Slashdot Mirror


User: J'raxis

J'raxis's activity in the archive.

Stories: 0
Comments: 1,816

Comments · 1,816

  1. Re:What do you mean flawed? on Major UK Child Porn Investigation Flawed · · Score: 1

    Not my point. My point was to the effectiveness of the enforcement technique, not as to whether or not what is being outlawed is right, wrong, good, bad, and so on. Attacking consumers to try and curtail demand or to try and limit the desire to be a producer, is a failed strategy.

  2. Ah, one more thing... on Major UK Child Porn Investigation Flawed · · Score: 1

    This distinction gets a lot blurrier with CG and drawn porn, but from what I understand the cops tend to focus on real porn instead of the fake stuff. ...

    It's also unconstitutional in the US.

  3. Re:What do you mean flawed? on Major UK Child Porn Investigation Flawed · · Score: 4, Insightful

    The problem with viewing child porn online isn't so much with the viewer as it is with the producer. To produce real child porn you need real children, and that's exploitation pure and simple. If you pay for it, you're paying people to exploit children.

    So in other words consumption is illegal because they're trying to target the producers. Well, since that tactic has worked so well with the War on Drugs, I guess it'll work here, too.

  4. If at first you don't succeed, ... on NY Governor to Target Violent Video Games · · Score: 1

    If at first you don't succeed, just keep trying, right? Hey, it's not their money these scumbag politicians are wasting each time they get their state(s) sued over these idiotic laws, right?

  5. Of course the government wants it on National Projects Aim to Reboot the Internet · · Score: 1

    ...all with the federal government's blessing...

    I'll bet it has. Make sure all that surveillance and control architecture is in place before people get to use it, right?

  6. Re:Alternatives, please on Best Buy Acquires SpeakEasy · · Score: 1

    Ah, nice. Looks like I found the wrong page.

  7. Re:Alternatives, please on Best Buy Acquires SpeakEasy · · Score: 1

    Looks like it is $109.95 now, and it's $10/mo extra for the five IPs.

  8. 18 months? on Google to Anonymize Users' Search Data · · Score: 1

    There is absolutely no reason for them to retain logs linking searches to IP addresses for even 18 seconds, let alone 18 months -- this isn't "improving Google" for any of their users, no matter how much they claim it is.

    Keeping search history for logged-in users is one thing; I can see how some users could find that useful, just like browser history autocomplete. Perhaps they want to keep logs of non-logged-in users around for something like geographical targeting, but there's no reason they can't process out the IP information immediately, or on a quick rolling schedule such as every 24 hours. Or, just keep the /24 or /16 form of the IP address; that effectively anonymizes the data but still provides enough information for geo-targeting or other forms of aggregation. If they want to track the flow of requests (a user searched this, then that, clicked here, then...), they can use their cookie for that, or do something like generate a hash of each IP's hostname* and track requests by the hash.

    18-24 months, however, is about the right length of time that this data could be useful for the government for purposes of intelligence gathering or criminal prosecution.

    * Hashing the IP itself is useless as there aren't enough IPs (4,294,967,296 in theory, much less in practice due to all the reserved /8s) to make reversing the hash back to the IP difficult. However, the domain of valid hostnames is incredibly large (any alphanumeric string up to 256 characters), such that one can be reasonably confident the hostname cannot be computed from the hash.
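The two IP-handling options from the comment above, as an added example that is not part of the original comment: truncating to a /24 makes distinct users in a log indistinguishable, while an unsalted hash of an IPv4 address is recovered by enumerating the candidate range. SHA-256, the log line format and the sample lines (documentation addresses) are assumptions constructed for illustration; the search is limited to a /16 to keep it quick.

```python
import hashlib
import ipaddress


def truncate_ip(ip: str, prefix: int) -> str:
    """Zero the host bits so only the /prefix network is retained."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("ascii")).hexdigest()


def recover_ip(digest: str, candidate_net: str):
    """Return the address in candidate_net whose unsalted SHA-256 equals
    digest, or None. Shows that the hash is a pseudonym, not anonymization."""
    for addr in ipaddress.ip_network(candidate_net):
        if sha256_hex(str(addr)) == digest:
            return str(addr)
    return None


def anonymize_log(lines, prefix=24):
    """Rewrite 'IP<space>rest' lines with the IP truncated to /prefix."""
    out = []
    for line in lines:
        ip, _, rest = line.partition(" ")
        out.append(f"{truncate_ip(ip, prefix)} {rest}")
    return out


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "198.51.100.37 q=weather",
    "198.51.100.201 q=train+times",
    "203.0.113.9 q=recipes",
]

if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
    stored = sha256_hex("198.51.100.37")  # what a "hashed IP" log would keep
    print("recovered:", recover_ip(stored, "198.51.0.0/16"))
```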

  9. It's not anonymous unless it's encrypted... on Do You Need to Surf Anonymously? · · Score: 1

    Telling people "anonymous proxies" are useful to protect themselves is dangerously misleading. It'll prevent the destination website from finding out what your IP address is (maybe -- if you're not leaking that information some other way), but it'll do absolutely nothing to undermine the extensive network-level snooping going on nowadays. Your packets are still in the clear, readable, and sniffable at any point on the network; they're just taking a little detour through someone else's server so the destination site sees their IP instead of yours. If you're worried about the AT&T/NSA thing, or that your connection is being monitored directly, this is completely useless.

    I'd also not trust any of these companies like Anonymizer, the Cloak, &c.; who knows what they're doing with all the requests being forwarded through their servers?

  10. Re:Backdoored? on Seagate Ships World's Most Secure Hard Drive · · Score: 1

    Yes, if the government tried to prosecute someone for something discovered through this technique, it would be entered into evidence in a court proceeding and become public knowledge. But the government has more ways of going after people than through an open courtroom. For example, if they were using a backdoor in one of these drives for intelligence gathering, data gleaned from such would never make its way into a courtroom, and could still be used against someone in a variety of ways. I can't find the story about it now, but airport security in either the US or UK is now imaging people's laptops. Who knows what they're doing with that data?

    Of course, very little stops the prosecutors from simply lying -- perhaps the defendant "just did something dumb that exposed his password," or perhaps "the password was simple enough to crack."

  11. Re:Worlds most secure cipher meet ... on Seagate Ships World's Most Secure Hard Drive · · Score: 2, Informative

    This is how Linux's crypto-loop works. The CBC is run across only individual 512-byte blocks of the disk. I think they use the sector number as an IV.

  12. Re:Back Door For Big Brother ? on Seagate Ships World's Most Secure Hard Drive · · Score: 1

    This is actually a good reason to not trust disk-level encryption -- if the data is going to the disk in the clear and you're relying on the disk to encrypt it, are you even sure it really got encrypted? It could be getting copied somewhere else on the disk, accidentally or intentionally, and you'd never know.

    But if your OS is doing full-disk encryption for you, so that no data ever even travels down the IDE cable before it's been encrypted, this particular worry can be put to rest. Let the disk make sixteen different copies of it, and a special one just for the FBI, for all the good it'll do.

    Of course, then you have to trust the OS...

  13. Re:Back Door For Big Brother ? on Seagate Ships World's Most Secure Hard Drive · · Score: 1

    I'd trust it -- if I were using it here in the US. (Why would the Chinese share their backdoors with our cops?)

  14. Re:Backdoored? on Seagate Ships World's Most Secure Hard Drive · · Score: 1

    Is the write-only memory that we're talking about volatile storage that'll blank when the power goes off, or just an otherwise-inaccessible part of the permanent media in the drive? In the latter situation, what's to prevent someone from taking the drive apart (forensic analysis) to circumvent whatever mechanisms that, under normal operating conditions, render that portion of the drive "write-only"?

    Sounds like relying on a login prompt to protect your computer's data and forgetting someone with physical access to the device can just turn it off.

  15. Backdoored? on Seagate Ships World's Most Secure Hard Drive · · Score: 4, Interesting

    Who knows what this thing is doing inside? They're using AES-128 so you may not have to worry about the encryption algo being unsecure, but who's to say this thing isn't caching the password in some place you don't know about (but that the manufacturer and your country's authorities do)?

  16. Not really surprising because... on Political Leaning and Free Software · · Score: 2, Insightful

    When a political label like right groups together everything from libertarians to fascists, and left everything from anarchists to communists (and in the U.S., what with our power-mad government generally being identified as right-wing, a lot of libertarians too), this shouldn't surprise people.

    And it shouldn't surprise people that someone can be on the "right" but at the same time oppose capitalist businesses in favor of collectively-written Free Software. "Capitalism" is an ideological abstract that virtually all people identifying as "right" or "libertarian" support: It's an economic system based on free markets, free trade, freedom of choice in whom you do business with, competition, and so on.

    But a lot of purportedly capitalist businesses aren't very capitalist at all -- they use their power to dominate markets, limit choice, get laws passed favoring them, lock in consumers, destroy competition through anti-competitive practices, and so on. And things like Free Software may be collectively-written and therefore, to a lot of people, smack of socialism, but they offer a lot more choice to people, and there's little force that the author of any given OSS package could exert if everyone one day decided to up and go use something else.

    So you end up with some people who can call themselves "capitalist" or "libertarian" (and hence they fall under the "right-wing" label) and yet not at all support corporations like Microsoft nor use their products -- people who see through the language and look at what the companies like this are actually doing.

  17. Re:Anonymous speech on Connecticut Wants to Restrict Social Networking · · Score: 1

    Please, anyone but the EFF. You know, sometimes I think these organizations are founded or at least encouraged by the very groups they oppose, so they can put up a good show-fight and prevent the emergence of a real opposition.

  18. Re:Goodbye Anonymous Coward on Connecticut Wants to Restrict Social Networking · · Score: 1

    Unless the law specifically named the sites to be restricted (which of course would not be possible) ...

    It would certainly be possible, except keeping the list up to date with new start-up sites would be impossible (a good thing), and having a law that specially designates individuals (including corporations -- legally, they're "people" too) and punitive actions to be taken specifically against them is perilously close to a bill of attainder, a type of law explicitly proscribed by name in the Constitution.

  19. Re:The nature of humans on Connecticut Wants to Restrict Social Networking · · Score: 1

    Lying about your age to get around this won't necessarily have the intended effect: these sites already try to segregate their minors from their adults, so if a twelve year-old claims to be twenty-five, he's not going to get to join his friends, go in their forums, and so on, nor will they be able to join him.

  20. Bump out trick on Connecticut Wants to Restrict Social Networking · · Score: 1

    If the company takes reasonable efforts to simply block users from the states implementing these laws, they most likely can't be held responsible for any of it.

    First, block IP ranges known to be entirely within the states.

    Secondly, employ something similar to the "bump out" trick that's used to avoid COPPA liability: offer in your registration form the ability for people to select one of these proscribed states, but when they do, inform them the site is unavailable to them (only after they make a selection and submit a completed form), and set a cookie on their computer preventing them from trying to fill out the form again.

    From a technological standpoint, the above is ludicrous and trivial to work around, but legally it's sufficient. (The law is often ludicrous and trivial to work around; this is a good thing.) Employing the "bump out" trick places the legal onus on the user, not on the site -- the site made a good faith effort at compliance, and if the user is trying to get around it, it is he who is breaking the law, not the site. Hear no evil, see no evil.

    In addition to the above, on the "Sorry, we're not available in your state" page, make it clear to the user that the only reason it's not available is because the state has a law preventing the site from operating in its jurisdiction. This would raise awareness of the law and hopefully put pressure on the state to repeal it.

    Of course, as was already pointed out, MySpace is owned by Rupert Murdoch, so the company is probably complicit in this whole thing. Expect to see a lot of self-righteous noise emanating from MySpace spokesmen (like the quotes in the article), and then watch as they "reluctantly" concede and go along with it.

  21. Re:One fundamental problem... on Connecticut Wants to Restrict Social Networking · · Score: 1

    There've been a lot of stories recently about the government using these social networking sites for data-mining and surveillance. The sudden "interest" that multiple state legislatures are suddenly, and virtually simultaneously, showing in these age-verification schemes is a lot more suspicious in light of that, now isn't it?

    People are making comments like "Oh, this won't really matter in the long run, it's only Connecticut, blacklist their IP blocks," and so on. I wonder how long it will be until proposals are infesting every other state legislature.

  22. Re:If you please, explain on Cybercrime Treaty — Hidden Costs For All · · Score: 1

    As long as the encryption keys are available or can be made available, I don't see why logging the encrypted communication would be a problem. This sounds like a paranoid company worried about people emailing off trade secrets or somesuch; they're probably reading all your email communications too.

    Come to think of it, this might be a pretty good way around data-retention laws -- retain everything, just like the government wants, but it's encrypted, and the encryption keys are in the hands of the individual customers/clients/whatever. That would effectively prevent the situation where they can request a company hand over customer data without the customer's knowledge -- the only way the data they receive from the company would be remotely useful is if they also went after the customer himself in order to obtain the keys.

  23. Re:Windows encryption trustworthy? on Secure Private Key Storage for UNIX? · · Score: 1

    Most likely, but I've heard enough about administrative backdoors in products to be suspicious. Of course, those are just secret passwords, not decryption keys, so it's not the same issue. But I'd be very suspicious of BitLocker, that in non-corporate environments, your copy of the OS might come conveniently pre-configured with a recovery key that only the OEM knows about.

    Not sure what's out there for OSX. Their standard FileVault supports a recovery password so it goes in the same boat as BitLocker in my opinion.

  24. Re:Windows encryption trustworthy? on Secure Private Key Storage for UNIX? · · Score: 1

    I would hope so. In fact the next sentence in the article was Mr Thompson saying that "sometimes people use file wiping utilities or other tools but often they are not configured properly. People accept the default settings, which can leave fragments of data." So, yeah. Idiocy is its own rewar^W punishment. But the article also mentioned earlier that this BitLocker supports a second "recovery" key, so who knows how secure it is even if you use it right?

  25. Windows encryption trustworthy? on Secure Private Key Storage for UNIX? · · Score: 1

    From "Vista encryption 'no threat' to computer forensics":

    "We're seeing the same concerns with Vista as we saw with XP over the idea that built-in encryption features might frustrate law enforcement efforts. In practice XP has not proved to be a problem for computer forensics and we don't think Vista will be either," said Bill Thompson, director of professional development and training at Guidance Software.