Reflections on Brilliant Digital: Single Points of 0wnership
nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if successfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?" Updated by HeUnique: use these instructions to remove the Brilliant part.
Here at work I pointed a couple of coworkers toward the previous articles on Kazaa. Their response, you might ask?
As long as I can get good download speed and have a large mp3 base what do I care?
Does this type of thinking occur elsewhere? I thought I worked with some bright people, but they seem to think of their machines as black boxes, and if they work, great.
sigh.
If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
MS has been doing this for years, many tools check for updates and install them.
I noticed Need for Speed Porsche did this too.
These friendly autopatchers could all be hacked.
This is a serious risk with new subscription based services too.
Maybe we could "attack" everyone with Outlook Express/IE patches, so we finally stop receiving all those self-forwarding worms in our e-mail.
The difference is: we TRUST the owners of the root servers to keep their systems secure. The owners of KaZaA don't have the same track record.
Ok, from what I understand, Kazaa is going to be attempting to get their users to give up their spare CPU cycles to help drive advertisements and other income-based projects for Kazaa?
Ok, not only would this concept be likely considered unwelcome even by casual Kazaa users, but think of all the other possibilities for an already heavily established (as those things go) P2P app like Kazaa...
In other words, they could try to get their users to share a distributed computing project working towards, say, the cure of a deadly disease or other medical project, then give ( or sell, which would be more likely) the results to whatever foundation would actually be able to use the data?
That way they could make money, a name for themselves, and generally the rest of humanity a bit happier.
Palaces, barricades, threats, meet promises
From the article the other day on root DNS servers.
For the "internet" to be greatly affected multiple root servers must be brought down.
"The DNS is built so that eight or more of the world's 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN)."
I think I understand their plan now:
1. Plant stupid spamware on a gazillion computers worldwide
2. Head for a small island state somewhere in the middle of the Pacific Ocean and start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!". A gazillion children addicted to warez, pr0n and AIM complain to their respective parents, who demand action from their governments. Governments pay up.
3. Profit!
Then again, governments do have armies with guns and ships and stuff so things might get messy in the process. *shrug*
Interesting article. I think it effectively shows that Brilliant Digital -- along with just about 95% of our industry -- needs to learn that they can't just shove software down people's throats. Most interesting to these companies should be the legal liability questions raised.
I'd expect these companies to start adding stuff into their installation legalese with something to the effect of, "You agree not to reverse-engineer anything we might be doing with your computer. You agree to sit back and relax while we adjust the horizontal and vertical"..
Perhaps the whole situation isn't as bad as it seems. Having read the article, one would realize that the author only hypothesizes on whether or not the network is secure. Brilliant could have implemented all the things that he questioned as insecure. This is not a review of their technology, but rather a blatant guess at how their technology will work.
With the ability to remotely control a user's computer built into Windows XP in order to provide "tech support", isn't a good portion of the world already vulnerable to a well-written worm? See "Remote Assistance" at http://www.microsoft.com/windowsxp/home/evaluation / eatures.asp.
libertarianswag.com
For the "internet" to be greatly affected multiple root servers must be brought down.
Or just one has to be hacked into and have the IP addresses rerouted. Really, do you think people check to make sure they're using https when they connect to "www.chase.com"?
You know, EULA or not... what Kazaa did is slimy. VERY slimy. They deceived people into installing something and giving up something they know people will not realize they are giving up. It is deception, whether it fits the legal definition or not.
I'm realistic... most people do not know or care of the difference, but they should.
So my question is...
What can we realistically do in order to force a bit more honesty in software providers?
DDoS attacks could kill major backbones.
Need for Speed isn't installed on 10 million PCs. And, unlike Kazaa (I refuse to type that #$%@ capitalization), it's probably not running more or less 24/7 on a good percentage of those boxes.
True, windowsupdate.microsoft.com is a big fat target too, but at least that was designed primarily with security in mind, and AFAIK it hasn't been hacked yet in the 4 years since it was introduced. Also, Windows Update will NOT install anything without your explicit consent. (Now, as for Windows Media... it says right in the EULA that MS reserves the right to update your codecs without your permission, at the very least...)
