The website of the Swedish prosecutors contains a statement from Marianne Ny alongside some carefully-chosen facts about how and when someone could be extradited from Sweden to the USA . Apparently it can't be done if the UK doesn't agree to it as well.
The WAP standard defines three push content types:
* Service Indication (SI) - send a notification to the WAP client.
* Service Loading (SL) - cause the WAP client to load and execute a service.
* Cache Operations (CO) - invalidate content objects in the WAP client cache.
SL and CO content do not require user interaction, unlike SI.
Is it now? Well, then we must stick to just the tinfoil. We'll call it a "thermal coating" and brag about how green we are. Maybe we can redeem some carbon credits too?
The free wi-fi can stay, I assume? Or is there a law against that as well?
Mmm creativity. Step 1: Tinfoil, and lots of it. Metallic mesh for windows. If you're a mom-and-pop outfit, you may skip step 2.
Step 2: Just to be sure, jam the heck out of GPRS, 3G and 4G frequencies, provide free wi-fi on the premises but route wi-fi traffic through a filtering proxy. Make sure to also provide a micro-cell so you can filter SMS. If all else fails, start jamming voice traffic as well.
It would be quite the coincidence if some equivalent (say, Clifford Cocks' version) was being used to secure US.gov and.mil traffic when RSA was published, I think.
It's safer to assume that other cyphers were in use at that time. I don't know if they were better, of course.
I don't think I have enough fingers on my hands to count the number of times Al-Qaeda's "number 2 man" in some area has been captured. What is your point?
I see what you mean, I understand your point about large organizations, it is a good argument for why your theory may be true.
I will not concede that it is more probable than mine. I base my conviction on historical precedent.
Maybe that time the people saying "we need to make sure our government doesn't use weak crypto" won out against the others who wanted other governments to fall into that trap.
They probably didn't win, or they would have recommended a stronger algorithm, not a partial fix to a known insecure one.
Every punk with an AK from Kismayu to Karachi can go shoot up a road-sign for the lulz and claim the attack in the name of Al-Qaeda.
It's not like the rest of the "Al-Qaeda" would contradict him, or the US would hesitate a second to throw him into Gitmo if said shot-up sign happened to be found at the entrance of some American base.
For the record, anonops is quite well-structured - they have logistics in the form of programmers and ircops and website maintainers, they have a list of participating servers, an inner circle that decides on targets... it's not quite the merry little anarchy you seem to imply it is.
Anybody can be a member, for any amount of time. There are no central lists, no membership rosters.....in many ways the organization doesn't exist, it;s a "dis-organization."
That never stopped the United States from chasing Al-Qaeda all over the globe. It makes good sport for the hounds, really.
However, there are also foreign governments that demand the source exactly because they are afraid of the exact scenario you describe.
Certainly. However, those governments actually granted the privilege would be friendly governments and we both know that even with access to the code it is provably impossible to prove the absence of bugs (or malice, for that matter).
Years later it turned out that a complicated attack existed that would have considerably weakened RSA if it had not been for those NSA changes.
Proof positive that the attack was known to the NSA when they recommended the changes. Now, why would they recommend those changes, since they had zero interest in thwarting their own primary mission by proposing an unbreakable algorithm?
I believe we can safely(?) infer that the NSA already knew of another practical attack on RSA (maybe the timing-channel one, maybe something else) yet was reasonably sure that its adversaries did not.
Where are all the apps stored? I gather they run, at least in part, on the device, but are they permanent there, or just cached.
Local cache, with most of the heavy lifting done remotely.
Does the user have any choice about upgrades, or do they just happen, even if they break things?
No choice. There is no backward compatibility promise or guarantee.
Are these stored at Google, or are they on the developer's computers?
Google.
What happens when the server is down and I want to run my app? What happens when Company X goes out of business, but I've paid for that application -- does it still show up forever when I "sync to the cloud", or am I SOL.
It may be voodoo to you, but timing channel attacks are nothing new. In this case, it could be something as simple as ensuring that there is some sort of consistent relationship between a packet's padding and the time it took for encryption. Code might be written to look sane and secure but actually exploit some fatal design flaw in the RNG.
In 2004, Landon Curt Noll tested the FreeBSD 5.2.1 version of/dev/random and found that it was not a cryptographically strong random number generator because its output had multiple uniformity flaws according to the Billion bit test. Similar flaws were found in the Linux 2.4.21-20, Solaris 8 patch 108528-18, and Mac OS X 10.3.5 implementations of/dev/random.
why not do both, once you already have your grubby mitts in the source code repo? Anyway, I'll bet you dollars to doughnuts the NSA didn't install any backdoors into Windows (it's not like there aren't enough vulnerabilities already) - just a master key for the crypto.
Yes, I have made my judgment call. I have deleted my Amazon account a week ago (I doubt the loss of about 100 dollars a month will trouble them, but it's my money and I choose not to support assholes with it).
I have not bought a Kindle (although the tech is sweet) because I saw the potential for abuse the day it was launched.
I will not subsidize censorship. Maybe you shouldn't either.
Slashdot Mirror
I am undoing moderation to do this but...
The website of the Swedish prosecutors contains a statement from Marianne Ny alongside some carefully-chosen facts about how and when someone could be extradited from Sweden to the USA . Apparently it can't be done if the UK doesn't agree to it as well.
The WAP standard defines three push content types:
* Service Indication (SI) - send a notification to the WAP client.
* Service Loading (SL) - cause the WAP client to load and execute a service.
* Cache Operations (CO) - invalidate content objects in the WAP client cache.
SL and CO content do not require user interaction, unlike SI.
