I happen to like guns and shooting. It's a good point to understand the appeal of guns and also "the other side."
But there is a point you are leaving out that comes up if you talk to anyone who does treat firearms seriously: many people do not take those classes and/or do not treat guns safely. Go to a range on Sunday and that will be really clear. Or read the comment history by people who bring this up whenever guns come up in a general forum. Often they rightly end up complaining about safety of other gun owners in posts in more topic specific forums. But somehow, when it comes to a general audience, those issues get omitted.
Taking the class would give you a distinctly wrong impression about the responsibility of all gun owners. As does the suggestion to take the class.
Sorry, not to single you out specifically, it really is a good suggestion. But the net rhetorical effect of people making points like this is (and I think it's intentional) to skew the framing of the issue. Yes, you may be responsible, but with the exception of some people who would never heed your advice, people who want more regulation of firearms aren't worried about you. Guns don't kill people, some people with guns kill people.
But it gets to the heart of the matter of why responsible people who are pro gun rights feel like progressives aren't willing to consider productive compromises that address the real fundamental problems. Banning "assault weapons" would be largely ineffective. Requiring people to demonstrate basic safety as determined by an apolitical third party (National Guard in their state?) before being licensed would probably dramatically cut down on gun accidents and nobody would have to be afraid that their right to self-protection is being taken away from them.
I mean, isn't all this debate kind of moot drama in 2017?
If guns were meant to protect us from our government--well we already have an overtly anti-constitutional, criminal government with disproportionate powers residing in unelected individuals.
Oh but if we make guns illegal--well there already are too many unregistered that it would empower criminal interests, both economically from a black market, and from having relatively more firepower.
Ah but you just want to "save lives?" Well if you want to save people's lives isn't it easier to ignore all this bullshit and do something like go supply clean drinking water to an undeveloped part of the world?
> If guns were meant to protect us from our government--well we already have an overtly anti-constitutional, criminal government with disproportionate powers residing in unelected individuals.
You don't really believe that otherwise you would've left to one of the other hundreds of countries in the world, unless you believe all governments are criminal.
> Ah but you just want to "save lives?"
I'm interested in saving my own life if I'm ever in danger. I already have a brita filter.
Instead of using the NIST recommended curve points it uses self-generated basis points and then takes the output as an input to FIPS/ANSI X.9.31 PRNG, which is the random number generator used in ScreenOS cryptographic operations."
Looks like they feed the output through a standard CPRNG. Assuming it's true, that pretty much breaks the DUAL_EC attack because you can't use the output of the final CPRNG to recover the DUAL_EC state.
I wonder if that's going to be demonstrated to be a true statement, and further whether the tampering Juniper discovered will have disabled that second step.
It seems to be a true statement: Dual EC is used to seed a X9.31 generator with 3DES, where 8 bytes are the initial seed V, and the remaining 24 are K (cf. [1]). I don't see any other usage of Dual EC other than to self-test and to seed X9.31.
Oddly, you can disable the Dual EC seeding with the flag 'one-stage-rng'. But not the other way around.
I don't know, it makes little sense to me too. Maybe there's some subtle flaw somewhere, which I haven't spotted. Since subtlety doesn't seem to be a thing with the changes we've seen so far, I'm not sure what to think.
Except Chrome, which on every laptop I've ever used seems to decrease battery life by about a 1/3rd compared to Safari and is always marked as using significant power.
(Currently 10.9.5 with chrome 44 on a 2014 macbook air, but I've had the issue on newer computers at work)
This can be seen exceptionally when watching videos where some implementations prefer Flash. I often fall asleep to documentaries (maybe not a typical use case) and I've seen massive gains in battery life using Safari (using HTML5 video) vs. Chrome (using Flash). Granted, this isn't a fair comparison as one is using a "native" implementation and one is using Flash. But I've seen something like 250% gain in battery life – which sometimes means the difference between seeing the ending and not.