I think that MS Windows and MS IE are installed on millions of PCs.
They may not be mostly on high speed connections, but who cares, there are just so many of them it could cause HUGE messes.
But I thought they were on the FastTrack...nevermind.
If I were part of Brilliant Digital, I would be bracing myself for lawsuits. The first DoS attack that comes from someone taking control of their trojans will open them up for big legal liability.
No matter how many "We will not be held responsible" statements they have in their license agreement, they won't be held harmless from the damage done to a third party.
When you think about it, any program that automatically goes out and updates itself could be a problem if a blackhat is able to fool the client into installing the blackhat's update.
The race isn't always to the swift... but that's the way to bet!
As such, all three proposed usages: Secure and secret storage, secure and secret computation, and secure content delivery, are all inherently flawed.
This is all too true. Therefore, given Brilliant Digital's wicked corporate pedigree, we conclude that they must have a secret, sinister master plan that they're not telling us about.
They've been clever enough to use evil plans as a smokescreen - the plans they've described are just wicked enough that you might believe that they really are brilliant digital's brilliant evil plan. This means that the real evil plan must be extra... brilliant.
Basically, we can divide the possible real evil plans into three categories:
1) Defense related. They're going to hack into NORAD, and hold the world hostage from skull island. The fact that this is physically impossible (because NORAD isn't connected to the public 'net, and so on) never stops Dr. Evil, so it shouldn't be a hindrance for Brilliant Digital.
2) Biblical. Enumerate the billion secret names of god, conjure forth their lord and master, Satan himself. You all saw Warlock, right? Like that.
3) Astronomical. I know that if I had the computing power of fifteen million consumer-level CPUs at my disposal, I'd use it to pull the moon into the earth. 'nuff said.
Either way, we're talking countdown to doomsday, here, and only one man can stop them. I hope Brilliant Digital CEO Kevin Bermeister's mistress is played by Zhang Ziyi; she is so hot.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
...for slashdotting his own site
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
So you want security through obscurity?
By going public, and as a neat bonus having /. place the story on the front page, Nicholas Weaver is essentially forcing the people behind Brilliant Digital to fix their security problems ASAP.
If this guy figured it out, don't you think there's at least a moderate chance that some |33 h@x0r figured it out as well?
If they choose not to do anything, Brilliant can't claim that they didn't know about it if/when some |33 h@x0r hijacks 2 million computers and wreaks havoc on every single US government site just for fun, and they will (or at the very least should) be held accountable as aiding and abetting terrorist activities, by not fixing the problems when they had the chance.
Security through obscurity is like not telling the world about AIDS. There's no cure for AIDS, so there's no need to tell people to be careful, because that would not cure AIDS.
We do not live in the 21st century. We live in the 20 second century.
How does it affect me, when I haven't installed the program?
The answer to this question is painfully simple: You are connected to and attempting to use the same network. Internet users, Slashdot readers especially, should appreciate the effect that (tens/hundreds of) thousands of "other people" can have on such a network.
" You're telling me that if they get hacked, the entire Internet is at the mercy of the hackers. Why is that?"
Because the actions of millions of compromised machines have the ability to bring Internet traffic to a standstill. Millions of boxes, spread throughout the world, all participating in a coordinated DoS attack, would be, as the article states, "unstoppable".
Comments should be like skirts. Short enough to keep your attention, but long enough to cover the subject
Actually, I would hope this does happen. Why? Because it would put the frighteners on FUTURE SPYWARE being installed and FORCE a GOOD SELF-DISCLOSURE POLICY STANDARD.
It would kill EVERY SPYWARE ON THE PLANET.
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
c|net has an article on removing this stuff, and Kazaa will still work afterwards. Not much info besides go to Add/Remove Programs and remove b3d, but at least they list what files should be removed.
"Karma can only be portioned out by the cosmos." -Homer Simpson
no, no, no. You're missing the point.
If I compromise and poison D.ROOT-SERVERS.NET, it remains poisoned until the next push (twice daily). Anyone who does a DNS lookup, on average, refers to D.ROOT-SERVERS.NET once out of every 13 lookups, and therefore is subject to poisoning 1 out of 13 lookups. You'd never know, except when goatse shows up on your screen instead of microsoft.com ;)
There is no system in place (at least, publicly known) whereby the root servers (or other major internet sites) compare the root servers' databases. They are simply trusted as "correct."
