Slashdot Mirror


User: msauve

msauve's activity in the archive.

Stories: 0 · Comments: 6,445

Comments · 6,445

  1. Re:So much for the 2nd Amendment on FedEx Won't Ship DIY Gunsmithing Machine · · Score: 1

    You are, of course, correct not in any general sense. But feel free to enjoy your tiny semantic, pedantic victory. There are different forms of rights. There are natural ones, such as the right to self-defense embodied in the 2nd Amendment, and there are legally created ones, such as the right to ship products via motor carrier or the rights created by a contract.

  2. Re:So much for the 2nd Amendment on FedEx Won't Ship DIY Gunsmithing Machine · · Score: 1

    Perhaps not a right, but there is a legal requirement that FedEx ship the product.

    The US Congress, using its powers under the Commerce Clause, has created laws covering Interstate Commerce. Among those laws are ones defining motor carriers (49 U.S. Code section 13501), and requiring them to provide transportation "on reasonable request" (section 14101) according to tariffs which include the "rules, and practices" (section 13710). There is nothing in FedEx Ground's tariff which allows it to exclude the product in question, so they are legally required to ship it in accord with the published rates.

  3. Re:UPS - No Problem. on FedEx Won't Ship DIY Gunsmithing Machine · · Score: 2

    He's obviously part of that Anonymous group, and on the watch list.

  4. Re:Oh bullshit! on FedEx Won't Ship DIY Gunsmithing Machine · · Score: 2

    But there are laws covering motor carriers, including FedEx Ground. My understanding (lawyers feel free to step in) is that they must carry goods per their tariff, which does not prohibit the equipment in question.

    A carrier providing transportation or service subject to jurisdiction under chapter 135 shall provide the transportation or service on reasonable request. In addition, a motor carrier shall provide safe and adequate service, equipment, and facilities.

    49 U.S. Code section 14101

  5. Re:Facts not in evidence on NSA Director Wants Legal Right To Snoop On Encrypted Data · · Score: 1

    "referring to metadata collection, that has been affirmed by a Supreme Court ruling that is 35 years old."

    Uh, no. Smith v. Maryland was decided on two points.

    First, the collection of very limited data which was specific to a single physical phone line, using a pen recorder which only captures a called phone number and time. The court placed significant weight on the limits of the data collected, saying:

    "Indeed, a law enforcement official could not even determine from the use of a pen register whether a communication existed. These devices do not hear sound. They disclose only the telephone numbers that have been dialed - a means of establishing communication. Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers." United States v. New York Tel. Co., 434 U.S. 159, 167 (1977). [442 U.S. 735, 742]

    Given a pen register's limited capabilities, therefore, ...

    -442 U.S. 735

    and continues to base its reasoning on those limits.

    The government tries to use that to justify collecting "metadata" which includes MUCH more information, and which is collected in bulk against a large number of citizens. Unlike the wired phones in play with Smith, cell phones are much more effectively linked to specific individuals.

    Second, the decision depended upon "no reasonable expectation of privacy" for the numbers dialed. It was in the days of the old Bell System, which didn't promise customers any level of privacy. Most, if not all, modern cell carriers have explicit privacy policies, from which customers DO gain a reasonable expectation of privacy for any information they provide to the carrier.

    Your claim that modern activities have been "affirmed by a 35 year old case" is false at best, otherwise ignorant or deliberately misleading.

  6. Re:TLDR on The History of Sex.com, the Most Contested Domain On the Internet · · Score: 1

    You're a net newbie, aren't you. Domain squatters are scum. Right there with spammers and con artists.

  7. Re:TLDR on The History of Sex.com, the Most Contested Domain On the Internet · · Score: 4, Insightful

    It's all very confusing. Are we supposed to support the domain squatter or the con artist?

  8. Re:Mossad connection on Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps · · Score: 2, Interesting

  9. Re:Some things do not belong on the Internet on Also Hackable: Drive-Through Car Washes · · Score: 1

    "Are you suggesting that the vendor will double the amount of capital investment in their electronics..."

    No, I wouldn't think of blaming the vendor, when the issue is obviously that you have neither the knowledge nor skillset needed to understand how to do VPN deployments.

  10. Re:Some things do not belong on the Internet on Also Hackable: Drive-Through Car Washes · · Score: 1

    That's a lengthy strawman argument. But you still fail, the cost of a router which can do an IPSec VPN is under $40.

  11. No bubble? on No Tech Bubble Here, Says CNN: "This Time It's Different." · · Score: 5, Interesting

    If you think Uber is worth $40B, or Instagram worth $33B, I've got some tulip bulbs to sell you.

  12. Re:Some things do not belong on the Internet on Also Hackable: Drive-Through Car Washes · · Score: 2

    In exactly what way does requiring all information to go through a VPN (a solution offered by the GP) prevent any of those things?

  13. Re:WTF? on Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk · · Score: 1

    What are you babbling about? Define your terms, if you can. Which is the host? Which is the client? WTF are you talking about?

