That must really suck if you're carrying around an old drive filled with nothing but truly random data.
Would having geeks often carrying entropy drives around create a DoS (and plausible deniability shield) against this kind of privacy invasion?
Anyway, as much as RIPA is already a horror, does it at least require that it be certain encryption is in use before a person can be punished for not handing over a password?
Oh, I didn't see that. The method they used here, this "self-propagating photopolymer waveguide prototyping" (mouthful), appears to be a kind of light-hardens-media 3D printing using collimated UV light and a photo mask. It's not actually laser light, but it's a related technique.
I guess I was suggesting another kind of 3D printing, the selective sintering.
Anyway, since this SPPWP technique is already 3D printing, GGP is being redundant.
The abstract has some cool pictures of the polymer matrix.
Speaking of small scale precision, I just read about a "2-photon" technique:
Finally, ultra-small features may be made by the 3D microfabrication technique of 2-photon photopolymerization. In this approach, the desired 3D object is traced out in a block of gel by a focused laser. The gel is cured to a solid only in the places where the laser was focused, due to the nonlinear nature of photoexcitation, and then the remaining gel is washed away. Feature sizes of under 100 nm are easily produced, as well as complex structures such as moving and interlocked parts.
Did a little looking into it and, though I'm generally a fan of DJB's wares, unpatched qmail does indeed have the problem of accepting all mail for configured domains, regardless of localpart (box) validity. Which means DSNs will be sent for bad addresses, and since SMTP provides no way of validating senders, backscatter occurs. This is the term for it, by the way.
I've seen plenty of spam using the mechanism. It's a real problem.
Patches are available. But, yeah, DJB's licensing made even patching problematic for the longest time. Thankfully, he's conceded on that point. Which suggests to me he's not dogmatic or unreasonable, just rigidly principled.
I run Postfix, too. Love it. The licensing limbo was part of my decision to go with Postfix, though there were a number of factors. But I still run DJB's tinydns and dnscache.
I think GP was referring to how inflexible DJB the person can be. But certainly their comment could be used to refer to the software as well.
Not only did DJB reject the design and development practices that left BIND such a threat but he also rejected a number of usual conventions around software management/installation/licensing. In his defense, he did it because he believed the conventions were bad. His own version of things makes sense and works well, but it's definitely weird if you're coming new to it.
A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.
The term derives from the age of the exploit. A "zero day" attack occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software.
In short, knowledge of the vulnerability exists with attackers before developers. Developers developers developers developers.
Could someone edit that, actually? s/distribute a security fix/address the vulnerability/ If the developer is unaware, they're neither analyzing, patching, notifying users, nor advising workarounds, let alone distributing security fixes.
It's interesting to see the range of reactions people have. This one, anger and condemnation, is pretty common. I always figured it was just a way to distance one's self from the pain rather than it being any kind of logical perspective.
I hadn't heard that there was Science behind it. Any links you have handy?
A child on their way home from the market is attacked by a leering brigand, only narrowly managing to escape. The child wails piteously for help as they race into the village square, and with dozens finally gathered reports, "I was attacked!" To which town drunk contemptuously spits, "Not your personal army!" The crowd hits him with their hats.
I wondered about the efficacy of SpamCop's facilitated reporting to abuse operators.
The other side of this coin, however, is that SpamCop themselves learn more about the reported emails/systems, and they run a DNSBL which could pick up those systems.
Analogous to large ESPs offering "delete spam" actions that teach their systems what's spam.
Wrong focus. While at first pass it may seem that blocking email based on country affiliation makes sense because of the ratio of spam/ham you get from them, you need to look at the meaning of the criterion you're using. Yes, there will be some correlation between governance and spam, but that correlation is loose, and the collateral damage is (theoretically) oppression by geography. These people already have screwed up governments, why make it harder for them to be global citizens?
There are other ways to block, based more directly on the spamminess of the systems. Even "... shutting down all domains that have a non-responsive/non-working abuse@ handler" is a better idea.
At first glance we see this is the personally efficient way to handle the situation. Block their mail and move on. But then we might wonder if we're being a little selfish, not engaging our computer skills to help out others, the many others who are negatively affected by this spam. A little altruism is generally recognized as a noble thing...
This could lead us to thinking about the systems that have been developed for reporting spam, how individuals have been empowered to spend little effort in reporting, and how, when summed, that individually trivial effort, of thousands and thousands of people, collectively makes powerful anti-spam effect.
Then maybe we complete the circle, realizing that we are the beneficiaries of these powerful anti-spam systems, that our time is greatly saved by these systems, and that we are not just being altruistic in our contributions, we are helping ourselves.
