Author Topic: Hijacking of foss community  (Read 17940 times)

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 9867
  • Debugger - SynEdit - and more
    • wiki
Re: Hijacking of foss community
« Reply #45 on: June 01, 2021, 02:01:46 pm »
Quote
Yes, because once you've got privileged access to the landline infrastructure you know what cell the GSM 'phone is in

Off topic, but (with proper access) within a city you can triangulate the position down to 1 meter (IIRC, definitely less than 3 meters) including altitude in buildings. Outside cities it's less exact.

Joanna

  • Hero Member
  • *****
  • Posts: 760
Re: Hijacking of foss community
« Reply #46 on: June 02, 2021, 04:44:35 am »
Those examples of privilege escalation only serve as proof that there is intent to compromise things not that other bad but more subtle things didn’t slip through. Did they ever identify the person who tried to put bad code into the Linux kernel?

I talked to the guy who had his access to GitHub blocked but it was only his private repository. So I told him they don’t want to miss a chance to get some good free code even if it’s from a sanctioned country!

About encryption I’m sure it works if done properly but it seems like a honeypot in many cases. Send all your things you want nobody to know about using our cryptography  :D

  I’m willing to bet that encryption wouldn’t be allowed at all if it truly kept the government from snooping. If you write your own encryption that they don’t have the keys to you will probably get a visit from the authorities or your messages will be intercepted and stopped. I haven’t tried this experiment myself but I have heard stories from people I know.

Sure there are stories about Apple protecting privacy but we don’t really know if it’s true unless actually in a situation where it would be tested. Saying that they have great encryption and won’t give anyone your data certainly makes for a good marketing strategy for selling high end devices.
Even if your device were to have flawless encryption most people can be tricked or scared into divulging information.

That is an interesting discussion about how police can find the locations of phones yet there are also cases of spoofed phone numbers and police sending the swat team to the wrong address because of prank calls and sometimes killing the people who didn’t call them or have an emergency.
✨ 🙋🏻‍♀️ More Pascal enthusiasts are needed on IRC .. https://libera.chat/guides/ IRC.LIBERA.CHAT  Ports [6667 plaintext ] or [6697 secure] channel #fpc  Please private Message me if you have any questions or need assistance. 💁🏻‍♀️

skalogryz

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2770
    • havefunsoft.com
Re: Hijacking of foss community
« Reply #47 on: June 02, 2021, 06:33:14 am »
just an observation: the forum hijacked Joanna from IRC channels

Joanna

  • Hero Member
  • *****
  • Posts: 760
Re: Hijacking of foss community
« Reply #48 on: June 02, 2021, 09:01:18 am »
More distracted than hijacked....
The IRC channels get too quiet at certain times of day because there are no people in my time zone.
It sure would be nice to have more people in the same time zone as Asia and Australia..
Hint hint..  :)

PascalDragon

  • Hero Member
  • *****
  • Posts: 5481
  • Compiler Developer
Re: Hijacking of foss community
« Reply #49 on: June 02, 2021, 09:03:48 am »
Quote
Following dialogue (110 being the emergency-phone-no of the police in Germany --> 911 for Americans):
Me: "So, that's the Software when i call 110, then you can see where i am, see my phone-no, and the software already starts calculating the best/fastest path to my position?"
He: "Yep!"
Me: "And if i activate 'Don't send location', or if i activate 'suppress phone-no'?"
He just smiled at me, and shook his head: "eh eh.... You can do whatever you want on your smartphone, they know...... We know the protocols...."

Of course that is no problem. If you have an interface to the mobile network providers you can get the cell ID a phone is booked in (and also those close by). Thus you can get a rather good estimate of the location.
And the suppression of the number also happens on the side of the network, not your phone.

Quote
Those examples of privilege escalation only serve as proof that there is intent to compromise things not that other bad but more subtle things didn’t slip through. Did they ever identify the person who tried to put bad code into the Linux kernel?

I don't know about the event back then, but there was one this year by a university who tried that as part of a research project and got themselves banned.

Quote
I’m willing to bet that encryption wouldn’t be allowed at all if it truly kept the government from snooping. If you write your own encryption that they don’t have the keys to you will probably get a visit from the authorities or your messages will be intercepted and stopped. I haven’t tried this experiment myself but I have heard stories from people I know.

You're wrong. Encryption does keep the government from snooping, otherwise e.g. the EU wouldn't work on laws regarding secure messengers like Signal in the name of the fight against child pornography.

