Yeah POCSAG is not encrypted here in the UK. You can still see all the emergency information from around the country unencrypted in realtime. They even broadcast the details of the emergency and a lot of times it's not nice. You do/did get some bird watching sightings though!

This is still the case today in the US, plenty of pager systems run POCSAG or near equivalents. There is no conditional access or encryption of any kind. Receiving such signals is notionally criminal, but I'm unaware of any prosecutions for such a thing.

[dead]

> For that to be in anyway useful for those companies (as a means to spy on their competitors), they'd have to be actively looking into the information to derive intelligence. Not really practical without some serious engineering, which would leave tons of evidence. It's not worth it. That's just not how these companies operate.

Was thinking about this as well. What evidence would it realistically leave? I mean - they are sending the uri's by default so no client side reverse engineering is needed. They say plainly they are doing this.

Yes, it's a lot of traffic.

IP spaces are well known. Easy to filter for corporate traffic. From there, it's a smorgasbord of internal URI's to dig through - anything with no domain name, or host.(companyname).com traffic. Also easy.

Maybe this ends up in a big data lake queryable by certain groups, but not anyone likely to spill the beans. NDA covers you there. This is not New York Times level corporate subterfuge. It's almost certainly not legal - and this is the important thing - the regulators haven't had the gumption to prosecute anti-competitive behavior in earnest since the 70's or earlier. What Microsoft went through in the 90's in retrospect was antitrust litigation with kid gloves on.

This armchair analyst sees no downside to such practices. Risk, but so little it doesn't matter.

Sure, insiders could spill the beans and violate their NDA's, but who the fuck is going to do more than levy a slap on the wrist for something too difficult to explain to Congress in a way that gets them to care?

Now, I think if you actually put your hands on the browsing history of congressmen harvested in this way, and put it into the public domain, you're going to get a bunch of regulators to all of a sudden care about antitrust enforcement again.

That's what we have AI for. This type of thing is no longer a manual or manually-automated process.

I mean, realistically, yes. But you'd be surprised sometimes pretty technical folks who just use whatever is installed when their work machine for whatever reason runs Windows.

Indeed. And they are trying to find sneaky ways to get you to back up more and more data there.

They do have privacy policies which say they won't sell that data, or use it for advertising or anything other than delivering the service. But - who knows if that is true? There's no oversight. And if they get caught breaking that privacy policy, who has the appetite these days to do anything meaningful in terms penalties? Nobody.

Why? I thought we are now clear on OpSec?

Dani DaOrtiz is one of the best at that. He sells instructions for all his tricks, but he's so good at performing them that they still feel like magic even if you know what he's doing. His appearance on Fool Us¹ is a series of excellent examples of that. He palms a card onto the box, and Teller's reaction when he misses it happening is astonishment because it's such a simple move to spot but done so well Teller missed it despite looking for such moves. That continues as the act goes on, until both Penn & Teller are left experiencing only the joy of the performance & awe at Dani's skill. None of the techniques are ones they don't know about, but Dani does them so well they didn't even try to figure out everything he did, since they knew they'd have to guess what he'd actually done! Penn later described Dani as "the best card magician who has ever lived"².

The best magic tricks tend to be the ones where knowing the secret doesn't ruin the trick, but instead changes it to a show about the skill of the performer. Nobody complains about "spoilers" at a virtuoso's concert, the joy of the performance & the skill of the performer are not ruined by knowing the music beforehand. I think the same can apply to magic, to books, to movies, etc. You can re-read a really good book, or re-watch a really good movie, and the experience won't be ruined by knowing the ending. It'll be different, but not worse. With magic the awe shifts from "how is that possible?" to "how did that person manage to put in the effort to do that so well‽".

¹https://www.youtube.com/watch?v=5_KcQt0z-eE

²https://www.youtube.com/watch?v=NdxT3BL_Iik

I think I respect Penn and Teller as magicians more since they reveal how some of their tricks work, and yeah the sheer amount of skill required is for some of their tricks is impressive.

I also liked watching The Masked Magician share some behind the scenes of tricks, and even knowing how it's done doesn't make the trick any less impressive.

You should hide the secret if it’s ugly, but you can expose if it’s beautiful (and it’s your trick!)

Correct. That is what almost all geostationary satellites are. If you want encryption, do it at the application layer.

Really depends on what the satellite does, and even for purely "dumb pipe" satellites you'll need some telemetry for stationkeeping, repositioning etc.

Practically, you'll also want to be able to reconfigure spot beam to backhaul mappings or even cross-connect some spot beams to cut satphone-to-satphone voice latency in half etc.

That's not even considering constellations like Iridium that do actual packet switching in space.

That seldom works. Simple repeaters transmit the strongest signal they get and can be easily hijacked by a rogue ground transmitter. This is the main reason simple repeaters on orbit went out of fashion in the 1980s.

They could compress then encrypt before transmitting it over a radio link.

Who currently gets fired due to engineering malpractice? It would be the same thing if there was actual certifications and engineering sign-offs in cybersecurity or other critical areas of development.

