A settlement of 50 million for millions worth off damage done times 200 million class members, should be rejected by the court.
If their product does permanent damage to 200 million children's vision, they would be in a worse situation than the companies that used to exist that sold asbestos materials.
And a settlement that just pays each class member something worth less than $1 is not reasonable by any measure.
Recall from part 23 of the Federal rules of Civil procedure, pertaining to class actions:
(e) Settlement, Voluntary Dismissal, or Compromise.
The claims, issues, or defenses of a certified class may be settled, voluntarily dismissed, or compromised only with the court's approval.
(2) If the proposal would bind class members, the court may approve it only after a hearing and on finding that it is fair, reasonable, and adequate.
(5) Any class member may object to the proposal if it requires court approval under this subdivision (e); the objection may be withdrawn only with the court's approval.
How did they actually determine the product would inflict harm on people if released, if the technology had not actually ever inflicted any harm on any child?
Children participating in research studies are still people.....
The *correct* approach is to setup the arrest so that you don't arrest the guy and sieze the computer while the encrypted volume is not mounted. Instead, you keep him under surveillance, and when he has the truecrypt volume mounted, you storm in and arrest him before he can unmount it,
Kind of tough when your target is paranoid, and unmounting it just requires powering off the computer or hitting a panic button.
Secretly install a keylogger somewhere on his system to log the password for the truecrypt volume, and DON'T arrest the guy till you've got the passwords.
Kind of hard when the target is paranoid and boots his system from media he caries on him at all times, the OS volume itself is on a separate truecrypt volume, and highly secure to prevent adding unsafe executables
Secretly install software on his computer which, when any volume is mounted, starts to transfer the files over the Internet to a police file server.
ditto above
I've heard of research (seems like it was posted to/. a few years ago) that indicated it would be possible to pickup keystrokes made on a computer which was plugged into a wall power socket, by like tapping the lines outside the residence or something.
It was just research.
A truly paranoid target would have taken precautions against compromising emissions, and have filters in place, which he would verify before mounting the volume (while in his secure area: read, faraday cage).
Surveillance against such a paranoid target would also be extremely difficult. As seeing through walls is kind of hard, especially when they are electromagnetically shielded.
I make my hats out of lead, with special paint to mask the electromagnetic signature, not TIN.
The notion that 'TIN' would protect you from government mind control, eavesdropping, and other electromagnetic manipulation was a lie passed around -- actually TIN amplifies the effect, and makes the tin-hat wearers easier to track.
There are likely better materials to make your hats out of that are more effective, won't enable you to be tracked, and won't amplify the special signals....
I know the US government wants the citizens to think their standard is AES. Gives more credibility to the standard.
As for security measures under the most secret of government... who knows what the standard really is?? If they use something different from AES, or in addition to AES, or a modification to AES (such as special method of selection of key material to evade a certain vulnerability), I am sure they classify that top secret too.
The panacea of crypto standards for them would be one that has a backdoor when someone else uses it, but that when the government uses it, they get to pick a key that has certain properties that close the special avenues of attack completely....
I see... and since Bitlocker relies on a hardware TPM module, which is also used by DRM technology, the FBI employees can't break it without producing devices in violation of the DMCA's anticircumvention provisions, and going to jail... brilliant!
Worse, the people you subjected to the experience will know, and they will contact a lawyer to see if they can squeeze some money out of you somehow.
They will probably do this even if you didn't know about it, class action.
After all, your product still caused them the same amount of harm, they are entitled to recover the same reparation as they would be if you knew about it.
And your company was negligent in failing to conduct the most basic of safety studies to discover a widespread problem with the product that should have been discovered during design and earlier stages of development...
The only thing that might be different is the punitive damages, and the chance they will settle.
But if it becomes a major issue, there is a good chance they will start subpoena'ing witnesses, and questioning them.
They will be obliged to reveal even information collected under a NDA. There is a chance they will discover the company tried to cover it up....
The only way it makes sense to hide a study and not respond to it in the product design, is if the issue is believed to be so minor, nobody will notice, and the 'harm' of the product will never be proven.
A good example would be cell phones, and some people's belief that radiated energy might be related to cancer....