It's interesting watching one's projected battery life climb from 40m to 1h 40m simply by swapping one application for another. However, it's unfortunate some websites prefer Flash-based implementations over their native counterparts. Although this trend seems to be shifting in favor of those that are native. And I assume the smart folks at Google are taking note. YouTube, for example, has done a particularly spectacular job at adding AirPlay functionality to their HTML5 player.
My guess is that native HTML5 is just h.264, and most modern systems have a hardware decoder that would be much more efficient at decoding than a software implementation. Flash video is a wrapper around a number of codecs, and if the codec isn't h.264, then you're doing software decoding, which is far less efficient.
There is currently no good browser for apple. Safari (8.0.8) struggles with HTML5. Firefox (40.0.2) struggles with video/media of any sort and bogs down with multiple tabs. Chrome (44.0.2403.157 (64-bit)) drains your battery. I'm on a MacBook Pro (10.10.5, 13-inch, Early 2015). They are all uniformly disappointing.
At least for me, that's partly because Chrome makes it _so_ easy to "overuse" it. I'm right now writing this comment in a window with 29 tabs open, I have three other chrome windows with 22, 17, and 14 tabs open respectively. It's sitting there at 42.3 in the Energy Impact column and 32.23 in the Avg column - but to be fair it's got a whole bunch of stuff going on (two separate gmail instances and a fair few other javascript-heavy webapps as well). I've probably go more bogomips going on in this one browser window that all the machines I learnt to program on were capable of between them...
Hmm… comparing that to the amount of tabs and windows I have open in Safari right now (which is actually pretty low for me since I usually have more than 250 tabs open) seems to make Chrome look even worse…
Specifically (running Safari v7.1 on OS X v10.9.5), I have 18 windows open containing 2, 18, 26, 16, 2, 12, 17, 13, 21, 6, 2, 2, 1, 1, 2, 1, 1, and 4 tabs for a grand total of 147 tabs. Oh, and I forgot to mention, it’s also downloading two files in the background right now. It’s showing up with 13.2 in the Energy Impact column and 4.47 in the Avg column.
(Oh, and since I already have it open, I may as well mention that Firefox 39.0 shows up as around 14.7 in the Energy Impact column (although it keeps spiking to 23.9 every few seconds) and 2.99 in the Avg column with 2 tabs open in 1 window with no downloads).
I'm at 47.91 average impact for FF 40.0 with uBlock Origin and Ghostery, no Flash installed. Doing local web development and poking around some news sites to read about all these market crashes. Only a few tabs open at a time for me.
If your a developer at Google that is looking for a 20% time project here is your opportunity! Make some fixes, write it up and post about it somewhere and we will up vote your story and give you sweet HN karma. :)
Dylan's comment requires a timer in both the key fob and in the car. The key fob to delay transmission of the challenge response, the car to check if there isn't too much delay in the challenge / response pair.
You really need a timer in the key fob, as the processor in the key fob is often so slow (for battery / cost reasons) that an extra couple clock cycles somewhere would throw off the timing enough to make it fail.
Cool trick in that one, the Prover(i.e. the key fob) does the distance measuring part of the challenge response protocol using analog only components. This means its response time is <1 nano second.
So you can do it with only the car having a good timer.
Not sure how they do it, but it has been done before as a research project http://css.csail.mit.edu/cryptdb/. One of the tricks it uses(though by no means the only) is to do a binary search in an index, it actually has the client decrypt a node and compare and then give the server the result.
Re-read their paper about mOPE. Very similar indeed. The difference is that in our case the server doesn't know the tree structure, with cryptdb it does.
Well, actually we don't use determenistic encryption, and the server knows nothing about ordering. It merely stores the trees and returns requested pieces (w/o knowing which piece is that or is it a piece of a tree at all).
I find some ideas in MIT mOPE paper similar though
I didn't ask whether you use deterministic encryption, I asked whether your variant of mOPE is deterministic. It's possible to use randomized encryption for the leaves of mOPE and still construct a deterministic OPF.
EDIT: Also, you say the server does not know the tree structure. Do you mean it doesn't know the structure until you query, or the structure is always obfuscated (including access patterns and search patterns)?
