It doesn't. It mandates the use of FIPS 140-2 validated components when doing business with or for the Federal Gov't.
Most people wouldn't even know if it was turned on. All it really does is set a configuration where when you use crypto all that is available to choose from is 3DES and AES. And for hashes, SHA-1 or SHA-2 suite. You can't use MD5, Blowfish, DES, or some proprietary crap the vendor is trying to pawn off to lock you in.
And it must be a validated implementation. That is, you can't code up your own version of AES in Javascript and use that. Yes, OpenSSL has a validated version and that is the core module used by almost everyone in FOSS land.
I'm having a hard time understanding why, of all the things gov't mandates, picking on THAT one as a bad example.
How you secure your house or car has little to no bearing on 990100% of your neighbors. How the electrical grid and power plant, sewer treatment system, municipal water system, natural gas pipelines and the like are secured is totally different.
Damage to those can cause severe impacts to the community as a whole. The size of the community can vary depending on the system. For example your municipal water system could impact your city, whereas the power plant in your neighborhood could potentially bring down the entire regional electric grid.
Personal responsibility is a must, but it does not necessarily scale to community-wide services.
Not surprisingly? Do you have ANY clue on this subject at all?
What is wrong with mandating someone use a validated, tested algorithm and implementation instead of pulling one out of their ass and claiming their "proprietary solution" is superior?
The only thing turning off FIPS 140-2 compliance mode does is allow users to make stupid choices. FIPS mode prohibits that.
What's your issue?
Well, the saying "the line between genius and insanity is thin" can probably be modified slightly here to something like "the line between awesome and steaming-pile-of-frustrating-monkey-shit is thin".
Then your statement makes more sense.
Is this still possible? Considering SHA-2 is really a take-your-pick suite of SHA-224, -256, -384 & -512, NIST could do the same with SHA-3 and create a family.
Hell, SHA-1 is still kosher according to FIPS 180-4 as of March 2012. I expect SHA-2 to hang around for many years to come.
I admit I have not been following the mailing lists and they might have nixed this idea totally. Thus, my question to you which is probably quicker than trying to dig thru the archives.
Iran represents monetary ideas that show that modern societies can work without interest based banking.
Ha ha ha ha ha! You think their banks work without interest? Semantic horseshit. The Islamic religious fanatics in charge are STEEPED in semantic horseshit.
Islamic "non-interest" banks simply calculate what the interest would be, then add it on to the loan as a fee. You pay the same amount, but it is added in as a lump sum fee. Instead of a $100,000 loan w/5% interest on a $100,000 house, they buy the house for $100,000 then resell it to you for $200,000 on term. That isn't sinful interest, it is a blessed fee. Bankers are still bankers. TANSTAAFL.
Oh, and wagering on horse races is illegal because gambling is a sin. Except in Iran. When you place a bet on the ponies at the track, you're given a minuscule percentage of ownership of the horse for the duration of the race. Because betting on a horse you OWN isn't a sin. Only betting on OTHER animals is. Semantics.
Guess how they handle the "sin" of prostitution? You know how Islam allows you to have up to 3 wives? Well, if you only have 1 or 2 you can pop into the brothel and have the cleric "marry" you to one of the girls for the duration -- a few minutes to a couple of hours. This way she isn't a prostitute but your wife, and thus it isn't a sin. Instant divorce when you're done. They make Las Vegas look like pikers.
So feel free to go on and on about how Islamic banks have the answer to "fractional reserve banking" and the evils of usury but when you're done, look at it again and you'll see it is the same old pig just with a different wig.
When it stops being a valid complaint, we'll be glad to give it up.
An honest scan report from a major anti-virus vendor. Was it flagged as spyware/advertising trojan?
Wow. 41 comments in and only a handful actually on topic. The rest just bitch about an analogy involving Apple or the proper use of the term "hacker". I guess Slashdot has totally given up on discussions relating to security.
For those (few) interested, here is the link to the original paper.
http://www.trendmicro.com/us/security-intelligence/research-and-analysis/index.html#spotlight-articles
Semantics are at the root of many misunderstandings. Just like many fundamentalist Christians don't know the proper definition of "theory" and ignorantly deride evolution as "just a theory", you don't understand the Islamic definition of peace.
It is "the peace of Allah". That is, peace for those who submit to the will of God. For those who don't submit... that's different. If you want "peace", then submit to God's will. The word "Islam" itself translates as "submission" -- as in submission to the will of God.
