Privacy lost...

Thread Starter

cmartinez

Joined Jan 17, 2007
8,762
I agree with you. I'd like to see the Ring data use agreement (explicit or implied by police request) and what the conditions are for when police can seek a search warrant from Ring over the objections of the subscriber. I'd also like to know what legal penalties there are for corporate and governmental misuse.
https://www.cbsnews.com/news/doorbell-cams-raise-privacy-fears-and-concerns-about-bias/


https://theintercept.com/2019/02/14/amazon-ring-police-surveillance/
My next question here would be "what's being nudged on the user?" ... that is, what is being unwittingly consented to when one clicks on the "agree" button of the licence agreement? ... my bet is that the language of said "agreement" is so obscure that maybe the devil himself is one of the (uncredited) witnesses....
 

WBahn

Joined Mar 31, 2012
32,844
If I were the Mayor, I'd never have it otherwise.
If I were the mayor, I'd insist that the city NOT have access without due process.

The articles finally loaded so that I could read them -- and the highly biased tone of them immediately became very readily apparent. It's interesting that they accused Amazon, repeatedly, of fear mongering and using disinformation and yet they engaged in it themselves, repeatedly. Time and time again they stated that police could request footage from homeowners without a warrant, implying that this is somehow different than the current situation and that the homeowner had to give it to them. I found just one place in the three articles where they finally acknowledged that it is only an informal request and the homeowner would have to voluntarily consent to grant them access, but immediately the article emphasized that the police wouldn't need a warrant to ask. Well, here's a bit of news for them -- the police have NEVER had to have a warrant to ask anyone to willingly turn over evidence. If a cop goes to the scene of a crime and notices that I'm standing there filming stuff or that my home or business has a surveillance camera that might have caught something, they can come up to me and ask if I would be willing to give them access to the imagery. They do NOT need any kind of warrant to ask. If I say no, which is my right, THEN they would have to obtain a warrant (which a judge might or might not issue, depending on the specifics) to compel me to turn it over. The exact same thing applies here -- the police can contact the homeowner and ask for access to the Ring data and if the homeowner says no, which is their right, then they have to find a judge willing to issue a warrant if they want to get it.
 

nsaspook

Joined Aug 27, 2009
16,325
https://eprint.iacr.org/2019/383.pdf
We systematically analyze WPA3 and EAP-pwd, find denial-of-service and downgrade attacks, present severe vulnerabilities in all implementations, reveal side-channels that enable offline dictionary attacks, and propose design fixes which are being officially adopted. The WPA3 certification aims to secure home networks, while EAP-pwd is used by certain enterprise Wi-Fi networks to authenticate users. Both use the Dragonfly handshake to provide forward secrecy and resistance to dictionary attacks. In this paper, we systematically evaluate Dragonfly’s security.
...
We also analyze the complexity of using the leaked information to brute-force the password. For instance, bruteforcing a dictionary of size 10^10 requires less than $1 in Amazon EC2 instances.
...
In light of our attacks, we believe that WPA3 does not meet the standards of a modern security protocol. Since EAP-pwd uses a close variant of WPA3’s Dragonfly handshake, it is affected by similar flaws. We believe that a more open design process would have avoided these weaknesses.
...
Finally, although WPA3 and its Dragonfly handshake have their flaws, we still consider it an improvement over WPA2.
 

WBahn

Joined Mar 31, 2012
32,844
It still amazes me how often security-through-obscurity, either in the protocols themselves or in how they are developed, is used by people that damn-well should know better.

I can understand vendors that have no security background falling into the trap of thinking that they can and should roll their own in-house proprietary crypto protocols -- the notion that keeping everything secret can only improve security is an inherently appealing one and the extreme difficulty of designing and implementing good crypto is far from obvious.

But when it is continuously done by people for whom this is part of their profession...?
 

Lumenosity

Joined Mar 1, 2017
614
OTOH......
It is reported (and easily believed) that Communist China has spent significant resources on "watching" over its population. Reportedly, China leads the world in public surveillance cameras and facial recognition software. Not to mention very tight controls over Internet activities.

That known, (and while I certainly don't condone the invasion of privacy), we have a large number of foreigners in the USA at any given time. Many in exchange, sponsorship, visa programs that give them access to sensitive information and resources.

In case of conflict, who would be in the best position to determine the whereabouts of those potentially foreign assets?
And would the nation having the greater capability to know this be at an advantage in time of conflict?
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,762

SamR

Joined Mar 19, 2019
5,491
Should have posted it. Recent report on China's Social Points program and the number of people prevented from buying air or train tickets because of it. Negative point scored for such things as spitting, smoking on the train, buying too many computer games, telephoning someone with too many negative points, buying too much alcohol, too many posts on social media, criticizing the government, etc. etc. etc. Let me also point out as was shown on my thread about a Chinese vendor's post about the tariff war, that the Chinese ARE reading posts about them on this forum and most likely have me in their "black book list".

https://www.theguardian.com/world/2...-could-interfere-in-other-nations-sovereignty
 

SamR

Joined Mar 19, 2019
5,491
I was stunned when the Chinese guy replied to the thread on the China vendors advertising post about the tariffs. It's a little world these days. My youngest daughter spent a year in South Korea teaching English and now does it via Skype as a private tutor and most of her clients are Chinese. So I have to tease her about training Chinese spies.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,762
I found this article extremely interesting, maybe even deserving its own thread. But maybe it's best posting it here, since there are a significant number of people watching this thread already:


... when he observed certain interactions among them, he says, “there was something really weird”: he saw members of the most effective teams tended to eat in groups of 12, while employees from lower-performing teams usually ate in groups of four.
 

SamR

Joined Mar 19, 2019
5,491
Number 1 thing to learn as a Project Manager. Do your job, put the Engineering Package together for bidding, answer questions that arise during construction. BUT *DON'T* "Bird-dog" the construction crew. The bid winner is the boss, not you. Leave them alone and the job will get done in a timely manner. After construction IF there are any deviations from the Engineering Specifications, it will be corrected by the Contractor. That does not preclude bringing any glaring deviations to the Construction Supervisor's attention. But let the men do the job you hired them to do and leave them the hell alone to get it done.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,762
Very interesting story on how the Soviets kidnapped and forced the inventor of the theremin to develop a spying device for them, which was later gifted as a Trojan horse to the US:


The listening device was inside The Thing - and it was ingeniously simple, little more than an antenna attached to a cavity with a silver diaphragm over it, serving as a microphone. There were no batteries or any other source of power. The Thing did not need them.

 

nsaspook

Joined Aug 27, 2009
16,325
Pretty ingenious and totally passive. It modulated an external fundamental RF source sent from a Soviet spy van outside the location to a higher frequency multiple for the transmitted signal.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,762
https://edition-m.cnn.com/2019/09/2...chneier/index.html?r=https://edition.cnn.com/

Even so, these examples illustrate an important point: there's no escaping the technology of inevitable surveillance. You have little choice but to rely on the companies that build your computers and write your software, whether in your smartphones, your 5G wireless infrastructure, or your subway cars. And those systems are so complicated that they can be secretly programmed to operate against your interests.
 

joeyd999

Joined Jun 6, 2011
6,281
I have spent the last week setting up a new email server for my business to replace the one that has been serving me faithfully for the past 15 years (also built by me).

I could save a heck of a lot of time by hosting my email with Google or any other email hosting service.

But I refuse to do so. I simply don't trust any third parties with my confidential data. And I know Google (and many other hosting providers) reads all the mail that goes through their network.

My associates think I'm nuts to expend the time and effort to roll my own, but at least I can see all the traffic that goes through my box, I can personally manage data encryption, and I know that -- if anything ever gets somewhere it ain't supposed to be -- I can only blame myself.

And I do the same with my web and file servers.
 

Thread Starter

cmartinez

Joined Jan 17, 2007
8,762
And what email server software are you using? Or did you write your own code?
 

joeyd999

Joined Jun 6, 2011
6,281
Good solid secure software that I also use for my personal domain. I also run https://www.clamav.net/ to screen emails.
It takes only an hour or two to set up a decent Postfix/Dovecot server. It takes about a week to make it bulletproof. I monitor the logs and write custom filters to weed out the attacks du jour.

Did you know that SSL certs are free, now, through Certbot (courtesy of the EFF)? And there's a certbot app in the Ubuntu distribution that makes provisioning them a cinch. The down-side is you are limited to 50 unique certificates per IP -- per week...
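
One way to build the kind of log filter mentioned in the post above, as an added example that is not joeyd999's own code: it counts failed SMTP AUTH and IMAP/POP3 logins per source address across both Postfix and Dovecot and flags addresses that fail repeatedly within a short window. The log lines are constructed samples; the function names, threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the usual Postfix/Dovecot syslog layout (documentation IPs).
SAMPLE_LOG = """\
Sep 28 09:00:00 mx postfix/smtpd[2001]: warning: unknown[192.0.2.50]: SASL LOGIN authentication failed: authentication failure
Sep 28 09:30:00 mx postfix/smtpd[2044]: warning: unknown[192.0.2.50]: SASL LOGIN authentication failed: authentication failure
Sep 28 10:00:00 mx postfix/smtpd[2090]: warning: unknown[192.0.2.50]: SASL PLAIN authentication failed: authentication failure
Sep 28 10:00:01 mx postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Sep 28 10:00:40 mx postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Sep 28 10:01:30 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 9 secs): user=<info@example.test>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
Sep 28 10:02:00 mx dovecot: imap-login: Login: user=<joe@example.test>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1, TLS
Sep 28 10:03:00 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<joe@example.test>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1
"""

IP = r"(?P<ip>[0-9a-fA-F.:]+)"
POSTFIX_FAIL = re.compile(r"postfix/smtpd\[\d+\]: warning: \S*\[" + IP + r"\]: SASL \S+ authentication failed")
DOVECOT_FAIL = re.compile(r"dovecot: \S+-login: .*auth failed.*\brip=" + IP)

def parse_failures(log_text, year=2019):
    """Return {ip: [datetime, ...]}; each matching log line counts as one failure."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = POSTFIX_FAIL.search(line) or DOVECOT_FAIL.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # Classic syslog timestamps omit the year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        failures[m.group("ip")].append(ts)
    return failures

def offenders(failures, threshold=3, window=timedelta(minutes=5)):
    """IPs with at least `threshold` failures inside any span of length `window`."""
    flagged = []
    for ip, times in failures.items():
        times = sorted(times)
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(offenders(parse_failures(SAMPLE_LOG)))
```

Correlating the two services matters here: 203.0.113.7 would stay under a per-service threshold of three, while 192.0.2.50 fails three times but too slowly to trip the five-minute window.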
 