Slashdot Mirror


User: achbed

achbed's activity in the archive.

Stories: 0
Comments: 226

Comments · 226

  1. Re:so what? on US Government Monitoring Associated Press Phone Records · · Score: 1

    Not true. All they need is a National Security Letter. It's entirely legal (if not politically sound).

  2. Re:Shield laws on US Government Monitoring Associated Press Phone Records · · Score: 1

    These are also available to the DoJ with a signed letter. No judge or court review required. It's called a "National Security Letter". This is what we should be fighting - laws that allow tools like this to exist with NO PUBLIC OVERSIGHT. FISA is bad enough in that it created a secret court to review warrant requests, but at least they're pretending to have a second party look things over. NSLs remove the FISA court entirely, resulting in a desk jockey saying "I need this" and getting it with no questions asked. The nastiest thing about NSLs is that there's a complete gag order on all discussion of the letter - only the requesting agency and the company know it is even done, and the company is not allowed to disclose the existence of the letter at all, and under no circumstances is allowed to tell the target.

  3. Re:It's only been 40 years since Nixon on US Government Monitoring Associated Press Phone Records · · Score: 1

    One important difference: the things you list are wrongdoing by private companies. The scandals I listed are wrongdoing by Federal agencies or departments themselves.

    Where do the folks like the Treasury Secretary come from? The industries they regulate. Government is where the rich go to rig the game. Once it's rigged, they go back into the private sector game they just rigged and profit. So a lot of the wrongdoing is actually done by the same cabal - they just move between public and private sectors as needed to maintain the illusion that the game isn't rigged.

  4. Re:It's only been 40 years since Nixon on US Government Monitoring Associated Press Phone Records · · Score: 1

    This is a broad extension of gov't power that should piss off voters in both parties, and looks much more like actual wrongdoing right from the get-go.

    The problem is that THIS IS NOW LEGAL under the Patriot Act. The only punishment for this kind of intrusion is political, not criminal. The talk shows are saying this is an over-reach - but in fact, this is nothing close to what a National Security Letter can gather without any court approval.

    We should be pivoting from an attack on the President for allowing this to an attack on NSLs and the like that make this kind of gathering legal and standard practice.

  5. Re:And it was through this on DMCA Safe Harbor May Not Apply To Old Copyrighted Works · · Score: 1

    In my reading, the DMCA cannot apply to any recording done before 2/15/1972. This includes both new rights, as well as safe harbor provisions. So anyone holding copyright on recordings older than that still has standing to sue lockers out of existence - they just have to do so in state court, not federal. Sounds like the RIAA found its workaround to the safe harbor provisions.

    I note that this applies to recordings. This probably means that it's only usable by the record companies that own the masters, not the songwriters.

  6. Re:Not right on The Dark Side of Amazon's New Pilots · · Score: 3, Insightful

    Why shouldn't I be able to stream on any device I own?

    Because the device you have is not one that's locked down to Amazon's standards, and doesn't provide them with the consumer information they're looking for. Please purchase an approved device to enjoy your content better. I mean at all.

  7. Re:Be different on Ask Slashdot: Do-It-Yourself Security Auditing Tools? · · Score: 1

    If that unimportant unsecured box has any value to you at all, I would suggest a test. If it's running a variant of UNIX, get and install iptables and csf/lfd. Let it run for a day (or a week - even better). See how many logins and hack attempts it registers. If the answer is none, then you win. Otherwise, you are under attack and didn't know better.

    I run what would be considered an unimportant out of the way box myself. In fact, I've gotten scans and login attempts from all over the planet. This is for boxes that are in a hosting farm and for my home machine (no DynDNS or anything there).

    If you have a device on the open internet, it's getting probed. Guaranteed. And if it's probed, and can be owned, it is. In fact, most professional and/or state-sponsored groups have toolsets that are set to scan/hack/add to botnet in one step, and they're let loose on multiple subnets to gather as big an army as possible (and I use the word Army intentionally).

  8. Re:Be different on Ask Slashdot: Do-It-Yourself Security Auditing Tools? · · Score: 1

    China and Russia thank you for your small unsecured server that is now a full-blown botnet C&C server. Hope your customer doesn't mind their unknown software going slow.

  9. Re:Freeze them out. on Why Trolls Win With Toxic Comments · · Score: 1

    The problem becomes when you open up your comment system to the world et al. If you have a never-ending expansion of the number of accounts that can post, then you have a never-ending expansion of the number of posts to check for this kind of behavior and ban/remove accounts and/or posts. That gets expensive quickly, and for sites that have a low profit margin to begin with (if they have any profit at all), this is a business-breaker.

  10. Politicians have known this for centuries on Why Trolls Win With Toxic Comments · · Score: 3, Insightful

    Why do you think politicians use nasty vile language to trash their opponents? It delivers both (a) the message that they are better, and (b) reinforces that with a visceral reaction from their audience. The problem becomes when they then have to sit down and work out a solution to a problem - the previous reaction of the audience makes their compromise seem unacceptable. So what we have in a two-party system is a race to abandon the middle. Anyone trying to reduce the level of nastiness is attacked by their opponent as weak and unprincipled, and therefore is voted out of office, leading to a more and more splintered society.

  11. Re:Stopping Prenda Law is not enough on Porn Troll Panics, Dismisses Pending Lawsuits · · Score: 3, Insightful

    I would seriously hope that "sanctions" includes:
    (a) permanent disbarment in ALL states for the primary lawyers (and suspensions for the rest of the plaintiff lawyers),
    (b) disgorgement of all settlement income from all entities involved as it was obtained by the fraud,
    (c) reversal of all assignments of copyright as they were clearly made to further the fraud,
    (d) complete closure of all business entities involved after reassignment of copyright and disgorgement of income, and
    (e) the top people involved should be unable to open any more businesses of any kind ever,
    (f) referral to state attorneys general and DOJ prosecutors to bring criminal charges.

    Not hoping for jail time, but a message needs to be sent to these law-twisting nasties and all their ilk that this is not acceptable and will be punished. You don't often hear of lawyers being punished, simply because they're "in the club". The law community needs to seriously start thinking about an internal purge of these types of lawyers.

  12. Re:It will make a difference ... a bad difference on Porn Troll Panics, Dismisses Pending Lawsuits · · Score: 4, Insightful

    From what I've read, they are trying to minimize the possible damage. The biggest change that these dismissals make is from an ONGOING fraud on the court, to a PAST fraud on the court. Using that rationality, however, you can then conclude that the only reason to drop the case(s) is that the allegations are true. If they were false, they'd simply fight the accusation and allow the other cases to proceed (probably continued pending outcome of the allegations).

    I do note however that most (not all) the relevant cases were dropped without prejudice, meaning that if they survive, they plan on re-filing the cases. I seriously wonder if the top people involved are busy buying up land in a non-extradition country. The judge might include flight risk in his next order, and get their passports revoked.

  13. Re:BIG loophole on Texas Declares War On Robots · · Score: 1

    exterior bad, interior good. I can't type today.

  14. BIG loophole on Texas Declares War On Robots · · Score: 1

    So, taking pictures of the EXTERIOR of the dwelling from a drone is acceptable. Taking pictures of the INTERIOR is acceptable and lawful under the NH bill.

    These laws are just plain dumb. We should be dealing with the trespass/stalking/harassment activities underlying this, not the act of photographing.

  15. Re:What? on Controversy Over Violet Blue's Harm Reduction Talk · · Score: 4, Insightful

    They are arguing for removal of sex and sexual situations from all discussions, unless there's (a) lots of warning, and (b) all discussion is "pro-consent and constructive". They also explicitly state that they believe that any audience WILL contain members that WANT TO RAPE (what do you think "is very unlikely that your audience has a uniformly, or even widely-held, negative opinion of harassment and assault" means?) and that your talk will trigger them to rape in the halls.

    This is not a very constructive way to discuss anything. If this tactic was used for discussion of security holes, they would be advocating for the abolition of CERT public mailing lists, and revoking public notification requirements for successful hacks because it may cause people to be uncomfortable.

    This topic is uncomfortable for people precisely because it is forbidden to talk about publicly in many circles. Security by obscurity never works, and the same can be said about taboo subjects like the combination of sex and drugs. The more you know, the more you can defend yourself. If you want to remain ignorant and present opportunities for others to harm you, that's your decision. Don't force me to remain ignorant because you want to be.

  16. Re:Your options are on Ask Slashdot: Identity Theft Attempt In Progress; How To Respond? · · Score: 1

    Can't say enough about mSecure - it's one of the few that do NOT require an online sync of any kind. It'll sync across a local LAN/WLAN without sending traffic to the Internet. Of course, it has integration with a few services for that too if you want. One downside for some folks - it's an application, not a Web Service. Another downside - it does cost money ($10 on iOS and/or Android, and $20 for the Mac or Win version, no Linux one). But it's been reliable as hell for me and my business.

  17. Signatures from other states on Secession Petitions Flood White House Website · · Score: 1

    Most of the signatures for each state are from people signing every petition (even if they don't live there). NJ has 161 signatures from people who live there out of 960 (determined by my unscientific "load page really long and use find" method). If they wanted to really make waves, they should introduce legislation at the state level directly instead of pussyfooting around signing petitions that will get a response of "asked and answered in 1865".

  18. I've known people like that... on Ask Slashdot: How Would You Convince Someone To Give Up an Old System? · · Score: 1

    ...and it's a sticky situation. The easiest thing to do might be to initiate a cost/benefit analysis of the current system vs another one, entirely based around the idea of cost (running the servers, maintenance costs if any, storage upgrades). Time spent on the system should only be included in the analysis if anyone is being paid. Make sure to include Bob (or even better, ask if he'd volunteer as the "systems expert"), and have him help choose alternatives for the comparison. If you do have an existing solution in mind, suggest it in VERY broad terms ("maybe compare it to some online services - Google Docs is one that I keep hearing about"). Make sure that there's a numbers person involved as well (accounting or something similar) to run the figures, so there's a reality check on it. Then, DROP IT. Get yourself out of the way, and let the process take its course. Once the final report is in, the rest of the board can make the determination which way to go. If they stick with Bob and his methods after an audit, then you really have a simple choice - work with it, or leave.

  19. Re:Well... on Data Breach Reveals 100k IEEE.org Members' Plaintext Passwords · · Score: 2

    However, the web server access logs logged the passwords entered in plaintext.

    So, in other words, they were stored in plaintext.

    No, they were logged as plaintext. This means that all invalid attempts as well as valid ones are stored in the log. The master store that is being used to store and retrieve/compare the final password (or password hash) is not included in the log. There is insufficient data from the breach to determine whether the master store is encrypted or not.

  20. Re:Soon,... very soon... on Motorola Seeks Ban On Macs, iPads, and iPhones · · Score: 1

    Google's position is that the current patent regime is harmful to innovation. What's more effective in proving the argument than using the patent system to eliminate a competitor's entire product line (and saying it's "unlikely that consumers would experience much of an impact" to boot)?

    Although I think it's a stroke of genius that Google is using the Motorola name to pull this off so they don't get the blame if this goes south in the press...

  21. Re:Sigh. on QR Codes As Anti-Forgery On Currency Could Infect Banks · · Score: 2

    You're all not thinking clearly. The easiest thing for a counterfeiter to do is to simply duplicate the same serial number over and over. The QR code would only stop those that want to randomize their serial numbers. A copied note with a QR code will still validate all the way through the system. The bank would notice in the same way they do today - they check and make sure the serial numbers in the batch match the correct year and print facility (also on the bill), and then verify that there are no duplicate serial numbers within the deposit.

    What this would help stop (at least until the central private key is compromised) is "randomizing" of the serial numbers by counterfeiters. By using the serial number and signing it with a private key, it would at least increase the level of difficulty beyond that available to most counterfeiters. The resulting "pros" would need to get a copy of the private key in order to continue, which would involve conspiracy, hacking, bribery, or other methods to get it. Of course, those methods are just as effective now as they always have been.

    Encryption is only as strong as the weakest link. In this case, the weakest link is probably the underpaid, stepped on, underappreciated staff of the central bank.
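
The point made in the comment above, as an added example that is not part of the original comment and does not describe any real currency scheme: a signed serial number rejects an invented serial, but a verbatim copy verifies, so the bank-side duplicate check is still needed. Ed25519 stands in for the unspecified signature scheme; the `Note` type, function names and serial numbers are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Note models a bill whose QR code carries its serial and an issuer signature.
// (Hypothetical structure, constructed for this example.)
type Note struct {
	Serial string
	Sig    []byte
}

// Issue signs a serial with the issuer's private key.
func Issue(priv ed25519.PrivateKey, serial string) Note {
	return Note{Serial: serial, Sig: ed25519.Sign(priv, []byte(serial))}
}

// CheckDeposit verifies every signature, then flags serials that appear more
// than once among the notes that verified. It returns the indexes of notes
// with bad signatures and the list of duplicated serials.
func CheckDeposit(pub ed25519.PublicKey, notes []Note) (badSig []int, dups []string) {
	seen := map[string]int{}
	for i, n := range notes {
		if !ed25519.Verify(pub, []byte(n.Serial), n.Sig) {
			badSig = append(badSig, i) // invented serial: signature does not match
			continue
		}
		seen[n.Serial]++
		if seen[n.Serial] == 2 { // report each duplicated serial once
			dups = append(dups, n.Serial)
		}
	}
	return badSig, dups
}

// SampleDeposit builds constructed data: a genuine note, a verbatim copy of
// it, and a note with an invented serial that reuses the genuine signature.
func SampleDeposit() (ed25519.PublicKey, []Note) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	genuine := Issue(priv, "AB12345678C")
	invented := Note{Serial: "ZZ00000001A", Sig: genuine.Sig}
	return pub, []Note{genuine, genuine, invented}
}

func main() {
	pub, notes := SampleDeposit()
	bad, dups := CheckDeposit(pub, notes)
	fmt.Println("bad signature at index:", bad, "duplicate serials:", dups)
}
```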

  22. Re:Glad I moved my domains on GoDaddy Goes Down, Anonymous Claims Responsibility · · Score: 2

    Ditto. Tried a few different hosts, and eventually settled on gandi.net - works like a charm! A little more expensive, but I like the option of having duplicated virtual hosts on two continents just in case of failure...

  23. Re:You think this is a Game? on GoDaddy Goes Down, Anonymous Claims Responsibility · · Score: 5, Interesting

    On top of that, you didn't read the TOS from GoDaddy. That allows *them* to turn your site off on a whim without prior notice. This might just be the hackers turning on the built-in kill switch for every GoDaddy site simultaneously.

  24. Re:Don't worry, Romney... on Secret Service Investigating Romney Tax Hack Claim · · Score: 0

    The SSN was never intended to be a secret number, just unique.

    WRONG. SSN + Date of Birth is the unique combination. It's amazing to me how much this is forgotten/ignored.

  25. Re:Passwords Are Safe, But ... on WHMCS Data Compromised By Good Old Social Engineering · · Score: 1

    Remember folks - ROT13 is NOT encryption (no matter what your auditors say)...