Actually very similar to the bumper stickers "Know Jesus, Know Peace; No Jesus, No Peace". Except many in the Middle East take a literal approach to the interpretation.
Sigh... sorry. I've been following the various laws regarding this for years as it is both a personal and professional interest to me.
Thanks.
No, in *radio* communications there is *NO* legal difference in receiving and decoding the signal.
The airwaves are public. You are fully allowed to receive any signal that you can reach from your property or public property. Until the DMCA was enacted, you were legally able to unscramble or decode that signal to your heart's content.
Please understand this. At NO TIME was anyone EVER convicted of "pirating" satellite television for simply unscrambling a signal. THIS WAS LEGAL.
People were arrested for selling, manufacturing, distributing or importing prohibited equipment that did this. They were arrested for publishing information on how to do this (though I don't know if anyone was ever convicted on this -- free speech and all). There were cases of running bulletin boards that discussed how to do this.
BUT NO ONE WAS EVER CONVICTED OF A CRIME OF RECEIVING OR UNSCRAMBLING A SIGNAL.
Until the DMCA (1998), this was essentially fully a legal right. There was nothing to charge people with.
Note: Pirating cable television is different. You had to physically attach to the cable. That is a crucial difference.
Ditto for intercepting old analog cellular communications. People were only ever charged with RECORDING the signals, not just intercepting them. The law instead went after the Radio Shack (and other) receivers, making it illegal to import, distribute or manufacture them -- but NOT illegal to OWN or USE them. Old sets were grandfathered in and fully legal to own and use. [47 CFR Part 15.37(f) -- implemented in 1994]
The communication content you are talking about in those packets is all based on public standards and commonly available tools.
You seem fixated on the need for equipment and knowledge, and that has nothing to do with it.
The law addresses only content protected by a method of ACCESS CONTROL, which simple protocols such as SMTP or POP3 are not.
Skype is encrypted communications and has an access control. Under the DMCA it is thus illegal to circumvent.
SSL-encrypted communications fall under the same law.
As far as I can determine, the State laws all revolve around DISCLOSING information gathered by eavesdropping -- not the act of eavesdropping itself.
http://www.ncsl.org/issues-research/telecom/electronic-surveillance-laws.aspx
In short, I can listen to any damn thing I want. I can decode it all day long. I just can't tell anyone. However, there is no law against me acting on the information I overhear as long as I don't disclose the information itself. (Insider Trading and the like notwithstanding.)
Please point me to an actual law -- preferably Federal, as I haven't chased down all 50 States -- that says the contrary.
And FYI, I was a telecom engineer for over a decade and spent the last 2-3 years supporting CALEA projects. I had several in depth conversations with lawyers specializing in this field as well as agents of several law enforcement agencies, both Federal and State/Local when seeking guidance on how EXACTLY to implement software wiretap solutions.
I am very interested in this subject.
No, it is not nor was it EVER illegal to receive an in-the-clear satellite broadcast if you didn't subscribe. This is why "pay" channels were scrambled early on (hello HBO). This is why people used the big dishes (C-band). All the main feeds were unencrypted and available for the taking. The broadcasters had no legal recourse for in-the-clear broadcasts.
The airwaves belong to the public. While they are managed by the gov't to prevent chaos, if it is broadcast in the open it is fully legal to receive.
This is my point. It is NOT illegal to receive a signal in the public airwaves from public (or your own private) space. You may fully demodulate said signal, but it is illegal to circumvent ENCRYPTION.
You could make a case for what you're saying *if* the transmission required a patented codec to decode, and the hardware needed to decode it was under controlled distribution.
Wifi isn't such an animal. The 802.11 signal is a standard and you are covered by all patents when you purchase the receiving hardware -- a NIC, base station or your phone.
This is why a SECOND LAYER -- ENCRYPTION -- is needed for protection. Otherwise it is the legal equivalent of shouting in a public space. If I can hear you from your sidewalk, you have no expectation of privacy.
No, needing a technological device like a radio receiver doesn't matter. Not when it is publicly available like a wifi receiver is.
If you set up a micro-FM transmitter in your home that reaches just outside to the street, I am fully within my legal rights to stand in the street with a portable radio and listen to what you transmit. You can scream that it wasn't intended for me all the time but that doesn't matter. THE AIRWAVES BELONG TO THE PUBLIC.
By the way, encryption in certain frequency bands such as Ham Radio is illegal. It *MUST* be in the clear, and ANYONE can purchase a receiver and listen legally.