Most (if not all) phones support WAP these days.
Is it now? Well, then we must stick to just the tinfoil. We'll call it a "thermal coating" and brag about how green we are. Maybe we can redeem some carbon credits too?
The free wi-fi can stay, I assume? Or is there a law against that as well?
Mmm creativity.
Step 1: Tinfoil, and lots of it. Metallic mesh for windows. If you're a mom-and-pop outfit, you may skip step 2.
Step 2: Just to be sure, jam the heck out of GPRS, 3G and 4G frequencies, provide free wi-fi on the premises but route wi-fi traffic through a filtering proxy. Make sure to also provide a micro-cell so you can filter SMS. If all else fails, start jamming voice traffic as well.
Step 3: Profit!
But of course, again that is mostly speculation.
Aye, but good fun, no?
It would be quite the coincidence if some equivalent (say, Clifford Cocks' version) was being used to secure US .gov and .mil traffic when RSA was published, I think.
It's safer to assume that other cyphers were in use at that time. I don't know if they were better, of course.
I don't think I have enough fingers on my hands to count the number of times Al-Qaeda's "number 2 man" in some area has been captured. What is your point?
I see what you mean, I understand your point about large organizations, it is a good argument for why your theory may be true.
I will not concede that it is more probable than mine. I base my conviction on historical precedent.
Maybe that time the people saying "we need to make sure our government doesn't use weak crypto" won out against the others who wanted other governments to fall into that trap.
They probably didn't win, or they would have recommended a stronger algorithm, not a partial fix to a known insecure one.
Every punk with an AK from Kismayu to Karachi can go shoot up a road-sign for the lulz and claim the attack in the name of Al-Qaeda.
It's not like the rest of the "Al-Qaeda" would contradict him, or the US would hesitate a second to throw him into Gitmo if said shot-up sign happened to be found at the entrance of some American base.
For the record, anonops is quite well-structured - they have logistics in the form of programmers and ircops and website maintainers, they have a list of participating servers, an inner circle that decides on targets... it's not quite the merry little anarchy you seem to imply it is.
Anybody can be a member, for any amount of time. There are no central lists, no membership rosters.....in many ways the organization doesn't exist, it;s a "dis-organization."
That never stopped the United States from chasing Al-Qaeda all over the globe. It makes good sport for the hounds, really.
However, there are also foreign governments that demand the source exactly because they are afraid of the exact scenario you describe.
Certainly. However, those governments actually granted the privilege would be friendly governments and we both know that even with access to the code it is provably impossible to prove the absence of bugs (or malice, for that matter).
Years later it turned out that a complicated attack existed that would have considerably weakened RSA if it had not been for those NSA changes.
Proof positive that the attack was known to the NSA when they recommended the changes. Now, why would they recommend those changes, since they had zero interest in thwarting their own primary mission by proposing an unbreakable algorithm?
I believe we can safely(?) infer that the NSA already knew of another practical attack on RSA (maybe the timing-channel one, maybe something else) yet was reasonably sure that its adversaries did not.
That (as they say) is all.
Code audit? Whose code audit? Which part of "Microsoft worked with the NSA on every version of Windows after 3.1" didn't you understand?
There are few organizations which have been allowed a peek into "the" Windows source code. How can you tell they didn't get the sanitized version?
Where are all the apps stored? I gather they run, at least in part, on the device, but are they permanent there, or just cached.
Local cache, with most of the heavy lifting done remotely.
Does the user have any choice about upgrades, or do they just happen, even if they break things?
No choice. There is no backward compatibility promise or guarantee.
Are these stored at Google, or are they on the developer's computers?
Google.
What happens when the server is down and I want to run my app? What happens when Company X goes out of business, but I've paid for that application -- does it still show up forever when I "sync to the cloud", or am I SOL.
SOL.
But as to companies complying. Do you really think that part of a companies advertising campaign is "We support all government requested back doors!"
Umm... yes, actually.
They're probably full of holes in both design and implementation, really. For instance, SHA-1 is used in both IKEv1 and v2.
It may be voodoo to you, but timing channel attacks are nothing new. In this case, it could be something as simple as ensuring that there is some sort of consistent relationship between a packet's padding and the time it took for encryption. Code might be written to look sane and secure but actually exploit some fatal design flaw in the RNG.
In 2004, Landon Curt Noll tested the FreeBSD 5.2.1 version of /dev/random and found that it was not a cryptographically strong random number generator because its output had multiple uniformity flaws according to the Billion bit test. Similar flaws were found in the Linux 2.4.21-20, Solaris 8 patch 108528-18, and Mac OS X 10.3.5 implementations of /dev/random.
why not do both, once you already have your grubby mitts in the source code repo? Anyway, I'll bet you dollars to doughnuts the NSA didn't install any backdoors into Windows (it's not like there aren't enough vulnerabilities already) - just a master key for the crypto.
Yes, I have made my judgment call. I have deleted my Amazon account a week ago (I doubt the loss of about 100 dollars a month will trouble them, but it's my money and I choose not to support assholes with it).
I have not bought a Kindle (although the tech is sweet) because I saw the potential for abuse the day it was launched.
I will not subsidize censorship. Maybe you shouldn't either.
It's already being done. There is no such thing as an "edition" with e-books. They are modified at the whim of the publisher.
What capital? Last I checked, BitTorrent distribution was free (as in beer).
What you are suggesting is illegal in the US under the DMCA and may be illegal in other jurisdictions.
That's more like it! See you in Borispol.
What, no PDA this time? I was hoping for a Droid.
Well it looks exactly like the sets in STALKER, so there's that at least.
No true Scotsmen, eh?