Exactly. People often forget that Congress can only exercise a limited domain of enumerated powers. The big one is regulating Interstate Commerce, which is already huge because of how interconnected the country is today, and is even bigger because of creative stretching of its reach (did you know that the Civil Right's Act's ban on discrimination by businesses is within Congress's Interstate Commerce power, because somebody might patronize your business from out of state?).
Anyway, I suspect Bob Hacker has a strong case that such a law as applied to himself would be beyond the scope of Interstate Commerce. Until he tries to sell or make his OS widely available, at least.
Given how broadly the commerce clause has been interpreted I don't think we can rely on that to save us here. Criminalizing Bob publishing his OS on GitHub is still too authoritarian for my liking.
Just off the top of my head, something like "physical hardware with web access sold in the US without an ID check at the checkout counter must include this feature in its preinstalled OS" would be a better way to write the law in my opinion. Plenty of ways around it if you're a hobbyist or for some reason really don't want to comply, but a big enough hassle that all the major commercial OS providers would probably find it easiest to just include the feature. (Especially since this is a feature most parents would probably appreciate anyway.)
why do you think any court in MAGA America would allow this?
we know, for sure, that Clarence Thomas takes bribes. You think Facebook wouldn't cut him a check? Ditto for plenty of other Trump-installed justices on all levels.
If your child needs a helmet to use the internet, as the politicians announcing HR8250 seem to think[1], Apple or whomever is free to offer that as a feature. There is no need for this to be legislated, especially when the legislation does not work in open source environments.
[1] Not hyperbole. They said that. It was an analogy, but one that highlights how ignorant of the technology the authors of these bills are.
It means you have the option to not save transcripts in the first place, or have a deletion schedule. There's no tampering because there was no evidence to tamper with. Authorities show up after the fact.
In theory you can have the same on incognito sessions (never stored, that's part of what Italian privacy regulator forced on OpenAI to do) and same for right to deletion as per GDPR.
This is like cutting off your nose to spite your face.
"Meta bad, so government good" is an oversimplified model that will cause you to wake up and suddenly realize everything has changed for the worse anyway.
Most hackers actually keep their promises if paid the ransom, nowadays.
It sounds perverse but the incentives require it: if payment didn't bring resolution, no one would pay. As a result, all of the big gangs avoid scamming.
That was the state of play in 2015 as well. In the absence of a claim from the group otherwise, I wouldn't be surprised if they simply couldn't get it to stop (on a technical level.)
Way back when, it was a pretty common screwup to accidentally saturate the nodes you were packeting from. So then your C&C couldn't get them to respond, either. Oops.
Seems like there is an achilles heel for this business model: A "good guy" could start hacking companies, demand ransom while pretending to be one of the gangs, and then deliberately continuing the attack after the ransom is paid. Precisely to destroy this business model. The gangs would be fuming but there would be nothing they could do? Apart from trying to track down the "good guy" or introducing some sort of (cryptography based or whatever) proof-system that a hack was made by them?
"Chaotic good" guy, yes, but it's easy to know what groups hacked a company because the groups have their own blogs with known addresses and published victim lists.
If someone claiming to be LockBit hacked you, and you're not on the LockBit blog within a week, it's probably not really LockBit.
>Most hackers actually keep their promises if paid the ransom, nowadays.
I don't think that's actually true, or at least is certainly cannot be taken for granted. Instead, it appears ransom has followed more of the path of Silicon Valley VCs:
.It sounds perverse but the incentives require it: if payment didn't bring resolution, no one would pay. As a result, all of the big gangs avoid scamming.
What you're describing is the expected Game Theory outcome over long periods in an iterated game. This works as long as the payment amount is towards the <salary> side of the potential payment spectrum, where each payment may well be decent money for the work the ransomers put in but not so much that they don't need new ransoms. The problem comes if/when the absolute amount of payment moves from "salary" to the "Exit"/"Retirement" side of the spectrum, ie, heads into what VC would call "Unicorn" status. At some level of money it reaches the point where the ransomers need never work again in their lives, it's enough money to get out of the risky business and live off of it indefinitely. It's now no longer an iterated game but a single game, and in single games defection can be rewarded. It no longer matters if reputation is burned, on the contrary it might be the moment to cash all accumulated rep in.
I think in general, both on the bright and dark sides, this sort of "phase change" in a given market space is worth trying to keep an eye out for because it can result in significantly changed behavior "out of nowhere" that can head in ugly directions very fast.
This is the one thing that risks getting the law struck down by a court.
reply