MarkMLl

  • Hero Member
  • *****
  • Posts: 6686
Re: Hijacking of foss community
« Reply #50 on: June 02, 2021, 09:20:18 am »
Quote
Those examples of privilege escalation only serve as proof that there is intent to compromise things not that other bad but more subtle things didn’t slip through. Did they ever identify the person who tried to put bad code into the Linux kernel?

In the older case, I believe I said "person unknown" and used a word such as "attempted". And I certainly attempted to make the point that it was detected because manipulation of the repository was noticed, not because of a line-by-line review.

Quote
About encryption I’m sure it works if done properly but it seems like a honeypot in many cases. Send all your things you want nobody to know about using our cryptography  :D

Which is why it's important that implementations should be studied by people who understand the potential problems.

Quote
I’m willing to bet that encryption wouldn’t be allowed at all if it truly kept the government from snooping. If you write your own encryption that they don’t have the keys to you will probably get a visit from the authorities or your messages will be intercepted and stopped. I haven’t tried this experiment myself but I have heard stories from people I know.

You might have noticed that multiple jurisdictions are attempting to get backdoored encryption adopted. As I've said, I think the preferable solution is for strong cryptography to be allowed but only between endpoints in the same jurisdiction, so if you want- for example- to move a large amount of money between countries it has to go via two banks. And I've already remarked that yes, if you try to use an unsanctioned algorithm or send an encrypted or coded message to an endpoint outside the jurisdiction then you'll have somebody hammering on your door. It's not good, but most of the alternatives are worse.

Quote
That is an interesting discussion about how police can find the locations of phones yet there are also cases of spoofed phone numbers and police sending the swat team to the wrong address because of prank calls and sometimes killing the people who didn’t call them or have an emergency.

Yes, but there's "police" and "police". "Police" are there for rapid response, and don't necessarily have the time or the ability to mine the infrastructure. "Security Services" have both time and ability and it's part of their job, BUT they need to be supervised properly... don't ask for my opinion of most politicians.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

Zvoni

  • Hero Member
  • *****
  • Posts: 2327
Re: Hijacking of foss community
« Reply #51 on: June 02, 2021, 09:32:01 am »
Quote
Following dialogue (110 being the emergency-phone-no of the police in Germany --> 911 for Americans):
Me: "So, that's the Software when i call 110, then you can see where i am, see my phone-no, and the software already starts calculating the best/fastest path to my position?"
He: "Yep!"
Me: "And if i activate 'Don't send location', or if i activate 'suppress phone-no'?"
He just smiled at me, and shook his head: "eh eh.... You can do whatever you want on your smartphone, they know...... We know the protocols...."

Of course that is no problem. If you have an interface to the mobile network providers you can get the cell ID a phone is booked in (and also those close by). Thus you can get a rather good estimate of the location.
And the suppression of the number also happens on the side of the network, not your phone.

PD, of course it's not a problem if you have access to the Interface.
I wanted to point out "perceived" vs. "real" privacy of the "Standard"-User

I remember being on a business-trip to China (Shanghai), where i was booked into a first-class hotel (paid by the company).
Color me surprised when i saw a sign above the reception-desk: "We accept WeChat-Payment" (followed by a phone-number) --> For those who don't know: WeChat is a messenger like WhatsApp, but with a lot more functions (digital wallet and what not)

I asked my boss if they are for real, since i am/we are pretty sure that the Chinese government is reading along with whatever you say/do in WeChat (Backdoor!)
His answer: "So what? As long as you don't make a donation to "Free Tibet" what can happen to you?"

I agree with Mark regarding backdoors, that as long as it is used for the proper purpose and under correct supervision and jurisdiction, the "Standard"-user shouldn't have a problem with it.

Currently, there is another discussion here on the forum i'm of two minds about it: Allowing/installing a Sub-Forum for arab speaking/writing Users.
I won't take odds on bets, if we allow/install that, that we wouldn't get flagged by the American government to keep an eye on us.... (and i know that this is a provocative statement from me!)

