Slashdot Mirror


User: swillden

swillden's activity in the archive.

Stories
0
Comments
18,006
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 18,006

  1. Your comment reinforces my point that this is a decision that should be made via public debate in legislative chambers, not by judges.

  2. Actually, the law has largely addressed those questions. If seeing into my bathroom window requires the use of some technology, then it's an invasion of privacy. This has mostly come out in cases around photographers trying to get photos of celebrities. If you can take photos through a person's window with a non-telephoto lens while standing on public property, then you're not doing anything wrong. If you use a telephoto lens or similar technology, then you are trespassing. The same would apply to laser microphones and any other technology that allows someone in public space to get more access to private space than an unaugmented human would have.

  3. The big difference is that spread around a large enough area, government surveillance is much closer to someone following you around with a camera all day than someone who just happens to catch you while photographing or video recording something else.

    You just restated what I said, without actually identifying what the difference is, or where the line is.

  4. Yes, this is the "sousveillance" approach. It definitely has its advantages. But there are disadvantages, too, such as the fact that every citizen can use it to track the movements of whoever they're interested in following. I'm not sure I want to live in such a completely transparent society, even though as a parent I think it would be convenient.

  5. One reasonably expects to be able to see any watchers as well as they see them in order to make a determination of how private the situation is.

    Do you really? You can attempt to determine if you're being watched, but you generally can't achieve the same level of assurance that you can in a private place. There can always be someone peering through a bush, or looking out through a window -- possibly from some distance away, with a telescope. And while it's true that if I use a telescope to look into your house through an unshaded window the law will probably view me as a peeping tom, I do not think it will do the same if you're in the middle of the street -- even if when you glance around you believe that you're unobserved.

    All of this really boils down to what a reasonable person would expect, and I don't think a reasonable person would expect to have privacy in the street, even if they don't happen to see any watchers.

    But I do think a reasonable person would expect not to have their every public movement recorded in a database for later searching and tracking. Actually, that seems unreasonable even if the cameras are plainly visible. So I think it's more about the database and the searchability than the ability of the person to see the watchers. But I also think it's sufficiently unclear that judges should avoid making law in this area.

  6. Re:Well, yes. on FBI Says Utility Pole Surveillance Cam Locations Must Be Kept Secret (arstechnica.com) · · Score: 5, Insightful

    If the public thinks they're an invasion of privacy, they are, by definition (since that indicates a public expectation of privacy), whether their location is disclosed or not.

    Maybe, maybe not. The principle that there is no expectation of privacy in public places is pretty firmly established in the law. The fact that some members of the public don't think so doesn't change that. If, in fact, a large majority of the public feels like they should have an expectation of privacy on a public street then perhaps you have an argument, but it's probably one that should be made via the relevant lawmaking bodies, not something that courts should take it upon themselves to change.

    I do think that this is an aspect of the law that we should think seriously about changing. The approach that has been established over the last century or so was eminently reasonable in the past because there were natural obstacles that limited the amount of surveillance that could be done. It had to be restricted only to high-value targets because it was very expensive, requiring lots of people to do the watching and recording.

    Technology has changed that. Today it's feasible to establish comprehensive 24x7 surveillance of large areas, and to record all of it for on-demand analysis. In the near future it will be possible to build AI search systems that can quickly scan huge masses of stored surveillance data to search for specific people, or highlight particular actions. This means that a quantitative difference in the amount of surveillance that can realistically be done created a qualitative difference in the sort of surveillance that can be done, and how it can be used and abused. A qualitative difference that arguably means that actions in a public place *should* carry some expectation of privacy, even if it's just that the expectation is that only people who are present will observe them. Well, plus those who happen to be there and record them for some specific purpose, and maybe those with whom they share those recordings.

    That last sentence highlights that this is a really sticky question. If I happen to be doing something in a public street, and someone else is taking video of their kid riding their bike for the first time, and they happen to include me in the frame, and they post that video on YouTube, have they invaded my privacy? I don't think so. Saying that they have basically eliminates the notion of a "public place" entirely.

    But clearly there is a difference when some large entity records all actions in a large area at all times and archives them all for later use. What, exactly is the difference? How, exactly, do we draw the line?

