Tor exit node operator arrested in Russia (TorServers.net blog)
Though, the very nature of Bogatov case is a controversial one, as it mixes technical and legal arguments, and makes necessary both strong legal and technical expertise involved. Indeed, as a Tor exit node operator, Dmitry does not have control and responsibility on the content and traffic that passes through his node: it would be the same as accusing someone who has a knife stolen from her house for the murder committed with this knife by a stranger." The Debian Project made a brief statement.
Posted Apr 18, 2017 0:42 UTC (Tue)
by frostsnow (subscriber, #114957)
[Link] (34 responses)
>This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.
>blog.torservers.net uses an invalid security certificate. The certificate expired on 04/17/17 16:12. The current time is 04/17/17 17:35. Error code: SEC_ERROR_EXPIRED_CERTIFICATE
Workaround (insecure):
$ openssl s_client -connect 'blog.torservers.net:443'
Then type:
to retrieve the article.
Posted Apr 18, 2017 1:03 UTC (Tue)
by linuxrocks123 (subscriber, #34648)
[Link] (32 responses)
Since when does Firefox think it's its decision whether to let me connect to a website?
Posted Apr 18, 2017 1:48 UTC (Tue)
by simcop2387 (subscriber, #101710)
[Link] (31 responses)
Posted Apr 18, 2017 5:26 UTC (Tue)
by linuxrocks123 (subscriber, #34648)
[Link] (30 responses)
Posted Apr 18, 2017 7:53 UTC (Tue)
by tialaramex (subscriber, #21167)
[Link] (29 responses)
In practice what we know from observing users and from general human psychology is that even the experts will mostly just switch off safety devices that are annoying if that's easy, because humans don't value safety anywhere near as much as convenience, even though they're astonished by the consequences of that trade. Alas.
Posted Apr 18, 2017 8:54 UTC (Tue)
by linuxrocks123 (subscriber, #34648)
[Link] (25 responses)
I wouldn't necessarily trust the general population to know when and when not to override SSL errors, but I would certainly trust just about everyone on this site. I'd trust most of SoylentNews and Slashdot, even. Not that it matters, because, even if I didn't, people at our level will find a way. Ffs, the comment we're replying to is someone talking about how to type raw HTTP GET commands into openssl so you can save the HTML to a file and then point the browser at that file ... to override the SSL error. And thanks, btw, I learned something new from that, but it's also absurd that some browsers reduce us to having to do that.
You want to stop the clueless from overriding SSL errors for HSTS sites, make it a hidden option in about:config and be done with it. Don't get in the way of the significant population of people who know what they're doing.
Posted Apr 18, 2017 13:42 UTC (Tue)
by tialaramex (subscriber, #21167)
[Link] (20 responses)
The site's administrator specifically doesn't want you reading their site without HTTPS, that's the purpose of the HSTS setting. A web browser seems like exactly the right place to put that behaviour choice, if you want to subvert it through technical means you can, as shown, but there's no reason it would be the default.
Now, doubtless you'll protest that clicking through a warning isn't "the default", but alas because of a human cognitive defect it is. Anything that gets in the way of the task is dismissed. This isn't something special about the web, or computers, it happens in the real world too, most of those "low bridge" crashes happen that way, the driver is intellectually able to process the fact that their vehicle is too tall for the bridge, but their plan says they're going to drive under the bridge, only hitting the bridge will finally undo that plan.
The overarching philosophy is also important to a browser as opposed to something like curl that just fetches a single resource. What happens if an image link leads to an HSTS site with a defective certificate? Does the image load anyway? How is it indicated to you, the end user, that the image isn't actually trusted after all despite it seeming to be from an HTTPS URL? What if instead of an image it's Javascript? What if it's an Ajax endpoint?
In practice humans aren't interested in taking on the tremendous work implied by letting them, as you would, take the decision. So, they're just going to click "Yes / ignore / I don't care / fuck it, in for a penny in for a pound" and in practice the browser's policy becomes "We don't actually have security, we decided users would prefer to go without". So long as there are only a tiny minority opting out this even looks superficially safe - it's not worth targeting a few thousand Pale Moon users.
Posted Apr 18, 2017 23:46 UTC (Tue)
by linuxrocks123 (subscriber, #34648)
[Link] (19 responses)
I said in the comment I replied to to make it a hidden option in about:config. That takes a lot more doing to override than clicking through a warning, and it's SOP for the Mozilla projects to use about:config to hide "dangerous" settings.