Poisoning the master (A.ROOT-SERVERS.NET) would be even more disastrous, since, on the next push, it would corrupt the remaining 12.
Similar end games exist for poisoning the trusted certifying authorities (root CAs) for RSA certificates. In the end, you have to trust something, and that something needs to be secure.
Just to make people aware that the trojan is also distributed with other FastTrack browsers such as Grokster. It is not just confined to KaZaa. I've never downloaded or installed KaZaa but I am running Grokster (with the spyware removed and a dummy Cydoor DLL in place) and I was infected as well. If you're running Grokster, check out your Windows directory. If there's a folder in there called BDE and you aren't running the Borland Database Engine, then you're infected as well.
Input error. Replace user and press any key to continue.
What about the Red Hat Network? I subscribe 'cause it makes my job as admin SOOOO much easier - but the RHN largely consists of servers with BIG, FAT PIPES.
(Who'd use RHN over a modem line!?!?)
Seems like this also might be an excellent point from which to launch a big DDOS attack, no? How closely does RH watch their servers?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
The A.ROOT is the master of them all. That's the one that they _really_ worry about, and the one referred to in that article (with all the security, etc.)
If it gets corrupted, even accidentally, the results would be disastrous. Although, I'm sure as soon as they realized it's been hosed, they'd cancel the next push (to the other root servers, keeping them "sane") and take the A.ROOT offline.
The A.ROOT is updated manually by Verisign engineers, after (I'm sure) meticulously checking the new database for errors. There's no room for a cronjob here. The database is generated on several other computers housed in that secure facility, compiling the changes from the various ICANN registrars around the world. Each registrar's changes are checked for consistency and compliance (the .au registrar can't change .com entries, etc.)
cheers.
Kazaa is on *millions* of computers. That is infinitely more bandwidth and computing power than most script kiddies ever get access to with their DDoS attacks. If someone executes a successful hijack of all those machines, they aren't going to be taking down an IRC network... they are going to go from backbone to backbone, and more than likely, successfully flood them.
Time for some tasty Shiner Bock!
I'm not terribly surprised that the Windows Update site was hacked; I know Microsoft's security holes perhaps a bit too well (see my other post to this story.) What I meant was that to my knowledge, Windows Update has never been "taken over" in the manner described in the article.
If they get access to 1, 10, 15, or 20 Kazaa clients for hijacking, why couldn't they get the other millions that are out there? I would be willing to bet that someone from almost every ISP on earth has downloaded Kazaa... at least one of their customers has it... so when it starts going into DDoS mode, are you going to ban everyone's ISP out there? Or just a few million IPs? Neither one sounds workable to me.
If someone actually pulls this off, they more than likely won't attack individual websites; they will attack major providers, with millions of attacks, from IPs scattered around the globe, and more than likely from many many many ISPs.
Early 90's, the (usenet) world was shocked by the fact that somebody abused the network to send spam.
Early 00's, the (slashdot) world is shocked by the fact that people don't care about installing spyware / trojaned software.
Be afraid, be very afraid.
bash$
The internet has been relatively insecure since day one. It's no one particular company's fault or one particular person's fault. The internet protocols weren't originally designed to prevent massive DDoS attacks. It wasn't designed to be particularly secure on the individual machines because when it was originally created, the network was secure by the fact that every computer on it was known. The number of computers didn't extend into the thousands, probably until the 90s, and even then, it was about 98% educational institutes, DOD, and companies.
Any competent programmer, familiar with several TCP/IP protocols, and TCP/IP programming, could easily bring the internet to a grinding halt. The fact that it hasn't happened in years (1988 with Robert Morris' infamous internet worm) is what astounds me.
Come on. Look at the page. There are no banner ads or images. It's all handwritten HTML, totaling up to less than 8K of static content! The guy probably designed the page to withstand a slashdotting. Control-V posts are helpful in some cases. Like when the site requires "free registration", or when people are actually bitching they can't read it and you have it in your cache. If this particular Control-V gets modded up, it's proof that the moderator hasn't even tried to read the article.
