Fluffeh writes:
A recent article by The Intercept showed how US and UK intelligence agencies have been impersonating the servers of companies like Facebook. In November, Der Spiegel noted that agencies created "bogus versions" of sites like Slashdot and LinkedIn to plant malware in targets' machines.
Copyright claims brought against the government must be filed in the US Court of Federal Claims, and the subject matter in question must have previously been registered with the Copyright Office - something companies don't typically do for their Web interfaces.
In contrast, under the Lanham Act, the government is expressly liable. The law clearly states, "As used in this paragraph, the term 'any person' includes the United States, all agencies and instrumentalities thereof, and all individuals, firms, corporations, or other persons acting for the United States and with the authorization and consent of the United States."
(Score: 5, Insightful) by Zyx Abacab on Tuesday March 25 2014, @11:41PM
I'm sure the government is liable for this in exactly the same way that Clapper was liable when he lied to Congress. Yes, the law was clearly and flagrantly broken, but so what? It's not there to punish those with power, only those without.
(Score: 4, Interesting) by Fluffeh on Wednesday March 26 2014, @12:07AM
It is rather a case where Clapper is an INDIVIDUAL working for the government, but in this case it is the GOVERNMENT ENTITY that is held liable - meaning it cannot hide away by claiming "he did it... she did it... etc" the buck stops at the front door, it is up to them to then work out internally who is at fault.
(Score: 3, Insightful) by Anonymous Coward on Wednesday March 26 2014, @12:24AM
National security, tovarisch. You are at fault. Off to Siberia!
(Score: 5, Insightful) by c0lo on Wednesday March 26 2014, @12:54AM
Well, even within the "golden rule" applicability (I expect Google or FB qualify into "the one who has the gold" category), seems they would still not qualify for monetary damages.
Says the FA:
This does nothing but demonstrate to me that the suggested approach (Lanham law) is only a gimmick meant to benefit the lawyers, the civil society doesn't have enough power against a govt agency run amok. This is the real actual problem.
Which brings me to: applying any palliative solution comes with the risk of losing (loosing equally applicable) the focus from the actual problem so I'd rather not see this used. Especially since using https only (or, at least, by default) is a technical solution which:
(Score: 0) by Anonymous Coward on Wednesday March 26 2014, @02:05AM
It sure would be nice if everything we did on the internet was https, however... A partial solution I guess.
(Score: 4, Interesting) by c0lo on Wednesday March 26 2014, @02:19AM
Within the context [xkcd.com] of the proposed solution (sue NSA for "spearphishing" and thus breaching the trademark), using https would be a deterrent by increasing the cost of the attack (even if not making it impossible).
Granted, I'd like to live in a world where the Internet is entirely Tor-ified and there's enough bandwidth to not feel a difference - but again, I'm surely not representative (as, for instance, I do prefer my games offline rather than MMO-ed).
(Score: 1) by cbiltcliffe on Saturday March 29 2014, @11:24PM
Using HTTPS to foil the NSA's monitoring would be absolutely useless.
When the NSA approaches a domestic CA with an NSL, requesting the CA to provide an SSL certificate with your website's name on it, then as far as any visitor is concerned, the NSA site *is* your website, right down to the 100% valid SSL certificate with your name on it.
(Score: 2) by c0lo on Sunday March 30 2014, @01:09AM
Which comes with a cost - note that I didn't say it cannot be done, I said "raising the cost for NSA of doing so".
Besides, I guess there exist CAs in this world that aren't under US jurisdiction and I still can choose to host my web site outside US.
Also, the context of this discussion: what could Google or Facebook do if they would try something against NSA impersonating them? Now, question: suppose that Google or Facebook would choose to become CA-es for themselves, do you think the major browsers would refuse to include the certificates they issue for themselves as "trusted"?
What is the cost of Google/Facebook doing so? Compare with the cost of suing NSA for a trademark breach.
What would be the cost for NSA to try twisting Google/Facebook's arms to allow NSA to break the trust and set up a MitM?
(Score: 1) by cbiltcliffe on Sunday March 30 2014, @12:55PM
The fact that there are CAs outside the US, or you could host outside the US is completely and utterly irrelevant, due to the broken design of the CA/SSL system.
As long as a single CA exists inside the US that the NSA can coerce, then a certificate can be generated which is trusted by all major browsers, regardless of the fact that you've never used that CA yourself.
Your choice of CA isn't enforced - isn't even provided to the client - by the SSL negotiation. That's why the breach at DigiNotar a while back was so serious. It didn't just compromise DigiNotar's customers. It compromised the entire SSL system.
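
The point made in the comment above (default validation accepts a chain to any trusted root, with no record of which CA the site owner chose), set beside key pinning as one client-side check, as an added example that is not part of the original thread. It is a simplified model: signature verification is omitted, and the certificate names, key bytes and the `accept` helper are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # name the certificate is issued to
    issuer: str    # name of the CA that issued it
    spki: bytes    # stand-in for the public key bytes (constructed)

def pin(cert):
    """SHA-256 of the key bytes: the value a pinning client stores."""
    return hashlib.sha256(cert.spki).hexdigest()

def chains_to_trusted_root(chain, trust_store):
    """Default validation, modelled: every cert is issued by the next one and
    the last cert's key is in the trust store. Which root it is is not checked."""
    links_ok = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return links_ok and pin(chain[-1]) in trust_store

def accept(chain, hostname, trust_store, pins=None):
    """Accept the leaf for hostname. With pins, some key in the chain must
    also match a pinned value, which ties the site to a chosen CA or key."""
    if chain[0].subject != hostname:
        return False
    if not chains_to_trusted_root(chain, trust_store):
        return False
    if pins is None:
        return True
    return any(pin(c) in pins for c in chain)

# Constructed data: two roots the client trusts equally.
ROOT_A = Cert("Example Root A", "Example Root A", b"key-root-a")
ROOT_B = Cert("Example Root B", "Example Root B", b"key-root-b")
TRUST_STORE = {pin(ROOT_A), pin(ROOT_B)}

# The site owner only ever obtained a certificate from Root A.
OWNER_CHAIN = [Cert("www.example.com", "Example Root A", b"key-owner"), ROOT_A]
# A second certificate for the same name, issued by Root B without the owner.
OTHER_CHAIN = [Cert("www.example.com", "Example Root B", b"key-other"), ROOT_B]

PINS = {pin(ROOT_A)}  # client configured with the owner's chosen CA key

if __name__ == "__main__":
    for name, chain in (("owner", OWNER_CHAIN), ("other", OTHER_CHAIN)):
        print(name, "default:", accept(chain, "www.example.com", TRUST_STORE),
              "pinned:", accept(chain, "www.example.com", TRUST_STORE, PINS))
```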