    These issues are subtle, and these questions are not easy. I think courts should not be trying to decide them, so I think the court did the right thing in just applying existing precedent that there is no expectation of privacy in a public place.

  7. Re:Another one bites the dust on Microsoft Is Buying LinkedIn For $26.2 Billion (microsoft.com) · · Score: 1

    That was my first thought too -- a sudden realization that all things considered, I now trust Microsoft more than I do most tech companies, and if LinkedIn was going to be acquired, Microsoft was a better choice than, say, Google.

    I trust Microsoft more than I used to... but I think my trust in Microsoft is declining again. I would trust Google more. Part of that is probably the fact that I see how Google works from the inside, but more of it is my perception that Google has a culture of at least trying to do the right thing for users. I don't see that Microsoft has ever had that imperative, and the changes over the last few years that have increased my trust in the company were more or less forced on it. Now, it seems that MS has set its sights on becoming a targeted advertising giant and is going to become more data-hungry than Google... and less constrained by morality.

    That's all just my perception, of course. My preference is that LinkedIn would have remained independent. I have found it a useful tool and don't have any plans at the moment to back away from it, but I'll be watching.

  8. Re:Can change the battery and load custom roms unl on Obama Finally Ditches BlackBerry, Switches To Samsung Galaxy S4 (arstechnica.com) · · Score: 3, Informative

    Can change the battery and load custom roms unlike apple

    You can't load custom ROMs without losing the Knox features, I believe.

  9. Re: Clone is an exagerration on New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second (softpedia.com) · · Score: 1

    I actually mentioned the coprocessors :-)

    Though... I'm not aware of any devices that have HMAC-SHA256 or similar in a coprocessor. That's part of the reason why many protocols use AES or 3DES for what amounts to hashing, because it's much, much faster.

  10. Re:Chain of custody? Forensics? Anyone? on Assange: Wikileaks Will Publish 'Enough Evidence' To Indict Hillary Clinton (rt.com) · · Score: 3, Insightful

    Um, no....

    The defense asks, "where did you get these files?"

    Prosecution replies, "Wikileaks."

    Defense says, "motion to suppress."

    Judge rules, "granted."

    No, the judge would say "on what grounds?"

    The tortuous route by which the messages arrived in front of the court gives the defense grounds to argue that they could be forged/altered/whatever, and the burden of proof that they're real and accurate is on the prosecution, not the defense, but the mere fact that evidence hasn't been carefully controlled and preserved at every step doesn't automatically disqualify it. Police are careful to control evidence, but that's not because failing to do so automatically excludes it, it's just because it opens an avenue for the defense to question it.

  11. Re:Sources of Support on Assange: Wikileaks Will Publish 'Enough Evidence' To Indict Hillary Clinton (rt.com) · · Score: 1

    The Senate basically never ratifies treaties per the Constitutional process. That isn't to say that the US doesn't make legal, Constitutionally-valid, treaties, just that we rarely use that process.

    There are a few different kinds of international agreements/treaties we make:

    1. Sole executive agreements. These are international agreements that the president makes on his/her own, without the involvement of Congress. They're perfectly legal as long as they only commit the US to things that are wholly within the authority of the president. A common example is "Status of Forces Agreements" (SOFA) which are agreements with host governments related to how the US military operates within their countries. Because the president is Commander in Chief, telling the military how to operate is entirely within his/her authority.

    2. Congressional-executive agreements. These are agreements which the executive negotiates, committing the US to do various things which are beyond the scope of executive power, but they don't directly commit the country. Instead, they promise that Congress will enact laws that implement the terms of the treaty. They don't have any force until Congress does pass the relevant legislation by the normal majority of both houses plus the signature of the president, and thereafter are implemented as ordinary federal law.

    3. Actual treaties. These are negotiated by the executive and ratified by two thirds of Senate, per the Treaty Clause of the US Constitution.

    In practice, any agreement that can be implemented as a sole-executive agreement, is. Any agreement that goes beyond the authority of the executive is a congressional-executive agreement. In very rare cases the president might opt to go for an actual treaty, mostly if the House looks like it might not approve but 2/3 of the Senate will (which obviously isn't very common).

