Slashdot Mirror


User: FriendlyLurker

FriendlyLurker's activity in the archive.

Stories: 0
Comments: 719

Comments · 719

  1. Re:And thus it begins on MasterCard and Visa Start Banning VPN Providers · · Score: 3, Informative

    Here is the reference you asked for. I can forgive you for not realizing you had this right, given how seriously the US/UK, some EU and Commonwealth nation states are ignoring and openly pissing on basic human rights.

    Universal Declaration of Human Rights

    A right to privacy is explicitly stated under Article 12 of the Universal Declaration of Human Rights:

    No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.[14]

    [14] United Nations. (1948). Universal Declaration of Human Rights. Retrieved October 7, 2006 from http://www.un.org/Overview/rights.htm

  2. Re:And thus it begins on MasterCard and Visa Start Banning VPN Providers · · Score: 0

    and they have the right to not do business with anyone they don't want to.

    I am afraid you are wrong. Financial companies do not have the right to block payments to legal companies/individuals that they just do not happen to like. They have special permission by society to operate within our borders, so they damn well have to play by the rules. A good example is the recent Icelandic Supreme Court win by WikiLeaks against the banking blockade. Apparently they are in the process of getting a similar ruling in the EU, and they have stated they will then be suing for damages. It must have Mastercard and Visa worried, as they appear to be back-pedaling from their illegal acts, and fast.

    "It violates the competition laws and trade practice legislation of numerous EU states." "The UN High Commissioner for Human Rights has openly criticized the financial blockade against WikiLeaks, as have the UN Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression and the Inter-American Commission on Human Rights Special Rapporteur for Freedom of Expression..."

  3. See!!? on French Gov't Runs Vast Electronic Spying Operation of Its Own · · Score: 4, Insightful
    Everyone is doing it. It must be ok then... so move along, "don't rock the boat - keep your head down Just another fool in the crowd"...

    /sarcasm

  4. Re:Harmless? on EU To Vote On Suspension of Data Sharing With US · · Score: 3, Insightful
    Cold fjord (826450) writes "Snowden's handler..." is deceitfully supporting the new official narrative sound bite that Snowden is a spy as opposed to a whistleblower. This is despite the fact that Snowden fits the very definition of a whistleblower in every respect, with no "grey area" in sight:

    How is it anything other than pure whistleblowing to disclose secret documents proving that top government officials have been systematically deceiving the public about vital matters and/or skirting if not violating legal and Constitutional limits?

    This narrative is being repeated by the US military propaganda machine, which unfortunately also includes most of the world's mass media corporations (I just watched an EU news presenter refer to Snowden as a spy in the same breath as feigning outrage over EU diplomat spying by the NSA).

    It is unfortunate that shill accounts like cold fjord (826450) are being given increasing airtime on slashdot, with a long list of incorrect, misleading, and downright deceitful stories being promoted to the front page in this account's name (with some infrequent light-hearted ones sprinkled in for good cover/measure), all with the same or similar propaganda message. Not to mention the untold number of minion accounts used to harvest and mod up the posts.

    My only question is, are the slashdot editors complicit? We have already seen that multi-million-dollar propaganda software is up and running to manage accounts like Cold fjord (826450); what is the slashdot moderation system doing to counter such technological advances?

  5. Re:And thus it begins on MasterCard and Visa Start Banning VPN Providers · · Score: 4, Insightful

    Outside source or not, we have a basic right to communicate over a secured connection, and so by extension the right to pay any legitimate company we like to provide said services to us.

    But no, a world corporate duopoly Mastercard/Visa have decided that we no longer have that right. As citizens WE MUST revoke or at the very least impose hefty enough fines on these companies for abusing the privileges we gave them, by allowing them to sell their services into our respective countries. Arrogance, much.

    Of course, those who organized this fiasco are the same ones who control our their politicians, so this basic and necessary wrist slapping will not occur, and so we continue our slide down the slippery slope...

  6. Re:Oh whatever on MasterCard and Visa Start Banning VPN Providers · · Score: 1

    In that case use your own VPN. Connect to the hotspot and tunnel back over your residential broadband connection.

    Oh thank you for allowing us to use VPN on a "case by case" basis, if we have the technical skill and ability to set one up ourselves, that is. Silly me, here I was thinking it was a basic right to communicate over a secured connection, and so by extension to pay any legitimate company we like to provide said services.