  14. Re:The Constitution is Clear - Tenth Amendment on When It Comes To Spy Gear, Many Police Ignore Public Records Laws · · Score: 2

    How quaint. The Feds haven't taken the Constitution seriously for generations.

  15. Re:I have dark confession on Sony Offers a "Premium Sound" SD Card For a Premium Price · · Score: 2

    I got a bunch of Monster video and audio cables, with really nice machined, gold plated RCA ends. They're great, mostly because they were also free out of a dumpster in back of a Best Buy. (I was there looking for a large piece of cardboard for a project)

  16. "And if we can't, then no one can, anywhere?"

    You're not only bad at statistics, but you're bad at logic, too. I never claimed impossibility. I simply challenged your claim that space-jumping technology is "very probable."

    More to the exact point, you simultaneously claimed "that humanity overlook[ing] a blindingly simple technique for manipulating gravity" "isn't very probable," while claiming that a space-jumping fleet of invading space aliens is.

    Your support for those claims consists of only "Well, if monkeys don't fly out of my butt, they could still fly out of someone's!"

  17. Re:What are the actual risks to your network? on Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk · · Score: 1

    Which is probably the exact reason Telefonica wanted the same private key on all their managed CPE - who wants to manage a 250000 entry known_hosts file?

  18. Re:WTF? on Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk · · Score: 1

    It shouldn't be a security issue. So what if they all have the same private key? It's very doubtful that those devices ever initiate connections, even less likely that private key is used for important authentication/authorization. It's probably only used so Telefonica can verify they're ssh'ing to one of their own devices before making changes.

    On the other side, having a public key in authorized_keys increases security. As I pointed out, it eliminates a need for a whole bunch of support personnel to know a password which is good on many thousands of devices. The security of those devices (presumably owned by and the responsibility of Telefonica) is entirely dependent on Telefonica keeping the matching private key, well, private. One can picture, say, a Linux box with the private key installed (known/accessible to only a trusted few superusers) on which every support agent is given a user account from which they can ssh to manage the CPE. All ssh connections can be logged. Agent leaves? Delete their account - there's no worry about them taking a password which gives access to a bunch of customer routers.

    The only issue would be if they used both sides of the same key pair on the device - then every device would have the info needed to get into any other device. That would be exceedingly stupid.

  19. Re:WTF? on Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk · · Score: 1

    Why in the world would you add a device's public host key to the authorized key file?

    Which authorized key file are you asking about?

    One can picture an ISP, who has to securely support many installed devices, going to a manufacturer and saying: "Here, put this private key in the devices, so when we connect we know it's one of our devices. And put this public key in the authorized_key file, so we can connect easily without every support agent needing to know a password which works on all those devices." So, there's one case where they might put a device's public key (some proxy-type device used by ISP support staff to manage the CPE devices) into the CPE devices.

  20. Re:WTF? on Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk · · Score: 1

    "The host key pairs are NOT used to authenticate the incoming user."

    Are you speaking with specific knowledge of the device in the article? Because, in a general sense, keys can be, and are, used for ssh authentication.

    AUTHORIZED_KEYS FILE FORMAT
    AuthorizedKeysFile specifies the files containing public keys for public key authentication; if none is specified, the default is ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2.

    The device at hand is said to run Dropbear, which is "Compatible with OpenSSH ~/.ssh/authorized_keys public key authentication." The article does not provide detail on how the keys are used/configured, only that they match on many thousands of devices.

  21. Re:what most people don't think of doing on Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk · · Score: 1

    What are you babbling on about? Most consumer NAT routers I've dealt with disable admin access from the "public" interface by default.

    Take the TP-LINK TL-WR841N, currently shown as Amazon's "#1 Best Seller in Computer Routers":

    Remote Management IP Address - This is the current address you will use when accessing your router from the Internet. This function is disabled when the IP address is set to the default value of 0.0.0.0...

    Similarly with the #2 Asus RT-N66, but they don't even tell you how to do it in the manual, you have to search their FAQs or go wandering around the Advanced Settings/Firewall page to enable remote management.

    So, what's this thing that "most people don't think of doing?" You mentioned trying to lock management to a specific PC on the "private" side. I pointed out that MAC addresses are easily spoofed, so that doesn't provide any real additional security from other devices also on the private network.

  22. Re:what most people don't think of doing on Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk · · Score: 1

    What's this "machine ID" you speak of? The MAC address? It's pretty easy to configure the same MAC on a different machine.

    Most people don't think of doing it that way because it's not a good way of doing it.

  23. I get the distinct feeling that this whole thread is a joke from The Big Bang Theory, and Sheldon is upset that someone is questioning his science fiction heroes.

  24. Logic fail. By the same logic, there's also a room of monkeys with typewriters somewhere turning out all the great books.

    You'll have to start by first finding some fundamental physics which allows superluminal travel. Sorry, but Star Trek physics doesn't count.

  25. Please explain this space-jumping technology, and how you've determined that it probably exists.