    And, of course, the executive is also free to make whatever non-binding agreements it likes. The other parties to the agreement must understand, however, that non-binding agreements are exactly that -- non-binding.

    The Republicans who are griping understand all of this, they're just using it to make political hay over an agreement they dislike (I'm not too sure about it myself, actually). Which is fine, though the disingenuousness is obnoxious.

  12. Re: Clone is an exagerration on New Device Sold On The Dark Web Can Clone Up To 15 Contactless Cards Per Second (softpedia.com) · · Score: 1

    Maybe. Maybe not.

    Remember that these chips are extremely low power low speed.

    They have to perform usually a cryptograhic hash of some input they are passed with their secret key. The algorithm used is not a fully secure algorithm like what would be used in https, it's not NIST approved etc. They are custom algorithms designed to be done by a very simple processor very quickly and are orders of magnitude easier than AES or SHA.

    Incorrect. Card cryptograms are generated with either 3DES or AES. You can see full details here: https://www.emvco.com/specific.... Specifically, you want to look at Annex A of EMV 4.3, Book 2, "Security and Key Management".

    Note that many of the card issuing networks define their own variations on the EMV specifications, but they all comply with the general framework, algorithms, etc.

    As for the nature of the processors, most contactless smart card chips today are 32-bit CPUs running at around 40 Mhz, with several KiB of RAM and a few hundred KiB to a MiB of flash. They're low powered in comparison to the desktops and laptops we use today, but they're far more powerful than the high end computers I started with. They're even orders of magnitude more powerful than their predecessors which were in use when the EMV specifications were written, and those earlier generations could handle it. So today's are clearly perfectly capable of executing AES or 3DES operations in a short period of time... particularly since they all include dedicated coprocessors for that purpose. The coprocessors aren't necessary from a performance or power consumption perspective, they're used to defeat side channel attacks, but they do make the cryptographic operations faster and cheaper.

  13. Re:Omar Saddiqui Mateen? on World Reacts To The Worst Mass Shooting In U.S. History (cnn.com) · · Score: 1

    As someone who once fired at a very large wild pig with a .22 bolt action I can see why the ban is in place. Right tool for the job kids.

    By ".22 bolt action" I assume you're referring to a .22LR. That's vastly different from .223 Remington. The diameter of the bullet is very nearly the same, but the .223 carries an order of magnitude more energy, and the bullets are roughly 2X as massive. .223 creates a much larger and deeper wound channel.

  14. Re:Omar Saddiqui Mateen? on World Reacts To The Worst Mass Shooting In U.S. History (cnn.com) · · Score: 1

    ".22 caliber rifle" probably refers to .22LR, which is a rimfire and very low-powered. I believe all states prohibit hunting of big game with rimfire ammunition. .220 swift is centerfire.

  15. Re:Omar Saddiqui Mateen? on World Reacts To The Worst Mass Shooting In U.S. History (cnn.com) · · Score: 4, Informative

    Replying to my own post, it turns out that there are 10 states that don't allow hunting big game with a .223: Colorado, Connecticut, Illinois, Iowa, Massachusetts, Virginia, Ohio, New Jersey, Washington, and West Virginia.

  16. A customer finding a company good for them as an individual is drastically different then a company being good for a general population. Therein lies the problem. You are confusing individual good with common good.

    Individual good multiplied by a sufficiently large number of individuals common good. That's not to say there may not be other negatives associated with it, but the mere fact that common people find a good or service sufficiently attractive that they're willing to give their money for it is, by definition, a common good.

  17. Re:Omar Saddiqui Mateen? on World Reacts To The Worst Mass Shooting In U.S. History (cnn.com) · · Score: 1

    Let me guess. You do your "hunting" with an AR-15, right?

    An AR-15 is a little light (though usable) for deer or other big game, but it's a great varmint rifle. Light, accurate, and very configurable. If you do use it to hunt big game you have to be a little more careful with shot placement than you would with a high-powered rifle, but it certainly can do the job and is a lot more comfortable to carry and shoot than a heavier rifle.