Maybe a mobile phone company's internal study suggested it at some point.
It would make sense to bury this, because the data is so conclusive, and it can always be easily and credibly argued that the product does no real (perceptible) harm at all.
So, you work for the NSA I take it, and want to make sure nobody believes the NSA's cryptology researches could have possibly found and exploiteded a critical (or designed-in) weakness of AES and other crypto?
Law enforcement has no way of knowing that "random data" isn't actually the password to something else?
Possibly a hard drive somewhere else, encrypted with a one-time pad, that no longer exists, or cannot be found by anywhere
It's like finding a pack of ammunition in a suspect's house, and deciding to arbitrarily hold them in jail, until they tell officers where their gun is.
The article in English mentions two encryption programs, one Truecrypt and the other unnamed.
Truecrypt might be the weak one that they'have already defeated, but the guy was smart and layered even stronger cryptography, that they can't beat, and don't want to name?
Another possibility is they are trying to break into a decoy file, which is truly random data, encrypted with an OTP from a hard drive that they never found.
They should not be trying brute-force against an AES key.
They should be working to find where the key materials is stashed. Nobody memorizes a 256-bit key.
It might be stored using a weaker symmetric crypto algorithim... then they should be trying to brute force the passphrase.
Or hold the guy in prison until he produces the evidence.
Assuming the contents of the hard drive is believed to contain evidence of a crime, committed by him, or someone else, he still has to produce that evidence, no?
I regret to inform you, that the UK government has recently begun conducting a review of 820 websites, and your web site is to be terminated immediately, due to excessive costs to the taxpayers.
The UK Central Office of Information recently revealed the high cost per visitor of £11.78 to our websites.
Your recent article linked to the BBC, making your web site part of ours. The BBC.CO.UK received nearly 100 million page views, referred by the slashdot.org page, costing the taxpayer £1 billion.
Therefore the Central Information Office has issued an order that slashdot.org be shut down immediately, as a cost saving measure. Please comply, or the ramifications could be dire.
At election time, if you feel so strongly about a candidate, that you're willing to go to the polls and put a check mark by their name, you shouldn't be hiding your name.
Stop being a coward, and let the local government publish the list of voters and everything they voted for.
The (evil) members of the public have a right to know who retaliation needs to be taken against, because they didn't vote the way they were supposed to (under threat of serious bodily injury, harm to family, etc)
Compromise of individual accounts does not leak information as badly as administration - there is a host of stuff an admin could do that an individual couldn't.
Every action an admin can do should be logged.
Excessively unusual admin activity should set off alerts -- there should be traps designed to quickly catch any admin abusing their access.
With respect to limiting access by IP address, again you are talking complete nonsense. It is feasible to do this on a whitelist that would enable access from anywhere, but would require an email or a phone call to set up.
Someone would have to answer that e-mail or phone call, it would be expensive, burdensome, and non-technical users would have difficulty communicating their IP address, which could change every 5 minutes or more often.
You think sending an e-mail or phone call is the least bit difficult for an intruder who stole information from an insider in the past?
Remember.. a compromise of Twitter relied on insider information, and access to admins' e-mail.
The best way to create a strong easy to remember password is via a phrase.
Those are not cryptographically strong passwords, in fact they are pretty weak. You might qualitatively think of those phrases as strong, but the entropy is low. Phrase-based passwords such as those are able to be guessed with an extended dictionary attack.
With respect to administrative controls, it is very easy to segment control and access in a system.
No.. it's possible to segment and control.
It is not easy to segment and control, without impeding people's ability to do their job.
I run a social media monitoring service, we have 3 basic types of user (Admin, Coordinator, Agent) but each one can have up to 30 options that define the precise controls and access they have. I am amazed that Twitter have not implemented a similar system.
If my team (3 guys) can implement this, anyone can. It is reasonable to expect. In fact it's totally sensible.
It is also not what the FTC wants them to do.
A system with 3 levels of access does not ensure every person has access to only the administrative functions they need, it does not satisfy the FTC's requirement.
The FTC is basically dictating a military-style security bureaucracy.
This goes beyond what access people have when they log into the website.