EDIT2: What is the round complexity of a single query in your protocol?
It might be true, but how usefulness is it when dealing with society as a whole?. For the Puttman, it probably kicks in, but for a whole field like e.g. programing/computer science/IT, it almost certainly doesn't for the simple reason that the field isn't composed of anywhere near the top 0.001 percent of the population in terms of IQ.
> but for a whole field like e.g. programing/computer science/IT, it almost certainly doesn't for the simple reason that the field isn't composed of anywhere near the top 0.001 percent of the population in terms of IQ.
If programming requires significantly higher IQ than average, then if male and female IQ variance are disparate then males and females will be differently represented in the programming field.
It's not really an issue of 'kicking in'; in any normally-distributed function, differences in variance are always relevant, and can rapidly be more important than the mean the further one gets from the 50th percentile.
Summers's point was about the distribution at the extremes, not the average. He was addressing the lack of professors in STEM at places like Harvard which manifestly select for the far end of the bell curve. Right, wrong, or otherwise, that has almost nothing to do with the average case and even he contended that the best statistical evidence showed women and men were roughly equal.
So, unless one seriously thinks that the entire field of programming/IT/computer science as a whole requires that level of talent, Summer's point doesn't apply and there are certainly other reasons for the gender gap in computer science.
A survey (published in Science[1]) of ~1800 academics across 30 disciplines in the US saw a non-significant positive correlation between estimates of how selective a department is with graduate students and the female representation in that disciplines.
In other words a field that was more selective (as measured by the proportion of applicants being admitted) might have more women in it.
This evidence is is not compatible with any reasonable prediction from the "different high tail" theory.
The SIM card bit is actually I think a distraction. The real issue should be the means: the NSA/GCHQ intentionally targeted innocent/non government affiliated people's personal email and social networking.
That's different than collecting everyone'ss data and claiming you never look at it unless someone does something to loose their innocence. Orwellian nightmare that that is and probably bullshit, revelations along those lines are not surprising. The systematic targeting of the personal lives of random employees (at least of non-governmental/ non defense industry ones), is new.
No, that's actually the bread and butter of intelligence work. At least it was in HUMINT, if not in SIGINT. You identify individual(s) with access to what you need and then work on/with them. This is not surprising or even controversial (mind you, I am not in any way in favour of such things, just playing the devil's advocate a bit) at all. Hard evidence of dragnet, massive, all encompassing surveillance really is the new revelation that has come out of Snowden leaks including this one. Targeting of individuals (especially if they're foreigners) was always going on.
Personally, the biggest take away to this is the invasive targeting of completely innocent and ordinary people simply as a means to get access to things the NSA needed (sim Card keys). We have concrete evidence they nailed peoples personal email accounts and social networks merely as a means to an get crypto keys in mass. Sure, the potential mass surveillance is exceedingly problematic, but thats mainly problematic because of the potential for abuse. Abuse that we either assumed would happen or already had, but as far as I know there was little direct evidence of.
The absolute lowest bar for surveillance seems to be that a government doesn't use it to intentionally target innocent people/ those not in the game (hell, lets lower it even further to be only people the government themselves believe are innocent).[0]
That potentially allows dragnet collection of data if no one looks at it. It might allow hacking just a company's servers to get access to third party data. It probably allows you to spy on foreign heads of state (even if it's a boneheaded move). But it damn well doesn't allow you to go through the personal communications of people who you know have done nothing wrong and aren't even working for someone who has.
[0] This is precisely the woefully low bar Obama has been espousing : “The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security and that we take their privacy concerns into account in our policies and procedures,”
I wonder how many years with of jail time Aaron Schwartz's prosecutors would be talking about if this'd been done by a mouthy kid instead of the NSA?
I wonder which non-US country, where the NSA's actions aren't made "legal" by secret FISA courts or acts of (US) Congress, will be the first to start throwing that kind of legal threat at NSA staff responsible for this?</wishful-thinking>
When you hold the Poisoned Chalice of Power you get to decide who is legally justified and who isn't. "Morals" doesn't even factor into things....unfortunately.
