Oh of course, I don't deny that at all but... realize these results will be used for years. Someone 10 years from now might dust off the study being written today and want to validate it. If discrepancies arise....then what?
It's a serious issue a bit unlike you see elsewhere. There is seldom a case for installing decade since obsolete software, and it's not always easily performed, and if you haven't even captured all the versions of everything.
But more crucially to the point, this issue is something beyond the experience of researchers in most fields who use the tools and write papers. It's supposed to be beyond them, they have other things to focus on, but, it's something we had to think about.
The disconnect of course, is that since they don't understand it, even if their institution is archiving this, it's unlikely they understand that their published procedures are missing the part of the setup that they were unaware of.
Also there are two different questions:
First: Did or could this code have produced this data?
Second: Is it in error?
You can't fully answer the first without fully specifying the environment. Not even you can't prove it wrong, you can't defend yourself. "Oh you used a buggy version of this library" is an entirely different accusation from "Oh you fabricated these results and didn't publish the real code".
Both are potentially valid, but both are very very different in implication. Also, what if there is a bug identified in a library that may taint results? Without full specification how would you ever say what was affected by it? Shouldn't every published study that used it be flagged and the data rerun?
Even if nobody is doing that today, you can't ever do it without a full specification of the environment.
That sounds like a pretty weak test, but not a bad one. To my mind, this crosses one of my areas of expertise since, I have had his job as a professional sysadmin. I worked in a shop where, for better or worse, we decided that all free software we used on Solaris would be compiled from source.
This quickly became a huge mess as updates would sometimes bring changes and there was always the question "who built it last time and what options did they choose", so quickly we found a need to fix that, and I started scripting. (it's where my competence with shell really began)
Once you have even solved the easy part, then you have to think about versions and dependencies.
In fact, later on we were getting involved in research computing, that wasn't my project but one of the topics that came up was... researchers will build this software, just like we are talking about, and use the data....now someone wants to audit it down the road....
What happens if the libraries have changed and the old code doesn't compile? What if there is an error in a calculation that was introduced by a particular library version being used?
The reality is, you write the code, but it gets run in an environment. That entire environment has the potential to have an effect, a full specification needs to capture at least some of that as well.
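An added example, not part of the original comments: one way to capture the "full specification" discussed above and later answer "which studies used the buggy version". It narrows the idea to a Python environment as an assumption; the study names, the library `numlib` and its versions are constructed.

```python
import hashlib
import json
import platform
import sys
from importlib import metadata


def capture_manifest():
    """Record the interpreter, OS and every installed distribution with its version."""
    packages = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            packages[name.lower()] = dist.version
    return {
        "python": platform.python_version(),
        "implementation": platform.python_implementation(),
        "platform": platform.platform(),
        "executable": sys.executable,
        "packages": dict(sorted(packages.items())),
    }


def manifest_digest(manifest):
    """Stable SHA-256 over the manifest, short enough to quote alongside published results."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_manifests(published, rerun):
    """Return {package: (published_version, rerun_version)} for every package that differs."""
    old, new = published["packages"], rerun["packages"]
    return {
        name: (old.get(name), new.get(name))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    }


def studies_affected(archive, package, bad_versions):
    """List the studies whose archived manifest pins a version known to be buggy."""
    bad = set(bad_versions)
    return sorted(
        study for study, manifest in archive.items()
        if manifest["packages"].get(package) in bad
    )


# Constructed archive of manifests saved at publication time (all names are made up).
ARCHIVE = {
    "study-2014-a": {"packages": {"numlib": "1.4.2", "plotkit": "0.9"}},
    "study-2015-b": {"packages": {"numlib": "1.5.0", "plotkit": "0.9"}},
    "study-2016-c": {"packages": {"numlib": "1.4.3"}},
}

if __name__ == "__main__":
    current = capture_manifest()
    print("environment digest:", manifest_digest(current))
    # A bug is later reported in numlib 1.4.2 and 1.4.3: which results need a rerun?
    print("flag for rerun:", studies_affected(ARCHIVE, "numlib", ["1.4.2", "1.4.3"]))
    # An auditor's rerun disagrees with study-2014-a: what changed underneath the code?
    print("drift:", diff_manifests(ARCHIVE["study-2014-a"], ARCHIVE["study-2015-b"]))
```
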
People having promiscuous sex should use condoms. Not in the interim while we are working for a cure for HIV, not until there are some better treatments for herpes. If you are engaging in sex with multiple partners, it will ALWAYS BE A GOOD IDEA.
The web is no different. As long as sites can cause local code execution, I don't care if it's in a limited environment. I don't care if it's in a restricted VM. These environments always end up having holes, and those holes, once widely distributed, will always create a viable market for attacking it. It will always be too high value of a target to trust.
I am ok with promiscuity up to a point. But as someone I know once said "just because I am easy, doesn't mean I am not picky"....but when you are engaging in more risky behaviour, the only sensible option is to slip it on, BEFORE you slip it in.....and install an ad blocker, or better yet, I don't like ad blockers per se....requestpolicy and noscript would be my general choice...and never ever use any of the "allow all" or "temporarily disable" buttons....ever. I would rather not browse a site than be hitting some strange raw.
I loved my TomTom until it was stolen from my car one night. Since then I just use my cell phone. I have the phone anyway, so there is no extra cost, and I always take it with me, there is no reason to leave it in the car at all.
Plus with a service like Waze, I can report speed entrapment points to other drivers, and see others reports, plus it has on many occasions saved my time by changing my route based on traffic. It seldom tells me to deviate from my normal route, so when it does, I listen, and it usually turns out to be a good thing.
I still like to have a tach, but I also like to have a manual clutch and gear shift as well.
But yah, the only tech I want in the car I have....mp3 player, built in, and my phone for gps...or as my long time gamer self likes to think of it...a minimap.
That's it, I don't really even need the phone functions of my phone often.
> Blocking Tor doesn't do a damn thing for real security. It won't stop the "attacks". There are plenty of other avenues for malicious parties to use.
While mostly true, you do have to consider that exit nodes that are on your internal network are probably bad juju.
Personally, I am all for using Tor, but I wouldn't want to see random users putting up exit nodes inside my network. Exit nodes really should be set up with a bit more care to make sure they can't be used to access internal hosts, especially if internal networks have public IPs, which while less common these days, is not unheard of.
My previous 2 employers both used public IPs on their internal networks (and each had their own class public B). So, by default, a Tor exit node would constitute a hole in the firewall unless specifically set up to restrict access to "local" IPs.
Not unmanageable at all if you want to manage it, but, not something you want to leave in the hands of Bob in accounting.
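An added example, not part of the original comment: a small audit that evaluates a Tor exit policy (first matching rule wins) against a list of internal services, showing why rejecting only private ranges does not cover an internal network numbered from public space. The addresses are constructed, with the documentation range 198.51.100.0/24 standing in for an organisation's public block; treating an unmatched destination as rejected is this example's own choice.

```python
import ipaddress

# Ranges modelled here as what Tor's ExitPolicyRejectPrivate option covers.
# The option also rejects the relay's own addresses, which this sketch omits.
PRIVATE_RANGES = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]


def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK][:PORT]' into (action, network, low, high)."""
    action, pattern = rule.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action in rule: {rule!r}")
    addr, port = pattern.rsplit(":", 1) if ":" in pattern else (pattern, "*")
    network = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port == "*":
        low, high = 1, 65535
    elif "-" in port:
        low, high = (int(p) for p in port.split("-"))
    else:
        low = high = int(port)
    return action, network, low, high


def build_policy(exit_policy_lines, reject_private=True):
    """Turn ExitPolicy values (comma-separated rules allowed) into an ordered rule list."""
    rules = []
    if reject_private:
        rules = [parse_rule(f"reject {net}:*") for net in PRIVATE_RANGES]
    for line in exit_policy_lines:
        rules.extend(parse_rule(part.strip()) for part in line.split(","))
    return rules


def exit_allows(rules, ip, port):
    """Return True if the first rule matching (ip, port) is an accept."""
    address = ipaddress.ip_address(ip)
    for action, network, low, high in rules:
        if address in network and low <= port <= high:
            return action == "accept"
    return False  # assumption of this example: nothing matched, treat as rejected


def audit(rules, internal_services):
    """Return the internal (ip, port) pairs the exit would still relay traffic to."""
    return [(ip, port) for ip, port in internal_services if exit_allows(rules, ip, port)]


# Constructed inventory: one RFC 1918 host and two hosts on the "public" internal block.
INTERNAL_SERVICES = [("10.20.0.5", 22), ("198.51.100.10", 445), ("198.51.100.25", 80)]

# Relies on private-range rejection alone.
WEAK_POLICY = ["accept *:*"]
# Rejects the organisation's own block first, then allows web traffic only.
HARDENED_POLICY = ["reject 198.51.100.0/24:*", "accept *:80,accept *:443", "reject *:*"]

if __name__ == "__main__":
    print("weak policy exposes:    ", audit(build_policy(WEAK_POLICY), INTERNAL_SERVICES))
    print("hardened policy exposes:", audit(build_policy(HARDENED_POLICY), INTERNAL_SERVICES))
```
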
When they personally own them, and only then ever.
I don't see what is so hard about that.
Any design which requires perfect attention from the user to not break is a poor design. Every pad/stylus combo I ever tried only fit one way, looks like this has been a solved problem for a long time now.
I would fully agree with you, if sliding the stylus in backwards didn't break anything. However, if sliding it in backwards is destructive, it shouldn't be easy to do. That is bad design and no amount of blaming the user changes that.
This. Every single time I hear them try to make a case that we should feel safe because there are such strict controls. Yes, lots of controls that you can't see and will be audited only in secret. Strict controls to make sure that you will never know what we really did.
Once the apparatus for mass surveillance exists, it's a matter of policy how it's used, and that policy can change a lot more easily than building the system was. It's not a matter of a guiltless organization of trustworthy angels.
History is replete with instances of people abusing access to the personal information of others. When I was a teenager, and Princess Di came to the hospital my mother worked for, there was quite a little scandal about people accessing her personal info, in the 90s. Fast forward 20 years, and the single most common reason for someone to be fired from the hospital? Improper records access.
What does the system red flag? Access to family members, access to people living on the same street, etc, all flagged, why? because it's all been abused, many times over.
There is no way I trust these promises.
This right here. I don't see how anybody can look at the document and not fully understand that this means an individual should have the right to own and carry weapons, and in purposefully general terms. You would think that since all manner of weapon, sword, cannon, etc existed at the drafting, if there had been any intention of specificity at all, it would be there.
Nowhere does it even say "Oh, except huge fucking cannons like can split the sides of ships"....it's just not there. Yet, it easily could have been there.
Except you don't have to blame them, they took responsibility.
Pretty sure what they have 'found out' is that paying for the fallout from the occasional freak occurrence and minor data loss is cheaper in the long run than buying more expensive hardware to guard against occurrences so rare that they end up on news sites.
You know I fully agree with you, but you also have to consider the...ehm.... meta game.
Some totalitarian nitwit at the NSA is going to have to follow these stories and comments, about them and has to read rants by people either calling for how they deserve it, like me, or reading backhanded insulting defenses, like yours.
All in all, it's just win all over.
Yes and no. I mean, I don't really know much one way or the other. However, legal troubles aside, the level of effort involved in his case, and many of the facts about how it's been conducted DO make it look quite politically motivated; which, regardless of his innocence or guilt, is reason to look at the entire affair with a pretty jaundiced eye.
He may well be guilty, but, I honestly don't think that is the real reason for the prosecution, people more guilty of worse crimes get far less scrutiny. I honestly wouldn't even be shocked to find out the women involved worked for intelligence services to begin with and the entire deal was a setup, it's not like they don't have a name for using pretty young women as agents.
And that's the problem, his big major enemies have no credibility at all and nothing can be put past them, because of long standing patterns of deceitful behavior of which, this would all be pretty minor examples.
I call bullshit, because if they are cramming so many people onto a single plane that the weight of the passengers matters to safety, then the problem is 100% the airline cramming too many people on the plane. The weight of the passengers shouldn't matter by a very wide safety margin.
I was trying to argue for why he should have been doxed. Which, is my honest opinion on the matter. People like him deserve it for what they choose to do with their lives. In fact, deserve it specifically, it's not something I would wish on most anyone else.
There is a rule in politics that I always agreed with. You don't bring the other guy's sexuality into it, unless it makes him an actual hypocrite by his policy. So you don't mention a man is gay, even if he is, unless he comes out and gives a speech about how gays belong in prison. Makes sense right?
well.... This man argues everyone should be transparent.... I feel the author made a mistake in not doxing him completely and releasing his full name and phone number.
I hate this man, but maybe it's just because I don't know EVERYTHING about him. Clearly he needs to be helped by releasing that information so I can come to understand him as a real human and not a threat to my privacy.
This is one of the few cases where doxing is not only justified, but, the moral imperative!
Actually....I have to say, I think in the US the real problem is inexperience. Not just on the part of car drivers but of bicyclists as well.
I grew up riding a bike. I learned to ride a bicycle living on the longest main road in one of the most densely populated cities in the US (we compete with boroughs of NYC for density). I had no bike lanes and city busses passing me going 35 at 2 feet away. I learned to navigate rotaries....but...nobody was riding back then. It was something kids or the occasional DUI convict did.
Now bikes are everywhere and some of them are clueless.
Just the other day I stopped for a pedestrian entering the crosswalk on the right. Bicyclist next to me completely ignored this and almost creamed a 70 year old woman entering the road, just kept right on going. The woman had to step back to avoid being hit and still was brushed.
A few months back I was in heavy traffic approaching a crosswalk. I saw a bicyclist on the side street across the road. He was approaching at about 25 MPH, and what did he do when he got to the intersection? He scooted over to the crosswalk and crossed the street at full speed making me slam on my brakes to avoid him.
But I don't think the problem is bikes so much as, we never had so many people using them, people are new. Compare them to young car drivers and it's clear what the issue is. I remember being both a shitty bicyclist and shitty driver. It's just growing pains, we don't need technological solutions, we need people to get used to new situations, and that takes time.
So maybe you missed it but....that doesn't make me feel better, in fact, I find the idea of the mass application of something so new as a pretty frightening prospect.
I have trouble poking technical holes here since, fundamentally the idea of using a hash table is somewhat sound, it's used all the time for UUIDs, there's plenty of uniqueness right? I guess maybe we can rule out collisions for the most part....hell maybe pair the hash with a file size?
If we are talking such tried and true technology and not some recently invented "photo hash" that I wouldn't have any faith in the uniqueness of....
but then the implications of just having such a system means things can be injected into it. What do you do when the file you search for comes up blocked as CP? Do you investigate further or do you run away screaming? What happens when a hash gets added that shouldn't be there? Will they keep a library of original files to really check against?
Drop a key, and the internet is effectively censored.....is not how I envision the net I want to live on.
I think the hard thing is making the leap into a situation that appears to cut you off from something you have now. That cable bill is a certainty that comes with a certainty. Ditching it means losing that... and there is ample evidence that people tend to optimize for avoiding loss more than for gain.
In fact, with a little careful choice of scenarios it's actually quite easy to demonstrate that majority opinion can be influenced simply by presentation of the same facts in terms of gains or losses. People consistently choose the option that is presented as minimizing losses.
I had this issue for a long time with my cell phone. I had unlimited talk and data for a long time. Even after I realized it was silly, I wanted it "just in case". I still have unlimited talk but, we crushed the data down to the minimum.... between my wife and I we were not even using that! I realized if we had that and went over every other month, we would still make out...so we switched finally, but it took me a while to be comfortable with it.
This is very true but, it does beg the question of, why can they do and why can they do it?
We all know security through obscurity is no real security at all, especially in a wide spread system. So, nearly everyone is a walking broadcaster now, putting out trackable EM pulses....awesome. Isn't the elephant in the room really the implications of that?
So the Israelis built it and said "governments only". Even if that worked, it means the devices can be made. $2 million makes sense over developing your own right? But if it wasn't available, if they can build it, so can others.
But in the end, many of its capabilities really come down to the fact that any notion of phone security has been crippled out of existence by regulations designed to ensure that the government can break all privacy...so we get to have nothing but a thin veneer of privacy and security to assuage their paranoia.
With the fact that they are talking about....connecting directly to the internet.... Seems they could have done this with a sniffer.
Just read some logs, there are all manner of automated attacker out there searching for prey. Run sshd, you will begin getting root login attempts pretty quickly, and the party don't stop.
Yes, looking for attacks coming down the inter-tube is like looking for bacteria in a pond. Yah, it's there, lots and lots of it. That is hardly a newsworthy result.
No I think you missed my point.... these issues are fundamentally not only the same but, center around the same regulations. Back in the 90s you could obtain, anywhere in the world, RSA code. Yet it was still restricted the same way.
This is a long standing pattern of stupid which has not appreciably changed in more than 30 years. You should, in fact, expect it.
> Since you can buy fiber optic gyroscopes on Alibaba for under USD$20, I think issue of US-centric export controls is moot.
You would think that since you could transmit RSA in an email and international implementations already existed, they would have become moot for those purposes long before they did.