And includes things like... the DBA must not have access to the data, they don't need that.
They are essentially mandating that Twitter would have to encrypt every piece of data, and make sure the server admins cannot have access
That's fine for a bank, or other institution.
But Twitter is a social networking website, basically all the personal details they store are public.
They really only have three pieces of information to keep private: (1) Passwords, (2) Private Tweets, and (3) E-mail addresses.
It is not reasonable that such a company have a huge security budget, and spend 90% of their development efforts on security.
And they have enough scalability issues without introducing ACL and Policy-Fu into all their web sites and backend systems.
That's like saying.. if you don't like the
government illegally spying on citizens, then move your ass to another country
Corporations and governments have a right to ignore their consumers' privacy, and anyone who actually notices and complains is just supposed to leave, just because most people haven't noticed yet?
But the difference, is with the unlimited SMS plan, you aren't billed for the message... whereas if it were in just an ordinary IP packet, you'd have to pay for a data plan and exhorbitant per-kilobyte data fees:)
A settlement of 50 million for millions worth off damage done times 200 million class members, should be rejected by the court.
If their product does permanent damage to 200 million children's vision, they would be in a worse situation than the companies that used to exist that sold asbestos materials.
And a settlement that just pays each class member something worth less than $1 is not reasonable by any measure.
Recall from part 23 of the Federal rules of Civil procedure, pertaining to class actions:
(e) Settlement, Voluntary Dismissal, or Compromise. The claims, issues, or defenses of a certified class may be settled, voluntarily dismissed, or compromised only with the court's approval.
(2) If the proposal would bind class members, the court may approve it only after a hearing and on finding that it is fair, reasonable, and adequate.
(5) Any class member may object to the proposal if it requires court approval under this subdivision (e); the objection may be withdrawn only with the court's approval.
How did they actually determine the product would inflict harm on people if released, if the technology had not actually ever inflicted any harm on any child?
Children participating in research studies are still people.....
Because the study also found the average person might be harmed by reading the report.
The specific harm, is it might cause them to falsely believe 3D display products are dangerous.
Ultimately leading to a serious mental condition: being less likely to buy 3D display products.
The *correct* approach is to setup the arrest so that you don't arrest the guy and sieze the computer while the encrypted volume is not mounted. Instead, you keep him under surveillance, and when he has the truecrypt volume mounted, you storm in and arrest him before he can unmount it,
Kind of tough when your target is paranoid, and unmounting it just requires powering off the computer or hitting a panic button.
Secretly install a keylogger somewhere on his system to log the password for the truecrypt volume, and DON'T arrest the guy till you've got the passwords.
Kind of hard when the target is paranoid and boots his system from media he caries on him at all times, the OS volume itself is on a separate truecrypt volume, and highly secure to prevent adding unsafe executables
Secretly install software on his computer which, when any volume is mounted, starts to transfer the files over the Internet to a police file server.
ditto above
I've heard of research (seems like it was posted to /. a few years ago) that indicated it would be possible to pickup keystrokes made on a computer which was plugged into a wall power socket, by like tapping the lines outside the residence or something.
It was just research. A truly paranoid target would have taken precautions against compromising emissions, and have filters in place, which he would verify before mounting the volume (while in his secure area: read, faraday cage).
Surveillance against such a paranoid target would also be extremely difficult. As seeing through walls is kind of hard, especially when they are electromagnetically shielded.
I make my hats out of lead, with special paint to mask the electromagnetic signature, not TIN. The notion that 'TIN' would protect you from government mind control, eavesdropping, and other electromagnetic manipulation was a lie passed around -- actually TIN amplifies the effect, and makes the tin-hat wearers easier to track.
There are likely better materials to make your hats out of that are more effective, won't enable you to be tracked, and won't amplify the special signals....
I know the US government wants the citizens to think their standard is AES. Gives more credibility to the standard.
As for security measures under the most secret of government... who knows what the standard really is?? If they use something different from AES, or in addition to AES, or a modification to AES (such as special method of selection of key material to evade a certain vulnerability), I am sure they classify that top secret too.