The personally efficient way to handle many things is this way, being helpful to the larger community that you are by nature a member of, and personally capitalizing on the beneficial effects of the economies of scale and other mass dynamics/synergistic effects.
This is where selfishness meets altruism. So, why not help others, when you are really helping yourself?
No offense, but you totally missed my premise the first time round, too. We'll have to figure out whether you're understanding me yet, though it doesn't look good.
So, what is it you think my premise is now? Something like "Privacy concerns have a place in situations of child abuse", it seems pretty clear to me. But let's dig a little deeper to see what that actually means.
What are "privacy concerns"? Is that when citizens like you and me petition elected officials to pass legislation to constrain or make illegal the unconstitutional gathering and use of non-public information about us? Or is it when a supervillain tries to keep his plot to murder thousands hidden?
Hopefully that last sentence will help to hint at what I'm talking about, the fact that privacy can be a more general, encompassing subject. I'll try to spell it out some more: When people discuss privacy, they're usually discussing it from the perspective of protecting their own privacy, or from the perspective of how privacy ought to be enforced legally or morally. But what actually is happening with privacy, whether it's something desired or something unwanted, is still the subject of privacy.
So, specifically regarding this case, one implication is that interaction between individuals grows easier and easier to record. This is a trend. Follow the trend out, and even consider the extreme. Eventually, nearly any social interaction you have could conceivably be recorded (regardless of moral outcome, in case anyone is still stuck on that idea). That is an implication for privacy.
You think that privacy implications trump the disclosure of obvious criminal child abuse
Who ever said that? Who ever said anything remotely like that?
Most people won't be able to see how this situation is (generally) privacy related, they'll be focused too narrowly. That's okay. But don't make wrong assumptions about what my stance is on the very specific issue of this man's right to privacy versus that girl's right to justice.
People were bound to read into what I said, even though I said nothing about that particular matter. Expectations and narrow focus make people troll themselves.
For those with the ability, I am prompting discussion of the more general implications of how democratized data capture affects everyone's privacy. And I can't stress strongly enough how this generalized trend is something we should be keeping our eyes on. Taken to the extreme, it means eventually that no one, whether acting evilly or good, will have any privacy at all. Discuss.
by going through the entire list of certificates and marking everyone of them as untrusted
That's fantastic. I never would have expected someone to try this.
the funny thing is, I've only had to create a dozen exceptions to that model
Oh, very interesting. Of course this technique wouldn't work for the average user, but it gives us some insight into possibilities.
Seems you've virtually rejected the CA model and instituted your own. Actually, you're probably now closer to a "decide for yourself whom to trust" model than the CA model. I wonder what kind of facilities/tools would make your endeavor easier. I'm thinking you're not very far from just popping over to a certificates-oriented model like the notary models of Perspectives and Convergence.
You're insightful. You see the problem clearly. Including the possible "team identification" urges.
And you're lashing out at them.
Take your insight to the next level? Look at how you're presenting your information. Are you just venting, or are you trying to effect change? If you were intentional about effecting change, would you still heartlessly condemn those you were trying to persuade?
Granted, the browser vendors set standards for accepting CAs. That's a barrier to keep out obviously bad CAs. But that's still just adding QA on hard drive production.
I still don't want to run a RAID 0 array with 600 hard drives, regardless of how high quality they are.
The CA model is broken. Always has been. Your browser comes with several hundred baked-in CAs, each with complete authority over what your browser thinks is a trustable connection. It's like a RAID 0 array with 600 drives. Just asking for trouble, huh? And it's hard or even impossible to tell when one of those drives is reading or writing bad data. Like the truism about hard drives, "hard drives just fail (so get backups)", CAs fail. Evidently.
Being a CA is a "race-to-the-bottom" business where vendors compete on price. Anyone can be a CA (go right ahead — get OpenSSL and google how), but to compete you have to aim for cheap and cheaper; the landscape is littered with shoddy and dodgy businesses, let alone organizations (e.g., governments) with other interests specifically prioritized over your security. Even if CAs were almost always well-run, you'd still have some rotten ones sitting at the tail of the bell curve. And, again, those failures have complete power over your browser's security.
I'm in contact with the company. We'll see how they want to proceed.
I am still going to report the incident. The NY AG is sending a complaint form for me to fill out. I had tried the DA, but I guess that's the wrong organization — they kept basically ignoring me.
Slashdot Mirror
How do I make Windows repair media without an optical drive?
That must really suck if you're carrying around an old drive filled with nothing but truly random data.
Would having geeks often carrying entropy drives around create a DoS (and plausible deniability shield) against this kind of privacy invasion?
Anyway, as much as RIPA is already a horror, does it at least require that it be certain encryption is in use before a person can be punished for not handing over a password?
