secalex
Joined 2,505 karma

  1. Gmail is an Electronic Communication Service as defined in 18 U.S.C. § 2510, meaning its contents are protected under the Stored Communications Act (18 U.S.C. Chapter 121 §§ 2701–2713).

    Communications with an AI system do not involve a human so are not protected by ECPA or the SCA and get less protection. This is controversial and some people have called on ECPA/SCA to be extended to cover AI services. That means a warrant would be necessary to get your OpenAI history, not just a subpoena.

  2. Um, Windows 11 still hasn’t moved all the necessary utilities and administrative panels over to the windowing toolkit Microsoft introduced in 2012, and MacOS 26(??) is… hideous.
  3. Thomas is one of the pickier, crankier, least faddish technologists I've ever met. If he has gone fanboy that holds a lot of weight with me.
  4. Depending on what he actually did to enumerate that database and whether he downloaded all that PII I think changes the risk profile.
  5. IANAL and this is not legal advice, but you are probably fine reverse engineering a mobile app and intercepting your own network traffic. He was doing ok until he started enumerating IDs in their database, at which point he started venturing into the territory that got weev 3.5 yrs.

    https://www.wired.com/2013/03/att-hacker-gets-3-years/

    I am not endorsing this interpretation of the CFAA, but this kid needs a lawyer.

  6. Agreed. I've been doing this for 25+ years and personally know a dozen people who have been threatened and several who have been sued or faced potential prosecution for legitimate security research. I've experienced both situations!

    That doesn't make it right, and the treatment of the researcher here was completely inappropriate, but telling young researchers to just go full disclosure without being careful about documentation, legal advice and staying within the various legal lines is itself irresponsible.

  7. The CEO is sanctioned, which makes dealing with the company complicated.

    https://sanctionssearch.ofac.treas.gov/Details.aspx?id=34596

  8. They aren't talking about general-purpose datacenters, but satellite uplink stations. These new constellations of low-Earth orbit (LEO) internet satellites (like Starlink) can network with each other but eventually need to downlink into a big terrestrial dish where the traffic meets a fiber backbone. Its position in the southern hemisphere, middle of the Atlantic and political stability (still part of keeping the sun from setting on the British Empire) would make this an interesting place for downlink stations.

    Not a ton of jobs, but some CapEx for construction and probably a couple dozen people year-round.

  9. A regression means that PhotoDNA scanning was working, and then stopped working correctly. This happened in the last several months, well after Mr. Musk's takeover.

    I think it is good that they fixed it. That is why we directly reached out to them to help address the issue before we published. I think it is bad that they cut off our API access and are threatening academic researchers with lawsuits.

  10. We use Microsoft's PhotoDNA scanning service on all images we intake for research, which has access to hash banks collected by NCMEC, a government-sponsored clearinghouse on child exploitation, and the Tech Coalition, the private group coordinating child safety work between major platforms.

    https://www.microsoft.com/en-us/PhotoDNA/Default

    https://www.technologycoalition.org/

  11. This is an incorrect reading of our report. Twitter has scanned for CSAM using PhotoDNA for years, and is an early member of the Tech Coalition of companies working on this issue.

    What we discovered is that, since Musk's takeover, Twitter's CSAM scanning failed and was not noticed by Twitter. They fixed it several weeks after we notified them, and then shut off our API access to prevent further research.

  12. Hi, I'm one of the authors of the report. You have pretty significantly misread it.

    > You might as well say, "Private unmonitored housing and properties implicitly allow the trading of CSAM."

    The issue with Telegram is that they explicitly disallow the posting of "illegal pornography" on public channels, but not privately. We are not calling for any additional monitoring, but private Telegram groups (which are not E2EE, btw) turn out to be a centerpiece of the commercialization of online child sexual abuse.

    > Going to ban cash then too?

    Nope. The paper makes no recommendations around banning gift card platforms, but we do think they might want to take steps when teenagers are publicly linking to their payment wallets next to a price list that includes bestiality videos or content created when the child was pre-pubescent.

    > This article is shallow, ignorant self promotion of their dept. to get more funding. It's almost offensive how they're exploiting children's safety for this purpose.

    Thanks for reading!

  13. Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should.
  14. I can still hear the clunk of the relay switching over to 3D (versus 2D pass-thru) when booting Wing Commander.
  15. To nitpick the nitpick, Stanford actually is held to some Constitutional standards, thanks to California's Leonard Law, which requires private universities to provide the same free speech protections as public universities. It does not incorporate the 6th Amendment, but to the extent that this system can be used to suppress constitutionally protected speech acts it could run afoul of California's specific requirements.

    The law: https://web.archive.org/web/20090430235943/http://www.leginf...

    Some analysis: https://academeblog.org/2020/06/27/stanford-and-the-legacy-o...

  16. The advertising ASN does not share any upstream peers. So it might not be a hijack, but it is an interesting event and could be related to the conflict.

    Untangling ISPs that have operated in both countries or with subsidiaries is going to get messy while infrastructure is also getting destroyed.

  17. "Paw Patrol Explainers Considered Harmful"

    In this thread, I will deconstruct... (1/49)

  18. You can contribute to our attempts to find the bad router card here: https://twitter.com/alexstamos/status/1336099461622157312

    Almost certainly 12.242.117.22

  19. What would you know about production networking, Jeremy?

    I'm in the same boat. If the dozens of IT pros who are complaining about this can't get AT&T to swap out a single router card, what hope do most folks have?

  20. It's called scalable video coding. The source sends multiple streams of packets depending on their upstream, and the more streams you get the higher quality the resulting video. Each client can tell the server which streams they want to subscribe to, which are then picked apart and multiplexed per the needs of each receiving client.
  21. The default mode is not E2EE. The same key is used by all participants and is distributed by Zoom's servers. In this mode, all features are available, including the ones that require a cloud service (like 1-800 number support).

    If a meeting is set to E2EE, then a bunch of features are turned off and the keys come from the host* and are sent to the other attendees enveloped with their public keys. Zoom's infrastructure never sees the keys, only the encrypted content packets that are relayed to all the participants.

  22. Zoom's real-time adjustments of codecs happen on the sending clients and not in the cloud, so E2E doesn't impact quality.
  23. In both the "normal" case and in situations where end-to-end encryption is enabled, the audio and visual streams are individually encrypted with AES-GCM-256 using a key derived from a shared per-meeting key. The difference is that in the normal case, the per-meeting key is stable for the entire meeting and is available to Zoom (as is needed for POTS bridge, cloud recordings, etc...). When the meeting is E2EE, the key is generated by the host, distributed to the other attendees, and rotated as the meeting participants change.

    Details: https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom...

  24. You can configure U2F+Code Generator+Backup Codes and end up with no reliance on the security of SMS for either authentication or account recovery.
  25. Firefox will be supported after they land support in release builds.

This user hasn’t submitted anything.