Only in a limited way though, the NSA can decide (or at least exert considerable influence over) what's legal in the US - but criminal actions in, say, The Netherlands or any other (non five eyes) country, cannot be "justified" or "excused" legally by another except those countries.
I guess a _lot_ of what goes in in state sponsored espionage happens outside the civilian legal system - at least in "major" countries - but surely there's scope for a criminal trial and civil damages case against NSA/GHCQ operatives when their espionage involves widespread network exploitation and privacy violation of corporate networks and staff. Crimes which would _clearly_ be aggressively prosecuted if committed by Anonymous Skript Kiddies or criminal credit card fraud gangs. Why shouldn't NSA agents be held just as accountable in this case by non US legal systems? Sure, root the embassy network and expect to be held diplomatically responsible if you get caught. Private companies and citizens though? Go to jail just like anybody else.
But if you've been following the Firstlook disclosures, and the response to it from different governments, you'll notice that they don't really want to hold anyone accountable - likely, they are all on it some way or another.
Ireland rushed to retroactively OK british spying. Germany ignored it (with some theatrical "I'm insulted" remarks from Merkel, but no real action).
The assumption that any government out there actually wants to enforce its laws with respect to mass spying against its people is not supported by facts.
> "the document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database.
> "There is no proof at the moment which could lead to charges that Chancellor Merkel's phone connection data was collected or her calls tapped."
Plenty of spies on all sides have been killed and jailed over the years. If a country can prove a specific person committed a crime. But that's a lot harder to do with tech crimes.
How do you think the world actually works? Do you think that any other intelligence operation this past century didn't target similar people?
Take a look at the cold war, most of the directly tasked targets of US and Soviet intelligence efforts were "small fish" with the right access, anything from a hotel employee to a secretary or a cook or even your hair dresses.
At least with this NSA thing they don't end up with 2 bullet holes at their back of the head at the bottom of a trash chute.
Spy agencies always have and always will operate in such manner really not sure why people still act in any sort of shock this is the most basic trade craft.
No they didn't. There are intelligence operation that you haven't heard of, and this is not an accident. Just because NSA is using brute force and does not care about the collateral damage it does not mean that all of the secret agencies should do the same or doing the same.
I am not concerned about that. It is bad practice to damage security for all because of few. This is all I am saying. It seems like a pretty bad idea to me.
Damage security? They didn't damage the security of the products because of this, if anything you should take of is just how easily these products can be compromised in such manner.
All the NSA did is to steal keys which they can then use to interdict cellular communications, it's not like they put in a weakness by design and then exploited it (which they might have done in other operations but that's a completely different story).
This thing is no different than the digital signatures on the driver used by Stuxnet ("oddly enough" both companies which were compromised were in the same industrial park just a across of a shared parking lot from each other ;)).
Sadly this level of operation is plausible to be committed not only by private intelligence agencies (which we had too many off already) but by crime organizations as well. I've seen case of corporate espionage which were more complex than this one.
Instead of huffing and puffing at the NSA the proper lesson to learn from this is that cellphone carriers should stop relying on SIM card manufacturers in China and India for their encryption.
Heck if the NSA can interdict equipment in transit to tamper with it, how hard would you think does the Chinese intelligence service has to work to go down the street and just demand the keys straight from the source?
It's about a good damn time that people start asking questions on who has access to the private keys which are used in so many day to day operations from the keys used to authenticate your cable modem to the keys in the card reader you swiped your card trough at your local coffee shop. The answer to this should force quite a few people to live in a hunting lodge in Montana for sure.
I in fact would be very surprised to find a single mass used commercial cryptosystem which is actually secure. Because which each and everyone of those the keys to the castle end up being in the hands of the lowest paid employees out there and business practices will always force availability and serviceability over security.
Everything can be compromised. It is just a matter of enough resources(money really). Finding a security bug and actively using it and do not expose it publicly is kind of damaging security because the bug can be used by other organizations as well. Writing Stuxnet is an entire different level. Actively deploying backdoors and compromise entire networks just to get to the target is a lot of collateral damage. Isn't it?