The bottom line is it's my machine, and the software on it is there to do my bidding. Software that intentionally goes against what I want to do is repugnant when it's because of DRM and is just as repugnant when it's because it thinks it knows better. FLOSS was founded on the principle of liberating users. Taking away users' agency is not what our community is about.
Posted Apr 19, 2017 0:02 UTC (Wed)
by mjg59 (subscriber, #23239)
[Link] (14 responses)
Indeed. That's why you have the source code, the right to modify that source code and the right to share your changes with others. But the authors of the upstream code have made a decision that offering the option that you want will hurt other users more than it will help them (eg: a large company manages to break SSL on an HSTS site. Support advises users to change something under about:config while it's being fixed. These users don't end up making an informed decision about security, and are now vulnerable to being MITMed in situations where they'd otherwise be protected), and that's a justifiable position for them to take.
Posted Apr 19, 2017 2:31 UTC (Wed)
by linuxrocks123 (subscriber, #34648)
[Link] (13 responses)
But, hey, I guess this will lead to more Pale Moon users, which would be a happy result. I'll even help by directing them to it in those help forums.
I still say shame on Firefox, though.
Posted Apr 19, 2017 2:47 UTC (Wed)
by pabs (subscriber, #43278)
[Link]
Posted Apr 19, 2017 3:29 UTC (Wed)
by mjg59 (subscriber, #23239)
[Link] (11 responses)
Posted Apr 19, 2017 6:36 UTC (Wed)
by linuxrocks123 (subscriber, #34648)
[Link] (10 responses)
Posted Apr 19, 2017 6:48 UTC (Wed)
by mjg59 (subscriber, #23239)
[Link] (9 responses)
Posted Apr 19, 2017 22:37 UTC (Wed)
by linuxrocks123 (subscriber, #34648)
[Link] (8 responses)
"Directing the hardware to do something blatantly unethical and illegal" != "Directing a browser to visit a website that's misconfigured"
You didn't answer my question about patching media players.
Posted Apr 19, 2017 22:51 UTC (Wed)
by mjg59 (subscriber, #23239)
[Link] (7 responses)
Posted Apr 20, 2017 2:59 UTC (Thu)
by linuxrocks123 (subscriber, #34648)
[Link]
Posted Apr 21, 2017 19:15 UTC (Fri)
by aggelos (subscriber, #41752)
[Link] (5 responses)
Does it? Life is short. Even those of us who can code, probably want to
For people who are more removed from programming as a daily practice, that is
To a large degree this is unavoidable. Those who do the work get to decide on
Which brings me to the actual point.
> That's the contract the community has, nothing more.
Programs are large and complicated. The legal possibility of maintaining your
This then is my point. The choice to not allow the user of the browser to
It is in one word, disempowering. And this matters because putting
But the argument (IIUIC) that "you have the source and the right to modify it
Geez this came out long.
[0] E.g. daunting and chaotic configurability or indifference to user issues,
Posted Apr 22, 2017 4:16 UTC (Sat)
by pabs (subscriber, #43278)
[Link] (3 responses)
Posted Apr 22, 2017 8:21 UTC (Sat)
by aggelos (subscriber, #41752)
[Link] (2 responses)
One characteristic of LWN is that, AFAIU, people look forward to reading it as part of their Thursday morning routine (or daily routine now), knowing that there's a minimal chance it'll get their pulse rate up. Perhaps I'm mistaken, but the editors seem to have settled (in practice; not saying they actually discussed this) on a "no original controversy" (akin to Wikipedia's "no original research") rule. There's something to be said for this (apparent) rule. While I'm sure position articles which are controversial for the current audience of LWN would drive hits (and links) up, it's not obvious to me that people would want to fund such a publishing venue. Linking to an article that people are not comfortable with is one thing, having LWN endorse it by (possibly paying for its) publication is quite another.
So while some of us would appreciate reading articles which challenge our world view on LWN, would we keep paying for it if it did that regularly and deliberately? Probably not. I have zero data on this (and would very much like to learn more about actual case or aggregate studies), but I suspect a smaller, slowly-growing, ideologically-homogeneous (more or less) reader base is better suited to a subscriber-based site than a larger, polarized (across any number of axes) one.
That said, I do think there's room for experimentation within the current subscription model without succumbing to trollumnism. Say, by considering views which are in opposition to the kernel's groupthink regarding abuse or critical of the LF (or actually, any views which our editors might be mildly uncomfortable with but think are relevant to LWN's audience). The way things are, I doubt outside contributors would feel comfortable approaching LWN with such articles. But every move towards diversity acts as positive feedback.