The panacea of crypto standards for them would be one that has a backdoor when someone else uses it, but that when the government uses it, they get to pick a key that has certain properties that close the special avenues of attack completely....
I see... and since Bitlocker relies on a hardware TPM module, which is also used by DRM technology, the FBI employees can't break it without producing devices in violation of the DMCA's anticircumvention provisions, and going to jail... brilliant!
s/<conclusive/inconclusive/;
Worse, the people you subjected to the experience will know, and they will contact a lawyer to see if they can squeeze some money out of you somehow.
They will probably do this even if you didn't know about it, class action.
After all, your product still caused them the same amount of harm, they are entitled to recover the same reparation as they would be if you knew about it.
And your company was negligent in failing to conduct the most basic of safety studies to discover a widespread problem with the product that should have been discovered during design and earlier stages of development...
The only thing that might be different is the punitive damages, and the chance they will settle.
But if it becomes a major issue, there is a good chance they will start subpoena'ing witnesses, and questioning them.
They will be obliged to reveal even information collected under a NDA. There is a chance they will discover the company tried to cover it up....
The only way it makes sense to hide a study and not respond to it in the product design, is if the issue is believed to be so minor, nobody will notice, and the 'harm' of the product will never be proven.
A good example would be cell phones, and some people's belief that radiated energy might be related to cancer....
Maybe a mobile phone company's internal study suggested it at some point. It would make sense to bury this, because the data is so conclusive, and it can always be easily and credibly argued that the product does no real (perceptible) harm at all.
There must be some IT positions that don't have all that though.
This is why IT workers need unions though...
Unplanned overtime and crunch times should be illegal.
And "on call duty" is just normal work, and should be considered as such.
Being available to be called during certain times is work.
The FBI has not solved the P=NP problem, either
Or implemented practical cold fusion
Or developed a practical AIDS vaccine
Or found the cure to cancer
Or solved world hunger
Or stopped the oil spill
They failed to do all these things.
Sorry... no you cannot.. 6 bits can only represent 63 characters.
The uppercase and lowercase letters + numbers alone are 62 characters.
There are 92 characters on the keyboard. And you need at least 7 bits.
zxcvbnm,./ZXCVBNM?asdfghjkl;'ASDFGHJKL:"qwertyuiop[]QWERTYUIOP{}`1234567890-=~!@#$%^&*()_+
So, you work for the NSA I take it, and want to make sure nobody believes the NSA's cryptology researches could have possibly found and exploiteded a critical (or designed-in) weakness of AES and other crypto?
Law enforcement has no way of knowing that "random data" isn't actually the password to something else?
Possibly a hard drive somewhere else, encrypted with a one-time pad, that no longer exists, or cannot be found by anywhere
It's like finding a pack of ammunition in a suspect's house, and deciding to arbitrarily hold them in jail, until they tell officers where their gun is.
If you have ammo, you must have a gun, right??
A person can only be held in jail on contempt of court if there is a chance they will produce the evidence.
TFA says:
The article in English mentions two encryption programs, one Truecrypt and the other unnamed.
Truecrypt might be the weak one that they'have already defeated, but the guy was smart and layered even stronger cryptography, that they can't beat, and don't want to name?
Another possibility is they are trying to break into a decoy file, which is truly random data, encrypted with an OTP from a hard drive that they never found.
They should not be trying brute-force against an AES key.
They should be working to find where the key materials is stashed. Nobody memorizes a 256-bit key.
It might be stored using a weaker symmetric crypto algorithim... then they should be trying to brute force the passphrase.
Or hold the guy in prison until he produces the evidence.
Assuming the contents of the hard drive is believed to contain evidence of a crime, committed by him, or someone else, he still has to produce that evidence, no?
, the "vocal" nerds will be drowned out by people who just want cute shit.
" The user's going to pick dancing pigs over security every time." --Bruce Schneier
That's no problem, since bugs are frequently found in SSL implementations.
SSL is a complicated protocol, not a simple one, and it's prone to discovered (and undiscovered) programming errors.
I regret to inform you, that the UK government has recently begun conducting a review of 820 websites, and your web site is to be terminated immediately, due to excessive costs to the taxpayers.
