POV-Ray : Newsgroups : povray.off-topic : Short one
  Short one (Message 61 to 70 of 129)  
From: Sabrina Kilian
Subject: Re: Short one
Date: 15 Oct 2007 09:26:38
Message: <47136a8e$1@news.povray.org>
scott wrote:
>>> Well I guess if they showed he had used it every day for the last 5
>>> years
>>
>>  Big Brother is watching? I'm not comfortable with where this is going...
> 
> If you've just been arrested (and had your PC taken away) on suspicion
> of downloading child porn (or whatever), then I think the police could
> quite easily get records of your activity online, they may have even
> been spying on you already.
> 
> It's then up to the jury what they think after all the facts have been
> presented.  It's not going to look good if you conveniently "forgot" the
> password to work your computer the day it was confiscated, but you
> managed to work it fine for the last few years.
> 

I don't think a jury would ever hear about it, in the USA. Quoting
lectlaw.com :
Civil contempt occurs when the contemnor willfully disobeys a court
order. This is also called indirect contempt because it occurs outside
the judge's immediate realm and evidence must be presented to the judge
to prove the contempt. A civil contemnor, too, may be fined, jailed or
both. The fine or jailing is meant to coerce the contemnor into obeying
the court, not to punish him, and the contemnor will be released from
jail just as soon as he complies with the court order.
http://www.lectlaw.com/def/c118.htm

What is glossed over in that nice quote is that, because it is not
'punishment' the court doesn't have to follow due process. That means no
trial by jury and no real chance to argue that you really did forget the
password.

Deniable encryption tries to get around this, but I'm waiting to see it
tested by an overzealous court. While it might be believable that the
person had turned over all of their keys, it could also be presented
that there is always one more key to turn over.



From: Sabrina Kilian
Subject: Re: Short one
Date: 15 Oct 2007 09:45:37
Message: <47136f01$1@news.povray.org>
scott wrote:
>>> they may have even been spying on you already.
>>
>>  Regardless of the suspected crime type, I'm still not very comfortable
>> if the police could legally spy on anyone they want.
> 
> How are they meant to catch people downloading illegal material without
> spying on you?  Don't ISPs already report suspected illegal activity to
> the police?
> 
> 

There is a difference between the ISP scanning their own traffic logs in
accordance with their own terms of service, and the police requiring
that the ISP scan, log, and report everything directly to them.



From: scott
Subject: Re: Short one
Date: 15 Oct 2007 10:22:10
Message: <47137792$1@news.povray.org>
>> How are they meant to catch people downloading illegal material without
>> spying on you?  Don't ISPs already report suspected illegal activity to
>> the police?
>
> There is a difference between the ISP scanning their own traffic logs in
> accordance with their own terms of service, and the police requiring
> that the ISP scan, log, and report everything directly to them.

Can't the police demand info from ISPs if they suspect some customers (or 
users of a website they host) to be acting illegally?  I'm not an expert at 
the law in this area, but it seems like common sense says the police should 
(and do) get this information if they need it to help convince someone of a 
crime.



From: scott
Subject: Re: Short one
Date: 15 Oct 2007 10:24:53
Message: <47137835$1@news.povray.org>
> Deniable encryption tries to get around this, but I'm waiting to see it
> tested by an overzealous court. While it might be believable that the
> person had turned over all of their keys, it could also be presented
> that there is always one more key to turn over.

Oh ok, I hadn't heard of deniable encryption before, I will look it up.

Another possibility is that your decryption key is stored on a USB stick, 
and is far too long for you to possibly remember.  After your PC has been 
confiscated (before they realise it won't boot without the USB key) you can 
destroy the USB stick.



From: Warp
Subject: Re: Short one
Date: 15 Oct 2007 10:28:11
Message: <471378fb@news.povray.org>
scott <sco### [at] laptopcom> wrote:
> How are they meant to catch people downloading illegal material without 
> spying on you?

  How is the police meant to stop domestic violence without installing
surveillance cameras in all homes?

-- 
                                                          - Warp



From: Tim Cook
Subject: Re: Short one
Date: 15 Oct 2007 10:42:58
Message: <47137c72$1@news.povray.org>
Warp wrote:
>   How is the police meant to stop domestic violence without installing
> surveillance cameras in all homes?

Kill all men?

-- 
Tim Cook
http://home.bellsouth.net/p/PWP-empyrean

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GFA dpu- s: a?-- C++(++++) U P? L E--- W++(+++)>$
N++ o? K- w(+) O? M-(--) V? PS+(+++) PE(--) Y(--)
PGP-(--) t* 5++>+++++ X+ R* tv+ b++(+++) DI
D++(---) G(++) e*>++ h+ !r--- !y--
------END GEEK CODE BLOCK------



From: Sabrina Kilian
Subject: Re: Short one
Date: 15 Oct 2007 11:30:42
Message: <471387a2$1@news.povray.org>
scott wrote:
>>> How are they meant to catch people downloading illegal material without
>>> spying on you?  Don't ISPs already report suspected illegal activity to
>>> the police?
>>
>> There is a difference between the ISP scanning their own traffic logs in
>> accordance with their own terms of service, and the police requiring
>> that the ISP scan, log, and report everything directly to them.
> 
> Can't the police demand info from ISPs if they suspect some customers
> (or users of a website they host) to be acting illegally?  I'm not an
> expert at the law in this area, but it seems like common sense says the
> police should (and do) get this information if they need it to help
> convince someone of a crime.
> 
> 