So while I can't claim it's a Great Idea for LWN to do that, it is for the LWN I want to subscribe to. It might even be a Good Idea when it comes to low-hanging fruit such as the topic of this subthread here :-)
Posted Apr 22, 2017 13:10 UTC (Sat)
by anarcat (subscriber, #66354)
[Link]
Sure, but then we're deep into off-topic territory, and you're making me want an article about journalism itself, even though I just started here. ;)
As a new contributor here, I understand what you are talking about, but I identify it more with my own nature than LWN itself: I assume certain topics are off the table, and just self censor, so far. I have yet to come across direct editorial interference in my work, in general. The only exception is one case where I have made a broad social statement that was for me a basic axiom ("large corporations are bad", more or less) but that for the general public may not be a given fact. Keeping that argument in place would have required an elaborate rationalization of the argument, which defeated its purpose: it was supposed to be an argument, not an axiom. :) The trick is that controversial topics are, by nature, harder to argue than well-established positions, which is why you are going to have trouble finding journalists argue those correctly.
Nevertheless, I am, generally, confident that I will be able to bring controversial topics here - and I believe I did a few times already. As a journalist, however, your duty is not to take sides but to reflect on a discussion or situation that is already happening between different parties. Sure, there are opinion pieces to be made, but even those, I feel, are stronger when they are backed by strong arguments. In that context, your comment is even more interesting because it brings nice sound bites I can quote in an article while keeping critical distance. ;)
And as pabs said, there's a "Write for us" button on the left column, try it out and be the media.
Posted Apr 24, 2017 17:53 UTC (Mon)
by Wol (subscriber, #4433)
[Link]
I miss Groklaw. But that had aggressive moderation. There were some wonderful off-topic conversations there. PJ just had this simple rule - you could argue anything you liked so long as you had the facts/argument to back yourself up, and you weren't offensive.
(This did cause a few problems, when English and American disagreed as to what was offensive ...)
Cheers,
Posted Apr 22, 2017 13:23 UTC (Sat)
by anarcat (subscriber, #66354)
[Link]
This is an off-topic but interesting debate. As a person that just enables HSTS yet sometimes has trouble visiting sites because of SSL compatibility problems, I certainly understand the frustration. While it is true that developers can fix that issue on their own, by basically forking a major web browser, that is no small feat of engineering. That software is a really complex piece of machinery, probably one of the most complex standalone pieces of software ever built. What is being proposed is to fork this to remove a limitation a site's author wanted to be configured. I believe this is being a little dishonest: there's nothing simple or easy about doing that kind of stuff. Some people *may* be able to do so, most people can't and basically nobody will.
The underlying problem here is that we have two different freedoms in conflict - one is the freedom of the website author to keep its content private to only the people that visit the site, ensuring better security for its users but also protecting itself from the liability of certain attacks. The other is the freedom for some of *those* users to disable those protections. Should users be able to disable such policies on their own? Maybe.
But why? In this case, it was to workaround a configuration problem on the server, which disabled the service. Should web browsers be modified to work around configuration problems on the server? My answer to this is an emphatic: oh please please please no. I would understand if there would be a more reasonable use case here, but there are legitimate technical reasons behind HSTS. If a websites shoots itself in the foot and (say) starts running on port 80 instead of port 443 because of a typo, should a browser start guessing and fallback to do SSL on port 80? No! We have standards for this, and HSTS was establish to say "I know what I'm doing, disable the site if i fuckup my ssl config". That's what torservers.net said, then they fucked up, and the site went down. Don't go blaming the browser for limiting your freedom then. The server admins did that. And now it's fixed.
So maybe now we can move on to free Bogatov already. The point of this news was not to satisfy your pet peeve about some weird technological corner of the internet. A fellow Debian Developer is in jail for enabling journalists and researchers to do anonymous work on the internet. Help him.
Posted Apr 19, 2017 1:28 UTC (Wed)
by tialaramex (subscriber, #21167)
[Link] (3 responses)
An about:config option would presumably be global, so the effect is "set this, and then you can ignore stuff by clicking through it" which is exactly what we already know doesn't work. But the facts have never impinged on projects like Pale Moon before and I don't see that changing.