  18. Re:Omar Saddiqui Mateen? on World Reacts To The Worst Mass Shooting In U.S. History (cnn.com) · · Score: 1

    In most states it is illegal to hunt deer with an AR-15 in it's standard .22 caliber because it is not considered powerful enough and therefor is inhumane.

    What states are those? All of those I'm familiar with require centerfire cartridges with expanding bullets, which the AR-15 satisfies as long as you use softnose bullets.

  19. The problem with capitalism is that a company can be successful even if it's bad for everyone.

    Utter nonsense. The fundamental strength of capitalism is that if a company isn't sufficiently good for its customers and suppliers, it will fail (barring government interference to prop it up).

    There are negatives associated with capitalism, mostly around its tendency to ignore any costs it can externalize, but the one you claim is absolutely not one of them.

  20. Re:Nest temperature display is backwards on Nest's Time At Alphabet: A 'Virtually Unlimited Budget' With No Results (arstechnica.com) · · Score: 1

    I have a Nest thermostat. It displays in large the temperature you set it to instead of the current room temperature.

    It displays both. I suppose I see why some people might like the large one to be the actual temperature, but I've never once been bothered by this in the two years I've had them. Partly that's because my thermostats are both in hallways and if you're close enough to see them at all you can easily read both numbers, but mostly I think it's because when I look at the thermostat what I mostly want to know is what temperature its set to.

    What I want to know is the big number. That's perfect.

    I have a pretty good sense of the current temperature based on feel, but what really matters with respect to the current temperature isn't the numeric value, it's whether I'm too hot or too cold. Since I know what target temperature will make me comfortable, what I care about when looking at the thermostat isn't the current temperature, it's the target temperature, and whether or not the HVAC is currently actively working to move toward that temperature. How long it will take to get to that temperature is also nice to know, and also displayed by the Nest.

    I guess to be very specific, what I usually care about when I look at the thermostat is "What have my kids set that thing to now?".

    I don't have any objection to making it configurable to better serve people who have different needs, but I prefer the display as is. If it were to be changed, I'd like it to add more information about what it's going to do in the future, such as when the next temperature setting change is coming, or maybe information about predicted outside temperatures over the next few hours.

  21. Re:this kind of thing is usually a DDoS on Apple Offers No Explanation for 7-Hour Outage (nbcnews.com) · · Score: 1

    Do I need to go on an NSA rant about how anything you transmit over the internet is compromised?

    In practice, what does that mean to the average person? I fully agree that we should take political action to stop NSA spying, on principle and as a precaution against future abuses, but it has zero impact on my personal security if the NSA reads everything I write, and that is the case for the vast majority of people. So when it comes to figuring out how to manage my data, I'm going to focus on what actually matters. More than anything, that's the probability that the data will be lost due to user error, device failure or catastrophe (house fire, etc.). For the subset of my data that's actually a little sensitive, e.g. my financial information, I also want good access control in addition to reliability.

    Seriously, if you have to choose between reliable data which the NSA may look at and unreliable data, which do you choose? And that's not a false dichotomy, that is the choice faced by most people, because they don't have the knowledge required to make sure their data doesn't get lost or destroyed.

  22. Re:Where is the outrage for smartphones?!? on FTC Has Serious Concerns About IoT Security and Privacy (onthewire.io) · · Score: 1

    Can someone please explain to me where the hell the outrage is for vendors who stop supporting smartphones well before their useful life?

    Sure.

    It doesn't exist because the vast majority of smartphone buyers simply don't care. Many expect to replace their phone every other year or so (or more often as the devices get broken), and most of the cost-conscious don't care because in practice the security issues don't affect them. Sure, in theory their old, unpatched devices are horribly unsecure, but in the real world nothing bad actually happens because of it. The real problems that affect users are things like SMS fraud and ransomware, which have little to nothing to do with security vulnerabilities.

    So, the only people who get outraged are geeks and pundits, and no one pays much attention to them. The FTC pays attention to worries about IoT devices because they're in the future which makes it easy to worry that the problems will be horrendous. Smartphone security issues are in the present, and in terms of real-world impact they're pretty minimal so no one gets too worked up.