Oh, I didn't see that. The method they used here, this "self-propagating photopolymer waveguide prototyping" (mouthful), appears to be a kind of light-hardens-media 3D printing using collimated UV light and a photo mask. It's not actually laser light, but it's a related technique.
I guess I was suggesting another kind of 3D printing, the selective sintering.
Anyway, since this SPPWP technique is already 3D printing, GGP is being redundant.
The abstract has some cool pictures of the polymer matrix.
Speaking of small scale precision, I just read about a "2-photon" technique:
If you're imagining 3D printers printing at that resolution, why not just also pretend we can print with nickel?
Our Man Flint had a nice watch with a little T-shaped arm that telescoped out and tapped his wrist.
Did a little looking into it and, though I'm generally a fan of DJB's wares, unpatched qmail does indeed have the problem of accepting all mail for configured domains, regardless of localpart (box) validity. Which means DSNs will be sent for bad addresses, and since SMTP provides no way of validating senders, backscatter occurs. This is the term for it, by the way.
I've seen plenty of spam using the mechanism. It's a real problem.
Patches are available. But, yeah, DJB's licensing made even patching problematic for the longest time. Thankfully, he's conceded on that point. Which suggests to me he's not dogmatic or unreasonable, just rigidly principled.
I run Postfix, too. Love it. The licensing limbo was part of my decision to go with Postfix, though there were a number of factors. But I still run DJB's tinydns and dnscache.
I think GP was referring to how inflexible DJB the person can be. But certainly their comment could be used to refer to the software as well.
Not only did DJB reject the design and development practices that left BIND such a threat but he also rejected a number of usual conventions around software management/installation/licensing. In his defense, he did it because he believed the conventions were bad. His own version of things makes sense and works well, but it's definitely weird if you're coming new to it.
Different from my understanding. You're thinking of 0-day warez. Here, WP explains it pretty well:
In short, knowledge of the vulnerability exists with attackers before developers. Developers developers developers developers.
Could someone edit that, actually? s/distribute a security fix/address the vulnerability/ If the developer is unaware, they're neither analyzing, patching, notifying users, nor advising workarounds, let alone distributing security fixes.
It's interesting to see the range of reactions people have. This one, anger and condemnation, is pretty common. I always figured it was just a way to distance one's self from the pain rather than it being any kind of logical perspective.
I hadn't heard that there was Science behind it. Any links you have handy?
Sort of a manual Blue Frog.
A parable:
A child on their way home from the market is attacked by a leering brigand, only narrowly managing to escape. The child wails piteously for help as they race into the village square, and with dozens finally gathered reports, "I was attacked!" To which town drunk contemptuously spits, "Not your personal army!" The crowd hits him with their hats.
This is my hat off to you.
Oh, I see. It's not that the spam is harder to process than the ham, it's just that there's more of it.
That wasn't how I read Venezia's blog. I took him as saying that spam is harder per unit than regular mail to process.
Rather, his request is a thinly-veiled plea for vigilante/mass action from the Slashdot community. That kind of making them understand.
Like calling 1.800.861.6618 or emailing them at conseil@theumanage.com (ooh, that's the first time I've made a mailto link in a /. discussion — wonder if it'll work) or at conseil@www.cfcible.com, or just visiting their website a bunch.
Which could actually happen, I wouldn't be surprised. I stand by, curiously awaiting report of the results.
I wondered about the efficacy of SpamCop's facilitated reporting to abuse operators.
The other side of this coin, however, is that SpamCop themselves learn more about the reported emails/systems, and they run a DNSBL which could pick up those systems.
Analogous to large ESPs offering "delete spam" actions that teach their systems what's spam.
Wrong focus. While at first pass it may seem that blocking email based on country affiliation makes sense because of the ratio of spam/ham you get from them, you need to look at the meaning of the criterion you're using. Yes, there will be some correlation between governance and spam, but that correlation is loose, and the collateral damage is (theoretically) oppression by geography. These people already have screwed up governments, why make it harder for them to be global citizens?
There are other ways to block, based more directly on the spamminess of the systems. Even "... shutting down all domains that have a non-responsive/non-working abuse@ handler" is a better idea.
At first glance we see this is the personally efficient way to handle the situation. Block their mail and move on. But then we might wonder if we're being a little selfish, not engaging our computer skills to help out others, the many others who are negatively affected by this spam. A little altruism is generally recognized as a noble thing...
This could lead us to thinking about the systems that have been developed for reporting spam, how individuals have been empowered to spend little effort in reporting, and how, when summed, that individually trivial effort, of thousands and thousands of people, collectively makes powerful anti-spam effect.
