posted by mrcoolbp on Tuesday March 25 2014, @11:30PM
from the drinking-and-spying dept.

Fluffeh writes:

A recent article by The Intercept showed how US and UK intelligence agencies have been impersonating the servers of companies like Facebook. In November, Der Spiegel noted that agencies created "bogus versions" of sites like Slashdot and LinkedIn to plant malware in targets' machines.

Copyright claims brought against the government must be filed in the US Court of Federal Claims, and the subject matter in question must have previously been registered with the Copyright Office, something companies don't typically do for their Web interfaces.

In contrast, under the Lanham Act, the government is expressly liable. The law clearly states, "As used in this paragraph, the term 'any person' includes the United States, all agencies and instrumentalities thereof, and all individuals, firms, corporations, or other persons acting for the United States and with the authorization and consent of the United States."

  • (Score: 5, Insightful) by c0lo on Wednesday March 26 2014, @12:54AM

    by c0lo (156) on Wednesday March 26 2014, @12:54AM (#21338)

    Yes, the law was clearly and flagrantly broken, but so what? It's not there to punish those with power, only those without.

    Well, even within the "golden rule" applicability (I expect Google or FB qualify into "the one who has the gold" category), seems they would still not qualify for monetary damages.
    Says the FA:

    Wakefield explained that in most of these scenarios, the goal would be injunctive relief—that is, a court order getting the government to stop its behavior—rather than money damages.
    Traditionally under trademark law, monetary damages are calculated as the profits gained by the infringer, which are presumed to be equal to the damages suffered by the trademark owner. This metric wouldn't be applicable in cases of government snooping, so the best available remedy in such a scenario would be for a court order that the government simply stop the practice.

    This does nothing but demonstrate to me that the suggested approach (Lanham law) is only a gimmick meant to benefit the lawyers; the civil society doesn't have enough power against a govt agency run amok. This is the real actual problem.

    Which brings me to: applying any palliative solution comes with the risk of losing (loosing equally applicable) the focus from the actual problem, so I'd rather not see this used. Especially since using https only (or, at least, by default) is a technical solution which:

    1. is cheaper for raising the cost of impersonation/MitM for the attacker (certainly much cheaper than paying a lawyer)
    2. acts as a preemptive countermeasure - as opposed to invoking Lanham law, which comes as a reaction
  • (Score: 0) by Anonymous Coward on Wednesday March 26 2014, @02:05AM

    by Anonymous Coward on Wednesday March 26 2014, @02:05AM (#21358)

    It sure would be nice if everything we did on the internet was https, however... A partial solution I guess.

    • (Score: 4, Interesting) by c0lo on Wednesday March 26 2014, @02:19AM

      by c0lo (156) on Wednesday March 26 2014, @02:19AM (#21366)

      It sure would be nice if everything we did on the internet was https, however...

      Within the context [xkcd.com] of the proposed solution (sue NSA for "spearphishing" and thus breaching the trademark), using https would be a deterrent by increasing the cost of the attack (even if not making it impossible).
      Granted, I'd like to live in a world where the Internet is entirely Tor-ified and there's enough bandwidth to not feel a difference - but again, I'm surely not representative (as, for instance, I do prefer my games offline rather than MMO-ed).

  • (Score: 1) by cbiltcliffe on Saturday March 29 2014, @11:24PM

    by cbiltcliffe (1659) on Saturday March 29 2014, @11:24PM (#23029)

    Using HTTPS to foil the NSA's monitoring would be absolutely useless.
    When the NSA approaches a domestic CA with an NSL, requesting the CA to provide an SSL certificate with your website's name on it, then as far as any visitor is concerned, the NSA site *is* your website, right down to the 100% valid SSL certificate with your name on it.

    • (Score: 2) by c0lo on Sunday March 30 2014, @01:09AM

      by c0lo (156) on Sunday March 30 2014, @01:09AM (#23058)

      requesting the CA to provide an SSL certificate with your website's name on it

      Which comes with a cost - note that I didn't say it cannot be done, I said "raising the cost for NSA of doing so".
      Besides, I guess there exist CAs in this world that aren't under US jurisdiction, and I still can choose to host my web site outside the US.

      Also, the context of this discussion: what could Google or Facebook do if they would try something against NSA impersonating them? Now, question: suppose that Google or Facebook would choose to become CA-es for themselves, do you think the major browsers would refuse to include the certificates they issue for themselves as "trusted"?
      What is the cost of Google/Facebook doing so? Compare with the cost of suing NSA for a trademark breach.
      What would be the cost for NSA to try twisting Google/Facebook's arms to allow NSA to break the trust and set up a MitM?

      • (Score: 1) by cbiltcliffe on Sunday March 30 2014, @12:55PM

        by cbiltcliffe (1659) on Sunday March 30 2014, @12:55PM (#23195)

        The fact that there are CAs outside the US, or you could host outside the US is completely and utterly irrelevant, due to the broken design of the CA/SSL system.
        As long as a single CA exists inside the US that the NSA can coerce, then a certificate can be generated which is trusted by all major browsers, regardless of the fact that you've never used that CA yourself.
        Your choice of CA isn't enforced - isn't even provided to the client - by the SSL negotiation. That's why the breach at DigiNotar a while back was so serious. It didn't just compromise DigiNotar's customers. It compromised the entire SSL system.
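An added illustration of the point made in this last exchange (the client does not enforce which CA a site actually uses, so any root in the trust store can vouch for any name); this is editorial example code, not part of the thread and not written by any of its posters. It implements the public-key pinning rule from RFC 7469 (HPKP), which is the client-side countermeasure to exactly that weakness. To run offline it replaces signature verification with issuer/subject name matching, and every certificate name and key byte string below is constructed for the example.

```python
# Added example: public-key pinning check in the style of RFC 7469 (HPKP).
# Not code from the thread or its posters. Certificates are stand-in
# records (subject, issuer, SubjectPublicKeyInfo bytes); signature
# verification is replaced by issuer/subject name matching so the
# example runs offline. All names and key bytes below are constructed.
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # DER SubjectPublicKeyInfo in reality; constructed bytes here


def spki_pin(cert: Cert) -> str:
    """pin-sha256 as defined by RFC 7469: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode("ascii")


def chain_is_well_formed(chain: list) -> bool:
    """Leaf first, root last; each issuer must be the subject of the next cert up."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].issuer == chain[-1].subject  # root is self-signed


def system_trust_accepts(chain: list, trust_store: set) -> bool:
    """Stock browser behaviour: any root in the store that tops the chain is enough."""
    return chain_is_well_formed(chain) and chain[-1].subject in trust_store


def pin_check(chain: list, pins: set) -> bool:
    """RFC 7469 rule: the chain passes if ANY certificate in it carries a pinned key."""
    return chain_is_well_formed(chain) and any(spki_pin(c) in pins for c in chain)


def accept(chain: list, trust_store: set, pins: set) -> bool:
    """A pinning client requires both: store trust AND a pin hit."""
    return system_trust_accepts(chain, trust_store) and pin_check(chain, pins)


# Constructed sample world: two roots that every browser ships, as in the thread.
EXAMPLE_ROOT = Cert("Example Root CA", "Example Root CA", b"constructed-spki-example-root")
EXAMPLE_LEAF = Cert("www.example.com", "Example Root CA", b"constructed-spki-example-leaf")
OTHER_ROOT = Cert("Other Root CA", "Other Root CA", b"constructed-spki-other-root")
# A certificate for the same name issued by a CA the site operator never used.
MISISSUED_LEAF = Cert("www.example.com", "Other Root CA", b"constructed-spki-misissued-leaf")

TRUST_STORE = {"Example Root CA", "Other Root CA"}
# The operator pins its own root plus the leaf key (RFC 7469 wants at least one backup pin).
PINS = {spki_pin(EXAMPLE_ROOT), spki_pin(EXAMPLE_LEAF)}

LEGIT_CHAIN = [EXAMPLE_LEAF, EXAMPLE_ROOT]
MISISSUED_CHAIN = [MISISSUED_LEAF, OTHER_ROOT]


if __name__ == "__main__":
    for name, chain in (("legitimate", LEGIT_CHAIN), ("mis-issued", MISISSUED_CHAIN)):
        print(f"{name}: system trust={system_trust_accepts(chain, TRUST_STORE)}, "
              f"pinned client={accept(chain, TRUST_STORE, PINS)}")
```

Run as a script it prints that both chains pass plain store trust (the thread's point: a chain from any shipped root is accepted, regardless of which CA the operator chose) and that only the legitimate chain passes the pinned client. The usual caveats apply: a pin only protects clients that already hold it, so a first connection that is intercepted learns nothing; browsers later dropped HPKP headers, but the same check is what application-level pinning still does, and Certificate Transparency and CAA records cover the mis-issuance side from the operator's end.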