[ Fun fact: Pale Moon decided Let's Encrypt is untrustworthy because the lead developer of Pale Moon thinks a CA should be responsible for preventing phishing and malvertising. Also, some hard to follow logic whereby there's an "inherent lack of validation" in Let's Encrypt's validation system (I have a long rant about this, but basically Ballot 169 rules significantly tighten up validation for the Web PKI, three of the nine methods specified in Ballot 169 are modelled on how Let's Encrypt already worked when the ballot was written, those three Ballot 169 methods are basically like the ELI5 sketch of how Let's Encrypt does validation, they don't really capture the nuances, but at least they're an improvement on the total ignorance that reigned prior). You won't have noticed because "untrustworthy" for Pale Moon turns out to mean nothing whatsoever, Let's Encrypt certificates still work fine, not that it matters because presumably you'd just click through the errors anyway and press on. ]
Posted Apr 19, 2017 3:10 UTC (Wed)
by linuxrocks123 (subscriber, #34648)
[Link] (1 responses)
The about:config option could be a list of domains to ignore HSTS for, or any number of other things.
> [Pale Moon doesn't trust Let's Encrypt.]
Indeed, it appears Pale Moon doesn't trust Let's Encrypt. The reasons appear to be different than you describe, however; Moonchild's main beef appears to be with the fact that there is no way to get Let's Encrypt to generate a revocation for a fraudulently issued certificate. That sound bad; I hope they fix that, if that's true.
> You won't have noticed because "untrustworthy" for Pale Moon turns out to mean nothing whatsoever, Let's Encrypt certificates still work fine
There's some false information here. Let's Encrypt certificates do, indeed, work fine in Pale Moon, but that is because the Let's Encrypt intermediate certificates are cross-signed by IdenTrust; indeed, viewing a site using Let's Encrypt as its CA results in "Verified by: IdenTrust" in the security information.
However, I can assure you that it is not the case that Pale Moon trusts certificates without a chain of trust ending in a root certificate it trusts. I can also assure you that Pale Moon behaves differently when it doesn't trust a certificate. As with anyone else, I run into self-signed certificate errors and "THE CERTIFICATE EXPIRED YESTERDAY PANIC PANIC OMGWTFBBQ!" inanity on a semi-regular basis. Every time I do, Pale Moon displays a dramatic, full-page, really scary error message with a blood red background. It doesn't do this for trusted certificates, so it's easy to tell when Pale Moon doesn't trust something.
> not that it matters because presumably you'd just click through the errors anyway and press on.
I doubt you really think, given our conversation, that I would blindly click through a certificate error for a site I use regularly and then give that site my login information. Are personal attacks really necessary?
Posted Apr 19, 2017 18:58 UTC (Wed)
by tialaramex (subscriber, #21167)
[Link]
As with any other public CA, Let's Encrypt allows certificate problem reports, through which you could achieve revocation of a fraudulently issued certificate. However a certificate is not "fraudulently issued" just because you don't like who it was issued to or how they're using it, if Steve murders a woman in cold blood, then drives to the airport and boards a plane, neither his driving license nor his passport become "fraudulently issued" just because Steve is now a murderer. This is, by some irony, not so different from the muddled thinking that has the Russians persecuting a Tor node operator for the behaviour of Tor users.
But my main point wasn't this mundane lack of understanding, even though it ought to be enough for you not to want anything to do with somebody developing a web browser, we see the same failure to comprehend from all over. My point was that having decided this is untrustworthy Moonchild decided to do nothing whatsoever about it, so that the effect is exactly the same as if they hadn't made this silly declaration at all. You correctly diagnosed that the result is the certificates are trusted because they were cross-signed. But this isn't the end of the trail at all, stopping there tacitly accepts that these certificates and the CA are fine, but just you're going to make a song and dance.
As far as Pale Moon is concerned the Let's Encrypt CA is just a subCA for Identrust. Assuming that Pale Moon inherits most of the actual machinery of Mozilla's Firefox, this gives them three practical options to choose from. The most drastic is to demand IdenTrust fix this, or if they will not remove IdenTrust from their trust store for issuing subCA certificates to the untrustworthy Let's Encrypt. The next option is to add the cross-signed Let's Encrypt certs as explicitly distrusted in the Pale Moon package, this is how Firefox dealt with problems like DigiNotar early on. Finally the browser can be configured to restrict trust in some other way as a result of making a deal with Let's Encrypt, if they fix whatever troubles you, you'll trust certificates issued after some particular date.
In practice of course Let's Encrypt is ubiquitous at this point, so doing any of these things because of their misunderstanding about what it means for something to be "fraudulently issued" would be grossly disproportionate. But the situation today, in which they profess it is not "trustworthy" but in fact Pale Moon trusts it entirely is a joke.