Then maybe we complete the circle, realizing that we are the beneficiaries of these powerful anti-spam systems, that our time is greatly saved by these systems, and that we are not just being altruistic in our contributions, we are helping ourselves.
The personally efficient way to handle many things is this way, being helpful to the larger community that you are by nature a member of, and personally capitalizing on the beneficial effects of the economies of scale and other mass dynamics/synergistic effects.
This is where selfishness meets altruism. So, why not help others, when you are really helping yourself?
Huh. Half my incoming spam is nixed at HELO.
And, arguably, the load for spam analysis is undertaken whether the message is spam or ham.
I've seen Paul Venezia articles linked before. I can't remember if it had a similar level of dubiousness, but I'm wondering now.
No offense, but you totally missed my premise the first time round, too. We'll have to figure out whether you're understanding me yet, though it doesn't look good.
So, what is it you think my premise is now? Something like "Privacy concerns have a place in situations of child abuse", it seems pretty clear to me. But let's dig a little deeper to see what that actually means.
What are "privacy concerns"? Is that when citizens like you and me petition elected officials to pass legislation to constrain or make illegal the unconstitutional gathering and use of non-public information about us? Or is it when a supervillain tries to keep his plot to murder thousands hidden?
Hopefully that last sentence will help to hint at what I'm talking about, the fact that privacy can be a more general, encompassing subject. I'll try to spell it out some more: When people discuss privacy, they're usually discussing it from the perspective of protecting their own privacy, or from the perspective of how privacy ought to be enforced legally or morally. But what actually is happening with privacy, whether it's something desired or something unwanted, is still the subject of privacy.
So, specifically regarding this case, one implication is that interaction between individuals grows easier and easier to record. This is a trend. Follow the trend out, and even consider the extreme. Eventually, nearly any social interaction you have could conceivably be recorded (regardless of moral outcome, in case anyone is still stuck on that idea). That is an implication for privacy.
I hope that clears things up.
Who ever said that? Who ever said anything remotely like that?
Most people won't be able to see how this situation is (generally) privacy related, they'll be focused too narrowly. That's okay. But don't make wrong assumptions about what my stance is on the very specific issue of this man's right to privacy versus that girl's right to justice.
People were bound to read into what I said, even though I said nothing about that particular matter. Expectations and narrow focus make people troll themselves.
For those with the ability, I am prompting discussion of the more general implications of how democratized data capture affects everyone's privacy. And I can't stress strongly enough how this generalized trend is something we should be keeping our eyes on. Taken to the extreme, it means eventually that no one, whether acting evilly or good, will have any privacy at all. Discuss.
Please note that this incident involves privacy implications.
Discuss.
That's fantastic. I never would have expected someone to try this.
Oh, very interesting. Of course this technique wouldn't work for the average user, but it gives us some insight into possibilities.
Seems you've virtually rejected the CA model and instituted your own. Actually, you're probably now closer to a "decide for yourself whom to trust" model than the CA model. I wonder what kind of facilities/tools would make your endeavor easier. I'm thinking you're not very far from just popping over to a certificates-oriented model like the notary models of Perspectives and Convergence.
You're insightful. You see the problem clearly. Including the possible "team identification" urges.
And you're lashing out at them.
Take your insight to the next level? Look at how you're presenting your information. Are you just venting, or are you trying to effect change? If you were intentional about effecting change, would you still heartlessly condemn those you were trying to persuade?
Granted, the browser vendors set standards for accepting CAs. That's a barrier to keep out obviously bad CAs. But that's still just adding QA on hard drive production.
I still don't want to run a RAID 0 array with 600 hard drives, regardless of how high quality they are.
The CA model is broken. Always has been. Your browser comes with several hundred baked-in CAs, each with complete authority over what your browser thinks is a trustable connection. It's like a RAID 0 array with 600 drives. Just asking for trouble, huh? And it's hard or even impossible to tell when one of those drives is reading or writing bad data. Like the truism about hard drives, "hard drives just fail (so get backups)", CAs fail. Evidently.
Being a CA is a "race-to-the-bottom" business where vendors compete on price. Anyone can be a CA (go right ahead — get OpenSSL and google how), but to compete you have to aim for cheap and cheaper; the landscape is littered with shoddy and dodgy businesses, let alone organizations (e.g., governments) with other interests specifically prioritized over your security. Even if CAs were almost always well-run, you'd still have some rotten ones sitting at the tail of the bell curve. And, again, those failures have complete power over your browser's security.
The model is inherently faulty.
I'm in contact with the company. We'll see how they want to proceed.
I am still going to report the incident. The NY AG is sending a complaint form for me to fill out. I had tried the DA, but I guess that's the wrong organization — they kept basically ignoring me.