greyface-'s comments

If Flock truly believed that the domain name infringes on their trademark, they would file an ICANN UDRP complaint instead of Cloudflare and Hetzner abuse reports.

But they don't, because the former would require them to perjure themselves, and the latter just requires them to lie to a hosting company.


I wonder if Flock + Cyble can be sued for fraud. There are 5 elements in a fraud:

  Misrepresentation of Fact
  Knowledge of Falsity
  Intent to Induce Reliance 
  Justifiable Reliance 
  Resulting Damages

Cloudflare would have to bring that suit since they were the ones defrauded. The site owners probably can't sue Cloudflare because of their contract. So the site owners probably have to go basic "tortious interference" and be ready to show actual damages.

No, if the site owners have been harmed by Flock + Cyble knowingly filing a false takedown notice then they can sue Flock + Cyble. If Cloudflare's reputation has also been harmed then they could sue Flock + Cyble as well.

Tortious interference with contract, cut and dry.

> Cloudflare would have to bring that suit

At first that seems pretty unlikely, but I could see them wanting to nip this in the bud so it doesn't become more common.


The "resulting damages" is pretty small though, they just had to move off of cloudflare. I'm not sure it would be worth it, especially if the other side doesn't end up paying their legal costs.

They’ve done it twice now.

I’d argue in court that this is a pattern, not a one-off event and the damages need to be large enough to prevent this repeating.

Also, service providers are not identical. They chose Cloudflare because it was the “best” service. So damages include being moved to a worse service.


You would need damages

False accusation of criminal behavior is defamation and in many US states such accusations are assumed to be damaging. No evidence of damage is needed.

Knowingly filing false DMCA claims will also perjure them.

However, ICANN has a whole procedure they follow where complaints are fact-checked, whereas DMCA takedowns put an unreasonable burden on hosting providers that requires immediate action, and many hosting providers will take such action automatically to protect themselves.

I doubt they care about perjury. They care about results, and the DMCA gets them exactly that.

The phishing reports are interesting, providers aren't necessarily required to act as fast on those. Although, I suspect companies like Cloudflare who get used by countless phishers will probably also set up some kind of automated anti-phishing system.


>Knowingly filing false DMCA claims will also perjure them.

You are confusing false claims with filing DMCA requests on behalf of someone you don't have permission from.

>and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed

A false DMCA request is misrepresentation.


Not one single person in the history of the DMCA has been prosecuted for perjury related to filing a DMCA claim.

Cloudflare and Hetzner should see this vulnerability of their own making and DO SOMETHING about it.

Cloudflare is becoming the great firewall of America more and more every day

> But they don't, because the former would require them to perjure themselves, and the latter just requires them to lie to a hosting company.

Doesn't stop anyone with DMCA... DMCA is coming up on almost three decades of being a law, and requires statements made under penalty of perjury.

However many millions (likely billions) of DMCA takedowns issued, who knows how many false/bad faith... I wonder how many have led to prosecutions for perjury, even when filing tens of thousands, en masse...

No need to wonder, the answer is simple. Starts with a "Z" and ends in "ero".


>they would file an ICANN UDRP complaint

Those take on the order of months to go through. Even if they did so, you wouldn't notice until much later. Meanwhile cloudflare and hetzner are faster. If you want to reduce harm by taking down a site you can't just let it stay up for weeks while the ICANN process plays out.


As a youngster, I frequented a laser tag place that issued you an iButton when you registered for a game, containing your player name. When you got into the arena, you would tap the iButton to the laser gun to sign in, so the system knew which gun was in use by which player.

The time is ripe for ALPR-based sousveillance. If these types of countermeasures are outlawed, legislators and police could use a reminder that the legal principle that enables Flock imperils their privacy just as much as ours.

Flock does not just read license plates, it makes a fingerprint of your car. This is far beyond ALPR.

What does this mean exactly? Pretty much any reasonably modern ALPR system also records make/model/type/color of vehicle along with the plate reading these days. Obviously some are better at this than others, but even my Unifi cameras do this these days.

The “secret sauce” of Flock is the extensive nature of the camera network and database correlation.


Directly from the serpent's mouth:

"No more gaps – just evidence.

A license plate is just a start. Flock’s Vehicle Fingerprint® tech turns footage into evidence that solves cases by pinpointing vehicles by make, color, type, and unique characteristics like decals, bumper stickers, and accessories. This capability proved to be instrumental in a recent case in Catoosa, OK where police were able to track down the suspect connected to a mass murder after their vehicle was spotted by a Flock camera."

https://www.flocksafety.com/blog/6-benefits-of-lpr-for-law-e...