Posted Apr 19, 2017 3:11 UTC (Wed)
by linuxrocks123 (subscriber, #34648)
[Link]
Posted Apr 24, 2017 15:46 UTC (Mon)
by gerv (guest, #3376)
[Link] (3 responses)
Also, did you know that when you override a cert error, you allow that cert for any SAN in it, not just the one you are connecting to? So if that cert is for www.securityblog.example.com and also www.paypal.com, you just allowed them to MITM you for paypal.com. This is more of a risk for self-signed than for expired, but I bet you didn't know it, nevertheless.
Overriding SSL cert errors, particularly with the permanent flag checked, is a _bad_ idea.
Posted Apr 24, 2017 21:43 UTC (Mon)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted Apr 24, 2017 22:38 UTC (Mon)
by nybble41 (subscriber, #55106)
[Link]
The router may be able to change any of the traffic passing through it, but that does not imply that it can present itself as an arbitrary properly authenticated HTTPS site... unless you accept its self-signed certificate without first checking that the certificate is limited to the router's admin domain. TLS is specifically designed to thwart MiTM attackers with exactly that ability to intercept and modify any of the participants' traffic.
Posted Apr 29, 2017 19:32 UTC (Sat)
by flussence (guest, #85566)
[Link]
Posted Apr 18, 2017 13:22 UTC (Tue)
by bandrami (guest, #94229)
[Link] (2 responses)
Seriously, this seems so obvious: there are two questions that TLS is trying to answer at once. I want to know
A) is the transport between me and the other party secure? and sometimes
For most traffic (where even a verified A isn't particularly trusted), A is the much more important question, and hand-wringing about B has prevented widespread adoption of simple techniques to solve A. Establish a secure channel, and we can then use that to negotiate authenticity.
Posted Apr 18, 2017 14:02 UTC (Tue)
by tialaramex (subscriber, #21167)
[Link]
In a current (late 2016, 2017) browser HTTP sites are affirmatively marked insecure if they seem to have content that you'd expect to be secured, such as a password dialog (really, you want asterisks on the screen, then you're going to send it plaintext over the Internet..?). In a modern (2015 onwards) browser new features don't work for HTTP at all, location services, integrated video conferencing, all that stuff is gated on HTTPS
Eventually (maybe 10 years from here) HTTP sites will all be marked affirmatively insecure, so yes, the browser will "complain". In hindsight this is how things should have worked from the outset, but I've met Tim and he's not exactly the sort of person to fully chase things through before putting them live, so by the time his Web was visible to the world it was too late.
Your A / B observation is very old, and we accepted the same rationale for SMTP (see below) but notice that A without B gives you nothing whatsoever in the fact of an active adversary. Now, many years ago people might have argued that active adversaries are extremely rare, maybe they don't even exist. But then Google & co inadvertently discovered that they not only exist, they're so common they think this is their network and they will fight very hard to sabotage it if given the opportunity. Such adversaries do not wish their existence to be widely known, if you've ever wondered why Google is so enthusiastic about transparency, that's why. Creatures that fear the light are not dangerous - so long as you stay out of the shade.
Now, for SMTP we were stuck with a problem. Like HTTP, SMTP is plaintext by default and there was a huge installed base of systems that only grok plaintext SMTP. To deploy anything at all it needed to seamlessly interoperate, otherwise you've got a flag day for email and that's not happening. So for SMTP we have "opportunistic encryption" where most clients will ignore the poor quality of certificates and encryption settings out there, because anything is better than nothing. But the result is pretty poor, an active adversary can snoop all the email pretty effectively, we know that in some countries this is happening today - and even a passive adversary can snoop a lot of email, a lot of the time. We have no idea how common that is. But it's a start, the ambition is to some day tighten things up, as happened previously for the Web PKI itself.
Posted Apr 18, 2017 14:21 UTC (Tue)
by cesarb (subscriber, #6266)
[Link]
You can't solve A without solving B. If you don't know whether the other party is who they claim to be, you don't know whether you are talking to the other party or to an eavesdropper. That is, if Alice can't authenticate Bob, she can't know whether the connection is going A -> B or A -> E -> B, where Eve is talking to Alice as if she were Bob, and talking to Bob as if she were Alice, repeating (and possibly modifying) the messages between them.
> Funny, I don't know of a single browser that complains about a plaintext connection, despite the fact that it's strictly worse than an HTTPS connection with a problematic certificate. Kind of makes the whole certificate verification paranoia seem like so much theater.
I know of one: recent versions of Firefox complain about plaintext connections with password form fields. The reason for not complaining is historical (plaintext connections came first and are still very widespread), but that's slowly beginning to change. Also, once users start trusting the "https://" as the sign of a "safe" connection, it becomes important to warn or block the connection in case it's compromised.
