It mentions several categories of knives that are legally restricted in many jurisdictions. It then goes on to say that the promotion of swords and kitchen knives is allowed. Based on the OP's claims, it appears that utility pocket knives are allowed as long as they don't have assisted opening.
It's also not clear from this page that Google has a problem with the use of adwords to sell products not banned from advertising in a store that also sells products Google refuses to advertise.
The policy is completely clear: Knives that could best be described as weapons are not allowed. People do buy knives as weapons, but it's pretty rare for people to buy swords as weapons (instead they're decorative), so that difference is completely explainable.
> Knives that could best be described as weapons are not allowed.
This is completely ambiguous. There are knives marketed as having been designed with input from various figures in the martial arts world or using terms like "tactical"; it's probably reasonable to say that those are designed, or at least marketed, as weapons. Kitchen knives obviously aren't intended as weapons. Every other non-decorative knife on the market falls somewhere between those two points.
Google has evidently decided that assisted opening == weapon, but does not say so on its policy page. This decision is not consistent with the marketing of most assisted opening knives, nor with the opinions of knife enthusiasts. Of course, there are probably very few objective criteria one could use to determine if a pocket-size folding knife is intended to be a weapon.
I also reiterate that it is not clear from the page that selling an item banned from advertising (an assisted opening knife) on the same website as an item advertised on adwords that is allowed to be advertised on adwords (some other kind of knife that Google doesn't consider a weapon) is against the rules. Indeed, the main point of the complaint appears to be that larger adwords customers like Amazon and Walmart are doing exactly that.
I'm sure that a certain subset of people do buy knives as weapons, but I'd be surprised if it was even on the radar of total knife ownership reasons. Most buy knives for display or utility (dive, general utility, bolo/machete, etc.).
Every one of them could be used to kill someone, just like a crowbar.
I worry that most of the opposition to this bill is based on FUD that EFF is spreading. Having experience actually working in the security industry and knowing the limitations that this bill is trying to address, the ability of the government and private sector to work together to keep malicious groups out of their networks, I recognize the necessity and intentions of this bill.
This isn't about spying on Americans. This isn't SOPA with a new name. This isn't about stopping piracy or spying on your facebook profile. This bill is about letting government agencies share intelligence on network threats with private companies so those companies can protect their customers' information. None of the agencies or companies involved want to share any private information about their citizens or customers. There are lots of lawyers involved in the process to ensure that doesn't happen.
I wonder if some of that exhaustion is also what leads people to not read the bill or understand the context and just assume it's another anti-piracy bill.
I understand what you're saying, but when legislation is proposed I look at what it very easily could enable, not just what it's written to be for. When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have.
"None of the agencies or companies involved want to share any private information about their citizens or customers." The telcos have monetized their lawful intercept programs and receive bad publicity protection from the government by being legally entitled to keep it a secret. They now have a profit motive and the risk of bad publicity is low. And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.
If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath. So if you want to blame somebody for the confusion start with the people proposing this legislation.
You are not allowed to make arguments that are directly rebutted by the facts. There were drafts of CISPA that were published in which the assets protected by the bill (which defines attacks in terms of the familiar C.I.A. triad) included "IP", which would have included things like the source code to operating system drivers. But the bill that got voted on included a series of amendments, all published, that neutered that language because of exactly that concern.
CISPA is simply not about the interests of rightsholders.
> CISPA is simply not about the interests of rightsholders.
The commenter to which you are replying did not make that assertion. The mention of IP was an attempt to identify the source of the confusion between cybersecurity and IP rights, not about CISPA specifically. Here's what the parent comment actually claimed:
> When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have....
> And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.
The bill is clearly not about rightsholders, so it is intellectually dishonest to suggest that there is a legitimate concern about power grabs by rightsholders in it. "I watch C-SPAN religiously and they're always talking about IP rights" is not a substitute for reading the bill.
I disagree, but I don't think this subthread is important enough to litigate. If he wants to chime in and say "I absolutely am not saying CISPA is part of a scheme that will increase the powers of rightsholders", I'll apologize for mischaracterizing him.
I absolutely am not saying CISPA is part of a scheme that will increase the powers of "rightsholders." I don't see that in there. I was referring to the "spying" claim of the parent post of my first response.
My concern is with limiting of my right to civil suit against a corporation, and my fear that the bartering of these rights for information bypasses legal constraints on information collecting by government and law enforcement.
Do you think it is reasonable that an auto insurance company that operates under DPPA, or a classroom management service that operates under FERPA, or credit agency operating under FCRA, or nationwide bank under RFPA, or for that matter any online service managing information that could be considered stored communications --- do you think it is reasonable that these organizations should incur either the risk of a class action lawsuit or the expense of tens of thousands of dollars of legal review simply in order to push a worm signature or botnet identification or DDOS netflow information to a public clearinghouse? In other words, do you think it is in the public interest for you to retain the right to sue these kinds of companies to vindicate your theoretical privacy interest in network security data shared in good faith?
Thanks to Declan McCullagh downthread for making my arguments about CISPA more vivid by citing all the privacy regs CISPA interacts with. :)
Oh: by the way: if I understand you correctly, you're not at all concerned that CISPA is a backdoor attempt to enable copyright enforcement, and by rebutting that idea earlier, I mischaracterized your point. I apologize for doing that. CISPA makes me jumpy.
> If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath.
The trouble is that the effective, worthwhile and highly damaging cyberattacks all involve IP, in some way or another. There's not much value in taking down Coca-Cola's internal network. Stealing their M&A strategies or product roadmaps can be extremely lucrative/damaging (I recall seeing estimates that billions have been lost as a result).
No they don't. I think it is extremely confusing to talk about theft of data at the same time as talking about someone hacking a nuclear power plant to go into meltdown or something. When people say things like "cyber pearl harbor" at that time they could be talking about a DDOS that makes it impossible to do online banking or they could be talking about an attack on SCADA systems at a power plant that takes out power for a city. It really drives me nuts because either everybody in government talking about it is a poor thinker or they are intentionally being vague.
I have no idea what this comment is even trying to articulate. You suggest two kinds of "cyber attacks", one which causes power plants to malfunction and the other that attacks online banking. I am not sure what you think this distinction demonstrates about online security.
On the one hand, the attacks on power plants that you allude to are possible. Utilities have been networked and electronically controlled since the 1970s. Nobody builds networks on telephony or X.25 anymore; it's all IP. IP connectivity to insanely sensitive systems leaks routinely; moreover, application-level data sharing between Internet-connected systems and supposedly air-gapped backend systems is extremely common.
On the other hand, the "less serious" attacks you allude to are very very bad. Google and Hotmail aren't national utilities. But they are attacked by state actors because dissident organizations use them to communicate. For that matter, the Internet backbone is a collection of computers sharing information using a decades-old routing protocol for which policy is controlled by regular expressions.
Finally, if you run a startup and happen to say something I disagree with, such as "I think CISPA is a power grab by the content industry", I could today very easily push you off the Internet with a trivial DDoS attack. The people who extorted online casinos with DDoS botnets were not rocket surgeons. When I attack you for disagreeing with me online, and you call your ISP, guess what you're going to hear? "You're on your own". It is always very weird for me to see people on Hacker News, a hub for online startup news, downplaying the severity of DOS attacks. I've spent a decent chunk of my career in DOS mitigation and it is not remotely a solved problem.
I think the government has a legitimate interest in protecting against computer attacks on public infrastructure that could result in death, and I see a place in there for government involvement. To a lesser degree there is a legitimate interest for government regarding IP theft. But I think how the government is involved and what powers they have are different for these two scenarios. I understand that they overlap. CISPA is going to give government a much expanded jurisdiction and I don't think the restrictions are fine-grained enough.
You give EFF too much credit. The ACLU, the American Library Association, the Center for Democracy and Technology, the Competitive Enterprise Institute and the Liberty Coalition (both libertarian/conservative groups -- the latter includes Bob Barr and Grover Norquist's Americans for Tax Reform), Reporters Without Borders, etc. sent a letter yesterday to Congress opposing CISPA.
I'm not sure why you think the very smart lawyers and legislative counsel at the ACLU, the ALA, etc. are incapable of reaching their own conclusions about the relative merits of legislation.
I hope you're right that CISPA isn't about spying on Americans. The problem is that, as written, it allows precisely that, with the cooperation of the same companies that have opened their networks to the FedGov in the past. If the wildcard language trumping all state and federal privacy laws were deleted, I think a lot of the (informed) opposition would vanish.
BTW, there were "lots of lawyers involved in the process" of creating SOPA. Look how that turned out. I'd be far more comforted if we had fewer lawyers and more technologists involved. :)
What are the current barriers to agencies sharing intelligence with private companies? Can you give an anonymized/abstract example, where the FBI/etc might have actionable info about a 'cyber threat', and under current law can't pick up the phone or send an email warning private companies?
Primarily the barrier from government to company was that much of the valuable info was classified. The Obama executive order on cybersecurity created a mechanism to bypass this barrier that is similar to what was in CISPA.
So why pass CISPA now? To remove the barrier in the other direction, from company to government. Right now there are interpretations of certain federal laws that say that companies cannot share threat data with the government. In addition, public companies fear shareholder lawsuits if they were to disclose publicly that they have been hacked.
In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info to the government, which shares it with every other company--all basically in real time. That would prevent, or at least reduce, the issue now where one exploit works again and again and again at different companies.
Whether it is possible to do this while adequately protecting privacy is the issue. I'm not a lawyer but it seems to me like it should be doable if the language in the bill is done right.
>In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info the government, which shares it with every other company--all basically in real time.
But why does the government need the information at all? Why not have a private consortium of companies who share threat information under NDA (or, for that matter, just allow it to be published), and craft appropriate legislation to allow that?
CISPA allows exactly that to happen! Any "Cyber security provider" can collect and share information (on a voluntary, opt-in basis) under the act. Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves.
Did you read the bill? I'm not asking in an accusatory way; I'm wondering where you got your information from, so I can read it too.
Reading bills is usually a headache because they keep changing. Cue Pelosi's idiotic comment about having to pass the law so we can know what's in it. This one seems to be no exception: The original bill is talking about intellectual property, people complained about it, they removed that in later versions. EFF is complaining about how it doesn't put limits on what the federal government can do with the information, so they added some limits, but they're overly broad. (What does "national security" even mean? Because it's pretty plausible it's going to be read as "whatever the National Security Agency or Department of Homeland Security does with it.") I mean it's good that they're taking criticism into account and making modifications, but it seems like a really weird bill, and I think it's a good thing that it's getting a lot of scrutiny.
If you want me to go through it and complain about it, I can do that…
>CISPA allows exactly that to happen!
Not exactly. First of all, publication seems very much not to be the idea. Half the bill is talking about security clearances and the like, and how if you get "cyber threat information" from the feds (presumably even if they got it from other private sector entities) then it could still be classified and you can't publish it. And I don't see anything in the bill about the information becoming automatically declassified once a patch is available, so that's not going to be good for full disclosure. Plus, if I get this super secret threat information, now how do I e.g. submit a patch to the Linux kernel or OpenSSH to address it without impermissibly letting the cat out of the bag? Have they thought this one through?
But my original point was not that private entities could share information too, the point was, why should we want the federal government to have it? There is a real concern that they would use vulnerability information to advance their stupid "cyberwar" nonsense and then accidentally loose the network equivalent of the black plague, or use vulnerabilities to spy on people and expand their warrantless surveillance of the world population. I can see why they might be able to use the information to patch their own systems, but I would be a lot happier to see a specific restriction that disallows anyone from using any information received under these provisions for offensive or surveillance purposes.
>Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves
I don't think that's the part people have a problem with. It's not the information coming out of the government (assuming it really is technical information and not anything that identifies individuals or impinges on privacy), rather it's the information going back into it to feed proto-Skynet.
But let's talk about some of the other crazy things.
1) It seems like a major part of the legislation is the grant of immunity for entities that share information. Which is a really very strange thing. Why do these entities need to be exempted from all state and federal laws? Can we not identify the specific ones that are problematic and then fix them? Certainly at least identifying them would be useful. I'm not really comfortable with the idea of exempting companies from prosecution for, say, polluting the water supply or murdering bystanders when they're reporting or responding to cybersecurity vulnerabilities. And if we can't even identify the laws we're concerned about, that seems like a problem more in need of our attention than this.
2) Why are individuals explicitly excluded from qualifying as "protected entities" or "self-protected entities" that would otherwise qualify them for the immunity provision? Are Microsoft and its employees for some reason more deserving of immunity than e.g. Moxie Marlinspike, or any random schmuck who finds and wants to report a security vulnerability?
3) There is a whole list of things under "protection of sensitive personal documents" like library circulation records and medical records. First of all, how is any of that sort of thing the sort of thing that should qualify for this in the first place? But never mind that. If those things would otherwise qualify, shouldn't we then be concerned about a lot of other stuff that isn't on the list, like browsing history, search history, financial records, purchasing history, location data, etc.?
4) The section on liability for wrongful disclosure by the federal government is pretty extreme. I'm not happy with it as a taxpayer. So if the federal government screws up (it's been known to happen) and releases a vulnerability e.g. in some financial software that causes a trillion dollars in damages to other countries, the U.S. taxpayer is on the hook for that to any person adversely affected, not because they had any responsibility for the vulnerability but only because the government disclosed it? No thank you. How about instead we put some personal liability on the government employee(s) who actually made the wrongful disclosure.
5) The bill does a lot of talking about the U.S. federal government and not a lot of talking about state governments or foreign governments. It looks like they may qualify as entities however, and if they don't then that's weird (because what if I want to share threat information with my city or state or Canada or something?). But then we're exempting state governments and foreign governments from all state and federal laws for "decisions made based on cyber threat information identified, obtained, or shared under this section"? What???
This is where I reiterate my concern that we're exempting them from laws against things like murder, kidnapping, wiretapping, espionage, terrorism, etc. Granted the exemption requires acting in "good faith" -- but that's putting a lot of work behind two fuzzy words.
The whole immunity thing seems like a huge kludge that doesn't address the underlying problem, which is really the Aaron Swartz problem. Some laws are unnecessarily complicated, overly broad or poorly drafted such that liability under them is arbitrary and unreasonable, but instead of carefully fixing the bad laws individually, we just throw them all away in this one specific case and let anyone else subjected to their continuing insanity fend for themselves.
* Bills start as draft language. The draft is circulated so that organizations like ACLU can point out things like "this bill gives too much deference to content rightsholders". The bill's authors then say, "that's not at all the intent of the bill" and then fix the language. It is very weird to complain about this, since it's the system actually working in the public interest. So, sorry, you're going to have to keep reading the bill. Also: CISPA is tiny. You can read it inside of 5 minutes. It isn't PPACA, the bill Pelosi commented on.
* I don't think software vulnerabilities are the best or most likely example of information that will be shared from the USG to the private sector under CISPA, but to the extent it is, you can simply assume that a (say) OpenSSH bug disclosed under CISPA to (say) Facebook is going to be patched immediately. I am a vulnerability researcher; that's my profession. It is a near-consensus among vulnerability researchers that the sooner vulnerability data is published, the safer we all are. I find it difficult to be concerned that CISPA might get OpenSSL flaws published faster. If that happens, great.
* If organizations don't want to share vulnerability information with the USG, they don't have to. CISPA is entirely opt-in. Moreover: vulnerabilities are a bad example of information CISPA enables sharing for. Companies can already lawfully share vulnerabilities with the USG. There is a whole cottage industry of small companies that sell vulnerabilities to the intelligence services. To the extent that your concerns about CISPA involve trafficking in privacy-harming exploit code (a very legitimate concern in general), you are (respectfully) ill informed about the current state of cybersecurity regulation.
* The reason CISPA preempts existing privacy laws and provides protection from liability is because there are lots of different privacy regulations on the books that make it difficult for companies operating in certain verticals to share any data without expensive legal review. If you deal with classroom data, you've got FERPA. If you have driver records, you have DPPA. CISPA does not repeal DPPA or HIPAA or FERPA; instead, it simply says that as long as companies are dealing in good faith with attack data --- "cyber threat information", a term the bill goes to some lengths to define --- they can reasonably assume they won't get sued for violating HIPAA by sharing that attack data.
* Individuals are exempted as private entities to protect individual privacy. The intent of that definition as stated by the bill's authors was to prevent CISPA from being interpreted as a mechanism for ISPs and the USG to enter into agreements to track individual customers. See "Myths and Facts About CISPA" at the House Intelligence Committee page. So: you have that concern exactly backwards.
* I don't have any response to your concern that the USG should not be liable for negligence in publishing sensitive data. I see it as a good thing that the bill creates accountability for the handling of the data, and wish there was more accountability in the bill, not less.
There are other questions in your comment that I didn't address because I didn't understand them, sorry.
The admin should be logging in as a standard user with sudo access and using sudo for any administrative tasks anyway. This minimizes how much code is running privileged; it also allows his actions to be audited because they're all logged.
Additionally, if he's using key-based authentication, that key should still be encrypted so it can't be stolen and used by someone with unauthorised access to his filesystem. So he still has to remember the password to unlock his key when he fires up ssh-agent.
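The check that follows is an added example, not code from the comment above: it inspects an SSH private key file and reports whether it is passphrase-protected and with which cipher and KDF, so an audit of a host can confirm the point made above. It parses the `openssh-key-v1` container (magic string, then length-prefixed cipher and KDF names) and the older PEM form (`Proc-Type: 4,ENCRYPTED` header); the sample keys are constructed here with only the header fields populated, so they decode but are not real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def key_protection(pem_text):
    """Return (encrypted, cipher, kdf) for an OpenSSH or legacy PEM private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-armored private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(body, off)   # "none" means unencrypted
        kdf, off = _read_string(body, off)      # "bcrypt" when a passphrase is set
        cipher, kdf = cipher.decode(), kdf.decode()
        return (cipher != "none", cipher, kdf)
    # Legacy PEM (BEGIN RSA/EC/DSA PRIVATE KEY): encryption is signalled by
    # RFC 1421-style headers before the base64 body.
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            break
        name, value = ln.split(":", 1)
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        cipher = headers.get("DEK-Info", "").split(",")[0]
        return (True, cipher, "legacy-pem")
    return (False, "none", "none")


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _make_openssh_pem(cipher, kdf):
    """Constructed sample: a valid header followed by no key material."""
    body = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (not real keys): one passphrase-protected, one not,
# and one legacy PEM key with an encryption header.
ENCRYPTED_SAMPLE = _make_openssh_pem(b"aes256-ctr", b"bcrypt")
PLAINTEXT_SAMPLE = _make_openssh_pem(b"none", b"none")
LEGACY_ENCRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, sample in [("openssh/encrypted", ENCRYPTED_SAMPLE),
                          ("openssh/plaintext", PLAINTEXT_SAMPLE),
                          ("legacy/encrypted", LEGACY_ENCRYPTED_SAMPLE)]:
        print(label, key_protection(sample))
```

Run it against the files in `~/.ssh` to flag any private key whose cipher comes back as `none`.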
The participating entry-nodes (proxies?) could be systematically determined with a scanner
How, exactly? Measuring the run-time of packets and comparing to the expected run-time? I suspect this could be masked by the proxy, but I'm not sure.
You have to trust the people running the entry nodes
You can encrypt the payload independently and then re-encrypt it for the HTTPS tunnel. But as with any proxy, they know the ultimate destination for your traffic, even if they can't get at the data itself.
If your path requires a participating station for the proxy-connection to succeed, just measure successful and unsuccessful proxy-connections against different network paths and logically determine which paths have participating nodes and which don't. Compare the results and expand your search until you narrow down which hops in your path are required for a success.
While I agree that it is a problem that the US has a large and growing prison population, I don't think it's a fair comparison to the conditions being described in these camps in NK.
US prisoners are afforded many more human rights than the prisoners in these camps. They are fed and housed humanely. They are also given a fair trial as defined by the constitution before they are incarcerated and they serve specific prison terms with options for parole.