So we need color changing cars and we need to make changes to stickers, wheels, and accessories more frequently. It will be like the characters in cyberpunk novels with the odd face paint and stickers that they can change so as to frustrate facial recognition.

“… any substance, reflective matter, illuminated device, spray coating, covering, or other material that can be dynamically altered so that it interferes with the legibility or detectability of a vehicle/license plate pair (“fingerprint”) – or with the ability of a device to determine the vehicle fingerprint and to record it … shall be illegal.”

Some law, any day now.


magnetic bumper stickers are the way to go.

Color, make, model, body damage, panels that are a different color to the rest of the body, wheels, decals, bumper stickers, tow hitches, roof racks, etc., so even if they can't read your plate they can try to build a vehicle identity, and when they do get a plate capture, they can retroactively apply that to all other sightings of the vehicle.

Yep, I have seen it used IDing cars without plates

New baseline expectation that web traffic will be encrypted on the wire: very good!

New de-facto requirement that you need to receive the blessing of a CA to make use of basic web platform features... not so good.


Can you elaborate a bit about what you mean by "the blessing of a CA"?

I agree that it's true that you need a certificate to do TLS, but importantly Let's Encrypt isn't interested in what you do with your certificate, just that you actually control the domain name. See: https://letsencrypt.org/2015/10/29/phishing-and-malware.html


Their policy today is to grant certificates liberally. There is no technical guarantee that this remains the case indefinitely, only a political one. I don't doubt the sincerity of this guarantee, but I wish I didn't have to rely on it.


A big factor is that they are serving so many certs, with only a tiny amount of funding. Anything beyond the most basic pre-written list of blocked domain names is infeasible. Analyzing the content of every single domain would increase their resource needs by several orders of magnitude. That's reasonably close to a technical guarantee, if you ask me.


> That's reasonably close to a technical guarantee, if you ask me.

Until the feds show up like:

  Okay, either you block these domains, or you're going to jail:
  politician-x-did-something-bad.com
  politician-y-is-corrupt.com
  country-z-did-crimes-against-humanity.com
  political-opposition-party-w-homepage.com
  blog-that-mentions-any-of-the-above.com
  ... (rest of the list that works for 10 or 100'000 domains)

I complained about the centralization that reminds me of Cloudflare in another place, but in general the more distributed this sort of infra is, the better. Both for technical reasons, as well as political ones. In general, one can plan around potential risks like "Okay, what if I assume that this infra of mine is actually running in Russia and the govt hates me and I need to migrate."

VPSes and domains are pretty easy to move across country borders (e.g. moving from NameCheap to INWX and from something like AWS to Hetzner, at least for simple setups), less so when you don't control the CA.


Yes, but that's still a pre-defined list. They can't say "block every website mentioning politician x doing bad things from getting a cert", because that'd be impossible to validate.

The feds are left playing whack-a-mole, and getting the right paperwork to block each new domain popping up is probably going to take a few weeks. Besides, at that point they could also force the .com operator to do the same, could they not?

I do agree that it would be better if LE was more distributed, though. Having a legally-independent second nonprofit running the same software in Switzerland or something would prevent LE from turning into a massive target for the US government.


Why would the feds bother with Let's Encrypt in this situation when it would make way more sense to just go to ICANN and get the domain names unregistered? They already do that all the time.


I agree that technical guarantees are better than policy guarantees.


That's not new, LetsEncrypt just didn't solve it. And if you think this is the only single point of failure in the stack, I have news for you.


It's absolutely new. No HTML5 features were restricted to secure origins only pre-LE. Today, many are. Google was able to push these requirements in large part due to Let's Encrypt's success making secure origins ubiquitous.


The order of events is a bit more complicated than this.

Google initially proposed restricting powerful features to secure origins back in February of 2015 (https://web.archive.org/web/20150125103531/https://www.chrom...) and Mozilla proposed requiring secure origins for all new features in April of 2015 (https://blog.mozilla.org/security/2015/04/30/deprecating-non...). Let's Encrypt issued its first certificate in September of 2015.

This isn't to say that these two things are unrelated: Mozilla obviously knew about Let's Encrypt and we considered it an important complement for this kind of policy, and at least some people at Chrome knew about LE, though I'm not sure how it played into their thinking. However, it's not as simple as "LE happened and then people started pushing for secure origins for new features".


