
85 comments


back up again (5, Informative)

Trepidity (597) | about a year ago | (#43510729)

StackExchange appears to have put the question back up [stackexchange.com], but removed from it the screenshots which the DMCA takedown demand claimed constituted copyright infringement.

The screenshots should be a pretty solid fair-use case, though, so even that part of the takedown demand is groundless.

Re:back up again (5, Insightful)

TemperedAlchemist (2045966) | about a year ago | (#43510895)

There needs to be heavy punitive measures against this sort of thing.

Re:back up again (5, Interesting)

Jeremiah Cornelius (137) | about a year ago | (#43511033)

There is no copyright "right" that is any equal to Human and Civil rights - including those of free speech.

There are two broad categories I like to use in describing laws and their application. Oppressive and Protective.

Oppressive law is mandated for the establishment and defence of Power.

Protective law seeks the institution and restoration of Justice.

DMCA is a prime example of oppressive law - and how tricky this distinction can be, as it masquerades itself as a measure for the protection of some natural right. In this case, the "rights" protected are - of course - merely a concession managed by the state, enacted through legislation and constitution.

Copyright in Universal Declaration of Human Rights (1)

tepples (727027) | about a year ago | (#43511573)

There is no copyright "right" that is any equal to Human and Civil rights - including those of free speech.

What document establishes the existence of "Human and Civil rights - including those of free speech" in more than one country? The Universal Declaration of Human Rights [un.org], for example, mentions freedom of expression in article 19 but mentions copyright in article 27(2).

Re:Copyright in Universal Declaration of Human Rig (0)

Anonymous Coward | about a year ago | (#43512799)

1. Funny, how you conveniently omitted, that the paragraph right in front of that states the exact opposite: "(1) Everyone has the right freely to participate in the cultural life of the community, to enjoy the arts and to share in scientific advancement and its benefits."
2. This complete self-contradiction is yet another one of the many things that make this declaration such a ridiculous joke that nobody gives a shit about. How could you possibly follow that contradict themselves

3. This is NOT EVEN related to copyright! It talks about author's rights! You are aware that "copyright" is a DISTRIBUTOR's right, right? NOT an author's right! Not even remotely! It is actually the closest you can get to the opposite of an artist's right!

4. It also is solely a concept of ENGLISH-SPEAKING countries.
Germany has a completely different system! (Even though it appears many morons in the government and most citizens have been brainwashed into not knowing that anymore.)
Germany has Urheberrecht, which IS an author's right. Which is implicit. (This very text is "protected" right now. Without any need to state so explicitly.) And which you cannot sign away, no matter what you do, and no matter how much utterly retarded moron you and the criminal cokehead pieces of shit oppressing you want that!

6. What he was trying to say, is that
-- there are laws that say you can't harm somebody (No, the laws "protect" nobody! They are just a piece of paper. It's the people obeying it that protect people!)
-- and there are laws that say somebody can harm you!
And copyright is such a law that is there to make it legal for people to harm other people! It protects from no harm or loss whatsoever! (Lack of guaranteed profit is not "loss"! A copy is not harm! Especially not of something that is publicly available in literally infinite abundance. Nothing is lost! Geez, why do I even have to explain this to UTTER MORONS LIKE YOU??)
7. So in all those places I, of course, use the term "right" loosely, since it is a harmful oppressive law, just as he stated and as I explained above.

So how about, when you don’t know shit, you keep your retarded mouth shut?
Noo... of course not. Since of course, you are by definition too fuckin. retarded for that!

Re:Copyright in Universal Declaration of Human Rig (0)

Anonymous Coward | about a year ago | (#43514013)

Fuck that,
Copyright laws are important. If I make a software, I WANT all the users to pay me for my creation. If you don't use it don't pay, make it yourself, it will only take you 20 weeks of coding. But if I made it, I should be paid by all the users. PERIOD. I don't care that it's bits and they could be copied easily. I have the moral right to decide who can use what I made.

Re:Copyright in Universal Declaration of Human Rig (2)

Ash Vince (602485) | about a year ago | (#43514335)

Fuck that,
Copyright laws are important. If I make a software, I WANT all the users to pay me for my creation. If you don't use it don't pay, make it yourself, it will only take you 20 weeks of coding. But if I made it, I should be paid by all the users. PERIOD. I don't care that it's bits and they could be copied easily. I have the moral right to decide who can use what I made.

You are clearly an evil capitalist or a sock puppet for MPAA / RIAA / some other content conglomerate. There are no real people who believe in copyright law being applied to bits and bytes, especially not people who develop software since we are all communist hippies who think everything should be free.

Of course I actually agree with you though even though you may well be a troll :)

Re:Copyright in Universal Declaration of Human Rig (0)

Anonymous Coward | about a year ago | (#43514527)

No troll,
just an independent iOS developer trying to make a living on the appstore...

Oops. (1)

gottabeme (590848) | about a year ago | (#43515299)

Adam Savage: "Well there's your problem!"

Re: Oops. (0)

Anonymous Coward | about a year ago | (#43519505)

got em.

Re:Copyright in Universal Declaration of Human Rig (1)

Ash Vince (602485) | about a year ago | (#43523521)

No troll,
just an independent iOS developer trying to make a living on the appstore...

Good luck with that

Nonliteral copying (1)

tepples (727027) | about a year ago | (#43516473)

If you don't use it don't pay, make it yourself, it will only take you 20 weeks of coding.

George Harrison tried making music himself, and Bright Tunes Music still sued and won. Xio Software tried making software itself, and The Tetris Company still sued and won.

Re:Copyright in Universal Declaration of Human Rig (3, Insightful)

Jane Q. Public (1010737) | about a year ago | (#43516503)

"Fuck that, Copyright laws are important. If I make a software, I WANT all the users to pay me for my creation."

Copyright laws may be important, but they also need to be reasonable, and they also have to allow for "fair use". Anything else is a genuine crime against society.

A single screen cap out of a video, as part of a discussion about the product, is CLEARLY fair use, by U.S. law.

The problem here isn't the concept of copyright law. The problem here is greedy corporations and abusive laws like the DMCA.

Fair use; exclusive licensing (1)

tepples (727027) | about a year ago | (#43516461)

1. Funny, how you conveniently omitted, that the paragraph right in front of that states the exact opposite: "(1) Everyone has the right freely to participate in the cultural life of the community, to enjoy the arts and to share in scientific advancement and its benefits."
2. This complete self-contradiction is yet another one of the many things that make this declaration such a ridiculous joke that nobody gives a shit about. How could you possibly follow that contradict themselves

I see 27(2) as describing copyright and 27(1) as describing fair use.

This is NOT EVEN related to copyright! It talks about author's rights!

The French word for copyright is droit d'auteur which literally means right of author. It is intended as a culturally neutral way to refer to the concept of exclusive rights reserved to the author.

You are aware that "copyright" is a DISTRIBUTOR's right

The U.S. Constitution specifies that Congress grants exclusive rights "to authors and inventors". Are you referring to works of corporate authorship, or are you referring to standard form contracts in various parts of the publishing industry that require a permanent exclusive license?

Germany has Urheberrecht, which IS an author's right. Which is implicit. (This very text is "protected" right now. Without any need to state so explicitly.)

Likewise, the United States automatically grants copyright to the author of any work that has been fixed in a tangible medium. I am quoting you under fair use, and as the footer of this comment page reminds us ("Comments owned by the poster"), I have copyright on my own words too.

And which you cannot sign away, no matter what you do

Are authors also unable to grant an exclusive license under German law? And who owns the German author's rights in, say, Apple iOS?

retarded [...] cokehead [...] MORONS [...] you don’t know shit [...] retarded [...] retarded

I don't know why I even bother replying.

Re:back up again (1)

AmiMoJo (196126) | about a year ago | (#43514351)

Just to play Devil's advocate I suppose the proponents of the DMCA would argue that it protects their right to property. The fact that it is non-physical property is irrelevant, they still have a right to own and control it.

The mistake is to equate physical property with intellectual property, and even copyright doesn't try to do that in most countries. Still, that is their line and they appear to be sticking to it.

Re:back up again (1)

TemperedAlchemist (2045966) | about a year ago | (#43514485)

You have a right to protect your life too, but that doesn't mean you can go around putting everyone you think is reaching for a gun in a headlock.

Re:back up again (1)

Jeremiah Cornelius (137) | about a year ago | (#43516511)

The fallacy began with the introduction of the spurious concept: "Intellectual Property".

Copyright was introduced in the US with the Constitution in 1789. It was similarly afforded corollary recognition under Napoleon in France, sometime later.

Never were the rights of a trademark holder or author equated with the rights of real property, in these formulations. They were exclusive franchises for limited duration. Shakespeare, Moliere and Charles Brockden Brown are property of the public - a concept that advocates of "Intellectual Property" have so consistently eroded, as to make it nearly anathema. This, not for protection of a creator's rights, but rather to extend into perpetuity their own proprietary franchise for extracting rent [wikipedia.org].

Re:back up again (5, Insightful)

Anonymous Coward | about a year ago | (#43511077)

Well, now everyone knows beyond a shadow of a doubt that "CipherCloud" is insecure, or else they wouldn't have tried to suppress the conversation. Since their whole business is as a security provider...

Re:back up again (0)

Anonymous Coward | about a year ago | (#43515015)

They are selling a fraud.

Re:back up again (1)

Billlagr (931034) | about a year ago | (#43521767)

Stories like this always just astonish me. Surely companies like this would realise by now, that by pulling this kind of stunt, they are essentially slashing their own wrists. Bullying their way into a legitimate discussion about their product by making questionable demands that screencaps be taken down just a) raises suspicion about the quality of their product, b) generates a lot of negative publicity and c) turns the very people that their product is targeted at against them! Streisand effect FTW

Re:back up again (0)

Anonymous Coward | about a year ago | (#43511269)

quite simple IMO, for false cases, impose the penalty that the accuser had wanted (if the accused refused to comply) on the accuser itself

Re:back up again (0)

Anonymous Coward | about a year ago | (#43513383)

There needs to be heavy punitive measures against this sort of thing.

Seeing as how they've just been slashdotted in a pretty negative light, heavy punitive measures may already be in effect. They're in a highly competitive space, and "invoked the DMCA" doesn't tend to move a company in the right direction in the minds of most nerds when they are looking at a list of possibilities and trying to decide which one to go with.

Re:back up again (1)

gnasher719 (869701) | about a year ago | (#43513693)

There needs to be heavy punitive measures against this sort of thing

Please explain why. There is a law in place that gives websites free harbour, while giving copyright holders a way to take down copyrighted materials that they own. And you say there should be heavy punitive measures against using your legal rights? If you put the material up then you can inform the website that you are not committing copyright infringement. Should there be heavy punitive measures against that as well?

Re:back up again (0)

Anonymous Coward | about a year ago | (#43513759)

Please take a moment to learn about such concepts as "fair use", "suppression of free speech" and how law is not always perfect and "using your legal rights" does not mean you're not doing anything wrong.

Re:back up again (3, Interesting)

analyst-cz (1386075) | about a year ago | (#43513929)

Being a freelance data security consultant myself, seeing any (regardless of whether law-aligned or law-breaking) attempt to suppress discussion about security of some product/company initiated by producing/that company, it marks it as heavily suspect. This has nothing to do with the legality of the suppression act, rather with the suppression attempt itself.

Adding CipherCloud on blacklist of non-recommended products/companies for my clients. Point. Issue closed at....

Re:back up again (0)

Anonymous Coward | about a year ago | (#43515331)

The argument isn't against takedown notices, it's against takedown notices issued when there has in fact been no infringement. If you issue a takedown notice to my ISP for something I created myself, hell yes you should go to jail. The same should go for fair use; if you use copyright to abuse people, there should be a penalty.

Re:back up again (1)

Stolpskott (2422670) | about a year ago | (#43514101)

There needs to be heavy punitive measures against this sort of thing.

There ARE punitive measures against this sort of thing - they were added to counter concerns that content rights-holders would abuse the DMCA for just this sort of purpose.
Putting it in simple terms, the problem is that the person/organisation receiving the DMCA takedown has to (a) file an appeal against the takedown, and then in order for the punitive measures to kick in, they have to (b) prove that the organisation issuing the DMCA notice did so maliciously, knowing that they had no right to demand take-down of the subject material.
In other words, to avoid the punishment for falsely sending out DMCA notices, all the sender has to do is say "doh, silly me... sorry - I had no idea that I was not allowed to do that..."

Re:back up again (0)

Anonymous Coward | about a year ago | (#43514825)

What sort of thing? The posting of information or the attack on people for posting of information?

...characterized as abusive... (5, Insightful)

fustakrakich (1673220) | about a year ago | (#43510759)

There is no other way to characterize the DMCA. It was no accident.

Re:...characterized as abusive... (1)

Anonymous Coward | about a year ago | (#43510825)

DMCA is very useful for GPL enforcement!

Re:...characterized as abusive... (2)

Jeremiah Cornelius (137) | about a year ago | (#43511041)

Are we this deep into a Slashdot thread, without ONE joke being made about "Homomorphic" Encryption?

Sheesh!

Re:...characterized as abusive... (3, Insightful)

fustakrakich (1673220) | about a year ago | (#43511305)

That would imply reading the article. But at least now I can understand the nature of the takedown.

Why, it looks like young men playing leapfrog.

Re:...characterized as abusive... (1)

egcagrac0 (1410377) | about a year ago | (#43514041)

Ordinarily, I'd be all like "Aren't there any girls?" but then I remembered where I am.

You can't spell "abusive government" without a D (-1)

Anonymous Coward | about a year ago | (#43512423)

Guess which political party the MAFIAA bought [opensecrets.org] in order to get the DMCA passed?

Yeah, the party that LOVES more and more government.

The very same party that by some crazy-ass "logic" thinks that the same government that runs the TSA should run health care for everyone.

Imagine that.

(How the hell can the Slashtards who rail against rampant government incompetence when the TSA is involved or when the Patriot Act or warrantless wiretaps are mentioned suddenly love handing over 1/6 of the economy and control of their health care decisions to the same bureaucrats? IT'S THE SAME OVERWEENING INCOMPETENT GOVERNMENT YOU FUCKING MORONS! IT ISN'T GOING TO MAKE ANYTHING BETTER BECAUSE IT NEVER HAS!)

Re:You can't spell "abusive government" without a (1)

Ash Vince (602485) | about a year ago | (#43514463)

Guess which political party the MAFIAA bought [opensecrets.org] in order to get the DMCA passed?

Yeah, the party that LOVES more and more government.

The very same party that by some crazy-ass "logic" thinks that the same government that runs the TSA should run health care for everyone.

Imagine that.

(How the hell can the Slashtards who rail against rampant government incompetence when the TSA is involved or when the Patriot Act or warrantless wiretaps are mentioned suddenly love handing over 1/6 of the economy and control of their health care decisions to the same bureaucrats? IT'S THE SAME OVERWEENING INCOMPETENT GOVERNMENT YOU FUCKING MORONS! IT ISN'T GOING TO MAKE ANYTHING BETTER BECAUSE IT NEVER HAS!)

It was passed unanimously which means some republicans voted for it too. This is especially true since they controlled the senate and the house of representatives in 1996 when it passed. http://en.wikipedia.org/wiki/Republican_Revolution [wikipedia.org]

If the GOP gave two shits about the DMCA they have had ample opportunities to change it since. They haven't because they don't give a shit. Maybe the only reason for the vast payments to the Democratic party that year is simply because they needed more buying off, the republicans were on side already.

Abusive DMCA (-1, Redundant)

Anonymous Coward | about a year ago | (#43510769)

The DMCA itself is abusive in every aspect. Stands to reason any DMCA takedown request could be characterized as abusive.

Abusive DMCA (0, Redundant)

Anonymous Coward | about a year ago | (#43510781)

The DMCA itself is abusive in every way. It stands to reason that any DMCA takedown "request" would be characterized as abusive.

We know how good CipherCloud is (5, Interesting)

Anonymous Coward | about a year ago | (#43510791)

If you have to go to such extremes to cover up what people are saying about your product, your product must really suck.

Re:We know how good CipherCloud is (2)

Stirling Newberry (848268) | about a year ago | (#43510881)

closer to "must be unsafe at any speed."

Re:We know how good CipherCloud is (0)

Anonymous Coward | about a year ago | (#43511481)

...so you're saying that safety does or does not depend on how fast the product is sucking?

Re:We know how good CipherCloud is (0)

Anonymous Coward | about a year ago | (#43512769)

What if the product goes from suck to blow?

Streisand effect, anyone? (5, Insightful)

bakuun (976228) | about a year ago | (#43510821)

Now I know to stay well clear of anything that has to do with Ciphercloud. I certainly wouldn't have seen the Stack exchange discussion (much less the fact that Ciphercloud feels that cryptanalysis is bad for them) if they didn't do what they did, though. Thanks, Ciphercloud!

Re:Streisand effect, anyone? (4, Funny)

Anonymous Coward | about a year ago | (#43511137)

It is generally sound practice to stay clear of anything that has the word "Cloud" in the name.

Cloud Strife, Dark Cloud, SoundCloud (3, Funny)

tepples (727027) | about a year ago | (#43511607)

It is generally sound practice to stay clear of anything that has the word "Cloud" in the name.

So would Final Fantasy VII characters [wikipedia.org], PS2 games [wikipedia.org], and replacements for the old MP3.com [wikipedia.org] be part of your "generally" or part of the exception?

Re:Cloud Strife, Dark Cloud, SoundCloud (0)

Anonymous Coward | about a year ago | (#43511663)

I don't know anything about the latter two, but regarding Cloud Strife, yes.

Busted Wide Open as Shit in the Comments (5, Informative)

Khyber (864651) | about a year ago | (#43510867)

One guy comes right in with an answer that pretty much blows CC's false BS claims out of the water.

That's why the DMCA was invoked, to hide their criminal lying. That's why the images were removed, because all it took was a look at the images to figure out their bullshit.

I wonder how their customers would react... (0)

Anonymous Coward | about a year ago | (#43512377)

Now that CipherCloud is exposed, I wonder how their clients would react.
There are some real companies on that list, if they haven't lied about those as well, then there are a few companies that need to seriously question their decision making process (which obviously did not include a real security evaluation).
I'd be surprised if these customers would stay on board after being manipulated and misled.

Obscurity (0)

Anonymous Coward | about a year ago | (#43510879)

Classic example of trying to convince someone that obscurity is security... Strength of encryption is in algorithm used and keys used to encrypt things. Since pretty much all usable and reasonably secure algorithms are patented and therefore public knowledge already, I really don't understand this DMCA takedown crap..

Security credibility DEPENDS on peer review (5, Insightful)

Opportunist (166417) | about a year ago | (#43510921)

The question whether something promoted as "secure" actually is depends highly on exactly this: Someone coming and trying to break it. It's not like any other software product you use, where you, the user, can easily tell whether it does its job or not. You use some word processing software, you can instantly check whether it does what YOU want it to do (even if it happens to fail in some other department, you'll easily be able to tell whether it does what YOU want). You use some game, you can easily tell whether it gives you what you wanted in it.

Security software ... not quite. Whether it delivers what it promises isn't something you can check as the average user. Because, as the average user, you don't "use" it. Even as the person responsible for security in a company, you hardly have the time nor necessarily the knowledge to test it thoroughly. And before someone pipes in with "but if you can't break through bad security, you fail at your job", be aware that the job description for CISO hardly includes doing pen tests. If anything, you order them from companies who have the time and money to keep current with security issues.

So the question whether a product is good or snake oil highly depends on peer review, on people going out and hammering it. If you now go out of your way to keep people from just doing that, well, how should I judge such a move? This is much like a scientist publishing a breakthrough in anti-gravity, while at the same time forbidding everyone to attempt to reproduce his results.

That's about as much credibility as is left after such a move.

Re:Security credibility DEPENDS on peer review (5, Insightful)

Takatata (2864109) | about a year ago | (#43511157)

100% agreement. That's on user side. I am a freelancing software developer. The only project offers I strictly refuse are projects which involve cryptographic tasks. I just can't deliver. I am self-taught and did learning on the job in many projects. When I get the task to put a rotating green cube on the screen, I know the job is done when I see a rotating green cube on the screen. Even if I never did any 3D graphics before. Cryptographics? In a few hours I could conjure up cryptographic algorithms, which encrypt text in a way I could not decrypt myself in a 1000 years. Too bad I can never be sure that a cryptographic expert could read my encryption almost like plain text. Odds are that exactly something like that would happen.

Re:Security credibility DEPENDS on peer review (3, Interesting)

Opportunist (166417) | about a year ago | (#43511299)

Allow me to let you in on a secret: A good portion of people writing "security" software don't really understand it either. You can tell when you review it. There is a fair lot of cargo cult programming going on, coupled with the use of libraries without first reviewing them or understanding their inner working or at least knowing to what degree it is self-sealing or how far you have to sanitize the input. This by itself is not yet a huge problem, as long as the libraries themselves work flawlessly, they are well and completely documented (and that documentation actually gets read) and they are being used correctly. And those things are more often than not a real problem.

Now couple this with programmers using a lot of copy/pasting to get their programs written, often from rather dubious and not reviewed sources (you know the kind, where self proclaimed experts exchange their ideas what programming is like...), possibly copying snippets that were by no means MEANT to be secure or sanitized, and I guess I needn't go into detail.

Re:Security credibility DEPENDS on peer review (3, Insightful)

Takatata (2864109) | about a year ago | (#43511319)

Allow me to let you in on a secret: A good portion of people writing "security" software don't really understand it either. [...]

I know. But I don't have to add to bad software. And as a self-taught freelancer I have to be a little bit more aware of my reputation. Taking a cryptography-related task would be a lose/lose situation for everyone.

Re:Security credibility DEPENDS on peer review (1)

psych0sis (1459509) | about a year ago | (#43520497)

Thank you for being responsible, and knowing your limits as a software author. We *don't* need more bad code in the world.

Slight nuance (4, Interesting)

Anonymous Coward | about a year ago | (#43511333)

Cryptographics? In a few hours I could conjure up cryptographic algorithms, which encrypt text in a way I could not decrypt myself in a 1000 years. Too bad I can never be sure that a cryptographic expert could read my encryption almost like plain text. Odds are that exactly something like that would happen.

You have a healthy respect for cryptography, and that's good. However, I will point out that many standard crypto algorithms have test suites. If your crypto implementation yields the expected result for all the test cases, then you can be reasonably certain that your implementation is correct rather than having self-canceling bugs on encrypt/decrypt.

However, then you have to ask yourself *why* you are reimplementing a standard crypto algorithm when there are multitudinous well-tested libraries available for such.

Of course, this neglects implementation concerns like timing attacks, improperly secured key material, etc... which one would hope that the standardized, well-tested implementation libraries have already addressed insofar as possible.

Re:Slight nuance (2)

Takatata (2864109) | about a year ago | (#43511473)

Of course, this neglects implementation concerns like timing attacks, improperly secured key material, etc...

Exactly. If it was only calling some functions in a lib, I would not worry much. But there are just too many boundary conditions I simply don't know. Would I be able to learn? Perhaps. Would it pay? Probably not. I'd have to be more alert to changes in security related technologies than I have to be in most other areas. This would only make sense if I totally focus on security and cryptography related stuff. And before I get really high paying jobs I'd have to make a name of myself with this kind of work. Difficult for a freelancer in my position. And for me a bit boring, too. I like to have projects in constantly changing companies and areas.

Re:Slight nuance (1)

Anonymous Coward | about a year ago | (#43511651)

Of course, this neglects implementation concerns like timing attacks, improperly secured key material, etc...

Exactly. If it was only calling some functions in a lib, I would not worry much. But there are just too many boundary conditions I simply don't know. Would I be able to learn? Perhaps. Would it pay? Probably not. I'd have to be more alert to changes in security related technologies than I have to be in most other areas. This would only make sense if I totally focus on security and cryptography related stuff. And before I get really high paying jobs I'd have to make a name of myself with this kind of work. Difficult for a freelancer in my position. And for me a bit boring, too. I like to have projects in constantly changing companies and areas.

You can use library implementations of a cipher, with library methods for handling padding and initialisation vectors, etc, and still be vulnerable e.g. predictable initialisation vectors, block swapping and padding oracle attacks. Cryptography implementations are only a very small part of the problem; you also need to know how to use it appropriately, which modes of operation are appropriate and secure for your use case, etc.

Short of actually training to be a cryptographer, it is best to leave it to someone reputable who makes their living doing exactly that.

Re:Slight nuance (0)

Anonymous Coward | about a year ago | (#43532563)

Look at this discussion of attacking 1Password [hashcat.net] for an example of poor use of a crypto library. The guy from the company behind this keychain tool genuinely wants to make it safe but they have made critical mistakes in their usage that leave it painfully vulnerable. When they get it right I'd consider them but right now they have too much to learn to trust them.

Re:Security credibility DEPENDS on peer review (0)

Anonymous Coward | about a year ago | (#43513427)

Excellent post. Something to consider before you refuse the next encryption project that comes your way is that, like the philosopher who refuses to be king, you have one of the most important qualifications for the task. If ciphercloud had hired you instead of whoever did their implementation, they would almost certainly not be in the pickle that they find themselves in now, because you would have convinced them of the importance of having the implementation be peer-reviewed and reviewable.

Re:Security credibility DEPENDS on peer review (0)

Anonymous Coward | about a year ago | (#43512185)

Completely agree.

However, in ciphercloud's case there's no need for much review. As the comments in StackExchange show, a simple chosen plaintext attack would easily help an attacker to build a dictionary. As they 'encrypt' each word into a single AES block with no salt, this means that you'd be able to read the text outright after injecting 10,000 words or so. Very little work for a short script. No need for any background in cryptanalysis, all you need to crack ciphercloud is some common sense.

I feel sorry for their customers, who paid big money for no protection at all. They should ask for their money back. Actually, if they bought this company's snake-oil without testing it first and evaluating alternatives then they had it coming...

Re:Security credibility DEPENDS on peer review (1)

Opportunist (166417) | about a year ago | (#43514781)

Well, "peer review" isn't limited to reviews by people who know at least as much if not more about a matter as the person being reviewed. But you're right, if someone who has only a passing knowledge in the subject can debunk it as snake oil, something's REALLY wrong.

And before you go all "they had it coming" on those buying into their solution, be aware that the average IT guy in a company is nothing but a manager. Hell, I'm slowly turning into one. I just don't have the time anymore to keep on the "edge" of security development, with lots of other things breathing down my neck I simply can't really spend my days hunting down the latest info about 0day exploits anymore. Though I usually wait 'til the peer reviews are in, there's little I can myself really do when it comes to bludgeoning a system 'til it croaks.

It's kinda sad when you start hiring the company you once worked for 'cause it's not only cheaper than doing it yourself, but more important they are still where they can actually tell between go and no go.

"Per word" encryption + unencrypted punctuation. (1)

girlinatrainingbra (2738457) | about a year ago | (#43512419)

Re:Security credibility DEPENDS on peer review
.
And this review pretty much shows that CipherCloud only performs
-- "per word" encryption into a limited range
-- uses the same separator code-word to delimit each new encrypted word
-- does no encryption on punctuation marks
-- leaves itself wide open to word-frequency attacks

And the image is a very necessary way to show it, though each reader could go to the ciphercloud web site and try it out themselves.
.
Strangely, I can see their point of view of DMCA'ing the use of a complete copyrighted image, but I can also see the "fair use" point of view. At least the commentary and text on stackexchange has been restored. And the utter uselessness of ciphercloud's approach has been Barbra Streisanded [wikipedia.org] out into the open rather than being hidden away in the way they expected the DMCA takedown notice to effect.
.
I don't see how "per word" encryption can be homomorphic, though. Well, any more than applying homomorphic encryption per word. blech.
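Added example, not part of the thread and not CipherCloud's code: a black-box check for the properties the comments above describe (identical plaintext giving identical ciphertext, punctuation left in the clear, word frequencies surviving encryption), of the kind a buyer can run when evaluating a text-encryption product. Both encryptors are constructed stand-ins (a keyed HMAC token per word instead of AES, and a toy nonce-based keystream), and the key and sample sentence are made up.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

KEY = b"constructed-demo-key"          # constructed key, demo only
TOKEN = re.compile(r"\w+|[^\w\s]")      # a word, or one punctuation mark
WORD = re.compile(r"\w+")
SAMPLE = "the cat saw the dog, and the dog ran."  # constructed sample text

def per_word_deterministic(text):
    """Stand-in for the per-word design: fixed keyed token per word
    (HMAC here, not AES), punctuation copied through unchanged."""
    out = []
    for tok in TOKEN.findall(text):
        if WORD.fullmatch(tok):
            mac = hmac.new(KEY, tok.lower().encode(), hashlib.sha256)
            out.append(mac.hexdigest()[:16])
        else:
            out.append(tok)
    return " ".join(out)

def per_message_randomized(text):
    """Stand-in for a randomized scheme: fresh nonce per call, whole message
    covered by a keystream. Toy construction, unauthenticated, demo only."""
    data = text.encode()
    nonce = os.urandom(16)
    stream = hashlib.shake_256(KEY + nonce).digest(len(data))
    return (nonce + bytes(a ^ b for a, b in zip(data, stream))).hex()

def audit(encrypt, sample=SAMPLE):
    """Black-box checks against any text encryptor: no key access needed."""
    first, second = encrypt(sample), encrypt(sample)
    plain = TOKEN.findall(sample)
    punct = {t for t in plain if not WORD.fullmatch(t)}
    cipher_counts = Counter(t for t in first.split() if t not in punct)
    plain_counts = Counter(t.lower() for t in plain if t not in punct)
    return {
        "deterministic": first == second,
        "punctuation_visible": any(p in first.split() for p in punct),
        "frequency_preserved":
            sorted(cipher_counts.values()) == sorted(plain_counts.values()),
    }

if __name__ == "__main__":
    for scheme in (per_word_deterministic, per_message_randomized):
        print(scheme.__name__, audit(scheme))
```

Any `True` in the report means ciphertext alone reveals structure of the plaintext; the randomized stand-in still leaks message length, which this audit does not measure.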

Re:"Per word" encryption + unencrypted punctuation (4, Funny)

maugle (1369813) | about a year ago | (#43512543)

Maybe they meant "homeopathic" encryption. The worse the encryption scheme, the safer your data is!

Re:"Per word" encryption + unencrypted punctuation (1)

Opportunist (166417) | about a year ago | (#43514791)

OMFG, that's great. May I use that phrase? I can well need it from time to time in meetings.

Probably not secure then. (5, Insightful)

Jeremy Erwin (2054) | about a year ago | (#43510963)

Look elsewhere--the only thing that should be obscure about a crypto system is the key.

On a positive note (1)

Anonymous Coward | about a year ago | (#43510977)

If Ciphercloud invokes DMCA on enough content, it will be difficult to determine the original message from "[image removed due to DMCA request]"

here are some of the links in the dmca notice (4, Informative)

Adult film producer (866485) | about a year ago | (#43511015)

Re:here are some of the links in the dmca notice (1)

djsmiley (752149) | about a year ago | (#43511037)

The last link is laughable - their 5 minute tour starts with a 5 minute and 58 second video.....

Re:here are some of the links in the dmca notice (1)

Behrooz Amoozad (2831361) | about a year ago | (#43511513)

Then even a kid can use a simple dictionary attack or something to defeat the whole encryption. It just needs some time and emacs:)

Re:here are some of the links in the dmca notice (1)

Behrooz Amoozad (2831361) | about a year ago | (#43511709)

Oh, I meant a word frequency attack.

Anyway (2)

Impy the Impiuos Imp (442658) | about a year ago | (#43511017)

DMCA, in theory, is to stop people copying around the Internet the hard work creative efforts of people. It's not to stop a screenshot of something being discussed.

Re:Anyway (2)

dougmc (70836) | about a year ago | (#43511081)

Perhaps, but in practice it doesn't matter what it was *intended* to do, only what the wording allows it to be *used* to do. And in this case, it's being used in an attempt to block unfavorable discussions.

That said, the original discussion's use would almost certainly fall within fair use, so they could just respond to the DMCA request and get their stuff put back up, putting the ball back into the court of the company sending the request. And having no case, they should drop it. Still abusive, but at least the damage is minimized.

I do wish the DMCA had provisions to punish for obviously invalid invocations of it, however.

Re:Anyway (1)

number11 (129686) | about a year ago | (#43511179)

Perhaps, but in practice it doesn't matter what it was *intended* to do, only what the wording allows it to be *used* to do. And in this case, it's being used in an attempt to block unfavorable discussions.

That said, the original discussion's use would almost certainly fall within fair use, so they could just respond to the DMCA request and get their stuff put back up, putting the ball back into the court of the company sending the request.

They could indeed respond to the DMCA request and get their stuff put back up. But then, potentially, lawyers get involved. And when lawyers get involved, it gets very very expensive. Maybe the EFF or the ACLU will take your case, but they don't have the staff or money (donate [eff.org] today [aclu.org] !) to take every case, so they might not be able to, in which case you'll have to hire your own.

Re:Anyway (1)

dougmc (70836) | about a year ago | (#43511379)

The EFF and ACLU are only going to take cases that they think are going to have large impacts -- set precedent, get widely publicized, etc. They just don't have the resources.

You are correct, of course. Of course, by responding to the DMCA and getting your stuff put back up, you're telling them exactly who they should hassle legally. And even without a case, they can cause a lot of grief. Which is part of why I wish there was a penalty for bogus claims.

Re:Anyway (1)

jbolden (176878) | about a year ago | (#43512861)

I do wish the DMCA had provisions to punish for obviously invalid invocations of it, however.

It does. Things like fraudulent claims of ownership are punishable. The thing is, this isn't obviously invalid. It is very likely invalid. There is a bar; it just is much further along.

Besides generally you want people to be able to object in an official way rather easily and that's all a DMCA claim is, an on the record objection.

The Streisand effect strikes again (2)

Bogtha (906264) | about a year ago | (#43511105)

I just poked around the Stack Exchange API, and it seems several CipherCloud questions have been catapulted into the hottest questions in that site's history.

DMCA + generic "defamation" C&D (1)

BillX (307153) | about a year ago | (#43511529)

It's not only a DMCA request; there is also a traditional cease-and-desist lawyer letter tacked onto the end, ordering StackExchange to ban a particular user and remove the actual (user-written) text of specific posts, via the usual bluster ("false and misleading", "defamation", "lanham act",...).

Talk about Shooting yourself in the foot (1)

fast turtle (1118037) | about a year ago | (#43512097)

These folks are idiots for issuing a DMCA in regards to their own material. Guess who won't be in business much longer.

"Trust in the cloud" (0)

Anonymous Coward | about a year ago | (#43512403)

Their logo is very ironic. They claim to provide "trust in the cloud", it even says that on their logo.
I wouldn't trust this company to make me a sandwich, let alone "encrypt" my sensitive data.

What a bunch of liars...

Funny (0)

Anonymous Coward | about a year ago | (#43512751)

Freedom of speech is unbreakable and defamation cases in America are a myth, riiiiight.

All you New Democrat Canadians may want to protest (0)

Anonymous Coward | about a year ago | (#43512965)

CipherCloud's "success" stories [ciphercloud.com] include the New Democratic Party of Canada. There are also a few other businesses that should really know better.

Do not judge us from what we show! (2)

fgrieu (596228) | about a year ago | (#43513435)

The taken-down images, and the promotional video around 2:53
http://pages.ciphercloud.com/AnyAppfiveminutesdemo.html?aliId=1 [ciphercloud.com]
make it clear that in these promotional materials, identical plaintext leads to identical ciphertext.

Ciphercloud's DMCA takedown notice
http://meta.crypto.stackexchange.com/a/258/555 [stackexchange.com]
rebuts that as wrong ("Ciphercloud's product is not deterministic"), with a key point at the beginning of page 3:
"[detractor] implies that what was perceived from a public demo is Ciphercloud's product offering".

Ciphercloud's position is: you misjudged us from what we have shown, which is not the real thing.

Could have answered themselves (1)

emilv (847905) | about a year ago | (#43513653)

If they were doing secure encryption they could have just answered the question themselves. Since they instead went for silencing the critique, I guess the security of CipherCloud must be pretty bad.

Website down (0)

Anonymous Coward | about a year ago | (#43514727)

It appears that CipherCloud's website is down. Hmm.

Witch hunt? (0)

Anonymous Coward | about a year ago | (#43521853)

Oh come on folks.... Don't you think there is a witch hunt on this company? How bad can their software be? Lots of users are using it, hasn't been hacked yet. It is easy to say their stuff sucks, but do you have proof? So someone messed up and pulled a DMCA... So what? Prove that the software is insecure!!