The lock is a method of keeping people out, like ENCRYPTION. A plain signal radio broadcast is not. The signal is in public space. This is why satellite providers ENCRYPT their signals.
LISTENING to a radio signal ON PUBLIC PROPERTY is not the same as ENTERING a private house.
And your arguments aren't really on target.
*Lending* someone a cell phone is not the same thing, since you don't have to lend anyone wifi equipment.
And as far as activity in the household not readily visible from outside...that is the point. Wifi is readily available outside the home. I can stand in the public street and pick up most signals.
You are broadcasting an open radio signal that reaches into public space. Sitting in that public space and LISTENING to it is, as far as I'm concerned (and I'm a paranoid libertarian), considered in plain view.
Traffic is encrypted for a reason. This is why SMTP, POP3 and all the other protocols have SSL options. I can't name one major provider that doesn't have an SSL option.
This is why we have "SSL Anywhere" as a program and use HTTPS for connecting to online banking.
If you want privacy, you must at least close your door or even your curtains. A cop can stand in the street and if you have a huge window and no curtains, if he can see a bag of pot on the table in plain view he can grab it.
Okay, damn it. I have to rent the movie again. That was probably a 10-year old memory.
Irrelevant. Roth contacted an editor himself, who acknowledged him as the primary source. The editor could make the change, having established to his satisfaction that the person was indeed the author.
Besides, if you're writing a report on The Human Stain, you should be reading The Human Stain, not Wikipedia.
I disagree with your characterization.
Your internet communications are NOT in several layers of an envelope. They are like post cards, with several rows of addresses. There is no envelope. Everything is written on the outside. They are shouted to the world on open WiFi. Well...at least to the part of the world within radio reception.
I understand what you're saying about the 4th Amendment, but I can easily imagine a gov't agent back in the 1700s following a couple of people and listening as they have a discussion in public.
In all honesty, this is why I advocated WEP -- yes, WEP -- to people who couldn't use WPA. It was, from a legal perspective, a clean signal that my intent was that the contents of the transmission were private.
Think of it like an interior, locked door. One of those cheap, hollow doors with a lock you can twist open if you try. The point of the door isn't to keep you out, but to let you know "you aren't supposed to be here unless invited in".
Damn well activate WEP and use the password "abcdabcd" or some such.
This is why my SSID at home is "private_keep_out" and why "No Trespassing" signs are needed.
I think this one falls squarely under the "plain view" doctrine.
This reminds me of the Rodney Dangerfield movie "Back to School".
The English professor gives an assignment to read and write an analysis on a Kurt Vonnegut novel. Dangerfield's character hires Kurt Vonnegut himself to write the analysis.
The professor, during a fit of scorn, throws the paper at Dangerfield and yells "and you don't understand the first thing about what Vonnegut meant!"
Vonnegut himself has a non-speaking cameo where Dangerfield tells him he's stopping payment on the check and Vonnegut flips him off.
Your letters are in an envelope. Think "post cards" instead.
EVERYONE assumes those are read by postal employees. It is ingrained in our culture and was a casual joke used in many TV sitcoms that had post offices in them.
Hell, even one of the Infocom games featured a reference to it!
That would be self-correcting in the long run, for what I think would be obvious reasons.
Honestly, what Class Action suit hasn't resulted in a windfall for the lawyers involved and a token payment for any plaintiffs?
Fuck the lawyers.
Remember the anthrax scares right after? There were at least half-a-dozen "ZOMG THERE IS WHITE POWDER ON THIS!" calls to police and the local news in the small town where I lived at the time.
While some people grumble and complain about the process, I've also encountered many people who believe what the TSA is doing is actually protecting them from terrorism.
More to the point, they honestly believe that there are terrorists right around the corner just waiting to blow them up. Not in an abstract but THEM, specifically. You know, it could happen anywhere so it could happen to YOU and it could happen HERE!
Their lives are so boring and mundane they get a thrill over the possibility that something important could happen to them or someone they know. Even if it is something like a terrorist attack, it makes them feel special. As if the town of Bumfuck, Nowhere was chosen special for a target.
It gives them something to gossip about. "What if..." It is essentially one of the same motivations that drives people to buy lottery tickets. They can dream "what if..." and not have to face the dull reality that is their life.
It's really sad.
As far as I can tell, they go "poof" into the ether. SMS is the UDP of the cell phone world. No guarantees, no confirmation.