Privacy, Government, Surveillance, and You.

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4326: Jun 26th 2020 at 5:13:49 AM

[up][up] I'd say the solution is to fix the government, not act as if it's the enemy. I'll be accused of idealism, of course, but sooner or later E2E will get broken, either by criminalizing it or via a mandatory backdoor. You can't play defense forever against the power of the state.

[up] Which is why I don't trust this bill. Not because of my personal beliefs, but because of the people pushing it.

Edited by Fighteer on Jun 26th 2020 at 8:14:21 AM

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
RainehDaze Figure of Hourai from Scotland (Ten years in the joint) Relationship Status: Serial head-patter
#4327: Jun 26th 2020 at 6:44:52 AM

Honestly, what happens then is End to End encryption will first resurface headquartered in more friendly regimes, even if it's barred from official application stores, and then presumably this sort of regime will then declare its utilisation illegal, because damn people for using the electronic equivalent of passing letters in sealed envelopes in person.

When a government is seeking to control the flow of information by crippling the ability of its own citizenry to say anything that they can't observe, you're on a neat path to autocracy. Given that snooping programs are already widespread, which is a large draw for why end-to-end encryption is used, it's a very short hop to also demanding that these backdoors simply be "shared" with security services and then there's no privacy at all, not just a matter of "only in exceptional criminal cases".

Once you introduce a back door or force transmitting the keys via a third party, it might as well be unsecured communication. Transport security is comparatively good but then you get opened up to man-in-the-middle attacks and the like, and it's inevitable that security against those will be banned and restricted too because that gets in the way as well so...

And yes, you're being idealistic, because your arguments for defeating encryption and central information repositories hinge on this being a world where these are not going to be instantly up for abuse. Which it is.

Edited by RainehDaze on Jun 26th 2020 at 2:46:36 PM

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4328: Jun 26th 2020 at 7:20:42 AM

Once you feel that you have to hide your communications from your own government, the problem already exists. Encryption tools are not a solution; they are an escalation. Statistically, you are at far greater risk, personally and financially, from non-government actors snooping on your conversations anyway. With the government as guarantor of end-to-end security rather than an enemy of it, we'd be in much better shape.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
RainehDaze Figure of Hourai from Scotland (Ten years in the joint) Relationship Status: Serial head-patter
#4329: Jun 26th 2020 at 7:28:53 AM

Except the government isn't going to be a guarantor of End-to-End encryption, you're supporting the notion that it should cripple it, which leaves the security hole for all of those malign actors to seek out and exploit. I'm all ears for how you think a third party should retain the keys necessary to decrypt communication between two parties without leaving something to be exploited.

Also, you seem to have forgotten that I'm not in the USA and I have no reason to consider the US government to be my friend.

DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
#4330: Jun 26th 2020 at 2:08:04 PM

That bill has nearly zero chance of passing. Too many businesses depend on encryption to protect their information. It's throwing the baby out with the bathwater. And the House Dems will just laugh at it.

BTW—thank you Fighteer for sharing that information, which was fascinating. I'm generally on the other side of the coin: trying to bypass the efforts of various corporate entities to control and market our data. Seeing it from the other side is really informative.

Edited by DeMarquis on Jun 26th 2020 at 5:25:33 AM

"We learn from history that we do not learn from history."
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4331: Jun 30th 2020 at 9:55:06 AM

Well, we don't market anyone's data, and we aren't interested in anyone's identity other than to prevent ban evasion, so I'd like to think TV Tropes is still on the good side of the privacy equation.


Anyway, on facial recognition, Ars Technica reports that the Detroit police chief cops to 96-percent facial recognition error rate. That is, 96 percent of the time their facial recognition software returns a false match. This came up due to a false arrest in a shoplifting case, made on the basis of facial recognition.

It is known that this software does a poorer job on black faces, and yet the DPD's own statistics show it being used almost exclusively on black suspects: 68 out of 70 times.

There is a growing movement to ban the use of this software by police.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
SeptimusHeap from Switzerland (Edited uphill both ways) Relationship Status: Mu
#4332: Jun 30th 2020 at 10:25:22 AM

Let me guess: False positives due to the false positive paradox/base rate fallacy?

"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled." - Richard Feynman
DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
#4333: Jun 30th 2020 at 12:53:15 PM

Probably. People have been speaking up against this policy since they started it.

"We learn from history that we do not learn from history."
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4334: Aug 10th 2020 at 5:33:05 PM

Ars Technica: Snapdragon chip flaws put >1 billion Android phones at risk of data theft

It might be time to put away your Android phones, or at least take extra care with them. The Qualcomm Snapdragon chipset has more than 400 known vulnerabilities, mostly centered around the digital signal processing, or DSP chips. The article says that "Qualcomm has released a fix for the flaws, but so far it hasn’t been incorporated into the Android OS or any Android device that uses Snapdragon[.]"

"Check Point said that Snapdragon is included in about 40 percent of phones worldwide. With an estimated 3 billion Android devices, that amounts to more than a billion phones. In the US market, Snapdragons are embedded in around 90 percent of devices."

Attack vectors include malicious app installations and specially crafted video content, and aside from limiting one's app downloads to the Google Play Store (which is not a perfect guarantee anyway), there's little an end-user can do to detect or prevent attacks.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4335: Aug 24th 2020 at 5:30:34 AM

Ars Technica: “Protest app” Bridgefy is full of flaws that threaten users everywhere

The Bridgefy app, created by a Twitter co-founder, uses mesh network technology to allow messaging between users even when cell networks are overloaded or jammed, and claims to use end-to-end encryption to ensure privacy. It boasts 1.7 million installations.

Researchers notified the company in April that the app contains serious security flaws that can allow attackers to impersonate users, perform man-in-the-middle attacks, decrypt conversations, identify users on the network, and even completely crash it. These flaws are because the app is based on a platform that was never designed with security in mind.

Among other things:

  • It transmits user IDs in plain-text, letting anyone on the network see who's talking to whom and impersonate their public keys.
  • It uses an obsolete encryption protocol that can easily be defeated with common tools.
  • A specially crafted .zip file can be sent that crashes the app for everyone on a network. The app cannot be recovered and must be reinstalled.

The developers are currently working on a completely new version built on the Signal protocol.

Edited by Fighteer on Aug 24th 2020 at 8:31:08 AM

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4336: Aug 26th 2020 at 3:57:02 PM

Ars Technica: iOS 14 privacy settings will tank ad targeting business, Facebook warns

Allow me to get out the World's Smallest Violin here for Facebook, whose aggressive ad targeting has been the source of many consumer complaints and even lawsuits. In a nutshell, Apple's upcoming iOS 14 will add notifications whenever any app accesses the device's IDFA code (a random, unique identifier allowing the device to be tracked across apps) and give the user the option to block it.

Facebook believes that this will effectively kill its mobile advertising efforts. To which I bring out the aforesaid violin. However, it will have significant repercussions on apps that rely on ad integration with platforms like Facebook, as they could see huge revenue declines from impressions.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
RainehDaze Figure of Hourai from Scotland (Ten years in the joint) Relationship Status: Serial head-patter
#4337: Aug 26th 2020 at 4:20:39 PM

Okay, I missed this because I kind of expected hardware flaws to be in the computer thread and not a privacy and surveillance thread, but-

"It might be time to put away your Android phones, or at least take extra care with them"

Not sure that "Buy a new phone" is normally a good response to "snapdragon processor has security flaw". 'Take care', yes, 'seek out new phone model immediately', bit too expensive.

Honestly, I'm not surprised yet another processor family has security flaws. Hopefully the patches do come quickly... well, it doesn't bother me because I don't have a snapdragon processor, but still.

I suppose that makes Apple currently the largest set of processors to not be broken into in some way AFAIK? No doubt people are going to go looking for them, though.

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4338: Aug 27th 2020 at 5:17:24 AM

I generally think of hacking as a privacy issue, but I can certainly cross-post to the computer thread if you think it would be helpful.

Those Qualcomm chips are in 90 percent of Android smartphones in the U.S., reportedly, so it's a pretty big deal, and people using them should be warned. Even more importantly, we need a backlash against device makers if they don't move quickly to patch these sorts of flaws.

I'm not taking a position in the iOS vs. Android war; the facts will speak for themselves. I would expect Apple to rapidly address any equivalent issue in its chips and be angry if it did not.

Edited by Fighteer on Aug 27th 2020 at 8:22:58 AM

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
RainehDaze Figure of Hourai from Scotland (Ten years in the joint) Relationship Status: Serial head-patter
#4339: Aug 27th 2020 at 8:26:18 AM

It's a genuine question, because I know that Intel's had some massive security holes, so has AMD even if some of those have been by proxy. Via chips weren't exempt either—though I think that one required physical access? So that adds Qualcomm processors to the list. Which leaves Apple as the main group that hasn't yet had a hardware-level security flaw with its CPUs published.

Well, ignoring if we go back in time and consider Cyrix etc.

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4340: Sep 14th 2020 at 6:37:34 PM

Ars Technica: New Windows exploit lets you instantly become admin. Have you patched?

Okay, clickbait title. This is pretty serious, though. A newly discovered exploit allows an attacker who has LAN access to instantly gain administrator rights to your Active Directory domain controller. It's not an issue for home PCs unless they are connected to a domain, but for business and educational environments, it's a critical problem.

The good news is that Microsoft released a patch in August. The bad news is that enterprise users are often very slow to perform domain controller updates.

Details: The exploit targets the Netlogon protocol, and allows someone with no authentication to gain administrative credentials as long as they can establish TCP connections. This usually means being inside a network's firewall, such as with local access. For example, an insider could run the exploit, or an outsider who enters an office and plugs into an Ethernet socket.

The actual flaw is in the AES-CFB8 cryptography protocol, which Windows did not implement correctly (of course). The exploit sends carefully crafted messages containing strings of zeroes in specific fields.

If you regularly update your PC, you aren't personally vulnerable, but make sure your IT folks know about this.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
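Added example, not part of the post above or the article it summarises: a sketch of why CFB8 fails when the IV is fixed at all zeros, which is the implementation mistake publicly documented for this Netlogon flaw. SHA-256 truncated to 16 bytes stands in for AES (an assumption; CFB only uses the cipher's forward direction), all keys and function names are constructed for the demonstration, and nothing here speaks Netlogon.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes, as in AES

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES (assumption): CFB only ever uses the forward
    direction of the cipher, so a keyed hash shows the same behaviour."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with 8-bit feedback: one block-cipher call per plaintext byte."""
    state, out = iv, bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, state)[0]   # first keystream byte only
        out.append(c)
        state = state[1:] + bytes([c])         # shift the ciphertext byte in
    return bytes(out)

def constructed_key(i: int) -> bytes:
    """Deterministic sample keys, constructed for this example."""
    return hashlib.sha256(b"constructed-key-%d" % i).digest()[:BLOCK]

def collapse_count(trials: int, fixed_zero_iv: bool, length: int = 8) -> int:
    """Count keys under which an all-zero message encrypts to all zeros."""
    hits = 0
    for i in range(trials):
        iv = bytes(BLOCK) if fixed_zero_iv else os.urandom(BLOCK)
        if cfb8_encrypt(constructed_key(i), iv, bytes(length)) == bytes(length):
            hits += 1
    return hits

def first_collapsing_key(limit: int = 100_000) -> bytes:
    """First sample key whose keystream byte for the zero block is 0x00.
    With a zero IV the state then never changes, so every byte stays zero."""
    for i in range(limit):
        if block_encrypt(constructed_key(i), bytes(BLOCK))[0] == 0:
            return constructed_key(i)
    raise RuntimeError("no such key in range")

if __name__ == "__main__":
    n = 4096
    print("fixed zero IV :", collapse_count(n, True), "of", n, "keys (about 1 in 256)")
    print("random IV     :", collapse_count(n, False), "of", n, "keys")
```

With the IV pinned to zero, roughly one key in 256 maps an all-zero message to an all-zero ciphertext of any length, so a check built on that ciphertext no longer proves knowledge of the key; a fresh random IV per message removes the effect.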
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4341: Sep 22nd 2020 at 11:23:39 AM

Ars Technica: Facebook warns privacy rules could force it to exit European market

On the surface, you might read the title of the article and say, "So what? Evil Facebook has no respect for privacy, kill it." However, this one isn't quite so straightforward. A new regulation enacted by Ireland's Data Protection Commission (DPC), which has jurisdiction over Facebook because its EU operations are headquartered in Dublin, would block the company from transferring any data about EU citizens to data centers hosted in the U.S. and would force it to stop storing any such data in the U.S.

The justification for the regulation is the inability of Facebook to adequately shield its users' privacy from the U.S. government under existing U.S. law. Facebook argues that the rule has violated its due process (as the same person is both investigating and issuing the ruling) and will be enacted too rapidly for it to respond adequately, potentially forcing it to shut down operations in Europe entirely.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
SeptimusHeap from Switzerland (Edited uphill both ways) Relationship Status: Mu
#4342: Sep 22nd 2020 at 11:58:11 AM

Frankly, given the immense harm that Facebook has done to the Internet politics discourse, I would probably celebrate.

Also. "Facebook argues that the rule has violated its due process (as the same person is both investigating and issuing the ruling)" is the normal way the non-adversarial justice system operates, not everywhere are judges merely referees.

"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled." - Richard Feynman
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4343: Sep 22nd 2020 at 12:22:34 PM

According to the article, the European standard is for those to be different people.

I'm not taking a side, just noting that the sudden termination of all Facebook and Instagram service in Europe would have a significant impact: on businesses as well as consumers.

Edited by Fighteer on Sep 22nd 2020 at 3:23:32 PM

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Silasw A procrastination in of itself from a handcart heading to Hell Since: Mar, 2011 Relationship Status: And they all lived happily ever after <3
#4344: Sep 22nd 2020 at 12:25:42 PM

Also on the spread of disinformation.

No idea if they’d terminate UK operations as well, this is probably a giant bluff anyway.

Edited by Silasw on Sep 22nd 2020 at 7:26:16 PM

"And the Bunny nails it!" ~ Gabrael "If the UN can get through a day without everyone strangling everyone else so can we." ~ Cyran
DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
#4345: Sep 22nd 2020 at 2:11:28 PM

Well, they have a point, so Ireland should abide by the procedural standard, and come to the exact same conclusion.

"We learn from history that we do not learn from history."
Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#4346: Oct 5th 2020 at 5:36:52 PM

Ars Technica: Boom! Hacked page on mobile phone website is stealing customers’ card data

If you are thinking of getting anything from Boom! Mobile (boom.us), don't. The company's website is running a script that intercepts and steals customers' credit card and other data. It is not clear how the script got there but the website is running an old version of PHP with known security flaws. The company still hasn't fixed its site and hasn't responded to messages.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Ominae Organized Canine Bureau Special Agent Since: Jul, 2010
#4347: Oct 6th 2020 at 12:10:13 AM

While peeps have advised me to avoid CU as a source unless necessary, there's an interview with the guy who investigated the Zhenhua leaks.

Edited by Ominae on Oct 6th 2020 at 12:10:24 PM

"Exit muna si Polgas. Ang kailangan dito ay si Dobermaxx!"
DeMarquis Who Am I? from Hell, USA Since: Feb, 2010 Relationship Status: Buried in snow, waiting for spring
#4348: Oct 6th 2020 at 9:31:02 AM

A Guardian article on the same topic:

"About 2.4 million people are included in the database, assembled mostly based on public open-source data such as social media profiles, analysts said. It was compiled by Zhenhua Data, based in the south-eastern Chinese city of Shenzhen.

Internet 2.0, a cybersecurity consultancy based in Canberra whose customers include the US and Australian governments, said it had been able to recover the records of about 250,000 people from the leaked dataset, including about 52,000 Americans, 35,000 Australians and nearly 10,000 Britons. They include politicians, such as prime ministers Boris Johnson and Scott Morrison and their relatives, the royal family, celebrities and military figures."

"We learn from history that we do not learn from history."
speedyboris Since: Feb, 2010
#4349: Nov 2nd 2020 at 7:38:20 AM

Report: If re-elected, Trump will immediately fire FBI Director Christopher Wray

Why am I posting this in this thread? Because this is just another step towards what I honestly feel is Trump's end game here. By replacing Wray with a sycophant who will be more than happy to arrest Trump's political enemies, he will make it that much easier to go against anybody who says a bad word about him. Sure, it may start with high-ranking and elected officials but it would certainly evolve into Trump's FBI arresting journalists, then public anti-Trump organizers (such as BLM leaders), then any schmo (like me, or you) for criticizing him.

And before you say it, no, he doesn't need to arrest every single person who is critical of Trump, because that would be impossible, but just enough to scare everybody else into self-censoring themselves and/or falling in line.

All the more reason to vote him out tomorrow.

Edited by speedyboris on Nov 2nd 2020 at 8:09:30 AM

Aszur A nice butterfly from Pagliacci's Since: Apr, 2014 Relationship Status: Don't hug me; I'm scared
#4350: Nov 2nd 2020 at 8:12:53 AM

Who knew Big Brother's all watching eye...would have hands so small?

It has always been the prerogative of children and half-wits to point out that the emperor has no clothes

Total posts: 4,767