Actually there were certain projects got pushed back like the IDEA from ETH Zurich or ECC from University of Washington and other potentially vulnerable alternatives were promoted. ECC btw. is pretty strong for a very long time, even today, if you don't use the backdoored version...
Eh? the NSA didn't pushed IDEA out, what pushed it is the fact that besides being actually substantially (esp. since 2013) less secure than AES and with poorer performance is that IDEA was a registered trademark and was under a full patent which meant implementing (prior to the patent expiration in 2012) was a nightmare.
I also hope that you don't insinuate that ECC was "invented" by UW since elliptic curve cryptography was known for quite a long time.
By the backdoor I assume you mean the whole NIST curves fiasco, well besides the fact that it was in use almost no where, if you speak to actual mathematicians you'll find out that it wasn't a big deal. The NIST curve was more about performance enchantment than backdooring, altough sadly for NIST and for the NSA it failed at providing both.
The big problems with ECC is that it's extremely susceptible to side channel attacks especially in embedded implementations, and that if you have the capability to use quantum computing for cryptanalysis then to break ECC you'll need only about 25-50% of the compute time/power than you would need to break RSA.
Also since ECC is asymmetric and quite resource consuming it's not really used in encryption as much as you think, sure it's good in any situation where you can use PKI but PKI is rarely used to encrypt actual data. The common uses of PKI are for authentication and initial key exchange data encryption whether it's in rest or in motion is usually based on symmetric encryption.
So I may have missed the details. I thought we knew they hacked Belgacom, but no one mentioned going through employee's personal email and social networks (though in light of this, we can assume they did). If they did mention it and I missed it, sure, nothing new. But the same entire thing then just applies to that instance too.
> While working to assess the extent of the infection at Belgacom, the team of investigators realized that the damage was far more extensive than they first thought. The [ed: NSA] malware had not only compromised Belgacom’s email servers, it had infected more than 120 computer systems operated by the company, including up to 70 personal computers.
I don't remember the reporting on the Belgacom hack mentioning that they were casually querying X-KEYSCORE as they reportedly did here to identify potential targets.
It is gradually recursing backward to "invasive targeting of completely innocent and ordinary people simply as a means to get access more innocent and ordinary people in order to ...etc"
It's worth remembering that some tools are only useful with lots of data about innocent people. Some forms of network analysis fall into this category, I believe.
Lets suppose it actually was a valid defense. But what does that have to do with going through the Facebook and personal email of individual employees to know who to target. That was done up close, in personal, by hand. By any definition, those people had their privacy specifically and intentionally violated by actual human analysts.
The end in this case being the ability to decrypt cellphone traffic. And what will that capacity be used for? Spying on foreign nations? Halting nonexistent terrorist plots? Further secret surveillance of American citizens?
If we judge the means by the ends, I do not believe that their end provides sufficient justification for their means. They appear to believe otherwise, however they fail to offer any evidence for their perspective; as an American, I am feeling ever more alienated from the organizations which were theoretically founded for our benefit.
Decrypting cellphone traffic is also a means. It's a means towards information and human connections and so on. That's the sort of stuff that can make or break an operation.
Did it? Has it? Unknown.
The trouble with intelligence is that it's only effective when done with secrecy and fairly broad latitude to operate. There are few easy answers here.
A fairly broad latitude? If the ends justify the means and yet the ends themselves are kept completely hidden, then the latitude, as you put it, is completely unconstrained. An intelligence agency operating under those principles can literally do anything claiming that it is for the greater good.
In short, it sounds like you are advocating for an agency which can take arbitrary extralegal action at its own discretion, without providing reason or explanation, and without providing any demonstrable benefit to anybody, because it's secret.
Frankly, I find the idea terrifying. I understand that intelligence agencies need some quantity of secrecy and some degree of latitude. Like you have repeatedly stated, there are no easy answers. But that doesn't mean we shouldn't ask the question. What the hell are these people doing, and should we let them continue? What is growing in our intelligence sector -- is it an institution that will be found to have brought the world benefit, like Bletchley Park, or will it be seen to have become a thin facade over a malignant, self-interested organization, potentially culminating in something like a secret police?