    But no, a world corporate duopoly Mastercard/Visa have decided that we no longer have that right. As citizens we must revoke or at the very least impose hefty enough fines on these companies for abusing the privileges we gave them, to sell their services in our respective countries. Arrogance, much.

  7. You are right about https redirects, my mistake, thanks for the correction. They are just so common now it appears to be default browser behavior.

    When I make a request to a https url I expect the information contained within that request (parts of the url other than the hostname, post data if any, cookies if any) to be sent over an encrypted and authenticated link. By the time I can "look for the padlock" the potentially private information has already been sent. So if the connection cannot be authenticated the browser MUST warn me* BEFORE it continues with the request.

    It sounds to me like invoking a very special, very peculiar and rare case to support the current status quo: That of communication of private data during initial handshake. How can a user be sending private information (credit card info in form post data for example) with an expectation of privacy on their part if they have not even accessed the webpage, ever, yet? They haven't even accessed the form/page yet want to send post-data securely to an unknown website without even verifying the CA cert? That does not make sense, seems very contrived to support current browser (mis)behavior. If the user never got the padlock notification on a form, if they have never connected to the website, if the webpage has not notified them that they have a CA issued cert and can expect high privacy - then they would not be sending any postdata or any other kind of data with any expectation of privacy in the initial handshake.

    I support systems that allow encrypted but unauthenticated connections to be presented to the user in the same way as unencrypted connections but to maintain current security the https url scheme MUST NOT be used for such connections. Either a new url scheme should be allocated for such connections or a protocol should be used that can share the http url scheme.

    We agree on the overall aim then, so it is just over the technicalities for delivering it. Unfortunately I am no expert in protocol or UI design so will refrain from suggesting solutions that are not well thought out and researched. I am however not so quick to say that the https url scheme must not be used for such connections. Most browsers have implemented big green lock icons, change the url bar color and use other UI tricks to try and convey that a CA certified connection has been established (in part due to the research I presented earlier). They obviously do this, as the research shows, because the httpS does not convey anything to the majority of users (indeed most browsers even hide the protocol in the url bar). This all adds to the argument for allowing an https connection on a self signed cert without all the visual cues of a secure CA certified connection. What we gain by allowing that without "big scary" error messages is the ability for any website to provide encrypted connections all the time - a huge win for security on the internet.

    Blindly serving up redirects from https to plain http is risky as it can reveal potentially private information in the url but as far as the protocol is concerned it's /.'s call to make that decision (just as it's /.'s call to take the information you posted over https and post it for the public to see) and /.'s identity was verified** before they got the chance to make that decision.

    I agree it is risky, but it is so common now as to appear to be default behavior - which undermines the argument "When I make a request to a https url I expect the information contained within that request to be sent over an encrypted and authenticated link". Most websites redirect https if they do not have it, so that requirement looks to be out of touch with how the protocol is actually being used. You also mention that the browsers leave it up to the websites to make the decision to redirect, and yet the browsers take away the decision of websites if they choose to use self signed certs. The error message

  8. Re:God it feels good to be an American!!!!!!! on Bolivian President's Plane 'Rerouted Over Snowden Suspicions' · · Score: 5, Informative
    Worth pointing out that some of those same EU countries trying to impede and/or deny Snowden's asylum requests ("a centuries-old right in international law") are also responsible for allowing CIA extraordinary rendition of unknown prisoners via their air space without any due process, airplane checks (yes Spain, that includes you).

    As usual, US officials and their acolytes who invoke "the law" to demand severe punishment for powerless individuals (Edward Snowden, Bradley Manning) instantly exploit the same concept to protect US political officials, their owners and their allies from the worst crimes: torture, warrantless eavesdropping, rendition, systemic financial fraud, deceiving Congress and the US public about their surveillance behavior. If you're spending your time calling for Ed Snowden's head but not James Clapper's, or if you're obsessed with Snowden's fabricated personality attributes (narcissist!) but apathetic about rampant, out-of-control NSA surveillance, it's probably worth spending a few moments thinking about what this priority scheme reveals.

  9. The danger is that they could think that their connection is somehow more secure than plaintext.

    It is a danger *only* if the browser is giving some indication of security. If the browser does not give any indication or expectation of privacy with self signed certs then there is no danger. Most browsers already do not show the protocol being used for plaintext (no http:// display).

    You cannot safely fix this without determining user intent, and even the user can't usually be trusted to determine their intent.