    If we as a society want our smartphones to be supported for longer, we're going to have to be willing to pay for it, because phone manufacturers (other than Apple) are already operating on razor-thin margins. I can see three ways it could happen:

    1) OEMs could increase the price of devices across the board. Since the additional cost would be widely distributed, the per-unit increase would be pretty small. However, this would mean that all of the users who don't care about long-term support would be subsidizing those who do. It would also mean that manufacturers who don't do this would have a competitive advantage over those who do because, again, the vast majority of smartphone users don't care.

    2) Governments could mandate long-term support. That would effectively impose a tax on users who don't care about long-term support in order to subsidize those who do.

    3) OEMs could offer long-term support contracts to the users who care about them. I don't know for sure, but I suspect the number of such users would be small enough that the support contracts would be expensive. Perhaps enough that it would make more sense for users to want the support to simply buy a new device.

    In any case, in the current situation, the way you get support is by buying a new device every other year.

  23. Re:barcode on Olympic Athletes To Sport Visa's New Payment Ring In Rio (engadget.com) · · Score: 1

    but doing so requires a larger antenna (roughly the size of a credit card, conveniently enough).

    You should look into the yubikey neo. They're significantly smaller than a credit card and include nfc as well as usb connectivity for u2f. Powered passively by the reader.

    Duh. I have some of them. Somehow I never bothered to think about how they could work with such small antennas. I'll have to ask the Yubikey engineers next time I talk to them.

  24. Re:this kind of thing is usually a DDoS on Apple Offers No Explanation for 7-Hour Outage (nbcnews.com) · · Score: 1

    Local data is always better than remote data

    In what way? Reliability of local data managed by a typical user is generally much worse than that of well-managed remote data. You talk about security, but fail to define what you're securing the data against. Depending on the threat model there are pros and cons, but I'd say that in the case of the typical person their data is more secure against theft and/or leakage when it's stored in a professionally-managed data center behind a good authentication system.

    There are advantages to local data, but cloud storage also has significant advantages. There is no one perfect option for all situations, and for many situations cloud storage is better. It facilitates multi-device access, is resilient against device loss or damage and enables collaboration. It can have availability problems, but those can be mitigated with local caching.

    All of my important data lives primarily in the cloud, automatically synced to multiple devices. Should the cloud servers become permanently unavailable, I still have local copies, but I strongly expect the real failure modes to be in the other direction -- my local copies may get destroyed, deleted, etc., but the cloud copies will be safe. And for the average user who doesn't think carefully about how to manage their data, good remote storage is an order of magnitude safer and more reliable.

  25. Re:barcode on Olympic Athletes To Sport Visa's New Payment Ring In Rio (engadget.com) · · Score: 2

    I don't think a ring can carry a large enough antenna to draw power from the terminal

    http://nfcring.com// Those draw power from nfc terminals. Wireless payments are done via NFC, they just use one time tokens. Old tech been around quite some time. They inject them into animals even.

    NFC (which is a mobile phone technology) is actually a combination of two protocols, contactless smart cards, which use a variant of the T=1 protocol to communicate between a smart chip and a terminal, and RFID, which in which the tags have no processing power. RFID tags have very low power requirements and can operate with a tiny antenna.

    Those NFC rings you linked are just passive RFID tags that transmit a fixed code when powered by a field. They don't contain a microprocessor, and couldn't get enough power passively to run one because they can't contain a sufficiently-large antenna. Actually, though, you're probably right that that's what they're using in Rio. Such "dumb" technology would not work for a general-purpose payment scheme, but it works fine for small, closed systems. If that's what they're using, they don't have any sort of single-use tokens; it's the same value on every usage (much like a magstripe, though not the same content).

    More general solutions (including NFC and smart card payment solutions) use smart card protocols to communicate, and require a microprocessor in the payment token. Those can be powered passively by the reader field, but doing so requires a larger antenna (roughly the size of a credit card, conveniently enough). In phones they're generally powered by the device battery, though. NFC payments are *not* just one-time tokens. They may use limited-use tokens (sometimes single-use, sometimes more) but those tokens aren't simply transmitted, they're actually cryptographic keys (usually triple DES, though some systems have moved to AES) which are used to create a cryptographic message authentication code.