We have a secret police now: what else do you call an organization that secretly collects information against the nation's own citizens to be secretly passed along for 'parallel construction'? That kept this policy itself a secret? Theoretically it's as a byproduct of foreign intelligence-gathering, not a primary function, but this frog feels the pot to be plenty hot already.
I agree, except for "now". That's clear from Bamford's books. For example, federal charges against the Weather Underground Organization were dropped in late 1973 after a screwup in parallel construction. In 1973, hardly any civilians had ever heard of the NSA (aka "No Such Agency") and they wanted to keep it that way.
Can you please provide your definition of intelligence?
I would argue that theoretically, a government (or other entity) could use intelligence but use it within a set of moral and/or ethical guidelines that uses a system of checks and balances.
Intelligence is the dirty-but-necessary stuff that makes it possible to accurately guide diplomacy, economic policy, trade, and military action to achieve the desired goals of a nation-state for a minimum of cost. It includes internal security.
Generally, intelligence cannot operate openly, even under a strict set of guidelines. Further, there will always be situations where efficacy runs into guidelines and something has to give. Would you be willing to violate the privacy of one person to prevent an attack that would kill five thousand? How about a dozen people's privacy? A hundred? A thousand? A million?
As I understand it, those aren't purely theoretical questions in the world of intelligence.
Would you be willing to violate the privacy of one person to prevent an attack that would kill five thousand?
Why don't we skip the suggestive "thought experiments" and look at some facts instead.
A grand total of 3467 people in the USA have been killed by terror attacks since 1970[1].
In the same timeframe 2091 americans were killed by lightning strike[2] and roughly 102.000.000 died of old age.
Please explain how these numbers justify the NSA's yearly budget of $75 billion dollars, and their documented, ongoing violation of millions of people's privacy.
No. Otherwise police departments would be unable to do anything and would cease to exist. Police operations vary in secrecy but even the most secret eventually stop being so, as there is a need to actually prosecute.
The idea that "spys gonna spy" is one we need to start collectively challenging. Why do we need these organisations at all? If NSA/GCHQ were wound up and their technical specialists re-allocated 80% to domestic law enforcement for computer forensics purposes, and 20% to a new dedicated counter-intel-only organisation, would the sky fall? I doubt it.
It's interesting because last I checked Obama/NSA were saying they don't collect content, only metadata (that harmless, harmless metadata [1]). If that's the case, why were they so interested in the SIM key?!
Because they were useful for targeted surveillance? Not that I agree with the means or the scope, but there's an above board explanation for the desire to get the keys . Suppose you have a handful of phones in Pakistan or Iran you need access to very covertly (e.g. some rogue guy in the ISI where getting caught snooping has major consequences). The least risky way to access his communications is to get the keys. The least risky way to do that is to get them from the broadest source possible(to obscure who you're really interest in) and the one most removed from your target. So there's a legit reason to want the keys, even if your only targeting a few legit targets.
But the means of doing so is truly questionable, even given all their assertions about trust us and we don't look at everyones stuff.
But there is a point you are leaving out that comes up if you talk to anyone who does treat firearms seriously: many people do not take those classes and/or do not treat guns safely. Go to a range on Sunday and that will be really clear. Or read the comment history by people who bring this up whenever guns come up in a general forum. Often they rightly end up complaining about safety of other gun owners in posts in more topic specific forums. But somehow, when it comes to a general audience, those issues get omitted.
Taking the class would give you a distinctly wrong impression about the responsibility of all gun owners. As does the suggestion to take the class.
Sorry, not to single you out specifically, it really is a good suggestion. But the net rhetorical effect of people making points like this is (and I think it's intentional) to skew the framing of the issue. Yes, you may be responsible, but with the exception of some people who would never heed your advice, people who want more regulation of firearms aren't worried about you. Guns don't kill people, some people with guns kill people.