    You can safely fix it by not giving any change to the normal unencrypted experience. If they intended to use HTTPS to get real security but instead were presented with a self-signed certificate, and the browser defaulted into plain text view (no ssl icon or indication of security) then the user does not need any extra warning. Of important note: This is already the default behavior if you try to use https on a website that does not support it like slashdot - the browser defaults to plain text view without any warning, any error. If the browsers were truly so worried about this problem as you claim, then there would also pop up big scary messages instead of the silent redirection from https to http.

    They shouldn't just continue on blithely unaware -- which is exactly what will happen if you treat it as a normal unencrypted connection.

    As mentioned above, this is already the default if you punch in https on a website that does not support it. Unfortunately and in any case, research has shown repeatedly that people continue on anyway regardless (eg "Crying Wolf: An Empirical Study of SSL Warning Effectiveness"), which further strengthens the case for self signed certs being treated the same as plain text connections in every way.

    At the end of the day, our data is being collected and stored en masse. It is passing through an unknown number of private companies like Booz Allen and other private third parties to the security apparatus, including an unknown number of individuals who are all unaccountable in any meaningful way for how they use or abuse that data. The majority of internet traffic flows unencrypted, despite your claim that "no serious website will benefit at all from this, since they all can afford the small cost of a certificate". All the current extra "scary" warning on self signed certs is doing is effectively denying the larger part of internet traffic the ability to be encrypted - that is a much worse tradeoff than raising self signed certs to the level of plain text.

  10. No, it isn't the same, it is better. Unencrypted is already open to all sorts of man-in-the-middle attacks by criminals, and ISPs and three-letter agencies are already "quietly intercepting" and recording EVERYONE'S traffic. Making them go one step further and have to target individuals in order to replace a deluge of self signed security certificates is a big positive step. Also, if self signed certs are never blessed with a security icon by default then people will not fall for fraudulent fakes - because the browser would never be telling them they have a "secure for your bank traffic" type of connection with a self signed cert.

  11. That is an "all or none" argument. If self signed certs look, feel and behave the same as what unencrypted does now, then people have no reason to behave differently than they do with unencrypted. Sadly and as numerous researchers have shown (like this one - "Crying Wolf: An Empirical Study of SSL Warning Effectiveness") people quite happily transfer secure data over unencrypted connections in the current setup anyway. This further undermines your argument and the rationale that treating self signed certs the same as plaintext is considered worse, especially given recent mass data passive collection revelations...

  12. Re:NSA on Calif. Attorney General: We Need To Crack Down On Companies That Don't Encrypt · · Score: 4, Insightful

    people have a higher expectation of security from SSL.

    I think the GP's point was that it does not have to be an all or none - that you can have SSL of a self signed cert without the error message and without giving any "expectation of [high] security" (to quote GP "no full secure icon").

    The rationale for the pop-up is that an unknown self-signed certificate is as bad as no encryption

    In light of the Snowden revelations and subsequent fallout, this rationale has very few legs to stand on. Unencrypted is less desirable than plain text. The only argument I have seen against this rationale is that people may be lulled into a false sense of security if they believe self signed certs are as secure as CA issued ones, falling for MITM attacks for their bank traffic etc. The counter to that is simple and sensible: no, not if the browser does not try to tell them they have a top secure connection - and treats it like it is a plain text connection.

    self-signed certificate is... totally open to a man-in-the-middle attack

    The current SSL system is also totally open to man-in-the-middle attacks by state sponsors, as has been reported here various times. And yes self signed certs are also very vulnerable to the same attack - but the point here is to encrypt the majority of data. State sponsors can always target but with blanket always on encryption they are unable to perform mass illegal capture and storage.... that is the point of not raising an error message on self signed certs.

    Any way I cut these arguments, browsers appear to be in the wrong on this one - throw in cosy relationships with CAs, state departments etc and we could have a conspiracy here.

  13. Re:Windows does have a backdoor. on NSA Backdoors In Open Source and Open Standards: What Are the Odds? · · Score: 1

    The "magical untraceable backdoor" is just a private key for signing Windows modules as "trusted". It is not that hard to understand.

  14. Re:Windows does have a backdoor. on NSA Backdoors In Open Source and Open Standards: What Are the Odds? · · Score: 1

    Now you're going out on a limb. Stuxnet infected industrial machines (Siemens I believe) - not Windows. The "magical backdoor" is just a private key for signing Windows modules as "trusted". All Windows machines accept any module as trusted if it is signed with that key. Bruce Schneier or others in his field assume such keys to be under the protection of Microsoft and therefore "safe" (i.e. not a back door for loading malicious spy modules onto any Windows machine - which any agency can do when they have access to the key/s).

