone who isn't familiar enough with the concepts involved.
Yes, I understand. But the fact that the captions and the spoken words often differ limits the effectiveness of combining captions and lip reading to reduce the error in machine translations. It doesn't matter much why the captions and the spoken words differ.
This is true. I once had a conversation with someone and was very surprised to later learn that the person was completely deaf. I had no clue.
Also consider how frequently the captions differ from the actual spoken words.
When TV was first being introduced as a consumer product, one of the selling points of the idea was that people would be able to learn by watching it. If this works out as well as that, then the system will only be able to recognize when someone is uttering lines from commercials.
Google, like all ad companies, probably really believes that advertising is itself relevant content that people want.
And if there is some "ads" or hidden product placement suggestions, then that might just be the cost of using this to improve productivity and quality of life.
I thought the cost was allowing Google to spy on you. That's already too high of a price for me, but putting ads on top of that makes it outrageously expensive.
Until a year or so ago, I assumed those annotations were ads and ignored them.
Yeah, but that comes with the downside that you have to use Chrome. Of course, Firefox increasingly has that downside itself, anyway.
That makes it even easier to make sure that websites can't make noise at me.
Yes. Or, if the definition of "ad" is getting too loose, then it's certainly "marketing".
Two assholes ruined it for everyone else... great.
Not really. A section of the law that was known to be overreaching and terribly flawed from the moment it was proposed ruined it for everyone else.