Posted Apr 18, 2017 7:40 UTC (Tue)
by tialaramex (subscriber, #21167)
[Link]
It appears this site was previously using certificates from StartCom, the CA purchased by WoSign and which has subsequently been essentially distrusted (for new issuances) as a result of WoSigns behaviour, extensively documented on m.d.s.policy.
They switched to Let's Encrypt, but seem to have made some sort of mistake when setting things up, such that although a new certificate was obtained as scheduled 60 days after the initial one, it was not put into effect, presumably until they got lots of people complaining that their site no longer worked as intended when, a month later, the old one expired.
This type of failure seems to be relatively common, either from not actually reloading a web server after the config is updated, or from not updating the configured certificate at all (e.g. explicitly copying the new files on first use, but not arranging for them to be re-copied when the symlink are updated after a renewal). I haven't seen any one particular recurring goof, just a general pattern.
Unfortunately Let's Encrypt itself doesn't warn you so long as you obtain the newer certificate, you have to use a third party (there are lots, including free options) to monitor things and spot if your certificate seems almost expired, or of course you could hire administrators who are pro-active about such things.
Posted Apr 18, 2017 0:56 UTC (Tue)
by dfsmith (guest, #20302)
[Link] (21 responses)
I'm not sure the prosecution would see it that way. From their point of view they are accusing someone who had a knife taken from their house; but the there was a sign outside the house that said "free knives, no questions asked". Not that it makes any of this right (disclaimer: I've only read the LWN summary).
Posted Apr 18, 2017 2:40 UTC (Tue)
by fratti (guest, #105722)
[Link]
Posted Apr 18, 2017 5:36 UTC (Tue)
by dirtyepic (guest, #30178)
[Link] (18 responses)
Posted Apr 18, 2017 5:52 UTC (Tue)
by NightMonkey (subscriber, #23051)
[Link]
Posted Apr 18, 2017 13:51 UTC (Tue)
by gowen (guest, #23914)
[Link] (14 responses)
Posted Apr 18, 2017 15:54 UTC (Tue)
by gb (subscriber, #58328)
[Link] (3 responses)
As operating system is available to everyone without any restrictions - terrorists also may use it, so people working on let's say Linux really helping terrorists - by providing them means to run advanced technologies.
It is possible to extend that further by saying - authors of the message board helped terrorists by creating way for them to communicate.
Or further - people who allowed tor to operate in the country actually helped terrorists because they know that such situation is possible.
Or we can make it wider by saying that people who elected people who didn't pay attention that tor may be used as means of communications for the terrorists.
One could be very creative with finding responsible... Where is the line and why?
Posted Apr 18, 2017 16:14 UTC (Tue)
by liw (subscriber, #6379)
[Link] (2 responses)
If those who build free software help terrorists, how come those who make proprietary software aren't helping them?
This line of thinking really makes no sense.
Posted Apr 18, 2017 17:11 UTC (Tue)
by pizza (subscriber, #46)
[Link] (1 responses)
That's easy; the proprietary software's EULA says you can't use it for "bad things", and terrorists would never violate EULAs because violating contractual agreements is the worst, most morally repugnant thing that anyone could do.
Posted Apr 19, 2017 8:05 UTC (Wed)
by madhatter (subscriber, #4665)
[Link]
Posted Apr 18, 2017 17:02 UTC (Tue)
by nybble41 (subscriber, #55106)
[Link] (7 responses)
You left out a very important qualifier: > 3. In accordance with this Statute, a person shall be criminally responsible and liable for punishment for a crime within the jurisdiction of the Court if that person: ...
(c) For the purpose of facilitating the commission of such a crime, aids, abets or otherwise assists in its commission or its attempted commission, including providing the means for its commission; [emphasis added] In other words, your intent matters. You only become responsible for a crime under this portion of the statute if your purpose in providing the means for its commission was specifically "facilitating the commission of such a crime". If you are simply offering a tool to the public with no intent to facilitate any crime then you are not responsible for the crimes others may choose to commit using that tool. (Obligatory: IANAL, YMMV, etc.)
Posted Apr 19, 2017 9:52 UTC (Wed)
by nix (subscriber, #2304)
[Link] (6 responses)
But, nonetheless... if a criminal broke into your house to take the kitchen knives so as to murder somebody, you would almost certainly not be prosecuted: your intent in buying these knives was not to supply the criminal, the criminal could have broken into essentially any house -- and frankly these crimes are rare because they rarely bother: they probably have a set of kitchen knives themselves!
(So, by extension, to vitiate this situation, every machine should run a Tor exit node! Downsides: the intermediate state, in which everyone running it accepts the possibility of things like, well, this, happening to them... and damn ISP bandwidth charges.)
