Nearly all 2020 presidential candidates aren’t using a basic email security (techcrunch.com)
67 points by sahin on April 30, 2019 | hide | past | favorite | 48 comments



> just one presidential hopeful — Democratic candidate Elizabeth Warren — uses domain-based message authentication, reporting, and conformance policy — or DMARC.

Another reason that Warren is my favorite of the Democratic candidates right now. It's telling that the candidate with the most tech savvy is also the one proposing to break up the FAANGs for antitrust abuses.


I'm not at all clear what a break up means. How do you break up a monolithic single platform like Facebook? Maybe spin off the messaging stuff but who cares about that? Google is tricky too, you could separate ad-driven search from everything else, but then the everything else bits would just die. How would that benefit users?

Basically picking off bits of the edges of these services is just pointless, but splitting up the core service also seems crazy. It's like splitting up a car company by separating out the bit that makes the engines from the bit that makes the chassis.

I can see it with Amazon splitting AWS from the store, but in that case both would just do fine thank you very much. Again, I'm not seeing any material benefits to anybody. I suppose it's possible profits from the store would be prevented from subsidising AWS, which might benefit competition. This is the only one that makes a lick of sense but it's not really a big problem to fix IMHO.

So what are the actual proposals, or are they just vague pontificating at this stage?


> I'm not at all clear what a break up means. How do you break up a monolithic single platform like Facebook? Maybe spin off the messaging stuff but who cares about that?

Facebook's platform is already pretty well broken up: you have IG, WhatsApp, the core News Feed, Messenger.

Warren's argument isn't so much that breaking the big tech companies up would benefit consumers in itself, but that breaking them up would enable competing services to emerge (in the same way, she argues, that breaking up Microsoft enabled Facebook and Google to emerge).

It's easy to forget now but in 1998 Windows was pushing Active Desktop pretty hard and MSFT were making a big play to make the Internet something which you consumed via the Windows desktop and via Microsoft owned products.

It's not clear that competition necessarily _would_ emerge from more constraints on large tech companies, but it's probably true that Facebook making a "WeChat" type play would not be a good thing for the Open Web or competition in any way.


> (in the same way, she argues, that breaking up Microsoft enabled Facebook and Google to emerge).

Is this a reference to the consent decree? Microsoft wasn't actually broken up, not that I recall. Nor did the consent decree permit Google to emerge - it was emerging anyway, and before the consent decree.

What are they actually talking about here?


Facebook tried for years to compete with Snapchat and failed. Competition is obviously beneficial for substitute goods, but I don't think tech is there.


How is the amalgamation of Instagram, WhatsApp, Facebook.com, Facebook Messenger, Oculus, etc. a "monolithic single platform"?

I don't quite understand how you've come to your "who cares about that?"/"How would that benefit users?" stance. If you're genuinely curious about how preventing monopolies can benefit consumers/users, and not just being rhetorical, I suggest:

https://en.wikipedia.org/wiki/Competition_law

https://en.wikipedia.org/wiki/United_States_antitrust_law

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3247362


The problem with large tech markets is that they control every aspect of a single industry in and of themselves, which allows them to define and change the market to suit themselves best. In the short run this is good for the user as Facebook can offer Instagram, WhatsApp, Facebook, Messenger, etc. for free, a price that competitors cannot beat with all those features at once.

On the other hand, now Facebook has all of our data and the bar to enter the market to compete with Facebook also must apply to all the corollary markets. In other words, there's no way to have equivalent services without paying the high cost Facebook demands (which is massive user data).

This is similar to when an oil company purchases the means to refine and produce the oil. So an equivalent separation would be breaking up the tight integration of all of it, to benefit the market by increasing competition on every level of the Facebook monolith.

Yes, in fact, many of the arguments here are the arguments made when Standard Oil was broken up, for example. "But how will this benefit the consumer" was one of the biggest arguments against breaking up Standard Oil.


The obvious targets are Instagram and WhatsApp, followed by splitting out the ad network, and any other functionality where Facebook unfairly competes with their customers and locks out competition.

WhatsApp & Instagram should be split out not only due to anti-competition, but for the protection of the general public. WhatsApp's founder(s?) walked away from almost $1bn because they couldn't look themselves in the mirror and keep working for Zucky after his blatant lies about not violating peoples' privacy with WhatsApp. That alone warrants investigation, since Money is the only thing Americans care about.


It's not that I'm a fan of Facebook, my usage of it is intentionally minimal and as a company they're appalling, but splitting off WhatsApp would make zero practical difference to the main harms they are perpetrating. It's like splitting off the confectionery stand at an oil company's gas stations. There might be some marginal benefits, sure, but it's not in any way addressing the material issues.


I really like Warren for her anti-trust message and her record of acting on behalf of consumers but I just can't get past a couple deal breakers that are a non-negotiable part of the DNC platform that she has to act toward as part of being a democrat senator and serious democratic presidential candidate. I wish politicians weren't so dependent on the national parties for funding their election campaigns. I would gladly vote for pre-senator Warren.


I think it would help if you named your dealbreakers. Imagine if in an OS discussion you said that you like Linux but won’t adopt it due to a couple of unspecified dealbreakers and just left it at that. Most people here would probably consider it borderline FUD.


Gun control is the big one. Stop trying to criminalize my possessions.


“There is a huge difference between the guns of a sportsman or homeowner and high-powered assault weapons with 100-cartridge magazines, I grew up around guns and gun owners, and I will work to protect the rights of law-abiding citizens. But the law must reflect the reality that, in the wrong hands, guns can be used for violent crimes, disrupting communities and making families and neighborhoods less safe.” - Elizabeth Warren [1]

This seems like a perfectly reasonable thing for someone to say about gun control. It doesn't sound like she is trying to criminalize your possessions unless you already have a criminal record and/or possess a tool of mass murder. Although I guess there is potential her position has changed since that was from her Senate run in 2012. I couldn't find anything specific about gun control yet on her 2020 site.

[1] - http://archive.boston.com/news/politics/articles/2012/07/27/...


Of course they can make a statement that makes it sound reasonable and defensible but look at the legislation they push. At the end of the day my right to keep and bear arms SHALL NOT BE INFRINGED and words like those leave a heck of a lot of space to infringe on my right to keep, let alone bear, said arms. Look at the "red flag laws" the DNC has been supporting in the past couple years. After Heller made handguns untouchable they were trying to go after rifles which are basically a rounding error as far as crime and violence goes. The DNC is hellbent on attacking the ability of citizens to keep and bear arms the way the RNC is hellbent on making abortions hard to get (I specifically chose this comparison because both of these positions are an asinine invasion of people's private business).

If you want to play the weasel word game my driveway has five "tools of mass murder" in it and Tractor Supply will happily sell me 40lb bags of oxidizers to accessorize them with.


The so called "high powered assault weapons" are so low powered that they are not allowed for hunting because they don't kill. (depends on the game of course, a rabbit doesn't need much, for a deer they are just barely powerful enough, for something bigger they don't have the power to kill)

100 round magazines are fun. Not practical, but the art on my wall isn't practical either.


I'd put this in a different category than 2FA, a password manager, or basic "watch out for phishing emails" training. All of those things can be enacted by the individual end-user if the organization doesn't enforce it. But it doesn't look like DMARC is something the individual can turn on or off; it's completely on their IT to set it up.

I'm not sure how easy it is to set up, either. Assuming they're paying for Office 365 or G Suite for Outlook/Gmail on campaign domains, is that something that Microsoft and/or Google will turn on automatically for you?


To set up DMARC, you add a TXT record at _dmarc.example.com with content like "v=DMARC1; p=reject" (or perhaps a more permissive or canaried policy).

I am not sure if Google sets it up automatically. I have no memory of setting it up for my gsuite domain... but the record is there. I probably added it at some point though.

The advantage of DMARC against phishing is that people without access to your email server can't impersonate people in your organization. If you tried sending me an email with a "From: jon@jrock.us" header, it would be rejected by my server and I would never see it. This makes it much more difficult to spearphish someone. If you could send an email "this is your boss, look at the From: field, now click my link!", a lot of people would click that link. If the From: field is "spammer@phishing.invalid", you might think twice.

Every little bit helps.
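The alignment rule behind the comment above, as an added worked example (my code, not any commenter's): a message only passes DMARC if SPF or DKIM passes *and* the authenticated domain aligns with the From: domain, otherwise the receiver applies the p= (or sp=) policy. The organizational-domain lookup is approximated as the last two labels (real evaluators use the Public Suffix List), and all inputs are constructed.

```python
"""Toy DMARC policy evaluator.

Added example, not code from anyone in the thread. Shows why a record like
"v=DMARC1; p=reject" stops a spoofed From: header: the message must carry a
passing SPF or DKIM result whose domain *aligns* with the From: domain.

Assumption: the organizational domain is approximated as the last two labels;
real evaluators consult the Public Suffix List. All inputs are constructed.
"""


def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record into a tag dict; reject malformed records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and p= is mandatory (RFC 7489 section 6.3).
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org."""
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(record: str, from_domain: str, *,
                      spf_domain=None, spf_pass=False,
                      dkim_domain=None, dkim_pass=False) -> str:
    """Return "pass", or the policy the receiver should apply (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains may carry their own sp= policy; otherwise p= applies.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"]
    return tags["p"]


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject"
    # Spoofer: SPF passes for the envelope domain phishing.invalid, but that
    # does not align with the From: domain, so the policy applies -> "reject".
    print(dmarc_disposition(rec, "jrock.us", spf_domain="phishing.invalid", spf_pass=True))
    # Legitimate mail carrying a valid jrock.us DKIM signature -> "pass".
    print(dmarc_disposition(rec, "jrock.us", dkim_domain="jrock.us", dkim_pass=True))
```

The "canaried" deployment mentioned above maps directly onto this logic: with p=none the evaluator returns "none" for unaligned mail, so nothing is blocked while the reports show which third-party senders (a newsletter platform passing SPF on its own domain, say) would start failing once p= is raised.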


Wouldn't someone still be able to send mail from jon@jrơck.us and even have it pass DMARC and DKIM checks if they bought that domain? (last o being a ơ [ơ])

I wrote that fake address, I know where the defect is, and I can't spot the difference on my screen right now. It just looks like the other 50 specks of dirt on my laptop screen.


One common way to defend against a partial (or full) homograph attack is to have clients render IDNs as punycode. The downside is that it kinda pulls the plug on non-ascii domains. :-\


It has a reasonable workaround: check that all glyphs belong to the same writing system. That is, post.com should have all glyphs from Latin, почта.рф, all glyphs from Cyrillic, and ταχυδρομείο.ελληνικό must have all letters Greek. The fact that the Latin, Cyrillic, and Greek glyphs have same-looking glyphs like o or p is not dangerous if you can't mix them up.


That's a cool idea and will normally work, but won't prevent homograph attacks entirely. Identities can still be spoofed if they can be constructed entirely from glyphs in the intersection of two unicode blocks. E.g. `ΝΙΚΕ.ϹΟΜ` and `NIKE.COM`.


Lowercasing them would let the user tell the lowercase L from uppercase i.

But I agree, some things may need to be special-cased.


That should be preventable if their email clients allow restricting unicode

https://www.unicode.org/reports/tr39/#Restriction_Level_Dete...


Yeah, I don't think DMARC helps with that. jon@jrơck.us won't key into the corporate directory, though, so someone should at least think something is amiss. (I thought my screen was dirty.)


If you have the domain through Google Domains and set up email through GSuite, they can set up DMARC automatically.


Email security enforcement is not turned on automatically, but is relatively easy to set up for G Suite or Office 365. Typically the easiest implementation is to create a DNS validation record. With that caveat, SPF and DKIM are easier to set up, because it's just creating a validation record. DMARC typically means that you're now getting 10-20 emails a day from major email providers all containing XML files that need to be analyzed. There aren't a ton of good solutions to analyze the contents of the XML files.


Postmark has a free service that will handle the DMARC XML analysis for you, sending you a human-readable summary report once a week. (You don't have to be sending through Postmark to use it; I've been surprised at how many spammers attempt to spoof my personal domains.)

http://dmarc.postmarkapp.com/


I set up dmarc some years ago. The xml files are kind of a pain, but you really only need to look at them for a couple days or weeks, then you can remove the reporting address from your dmarc record, because once you're convinced the config is correct, there is no actionable information in the reports.
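The XML files the two comments above describe are the aggregate (rua) reports defined in RFC 7489 Appendix C. As an added example (my code, not any commenter's or any vendor's), here is a small summarizer that does the triage a person does by hand: separate your own aligned mail from third-party senders that authenticate as some other domain (candidates to DKIM-sign) and from sources nobody vouches for (likely spoofing). The embedded report is constructed for this example, using documentation IP ranges and made-up counts.

```python
"""Summarize a DMARC aggregate (rua) report.

Added example, not code from any commenter. The XML layout follows the
aggregate report schema in RFC 7489 Appendix C; SAMPLE_REPORT is constructed
for this example (RFC 5737 documentation addresses, invented counts).
"""
import xml.etree.ElementTree as ET
from collections import namedtuple

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>2019-04-30-0001</report_id>
    <date_range><begin>1556582400</begin><end>1556668800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.55</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>newsletter-relay.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

Row = namedtuple("Row", "source_ip count disposition dkim spf passing")


def parse_report(xml_text: str) -> dict:
    """Extract the published policy and one Row per <record>."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # Raw auth results: which domains vouched for the message at all,
        # regardless of whether they align with the From: domain.
        passing = sorted(
            (auth.tag, auth.findtext("domain"))
            for auth in rec.findall("auth_results/*")
            if auth.findtext("result") == "pass"
        )
        rows.append(Row(
            source_ip=row.findtext("source_ip"),
            count=int(row.findtext("count")),
            disposition=evaluated.findtext("disposition"),
            dkim=evaluated.findtext("dkim"),   # *aligned* DKIM result
            spf=evaluated.findtext("spf"),     # *aligned* SPF result
            passing=passing,
        ))
    return {
        "reporter": root.find("report_metadata").findtext("org_name"),
        "domain": policy.findtext("domain"),
        "p": policy.findtext("p"),
        "rows": rows,
    }


def triage(report: dict) -> list:
    """Label each source the way you would when reading the XML by hand."""
    out = []
    for r in report["rows"]:
        if r.dkim == "pass" or r.spf == "pass":
            verdict = "aligned-pass"     # your own mail, nothing to do
        elif r.passing:
            verdict = "unaligned"        # authenticated as another domain: a sender to DKIM-sign
        else:
            verdict = "unauthenticated"  # nobody vouches for it: likely spoofing
        out.append((r.source_ip, r.count, verdict))
    return out


def messages_at_risk(report: dict) -> int:
    """Messages that would be affected if p= were raised to quarantine or reject."""
    return sum(c for _, c, v in triage(report) if v != "aligned-pass")


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for line in triage(rep):
        print(*line)
    print("at risk under p=reject:", messages_at_risk(rep))
```

The point of the "unaligned" bucket is the one the later comment makes about only needing the reports for a while: once every legitimate third-party sender has moved into "aligned-pass", what remains is spoofing, and the reports stop carrying anything actionable.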


I can recommend DMARCIAN, it's free for low volume (100k messages per month) domains. They even have a special GDPR-proof site for EU domains.

https://dmarcian.com/pricing/


Try an online generator such as https://dmarcian.com/dmarc-record-wizard/ to create one. No affiliation, just a well done generator I have used that walks you through the process.


With domains registered at Google Domains it's very easy to enable. Not all domain registrars support it. Mayor Pete uses GoDaddy and it's very easy to set up at that registrar as well.


I see this as a reflection of the candidate's ability to find and listen to experts. I don't expect a candidate to understand how to do tech "right" - I'm in the industry and still get half of it wrong! However, when you're running a multi-million dollar campaign you can afford to bring in experts to set this stuff up and audit your practices. In fact, I assume these candidates are already doing this and that if they are still not following some basic best practices it's because they are actively ignoring the experts they brought on to help them. That's what worries me. If they can't find or listen to these people now, what makes me think they'll be able to in office? (Related: "The internet is not a big truck...")


This stuff is easy to set up (in G Suite you can do it in an hour or two if you know what needs to be done), but like most computer security best practices, the knowledge is out there but not well distributed, and not in the hands of the people who need to know it.


I enabled dmarc for my domain about a year ago enabling just reporting. So I get a dmarc report or two emailed to me daily. I have yet to actually check the reports.

Can anyone recommend a free or cheap service or something I can run myself to summarize dmarc reports?

edit: this Quora mentions some free services:

https://www.quora.com/What-is-the-best-way-to-make-an-analys...

And I found this on Github:

https://github.com/techsneeze/dmarcts-report-viewer

Any other recs?


>I see this as a reflection of the candidate's ability to find and listen to experts.

The problem isn't finding experts. There are a lot of smart, well-intentioned people in DC. (For example, everyone I met from 18F impressed me greatly, and nonprofit organizations like Mozilla have a presence in DC.)

The problem is that both congressional offices and political campaigns are extremely hierarchical.

The culture in a political campaign or senate office is that junior staffers are supposed to be given orders and figure out how to implement them - not suggest different sets of orders.


It's easy to find experts, but not everyone does. Some politicians prefer loyalty to expertise. At least one candidate was able to overcome the hierarchy of her campaign and get basic email security.


Was that luck though, or active intent.


To be fair I don't think the incumbent needs to be worried about that.


Say what you will about Hillary Clinton—at least that woman could run an email server.


Do you really think she was the one running it?


I am sure I will get hundreds of downvotes for this but I still don't accept that the Russians targeted the DNC. WikiLeaks says otherwise, the only people who examined the servers are a nakedly anti-Russian security outfit hired by the DNC and to date zero hard evidence has been presented that this is true. There are so many holes in this narrative, and given the total lack of credibility the press has after the Russiagate collusion story we shouldn't also allow this piece to slip through as accepted fact.


I’m not sure the consensus is that WikiLeaks targeted the DNC (it’s not a hacking organization afaik). I believe that Russia targeted literally everyone and released DNC data through WikiLeaks.

Edit: I think OP edited their message.



I've read both those accounts. The Dutch intelligence bit is unrelated to the DNC; they claim the same outfit they were surveilling is involved. They did not observe the Russians hacking the DNC. Read the story carefully to see the timing.

As for Guccifer, the evidence indicates he operates out of CST (based on tweets and uploaded file timestamps), hardly where a Russian hacker would be situated.

These are both pretty weak as evidence, not what i'd call substantial.


And yet Wikileaks denial of them getting the emails from Russia without any proof whatsoever is somehow not weak? How would Wikileaks even verify that they were not dealing with a stooge of Russian intelligence?


Easy: they would have direct correspondence with the leaker and could easily validate it's a DNC insider. To be clear, I don't consider this to be strong evidence, I just consider it to be counterevidence that should cause us to be suspicious of the main narrative.

Meanwhile, of the above two articles, one (the Dutch intelligence bit) has nothing to do with the DNC. This leaves only a rather shady character, Guccifer 2.0, whose actions are pretty unprecedented in history: a hacker who announces what they did, seeks interviews, and crows on social media.

Why, exactly, would Russian intelligence set up such a persona? If their intent is to aid Wikileaks, why would they undermine the Wikileaks narrative that it was a leak, not a hack? Guccifer makes no kind of sense unless we believe that his entire purpose is to point the finger back at the Russians, as he quickly succeeded in doing.


[flagged]


Some of us Bernie supporters were also called comrade and Bernie was maligned for having had his honeymoon in the Soviet Union. I hate Trump based on what I've seen him say first hand, but of late I'm beginning to form an opinion that the media blows things completely out of proportion and Russia collusion is Iraq 2.0.


[flagged]


Not even Mueller claims Trump collaborated. You are basing your claims on emotion, not evidence. You want Trump to be guilty, so he is, despite the facts.