The UK Central Office of Information recently revealed the high cost per visitor of £11.78 to our websites.
Your recent article linked to the BBC, making your web site part of ours. The BBC.CO.UK received nearly 100 million page views, referred by the slashdot.org page, costing the taxpayer £1 billion.
Therefore the Central Information Office has issued an order that slashdot.org be shut down immediately, as a cost saving measure. Please comply, or the ramifications could be dire.
At election time, if you feel so strongly about a candidate, that you're willing to go to the polls and put a check mark by their name, you shouldn't be hiding your name.
Stop being a coward, and let the local government publish the list of voters and everything they voted for.
The (evil) members of the public have a right to know who retaliation needs to be taken against, because they didn't vote the way they were supposed to (under threat of serious bodily injury, harm to family, etc)
Compromise of individual accounts does not leak information as badly as administration - there is a host of stuff an admin could do that an individual couldn't.
Every action an admin can do should be logged. Excessively unusual admin activity should set off alerts -- there should be traps designed to quickly catch any admin abusing their access.
With respect to limiting access by IP address, again you are talking complete nonsense. It is feasible to do this on a whitelist that would enable access from anywhere, but would require an email or a phone call to set up.
Someone would have to answer that e-mail or phone call, it would be expensive, burdensome, and non-technical users would have difficulty communicating their IP address, which could change every 5 minutes or more often.
You think sending an e-mail or phone call is the least bit difficult for an intruder who stole information from an insider in the past?
Remember.. a compromise of Twitter relied on insider information, and access to admins' e-mail.
The best way to create a strong easy to remember password is via a phrase.
Those are not cryptographically strong passwords, in fact they are pretty weak. You might qualitatively think of those phrases as strong, but the entropy is low. Phrase-based passwords such as those are able to be guessed with an extended dictionary attack.
With respect to administrative controls, it is very easy to segment control and access in a system.
No.. it's possible to segment and control. It is not easy to segment and control, without impeding people's ability to do their job.
I run a social media monitoring service, we have 3 basic types of user (Admin, Coordinator, Agent) but each one can have up to 30 options that define the precise controls and access they have. I am amazed that Twitter have not implemented a similar system.
If my team (3 guys) can implement this, anyone can. It is reasonable to expect. In fact it's totally sensible.
It is also not what the FTC wants them to do.
A system with 3 levels of access does not ensure every person has access to only the administrative functions they need, it does not satisfy the FTC's requirement.
The FTC is basically dictating a military-style security bureaucracy.
This goes beyond what access people have when they log into the website. And includes things like... the DBA must not have access to the data, they don't need that.
They are essentially mandating that Twitter would have to encrypt every piece of data, and make sure the server admins cannot have access
That's fine for a bank, or other institution. But Twitter is a social networking website, basically all the personal details they store are public.
They really only have three pieces of information to keep private: (1) Passwords, (2) Private Tweets, and (3) E-mail addresses.
It is not reasonable that such a company have a huge security budget, and spend 90% of their development efforts on security.
And they have enough scalability issues without introducing ACL and Policy-Fu into all their web sites and backend systems.
That's like saying.. if you don't like the government illegally spying on citizens, then move your ass to another country
Corporations and governments have a right to ignore their consumers' privacy, and anyone who actually notices and complains is just supposed to leave, just because most people haven't noticed yet?
They asked you in the Terms of Service you agreed to when you used the Android Market for the first time.
That's bullshit. They didn't ask you for specific permission to delete this particular application immediately before performing the action.
Google's actions are a much more adverse serious privacy violation, than the security researcher's.
I'm afraid not... after The Copyright Term Extension Act of 2023, (aka Sonny Bono II Act), copyright will get extended to 300 years.
Bluray will be obsolete by then, and you won't be able to find a player.
And your mobile provider will eventually notice, and ask you WTH is with all the text messages? (Before disconnecting you)
Meanwhile, all the seeds of the torrent will wander off, as everyone (except you) has finished downloading the file...
But the difference, is with the unlimited SMS plan, you aren't billed for the message... whereas if it were in just an ordinary IP packet, you'd have to pay for a data plan and exhorbitant per-kilobyte data fees :)