EDIT: If i remember correctly (and correct me if i'm wrong!): there was some boolahoo some 20-25 years ago, when Microsoft offered the US-Government a discount for Windows for the US to use Windows on their computers. The Government declined as long as MS didn't provide the source-code for Windows.
From a Government's POV it makes sense to not install/use anything they don't have full control of, on the other hand, if they did get the source-code (as sloppy as it is), they also did get the knowledge where the loopholes/backdoors were/are
« Last Edit: June 02, 2021, 09:38:45 am by Zvoni »
One System to rule them all, One Code to find them,
One IDE to bring them all, and to the Framework bind them,
in the Land of Redmond, where the Windows lie
---------------------------------------------------------------------
Code is like a joke: If you have to explain it, it's bad

MarkMLl

  • Hero Member
  • *****
  • Posts: 6686
Re: Hijacking of foss community
« Reply #52 on: June 02, 2021, 10:21:48 am »
Quote
PD, of course it's not a problem if you have access to the Interface.
I wanted to point out "perceived" vs. "real" privacy of the "Standard"-User

...which has been the issue ever since the "phone phreaking" in the USA (and in the UK, if you know where to look) in the 1960s: once you know the "true name" by which something is identified, you have enormous control... particularly if that obscurity is the only security.

Quote
I agree with Mark regarding backdoors, that as long as it is used for the proper purpose and under correct supervision and jurisdiction, the "Standard"-user shouldn't have a problem with it.

I don't think it's a backdoor issue so much as an endpoint issue. And for all of their complaints about the behaviour of China, the Americans have been pushy about insisting that companies engaged in military contracts have All-American directors etc.

Quote
EDIT: If i remember correctly (and correct me if i'm wrong!): there was some boolahoo some 20-25 years ago, when Microsoft offered the US-Government a discount for Windows for the US to use Windows on their computers. The Government declined as long as MS didn't provide the source-code for Windows.
From a Government's POV it makes sense to not install/use anything they don't have full control of, on the other hand, if they did get the source-code (as sloppy as it is), they also did get the knowledge where the loopholes/backdoors were/are

But in that timeframe a number of universities had the source for research purposes, so the issue was likely to be more a question of "what do you want to do with it" than anything else.

MarkMLl

Joanna

  • Hero Member
  • *****
  • Posts: 760
Re: Hijacking of foss community
« Reply #53 on: June 02, 2021, 11:02:31 am »
Backdoors interfere with what I believe is a fundamental right of property ownership. When I buy something whatever it may be I don’t want other parties having control over it. There is a man named Cory Doctorow who discusses this topic extensively. Your printer should not be allowed to decide that you aren’t allowed to use ink made by companies that don’t gouge you etc.

The example of stopping terrorists and people who exploit children by not letting them have secure messaging is hard to disagree with and definitely triggers some knee jerk emotions ..

But in reality the surveillance is applied to everyone without probable cause and then who knows what will happen to it? Several possible uses include monetization, preventing political dissent, blackmail, “accidentally” losing control of it because of a data breach and having it go who knows where..

The likelihood is high that it will end up in the possession of people who will exploit it to commit fraud or identity theft. Just collecting all possible data on everyone just in case you want something to use against them at some future date does not sound like a good idea.
The only true way to keep data secure is not collect it to begin with in my opinion.

Although I definitely prefer opensource software to closed source I am always a bit skeptical and sometimes worry that everyone expects that someone else is auditing it. I am not sure how feasible it is to audit already approved code just in case.

There is a good chance that this forum is already being data mined guessing from the number of views versus the number of people talking

MarkMLl

  • Hero Member
  • *****
  • Posts: 6686
Re: Hijacking of foss community
« Reply #54 on: June 02, 2021, 11:25:47 am »
Quote
Backdoors interfere with what I believe is a fundamental right of property ownership.

Communication is not property. To employ the sort of glib argument beloved by Cory Doctorow, "free speech" and "free beer" are distinct.

Quote
When I buy something whatever it may be I don’t want other parties having control over it. There is a man named Cory Doctorow who discusses this topic extensively. Your printer should not be allowed to decide that you aren’t allowed to use ink made by companies that don’t gouge you etc.

In which case you should read the small print very carefully before each purchase, and make sure that your jurisdiction prevents companies rewriting the contract that they consider binds you on the fly.

Quote
But in reality the surveillance is applied to everyone without probable cause and then who knows what will happen to it? Several possible uses include monetization, preventing political dissent, blackmail, “accidentally” losing control of it because of a data breach and having it go who knows where..

Which is why the legislators and administrators within a jurisdiction need to be kept on a tight leash.

Quote
The likelihood is high that it will end up in the possession of people who will exploit it to commit fraud or identity theft. Just collecting all possible data on everyone just in case you want something to use against them at some future date does not sound like a good idea.

And speaking personally, I'd prefer that such things were handled by a well-regulated infrastructure rather than by some quango pushing a monitoring app onto my 'phone.

