Slashdot Mirror


User: alecm

alecm's activity in the archive.


Comments · 29

  1. Re:And Muffet is employed by? on Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) · · Score: 2

    >If facebook received an NSL or warrant, it could trivially trigger this "ugly, obvious, risky" mechanism and read "secure" traffic, with little if any visible sign at the sender / recipient.

    (cough/) how about bunches of messages randomly going missing?

    kindly go read this: https://whispersystems.org/blo...

  2. Re:And Muffet is employed by? on Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) · · Score: 2

    My comeback is that corporations which are held to be super-smart-and-sneaky one moment should not be assumed to be bone stupid the next.

  3. Re:And Muffet is employed by? on Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) · · Score: 2

    1) Really, dude, go read my Twitter. I'll post this there.

    2) It's not a backdoor. It has an off-switch. It would be a pain to exploit. It would be ugly, obvious and risky to exploit. If such snooping was sought, it would be done better.

    https://twitter.com/AlecMuffet...

  4. Re:Alec Muffett is an idiot on Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) · · Score: 1

    I've criticised a Guardian article, entirely justifiably. As for the underlying issue, it's a design consideration for usability. I actually don't like it, but I respect the choice.

  5. Oh, prove a negative, you mean?

  6. Re:And Muffet is employed by? on Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) · · Score: 1

    >Not convincing

    I'd love you to explain to me an even more plausible way to implement a backdoor than "write one, properly."

  7. Re:And Muffet is employed by? on Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) · · Score: 1

    > by modifying the code

    This is news?

  8. >"So why should anyone believe they wouldn't invest in the effort to exploit this hole"

    Because it would be cheaper and far more secure, convenient and scalable to build a _real_ back door.

  9. >"provider can at any time decide that now they want to eavesdrop into this or that conversation"

    and having hijacked one message in this scenario, what happens to the rest of the conversation? what happens to that message, too?

  10. Re:And Muffet is employed by? on Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) · · Score: 5, Informative

    a) just check my twitter for proof - and my 4-digit Slashdot ID. :-)

    b) i've built a reputation for 25 years, saying such things. Go dig up my USENET from 1991. Hasn't done me any harm that I care about, and it has done me measurable good when people see me commit to a set of values or a proposition with no "if", "and" or "but".

    c) at least I'm funny. :-)

  11. Re:And Muffet is employed by? on Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) · · Score: 2

    Because there are way better ways to drill holes in E2E than this, when in fact you own the codebase.

  12. Re:And Muffet is employed by? on Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) · · Score: 5, Informative

    Currently, since July, I am employed by nobody. And loving it.

    Previously to that I worked at Facebook, built their Tor onion, and built Facebook Messenger E2E crypto.

    So, I'm competent to comment, and beholden to nobody :-P

  13. full write up with experiences and descriptions on How a Leather Cover Crashes the Kindle · · Score: 1

    i've been suffering this and writing it up at my blog:

    http://dropsafe.crypticide.com/article/4633

    - for 2 or 3 weeks now, it's good to see it getting some press at last. Since my kindle no longer takes a full charge after these shenanigans, I am pressing for a full replacement of the Kindle, and a better solution for the cover.

  14. Re:Er ... no ... on Checksumming Webpages Patented · · Score: 1
    ps: I apologise for some corruption in the above, but /. doesn't seem to like large wodges of code, and it got munged in transit.

    if anybody wants the real thing, drop me a line. usual anti-spam provisions apply.

  15. Re:Er ... no ... on Checksumming Webpages Patented · · Score: 1
    Erm, well, I have been running a twice-daily cronjob called "urlwatch" on my workstation since - oooh, about 1997 - the guts of which are:

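    cat $cf |
    while read url sig junk
    do
        # skip blank lines in the config file
        test "$url" = "" && continue
        if www diagwww -aceh "$url" >$tf 2>/dev/null
        then
            # checksum the fetched page; the input redirect from $tf is
            # assumed here, as that part of the line was lost in posting
            newsig=`md5 <$tf`
            if [ "$sig" != "" ]
            then
                if [ "$sig" != "$newsig" ]
                then
                    # signature changed since the last run
                    reminder $url $sig $newsig
                fi
            fi
            sig="$newsig"
        else
            ( echo ERROR $url ; cat $tf ; echo -- ) 1>&2
        fi

        echo $url $sig
    done > $nf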

    ...and I can probably dig-up corporate off-site backups to prove it.

    For those not familiar with my toolkit, the script retrieves a URL, MD5's it, and mails me a reminder-note when the signature changes due to modification of content.

    I would deem this to be an obvious idea, and would happily support an effort to squash the patent.

    - alec

  16. What about the theme tune? on Intel Announces Pentium 4 · · Score: 1
    Can someone please remind me: was the original Pentium tune "Bing-Bong-Ding"?, or was it originally the full "Bing-Bong-Ding-Dong"? I ask, because I know it later evolved into:

    "Bing-Bong-Ding-Dong-Myaaaaaaawwwww..."

    ...with special effects, etc, and was wondering with the new Pentium4 whether it would turn into the full Roadrunner-cartoon:

    "Bing-Bong-Ding-Dong-Myaaaaaaawwwww-THUD!"

    ...or some other variation:

    "Bing-Bong-Ding-Dong-Myaaaaaaawwwww-ooh!-ahh!"
    "Bing-Bong-Ding-Dong-Myaaaaaaawwwww-Bwaahahahahah!"
    "Bing-Bong-Ding-Dong-Myaaaaaaawwwww-[Grind]-[Crunch]!"

  17. Re:I think they may get in a little trouble. on Wince at WinCE's New Name: 'Windows Powered' · · Score: 1
    I REALLY wonder what the UK's "Trades Descriptions Act" will make of this little marketing gem.

    IANAL, but there is a large body of UK law regarding what claims may be made for a product's ability, in the UK, and if "Windows" can be cited as a trademark tied to the x86 Windows software line, and this name can be implied to mean software *compatibility* with the aforesaid, then the results *could* be a bit messy.

    - alec

  18. Re:The Author? The User? And Whom Else? on Who is Responsible? The Developer? The User? · · Score: 1
    >So what you are saying is; Since I can write a program to erase the files off of a Lunux box, that the writers of Lunux are to blame for my actions?

    Possibly. If you delete your own files, that's your responsibility.

    If you delete someone else's files in a malicious manner, I argue that it is (a) your fault for doing so, and (b) possibly the fault of the system administrator whose poor security management gave you the opportunity to do this.

    In my book, it would not be the fault of the person who wrote the rm command.

  19. Re:The Author? The User? And Whom Else? on Who is Responsible? The Developer? The User? · · Score: 1
    >This is ABSOLUTELY TRUE!!! All those weak little old ladies that have been exploited by scam artists are criminals and should be shot!

    Nice attempt at irony, there; however in the case you cite, I would say that the cause of the problem is not the little old lady who gets mugged, scammed or whatever; instead I would lay the blame upon the local social conditions that lead to her getting scammed.

    The cause of the opportunity to commit a crime is not necessarily from the victim's shortcomings; likewise in computer security - eg: if you design a password system that is prone to dictionary attack, in the face of the attack being obvious, then you should bear some of the responsibility/blame.

  20. Re:tcpdump on Who is Responsible? The Developer? The User? · · Score: 1
    >Next has to be the case of a program designed to gain entry into a system, but with no other use. Again, a user using such a program would be wrong. If this program has no 'good' use (unlike BO2K), then the programmer would also be wrong. An example here would be the program 'crack' for cracking Unix passwords - a tool written exclusively for that purpose.

    Being as I am the author of Crack, and wrote it whilst I was employed as a Unix systems administrator, for the purpose of checking my password file before anyone else using similar/poorer tools could, and indeed because I shared it on those grounds - I disagree that this program has no "good" use, and would challenge you to find another example...

  21. The Author? The User? And Whom Else? on Who is Responsible? The Developer? The User? · · Score: 1

    >Who must be held responsible: The person that develops a software that will (or can) be used to illegal ends (like to break into a computer system, to illegally monitor other users, a virus, etc), or the person that uses it afterward?

    Being the author of one such dual-use software package (the Crack password cracker) - I am astonished that the questioner has missed out one entire class of people, when trying to describe whom should take the blame.

    As I see it, there are three classes of people to be pilloried in this potential witch-hunt:

    • the tool authors,
    • the tool users, AND...
    • the people who created the weakness that the tool exploits

    Me, I say it's a poor blaster that points only one way, and all tools (knives, saws, pointed sticks) can be used for good or ill - and so I lay the blame on the users, and also on the people who created the weakness.

    ...but I would say that, wouldn't I?

  22. Re:Doomed to the Way of the Beta on Sun introduces the "Sun Ray" · · Score: 1
    Speaking unofficially:

    This is something that can be sold to big business as a real solution.

    ...and trading floors and places where user-access hardware uptime is critical will love it; if your monitor dies, whip your smartcard out of your machine, plug it into the spare system in the next cubicle, and your session moves with you in seconds.

    see http://www.sun.com/products/sunray1/ for pictures and info.

    - alec (who works for sun but still thinks it's a neat piece of kit)

  23. Re:Bletchley Park Museum of Cryptography on Alan Turing's Enigma Treatise online · · Score: 1


    http://www.bletchleypark.org.uk/

    all the details are there.

  24. Re:Ten Years? on Revolutionary Chinese take on Linux · · Score: 1


    >And any process that takes ten years will
    >get to its destination way, way too late.

    Don't tell George Lucas.

    - alec

  25. Sign Of the Ages on Metcalfe claims Linux Can't Beat Win2000 · · Score: 1

    I suspect that this article is just a reflection
    of the age of the author; forgive me, I too
    remember the 70s/80s - albeit distantly - in the
    days when PCW and BYTE had more pages of signal
    than they did advertising noise, and computing
    was looking forward to its future.

    Before the OOPS fad, before the 4GL fad, there
    were continual fads in the 80s that computing
    was going to change for the better; articles
    about compilers that would understand natural
    languages and produce programs on demand, that
    would do what we wanted without error. User
    interfaces that would make everything we wanted
    to do, simple and obvious.

    This was the boom time of AI and GUI development
    in academia, and the mindset is propagated in
    hackers of a certain age, disposed to consider
    whatever hardware or software they are using as
    crud that will soon be surpassed by something
    much much better than they could imagine.

    This is, of course, a caricature, but I hope
    that some of it is recognisable.

    My point is: there are some people who will tar
    any existing technology as crap and invariably
    promise something better down the road; these
    people can be classified as:

    1) visionaries
    2) sci-fi writers
    3) marketeers

    ...depending upon their remit; I suspect that
    Bob falls into one of the two former categories,
    suffering some sort of self-loathing that nothing
    has changed since his day.

    I do not believe he falls into category 3
    (which M$ excels at) where the remit is to
    prevent adoption of some technology which
    might undermine profits from some competing
    technology of their own.

    There is a depressing tendency, amongst these
    people, to deride Linux for its Unix heritage.
    They forget that the flipside of "old" includes
    "tried", "tested", and "well-understood enough
    to be robustly optimised to hell and back",
    all of which are also important features to
    most computer users.

    Or, at least, the ones who don't think that
    one crash per week is acceptable.

    - alec