gsdofthewoods commented on Ex-Google engineer charged with stealing trade secrets   apnews.com/article/china-... · Posted by u/kiwicopple
gsdofthewoods · 2 years ago
This dystopian vision would require lighting the Fourth Amendment on fire and lead to widespread human rights violations of innocent people. Is corporate espionage a problem? Of course it is. Is it worth abandoning the principles of a free society for? Absolutely not.
gsdofthewoods commented on A startup allegedly 'hacked the world', then came censorship, and now backlash   wired.com/story/appin-tra... · Posted by u/coloneltcb
meepmorp · 2 years ago
So, if you don't do business in India, why follow the court order?

I understand Reuters taking down the article, but why would Lawfare or other blogs comply? What could an Indian court possibly do to someone entirely outside of their jurisdiction? It seems like the most appropriate response is "no, and we're going to publish the demand letters," which is exactly what techdirt did.

Let Rajat Khare - the guy who is likely behind Appin - file in a US (or EU, or wherever) court. In the US, at least, he'd have to provide some evidence that the article isn't true, which he probably can't.

Fuck Rajat Khare and Appin, the hacking company he almost certainly controls.

gsdofthewoods · 2 years ago
Reuters has many employees in India, and the Khare legal threats are issued by a US firm, Clare Locke, that describes its attorneys as "media assassins" [1] who have represented Russian oligarchs and people like Matt Lauer.

[1] https://www.thedailybeast.com/metoo-media-assassins-clare-lo...

gsdofthewoods commented on Predictive policing software terrible at predicting crimes   themarkup.org/prediction-... · Posted by u/AndrewDucker
quadrifoliate · 2 years ago
I am a little confused by this. Firstly, Gizmodo is reporting on somebody else's investigation:

> A new joint investigation by The Markup and Wired...

And when I go to the page about the actual investigation by The Markup [1]

> Our investigation stopped short of analyzing precisely how effective Geolitica’s software was at predicting crimes because only 2 out of 38 police departments provided data on when officers patrolled the predicted areas. Geolitica claims that sending officers to a prediction location would dissuade crimes through police presence alone. It would be impossible to accurately determine how effective the program is without knowing which predictions officers responded to and which ones they did not respond to.

Also, later in the article

> Plainfield officials said they never used the system to direct patrols.

Given all this, it's somewhat simplistic to say it's "pretty terrible at predicting crimes", even though that makes for a good clickbait headline. It seems that the software was intended to identify high-crime areas to target for patrolling, which doesn't seem like a huge problem to me -- but it seems like the software was never actually used as intended in the first place.

----------------------------------------

[1] https://themarkup.org/prediction-bias/2023/10/02/predictive-...

gsdofthewoods · 2 years ago
The things you're citing are referring to two different investigations. One is the most recent one that only centered on Plainfield, NJ, which is what Gizmodo is reblogging. The one where they did not investigate Geolitica's effectiveness at predictions was a broader investigation in 2021.
gsdofthewoods commented on When your classmates threaten you with felony charges   miles.land/posts/classmat... · Posted by u/epoch_100
tptacek · 2 years ago
I'm not a lawyer, but I am professionally interested in this weird branch of the law, and it seems like EFF's staff attorney went a bit out on a limb here:

* Fizz appears to be a client/server application (presumably a web app?)

* The testing the researchers did was of software running on Fizz's servers

* After identifying a vulnerability, the researchers created administrator accounts using the database activity they obtained

* The researchers were not given permission to do this testing

If that fact pattern holds, then unless there's a California law governing this that I'm not aware of --- and even then, federal supremacy moots it, right? --- I think they did straightforwardly violate the CFAA, contra the claim in their response.

At least three things mitigate their legal risk:

1. It's very clear from their disclosure and behavior after disclosing that they were in good faith conducting security research, making them an unattractive target for prosecution.

2. It's not clear that they did any meaningful damage (this is subtle: you can easily rack up 5-6 figure damage numbers from unauthorized security research, but Fizz was so small and new that I'm assuming nobody was even contemplating retaining a forensics firm or truing things up with their insurers, who probably did not exist), meaning there wouldn't have been much to prosecute.

3. Fizz's lawyers fucked up and threatened a criminal prosecution in order to obtain a valuable concession from the researchers, which, as EFF points out, violates a state bar rule.

I think the good guys prevailed here, but I'm wary of taking too many lessons from this; if this hadn't been "Fizz", but rather the social media features of Dunder Mifflin Infinity, the outcome might have been gnarlier.

gsdofthewoods · 2 years ago
Good analysis. One important caveat is that, while this may technically have been a CFAA violation, it's almost certainly not one the Department of Justice would prosecute.

Last year, the department updated its CFAA charging policy to not pursue charges against people engaged in "good-faith security research." [1] The CFAA is famously over-broad, so a DOJ policy is nowhere near as good as amending the law to make the legality of security research even clearer. Also, this policy could change under a new administration, so it's still risky—just less risky than it was before they formalized this policy.

[1] https://www.justice.gov/opa/pr/department-justice-announces-...

gsdofthewoods commented on Leaked government document shows Spain wants to ban end-to-end encryption   wired.com/story/europe-br... · Posted by u/arkadiyt
DrThunder · 2 years ago
Every single government on Earth does. This is why you limit their power.
gsdofthewoods · 2 years ago
Apparently Germany is an exception. From the story:

> Representatives from Germany—a country that has staunchly opposed the proposal—said the draft law needs to explicitly state that no technologies will be used that disrupt, circumvent, or modify encryption. “This means that the draft text must be revised before Germany can accept it,” the country said.

gsdofthewoods commented on The More You Look for Spy Balloons, the More UFOs You’ll Find   wired.com/story/spy-ballo... · Posted by u/Brajeshwar
colpabar · 3 years ago
I ask this question in good faith and out of pure ignorance - how do we know the first one we shot down was Chinese?
gsdofthewoods · 3 years ago
China's government said it originated in China, but it denied that it intentionally flew over the US for surveillance purposes: https://www.cnbc.com/2023/02/03/china-tells-us-to-remain-coo...
gsdofthewoods commented on Twilio incident: What Signal users need to know   support.signal.org/hc/en-... · Posted by u/input_sh
g_sch · 3 years ago
This info gives us an interesting opportunity to estimate the rate at which Signal is adding new users. They've been very tight-lipped (understandably) about their usage stats but anecdotally they seem to be an increasingly common presence on my friends' phones, even the non-techies.

As far as I can tell, Signal uses Twilio only to send SMS for phone number verification. Verification happens when a user registers a new number or changes the number on their existing account.

The rate at which Signal is adding new users could be calculated by:

1900 * (proportion of new registrants among SMS recipients) / (length of Twilio incident)

You could probably make some common-sense assumptions about the first variable. But I can't find any publicly available info on when Twilio was first compromised. Their press release only mentions that they discovered the intrusion on August 4, which is presumably close to the end date of the incident. Does anyone know what the estimated start of the incident might be?

gsdofthewoods · 3 years ago
Signal's SMS registration codes expire after a few minutes, so you wouldn't even need to know the duration of the incident. Let's be conservative and say the codes expire after 5 minutes (it's probably shorter); then Signal is registering 380 devices a minute.

u/gsdofthewoods · Karma: 55 · Cake day: August 15, 2022