Posted Apr 19, 2017 17:12 UTC (Wed)
by zlynx (guest, #2285)
[Link]
And yes, we're surrounded every day by potential weapons.
Posted Apr 20, 2017 22:28 UTC (Thu)
by jschrod (subscriber, #1646)
[Link] (4 responses)
Do you cook? I mean "cook" as in "standing for hours in your kitchen and preparing a menu of several courses", in contrast to "heating something in the micro oven" or "throwing some super-market pasta in boiling water". If yes, how do you do that without a proper set of sharp and pointy knifes?
I'm not a native English speaker, so I don't know some terms. In German, it's called "parieren". Online dicts tell me "to parry" might be a good translation. It means to get rid of the tendons [sinews? fibers?], superfluous fat, and subcutaneous "Silberhaut" [silver skin?] below the skin of an animal or fish. Take a rabbit, or take a leg from some game -- you need to get the silver skin off, otherwise, while cooking, it will turn into stuff (either slimy or chewy) that doesn't fit to your meal. Same if you want to poach a turbot -- better to take of that skin and the subcutaneous fat parts, first. (In my part of the world, most fish is farmed and thus has more fat than wild fishes.) And for parring that stuff, you need the sharp point of a sharp knife, neither skewer nor fork will do. After poking into the meat or the fish, you need to immediatly start to cut, something you can do only if the knife has both a sharp point and a sharp edge.
Best, Joachim
PS: Btw, I belong to the folks how regularly sharpen their kitchen knifes on whetstone. No sharpening steel comes close. As weapons, the edges of my knifes are more dangerous than the points. They simply cut, neither strength nor pressure needed -- as it should be with a good kitchen knife.
PPS: I'm sure there are more appropriate English terms for the stuff that I want to tell you. Blame dict.leo.org for not finding better ones... ;-)
Posted Apr 20, 2017 23:38 UTC (Thu)
by bronson (subscriber, #4806)
[Link]
This discussion reminds me of one of my favorite exercises from C Traps and Pitfalls (the book, not the paper). Something like, "A chef's knife is dangerous and easily misused. Design a knife that corrects this. What are some advantages and drawbacks of your redesigned knife?"
Posted Apr 22, 2017 14:48 UTC (Sat)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted Apr 26, 2017 11:40 UTC (Wed)
by paulj (subscriber, #341)
[Link] (1 responses)
Posted Apr 26, 2017 19:42 UTC (Wed)
by nix (subscriber, #2304)
[Link]
Posted Apr 19, 2017 18:45 UTC (Wed)
by xorbe (guest, #3165)
[Link] (1 responses)
Posted Apr 19, 2017 19:13 UTC (Wed)
by bronson (subscriber, #4806)
[Link]
Posted Apr 18, 2017 17:11 UTC (Tue)
by dfsmith (guest, #20302)
[Link] (1 responses)
You may recall the San Bernardino shooting in 2015. The neighbor gave his weapons to the shooter. The law in the US saw him as having some culpability in the subsequent actions of the shooter.
Had the weapons been stolen from him, then I doubt Marquez would have been prosecuted on that charge. (Unless the weapons were readily accessible, which is a different complaint.)
While the link to this Tor operator is specious (weapons have one purpose whereas knives and Tor have other utilities; knowledge of intent) the law says there is a difference between stolen, given and sold.
Posted May 1, 2017 18:21 UTC (Mon)
by JanC_ (guest, #34940)
[Link]
Also, buying something for someone else, with that other person's money, is not the same as giving something away.
Posted Apr 24, 2017 4:05 UTC (Mon)
by andrey.turkin (guest, #89915)
[Link]
Posted Apr 19, 2017 2:08 UTC (Wed)
by Chipz (guest, #82248)
[Link]
Tor exit node operator arrested in Russia (TorServers.net blog)
GET /20170414/tor-exit-node-operator-arrested-in-russia-a-solidarity-tor-relay-challenge-launched.html HTTP/1.1
Host: blog.torservers.net
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
spend what (little) time remains outside work and (other?) social obligations
for personal fulfillment and gratification. Even when driven by larger concerns
(e.g. helping produce a healthy body of free software), one's time is arguably
better spent on what they enjoy doing, as that normally leads to more work, of
higher quality. Unless there's a critical mass of developers who would maintain
a minimal fork, carrying local modifications and eternally playing catch-up
with upstream is a losing game. That is without taking into account
considerations about ease of deployment and the implausibility of always having
time and motivation to spend on merging with upstream, rebuilding, etc
when some vital fix comes along (time which would normally be spent by your
friendly package maintainer).