I'd also argue, very necessary.

A lot of the new APIs have to do with accessing hardware. Camera, microphone, serial ports (currently experimental) etc.

Given how easy a MITM attack to inject JavaScript or HTML into insecure pages is, a world where insecure pages had access to hardware makes that hardware very vulnerable.

Even though all you'd be doing is reading some random blog etc.

To those who still think serving HTTP is some sort of principled stand, just be aware that injecting malware onto your page at delivery time is pretty trivial. Quite honestly, and I mean this in a constructive way, it doesn't signal "principles" it signals "incompetence".


Kinda hear you, but DNS is a defacto requirement as well. Neither DNS (common TLDs) nor any of the major cert vendors I'm aware of ask you your site's business before issuing.


>ask you your site's business before issuing.

Because they want your money. If they ask you after, they get to keep your money.


> The AI Act applies to you [...] regardless of where you’re based

By what mechanism? Extradition?


> compared to a riskless VOO

Where do I get some of this "riskless" VOO? My broker only seems willing to sell me the regular, risky kind.


I would bet Congress passing legislation to backstop VOO (like they have time and time again) is much likelier than legislation to backstop NANC.


RIRs don't prohibit out-of-region use of IP addresses or ASNs registered in their region. The country an IP is registered in is not necessarily the country it's being used in.


And they are routinely used in exactly this confusing fashion.


If I buy a $1000 bond with a 1 year duration and 2% coupon for $950, realizing $70 of net income from it over the following year ($20 coupon payments, $50 "extra" principal return), has the government paid $20 or $70 of interest?


I'm not sure there's a significant difference in practice, but technically the $50 would be part of the bond's debt principal, not interest.

A bond with a face value of $1000 means the government has $1000 of debt regardless of what is paid for the bond.

The coupon payments represent the "interest" on that debt - the $20 coupon means the government is paying $20 of interest per year.

Paying below face value doesn’t make the difference "interest." It simply means investors are buying the bond at a discount, so the government receives less cash upfront in exchange for repaying the full $1,000 at maturity. Bonds differ from traditional loans in that their market price can fluctuate, but the debt obligation remains fixed at the face value.

In practice, the government's accounting labels the discount as an "interest expense", so it still gets captured as interest in the budget.


That's a reasonable interpretation from the Treasury's perspective. But if you ask the IRS, I've realized all $70 as interest income ($50 as OID, which they consider a form of interest).

(And yes, coupons pay 2x yearly, but they are quoted on an annual basis; I would receive two $10 payments.)


For the IRS, would the person who sold it to you at a loss of $50 be able to harvest that $50 loss? Thus, overall, there was only $20 of profit?


Yes, secondary sellers can claim capital losses. But they typically go for a discount even at the primary Treasury auction, so there's still more than $20 of total profit after netting across holders.


Whoops, I haven't worked with bonds directly in a bit and forgot the coupon rate was split across payments.


Only allowing government repurchase makes the system vulnerable to corruption - make a backroom deal with a government official and extract a promise not to buy, then declare at $1. A system where anyone can purchase the property at the declared value is more robust.

https://en.wikipedia.org/wiki/Harberger_Tax


It should be noted that SFMTA, the alleged victim of this website, uses a network of 400+ Flock ALPR cameras to track the movement of every vehicle in the region. They're able to do this not because of some special agency authority, but because it's legal for anyone to surveil public areas.


Well, maybe they shouldn't either?


How is that relevant? Do they publish the exact location of every vehicle in real time?


They keep that data for themselves, they don’t even tell you how much data they have on you.

Why is it unfair that they also be tracked?


It might be fair, but is it a good idea? What you are doing is justifying something you wouldn't agree with because it targets people belonging to an organization doing the thing you don't agree with. That can be problematic because

1. They now can say 'well it is done to us why can't we do it to others' instead of engaging with real arguments about using ALPR flock cameras to track people

2. You assume that a person working for an organization is automatically complicit in the decisions of that organization and is therefore fair to be targeted by systems you don't want targeted at yourself -- this is fine when in war or other struggles deemed worthy of placing aside normal human morality temporarily, but is this one of those?

3. This type of thing can turn into a race to the bottom where each side escalates compromises of their basic value systems


The police as an organization do not care about engaging with you in good faith and are far past a race to the bottom regarding surveillance.


A race is composed of more than one party.


Don't worry, urban police departments will find the bottom as fast as possible without anyone else's help. You're not "racing" by joining them.