  15. Windows does have a backdoor. on NSA Backdoors In Open Source and Open Standards: What Are the Odds? · · Score: 5, Informative

    GP wrote: and no, there isn't a magical NSA backdoor in Windows either, get over it conspiracy fanboys

    You are forgetting something. A pretty BIG BACK DOOR into windows that has been known and confirmed for some time now.

    “...the result of having the secret key inside your Windows operating system “is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system“. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards”

  16. Re:Washington Post on Beware the Internet · · Score: 4, Insightful

    Agreed. Since when did some old guy's ignorant opinion become news for nerds, especially when such opinions flow almost 24/7 in all major newspaper opinion sections... old guys or indoctrinated young-uns lamenting the loss of hierarchical information flow?

    Oh silly me, it is news for nerds since Washington Post stepped out of line. All part of the discredit the messenger(s) campaign. Carry on then...

  17. Re:USA has form on Richard Stallman Speaks About Back Doors After NSA Documents Leak · · Score: 3, Interesting
    Maybe you mean this?:

    “...the result of having the secret key inside your Windows operating system “is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system“. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards”

  18. One down on Internet Villain of the Year Stephen Conroy Resigns · · Score: 2

    A whole lot of other corrupt dishonest Aussie politicians to go... they have had their fair go at it, mate.

  19. Re:hmm on Australian Government Rejects Data Retention Law After Report · · Score: 1

    sick of the shenanigans pulled by the current government, (sometimes pulled by only a minister here or there, without the consensus of his own party

    Please. If you have to pass unpopular/shady/questionable policies and laws, always always set it up as one individual's doing and claim - "it's not the party's policy" - they acted alone. This is standard politics, fall on your sword type devotion to the party - preserve its good name. Please don't be fooled by the massive sleight of hand (well, sleight of mouth/marketing)...

  20. Re:Done us all a favor on Wikileaks Aiding Snowden - Chinese Social Media Divided - Relations Strained · · Score: 1

    Unfortunately, you're right - and it looks set to get worse there: Corruption Checklist - New Zealand.

  21. Re:PDFS on NSA Releases Secret Pre-History of Computers · · Score: 1
    To be fair to them, they do warn you (or is it ask for your permission): "A Collect ion of Writings on Traffic Analysis . (pdf)"

    They are cryptanalysts after all - always writing and thinking in codes...

  22. Re:Pay no attention on NSA Releases Secret Pre-History of Computers · · Score: 4, Insightful

    All part of damage control - got to raise public opinion quick smart. You have no idea how many talking points have been written in the last week or so for the media employees (talk show and news anchors etc) to spout off over the next few days/months. Muddy, confuse, distract... ahh, propaganda...

  23. Re:Focus on the NSA on Wikileaks Aiding Snowden - Chinese Social Media Divided - Relations Strained · · Score: 1

    I wish they'd go after the NSA with as much fervor. But I guess it's easier to punish an individual.

    The authorities (up to and including the president) that we the people have invested with power are the ones who gave the NSA free rein and get out of jail free cards. Free from the inconveniences of law, transparency or meaningful oversight (no matter how much their media campaign speeches try to say otherwise - look at the facts).

    The only way "they" would go after this is if third party candidates had a clean sweep into power based on issues like this. Fortunately for "them" - most media channels are complicit/owned and will fight to distract, muddy or otherwise diffuse any public rage about this (and any other) issues...

  24. Re:Done us all a favor on Wikileaks Aiding Snowden - Chinese Social Media Divided - Relations Strained · · Score: 4, Informative

    I see you left Britain off that list, as it should be. Even the majority of its press is cowed and subservient these days. Should probably strike off Australia as well, it is well on the way down the slippery slope, NZ is on the knife edge... Oh, and forget Sweden while you're at it - what a corrupt, shady country it has become.

  25. Re:"may head off backlash" on Obama's Climate Plans Face Long Fight · · Score: 4, Insightful

    "Obama's actions are often quite different than his rhetoric"... like any politician. That is why websites like the Political Memory by La Quadrature du Net are so interesting and give real hope for change: Believe what they have done, not what they say they did (or will do).

    Now, if only the population at large would flock to use such tools on election day... but as it is, the village keeps voting time and again for one of the two village liars who both just happen to be backed by the biggest landowner(s) in town - to everyone's long term detriment. Oh and the town message billboard happens to be controlled by the said landowners. We have not progressed very far politically, it would seem...