even less of an option. Paying someone to maintain local changes forever and
learning what I'm sure seems like a very technical procedure for having your
own copy of a popular program is something few people would be prepared to do
(perhaps rightly so).
the direction and even the minor implementation choices. Let's not pretend
there's an option though. This 'option' is only a theoretical possibility for
professional developers. Consider: every developer probably has 100-odd things
they'd like to be different in the programs they regularly use, yet they have
investigated, coded up and pushed for the inclusion of a patch for, like, five
of those? Closer to two?
own fork is meaningless as a solution. What can and does work is listening to
people and taking their needs into consideration. Yes, the weighing of
conflicting needs is usually done by the developers or their employers, which
tends to bias the process in various ways[0]. This is inescapable. There
is a fundamental assymetry between the role of user and developer. It is
hardly news that the legal status of a piece of free software primarily
empowers developers and entities (or people) with large financial resources.
When it comes to users though, their agency is only preserved in their
interaction with the developers of the software they use. That is, in the
structure and decision-making processes we build around our projects. The
license is not enough.
bypass the certificate check in the presence of HSTS is one that throws user
agency out the window. It is a choice some of us would have made too, and
could easily justify it in terms of second-order effects that are beneficial
for the users. This does not change the fact that the software is working
against the will of the user and is rubbing this in the user's face (that is in
contrast with most UIs which direct the user by omission).
machinery under the control of its users is what free software is about. It is
about control. That control is rightly limited to make for a more useful system
(e.g. access checks, proper implementation of a network protocol etc). Yet
those serve to *enable* the user to communicate. Whereas examples such as
obeying CRDA and refusing to accept a certificate work in the opposite
direction. There is a good argument to be made that this is justified because
of the second order effects. All well and good.
and distribute modifications, so user agency is preserved" does not, in
general, hold water. One can easily think of instances where
user-disempowering choices have been less than justified. If users do not
feel in control of their own system when using free software, then its value
compared to proprietary software is diminished. And that, i.e. less user
adoption and investment, has its own second-order effects too.
to take two cliched cases.
disabling HSTS
disabling HSTS
disabling HSTS
Can I go a bit meta? I'm not sure articles diverging from the open source orthodoxy are a great idea for LWN (but see below).
disabling HSTS
Wol
disabling HSTS
Freedom is being able to make decisions that affect mainly you. Power
is being able to make decisions that affect others more than you. If
we confuse power with freedom, we will fail to uphold real freedom.
-- Richard Stallman
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
disabling HSTS
B) is the other party who he or she claims to be?
disabling HSTS
disabling HSTS
>
> A) is the transport between me and the other party secure? and sometimes
> B) is the other party who he or she claims to be?
>
> For most traffic (where even a verified A isn't particularly trusted), A is the much more important question, and hand-wringing about B has prevented widespread adoption of simple techniques to solve A. Establish a secure channel, and we can then use that to negotiate authenticity.
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Knives à la carte
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
it doesn't make me criminally responsible for your actions.
Except in many jurisdictions and circumstances, providing the means by which a crime takes place is absolutely a crime. For example, the Article 25 of the Rome Statute assigns criminal responsibility to anyone who "... aids, abets or otherwise assists in its commission or its attempted commission, including providing the means for its commission" (my emphasis).
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
> for just as well?
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Do you cook? I mean "cook" as in "standing for hours in your kitchen and preparing a menu of several courses", in contrast to "heating something in the micro oven" or "throwing some super-market pasta in boiling water". If yes, how do you do that without a proper set of sharp and pointy knifes?
Sharpness is essential, but I've never used the point for anything, except to accidentally stab myself in the hand once when the knife slipped.
I'm not a native English speaker, so I don't know some terms. In German, it's called "parieren". Online dicts tell me "to parry" might be a good translation. It means to get rid of the tendons [sinews? fibers?], superfluous fat, and subcutaneous "Silberhaut" [silver skin?] below the skin of an animal or fish.
I just call it defatting (if there's a special word for it, I'm not posh enough to know it), and I don't need a sharp point for that, I just need an end: you hook the end under the tendons and subcutaneous fat and pull upwards to extract it. The end doesn't need to be sharp, and actually being sharp is a negative because it has a tendency to cut the damn tendon rather than pulling it. I'd almost rather have a hook on the end. :)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
https://www.nytimes.com/interactive/2015/12/17/us/documen...
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)
Tor exit node operator arrested in Russia (TorServers.net blog)