I wont pretend that accountability in the physical engineering world is all smiles and rainbows but at least there are actual laws dictating responsibilities, certification and other real consequences for civil engineers. When a Professional Engineer in Canada signs-off (seal) on work they are legally assuming responsibility which means the practitioner could be held accountable in the event of professional misconduct or incompetence regarding the engineering work. There is no reason but corporate greed and corruption why there isn't similar legislation in North America for cybersecurity or software engineering where you have professional bodies certify people to be legally obligated to sign-off on work (and refuse work that isn't up to standards).

But this would require introducing actual legislation which god-forbid how could we do such a thing to the poor market! It would stifle their innovation at leaking everyone's data.

There's no reason we couldn't extend the same existing system of licensure [1] that professional engineers require.

Sure maybe its overkill for someone stringing together a python app, but if you're engineering the handling of any actual personal information then this work ought to be overseen by qualified, licensed and accountable professionals who are backed by actual laws.

[1]https://en.wikipedia.org/w/index.php?title=Regulation_and_li...

If you fire people for stuff they didn’t maliciously introduced you will end up with no people to work with.

Imagine jailing doctors for every patient that died you would be out of doctors quite soon.

>this must mean the consequences of such a breach has either not produced any visible damage

Yeah lets say you were carrying unencrypted frames for Bills Burger Hut.

The largest extent of the damage might be sniffing some smtp credentials or something. Bill sends some spam messages, never figures out how it was done but their IP reputation is always in the toilet.

Lets then say instead of Bills Burger Hut, you are carrying traffic for critical mineral and food industries. The attacker isnt a scammer, but a hostile nation state. Customer never realises, but theres a large, long term financial cost because (TOTALLY NOT CHINA) is sharing this data with competitors of yours overseas, or preparing to drop your pants in a huge way for foreign policy reasons.

No one gets fired until after the worst case long term damage, and even then probably not.

In fact, the likely outcome is that the burden gets moved to the customer for L2 encryption and the cowboy never changes.

Or, the entity being damaged is not the decision maker and has no power to hold the decision maker responsible.

End user license agreements are a huge part of the problem. Ideally users could sue if our data is leaked - and the threat of being sued would put pressure on companies to take security more seriously. Ie, it would become a business concern.

Instead we're constantly asked to sign one-sided contracts ("EULAs") which forbid us from suing. If a company's incompetence results in my data being leaked on the internet, there's no consequences. And not a thing any of us can do about it.

Or the damage is diffuse whereas the costs of preventing the breach would be concentrated. Or the connection between the damage and the breach is difficult to prove.

Depending on the spot beam size, the only thing you'd always learn is the ground station's rough geographic location.

Anything else could be masked by metadata encryption, rotating lower layer identifiers, and cover traffic. Not sure if any actual protocols do that though.

It would not be perfect, but it wouldn't be purposefully shooting oneself in the foot.

> Panasonic told us that enabling encryption could incur a 20–30% capacity loss.

Wow, I guess they're still betting on customers sending tons of redundant data up/down that they can shave off via compression? That's such a 90s modem thing to do. ("Faster than 56 kbit/s!!")

Space-faring electronics aren't exactly cost-sensitive - the cost of a cluster of crypto-accelerated CPUs or rad-hardened FPGAs is peanuts compared to the human and launch costs that go into these satellites.

Wireguard uses ChaCha20, which to my knowledge neither has nor requires HW acceleration to be fast.

I don't know if you've ever tried to actually use in flight wifi, but any traffic not subject to inspection is heavily throttled to the point of being unusable.

ESNI is also a technology in search of a problem. It does not provide any meaningful security benefits.

Yes they are trying to be cheeky, but missing the mark.

Pine Gap is a large facility for collecting data coming down from our own satellites.

Foreign satellite collection in Australia happens at two other facilities: https://en.wikipedia.org/wiki/Shoal_Bay_Receiving_Station https://en.wikipedia.org/wiki/Australian_Defence_Satellite_C...

You'd have a long walk to get to Menwith Hill.

No, that was after, and it made it easy, but before google many people said there was no point "because their site wasnt sensitive". Those people didn't care about let's encrypt or how easy it was, they just didn't find a reason to do it. Google gave them a monetary reason to do it.

I have a more cynical view of the reason.

It is to protect commercial interests, I don't think that Google cares about the NSA looking at your personal data.

Google cares a lot about protecting the personal data they get from you, so that they and no one else can get it, at least not for free.

Because let's get real, 99% of the time, why do you need encryption? The reason is commercial activity. It is really important to protect your credit card number, otherwise no one would trust e-commerce. For paid service to work, you need to authenticate, and it means encryption, no paywall means no authentication and much less need for encryption. And even with "free" services, you need encryption to protect the account that shouldn't even be required in the first place. As for general communication, my guess is that hackers and governments alike are more interested in financial data than in casual conversation.

So by pushing TLS everywhere, Google is actually pushing for a more commercial, less open web. That it helps with general privacy (except against Google itself) is just a happy accident.