In the USA, no, they cannot just demand the information. They can ask
the ISP any way they want, but without a warrant, the ISP is not
required to turn over anything. Without a warrant* a cop asking for
something is doing just that, asking. The requirement to get a warrant
is 'probable cause', which is another loaded term because it has a
pretty strict legal meaning. Basically, the cop would have to show a
judge that there was already some evidence that someone committed a
crime before they could get a search warrant to invade that person's
privacy. Getting a search warrant for an ISP's logs would involve showing
some evidence that someone using the ISP did something illegal, and
would probably need to be more specific like what person committed what
possible crime over what time frame.

The trick, though, is that the ISP really had no reason not to turn over
your information. Because they own the data, and the terms of service
usually allow them to, they can turn over the information to the police
without your consent. But they are not required to. If the police
asked, on a daily basis, for all information regarding all customers,
how long would it take for the ISP to just start ignoring them until the
police brought a warrant? An ISP might even require a warrant before any
information is handed over.

*Not counting such nice modern laws like the Patriot Act and the option
to get a warrant after the search using the stuff obtained in the search
as justification.



From: Jim Henderson
Subject: Re: Short one
Date: 15 Oct 2007 12:20:22
Message: <47139346@news.povray.org>
On Sun, 14 Oct 2007 20:19:00 -0400, Warp wrote:

> Jim Henderson <nos### [at] nospamcom> wrote:
>> >   Optimally only the person who knows the root password has direct
>> >   access
>> > to the computer.
> 
>> This is certainly true for servers.  Unfortunately, we also have these
>> things called "users" who use computers. ;-)
> 
>   Users should only use the computer remotely. Just give the users a
> dummy "multimedia" PC with no valuable information stored in it and
> which HD can be reset to default each night. (That's what they do at the
> university here.)

We could do terminal server - how about just dumb terminals?

That's not really the reality of how computers are used these days - I 
travel occasionally, not having files on my laptop would cripple my 
ability to do work.  A not insignificant amount of the population works 
that way.

>   Networked file systems exist for a reason.

Yes, mostly for recovery.  If a desktop is compromised, the network 
filesystem can also be compromised.  It's not as easy, but it's certainly 
possible.

Why?  Because users do stupid things with passwords.  They leave access 
cards in their desks, etc, etc, etc.

But even more significantly, social engineering attacks lead to more 
compromise of data than any technical hacking does.

I've only been working with data security for about 15 years, with my 
first environment being an academic computer lab at a university, 
though. ;-)

Jim



From: Warp
Subject: Re: Short one
Date: 15 Oct 2007 12:30:42
Message: <471395b1@news.povray.org>
Jim Henderson <nos### [at] nospamcom> wrote:
> We could do terminal server - how about just dumb terminals?

  VT100 rules.

  (Ok, I have never actually used a VT100 terminal. I have used a VT220 one,
though. Back then it was enough to do everything you had to do... :) )

> But even more significantly, social engineering attacks lead to more 
> compromise of data than any technical hacking does.

  I read recently about a test they did somewhere (I don't remember if
it was done in Finland or the US). It's surprising how many people will
write their account name and password on a paper questionnaire simply
because the questionnaire asks for them.

-- 
                                                          - Warp



From: Jim Henderson
Subject: Re: Short one
Date: 15 Oct 2007 16:15:01
Message: <4713ca45@news.povray.org>
On Mon, 15 Oct 2007 12:30:42 -0400, Warp wrote:

> Jim Henderson <nos### [at] nospamcom> wrote:
>> We could do terminal server - how about just dumb terminals?
> 
>   VT100 rules.
> 
>   (Ok, I have never actually used a VT100 terminal. I have used a VT220
>   one,
> though. Back then it was enough to do everything you had to do... :) )

I think I have used a VT100 terminal.  Orange phosphor type screen, IIRC.

:-)

Jim

>> But even more significantly, social engineering attacks lead to more
>> compromise of data than any technical hacking does.
> 
>   I read recently about a test they did somewhere (I don't remember if
> it was done in Finland or the US). It's surprising how many people will
> write their account name and password on a paper questionnaire simply
> because the questionnaire asks for them.

Yep, but even worse than that is that help desk personnel will tend to 
reset passwords for anyone who says they are the person calling in.

Call one:

"Hi, I'm Joe Smith, and I can't seem to get in with my username - isn't 
it jsmith?"
"No, it's johnsmith, no spaces, all lowercase."
"Huh, I could've sworn it was jsmith, must've been thinking about a 
different system.  I'm in now, thanks!"

Followed by a second call to a different tech:

"Hi, I'm Joe Smith, just got back from vacation and I've forgotten my 
password, can you reset it for me?"
"Sure, no problem - it's now 'password', and you'll be forced to change 
it on your next login."
"Thanks, appreciate it."

Jim




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.