MarkMLl

Joanna

  • Hero Member
  • *****
  • Posts: 760
Re: Hijacking of foss community
« Reply #55 on: June 02, 2021, 12:36:30 pm »
I don’t know about communication not being “property”. It is most certainly intellectual property or should be.

My communications intended to be private should not be shared with third parties no matter how much they feel entitled to be nosy. I don’t speak for everyone of course. There are plenty of people who willingly put hackable cameras connected to the Internet into their homes for the enjoyment of voyeurs.

My computer is certainly my property and I do not knowingly consent to have back doors of any sort put on it. Any policies that deviate from this principle are fundamentally just wrong.
Consumers should not have to navigate through many pages of fine print written in legalese that puts the blame on them for consenting.

I was listening to a video where Edward Snowden was talking about how people are manipulated into consenting to things they shouldn’t consent to and it ended with him saying I will not press ok to continue. I found it pretty profound because most people really don’t consider the long term consequences of their actions they just do what is most expedient in the short term.

Well regulated infrastructure sounds great but that depends upon the intentions of those regulating it. People in charge don’t always care about the best interests of those that they rule if history serves as any precedent.

I can’t imagine how legislators could be kept on a “short leash” when there is a revolving door between government officials and the personnel of the industries that they are supposedly regulating.

Another thing I should mention is this trend of insecure operating systems that allow computers to be controlled remotely by people that their owners didn’t intend can have serious consequences especially with large dangerous things connected to the internet like dams and power plants as well as facilitating ransomware attacks.
« Last Edit: June 02, 2021, 12:54:57 pm by Joanna »

PascalDragon

  • Hero Member
  • *****
  • Posts: 5481
  • Compiler Developer
Re: Hijacking of foss community
« Reply #56 on: June 02, 2021, 01:28:01 pm »
Quote
Currently, there is another discussion here on the forum i'm of two minds about it: Allowing/installing a Sub-Forum for arab speaking/writing Users.
I won't take odds on bets, if we allow/install that, that we wouldn't get flagged by american government to keep an eye on us.... (and i know that this is a provocative statement from me!)

We core developers of both FPC and Lazarus are Europe-centric. We honestly don't care what the US thinks about other countries. Also we already have a Russian section, so an Arabic one can't be worse considering the general attitude regarding Russia...

lucamar

  • Hero Member
  • *****
  • Posts: 4219
Re: Hijacking of foss community
« Reply #57 on: June 02, 2021, 01:50:25 pm »
Quote
Also we already have a Russian section, so an Arabic one can't be worse considering the general attitude regarding Russia...

And afterwards we could open a Chinese one, to complete the triumvirate 8)

Frankly speaking, *not* opening an Arabic section (or a Swahili one, for that matter) just because of what someone in the USA might think ... that would really be "hijacking the community". And completely defeating the purpose of this forum.
Turbo Pascal 3 CP/M - Amstrad PCW 8256 (512 KB !!!) :P
Lazarus/FPC 2.0.8/3.0.4 & 2.0.12/3.2.0 - 32/64 bits on:
(K|L|X)Ubuntu 12..18, Windows XP, 7, 10 and various DOSes.

dbannon

  • Hero Member
  • *****
  • Posts: 2794
    • tomboy-ng, a rewrite of the classic Tomboy
Re: Hijacking of foss community
« Reply #58 on: June 02, 2021, 01:57:55 pm »
> Frankly speaking, *not* opening an Arabic section (or a Swahili one, for that matter) just because of what someone in the USA might think ... that would really be "hijacking the community". And completely defeating the purpose of this forum

Well said !

Davo
Lazarus 3, Linux (and reluctantly Win10/11, OSX Monterey)
My Project - https://github.com/tomboy-notes/tomboy-ng and my github - https://github.com/davidbannon

Kays

  • Hero Member
  • *****
  • Posts: 575
  • Whasup!?
    • KaiBurghardt.de
Re: Hijacking of foss community
« Reply #59 on: June 02, 2021, 02:08:13 pm »
Quote
[…]
Me: "And if i activate 'Don't send location', or if i activate 'suppress phone-no'?"
He just smiled at me, and shook his head: "eh eh.... You can do whatever you want on your smartphone, they know...... We know the protocols...."
[…] And the suppression of the number also happens on the side of the network, not your phone.

Also, in Germany it’s illegal (for phone carriers) to implement effective suppression of your number when calling the emergency services, § 102 (8) TKG, or facilitate suppression of position data, § 98 (3) TKG. Public (pay)phones even have to ensure their number and position are transmitted in any case, § 108 (1) 3 TKG.
Yours Sincerely
Kai Burghardt

 