I have seen TrendMicro's PC-Cillin d/l executables before.
So, while Brilliant Digital is out of line and while Weaver makes good points, the reality is that this threat has been around for a very long time.
For that matter, have you considered what might happen if someone 0wns the Akamai system?
Linux is UNIX.
You are blatantly ignoring the context of "How does it affect me". The intended context is: Does it directly compromise my system and my data? The context you address is: Does it affect remote resources that I'm accustomed to having access to?
The article summary implies the former: direct compromise of a system. ("Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service.") If it's actually implying the latter remote resource issue, then it's irresponsible reporting.
And, I agree with the first poster. There's no evidence to suggest that assuming control of Kazaa machines gives access to non-Kazaa machines.
So, basically, they inadvertently created a cluster that can be hit and effectively screw everybody over. /. points to this report and hypes the reward for the attack.
:^)
Then this guy announces that he's found the cluster and that the reward for hitting these servers is beyond that previously imagined by HaX0rs.
The
Are we just begging for the |33 to attack?
Quit wasting your time on Slashdot and get back to writing those IIS security patches.
Why would you expect that? Recall that Windows Update got infected with Code Red, even though a security fix was available a month earlier...
To within half a percent, pi seconds is a nanocentury. -- Tom Duff
Since installing Ximian is "conveniently" performed by running "lynx -source http://go-gnome.org | sh" (as root, of course), what happens when someone registers go-gnom.org or similar typos? (Credit to my brother for thinking of that one.)
Now I did issue the above command, but ensured that the DNS records were compliant and my local DNS server reported the same distant end IP as the authoritative one for the domain, but I doubt many folks do the same.
Also, when installing packages via RedCarpet (again, has to be done as root), what are the cryptographic signatures checked against? (Note: I haven't even researched this. Just typing off the top of my head...) I would hope that the proper response from GPG is hard-coded in the red-carpet binary...
Basically, I think that a lot of new update technologies are vulnerable to this - from windowsupdate.microsoft.com as mentioned in the article to more trusted (by this community, anyway) sites. Semi-automatic updating is great, but it still takes people at the keyboard to think before they do something. Not likely to see a widespread change in that mentality for some time to come.
Erm... It meant exactly what it said.
Actually, I thought it was quite amusing (in a poignant kinda way)...
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
For the "internet" to be greatly affected multiple root servers must be brought down.
DON'T WORRY! If the DNS servers go down, you can just fire up your friendly MSN Explorer on your Windows XP box, and surf on over to Netsol.com. Then select the tab named "Whois" and type in the website that you want - you then can get the IP address of your favorite Microsoft website.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Well, the guy is most certainly smarter than me. I do respect him. However, rant is rant, despite the velvet on the emperor's robe. The whole text is nothing more than a rant, and conjecture. I hope his thesis papers are not written this way. It is sad when people, with good intentions, discredit themselves in this way. People don't know what they don't know. And nobody knows anything about Brilliant's sneak-ware. For him to create a thought-experiment of what he believes to be true (or false), and rant about it, doesn't afford him any credibility. So until he actually disassembles the Kazza sneakware, there is nothing to write about. The only good part of the text is his questions to ask about Kazza. The rest is hot air.
It isn't a lie if you belive it.
....too bad I can't mark this one as insightful... 'cause you're right. I hadn't really looked at it that way.
We do tend to idealize the past beyond its reality. Still... apathy harms.
Automagic updates are all well and good, as long as there's good authentication, preferably good encryption, and at least some amount of "Hey, User, you want to install this?" with the default being [Yes], not no, and of course a pointer to more information.
Brilliant here has (apparently?) done away with all three. They just do it (like Nike), and from the sound of the article, they are not even very secure about the way they do it.
The reassuring thing (for the moment) is that so far these tactics of behind-the-scenes trojans have been confined to leaf nodes - to my knowledge, no routers etc. have had this kind of shit happen to them. As long as the major routing backbones of the internet never become 0wned, there's a modicum of hope for restoring order to the network (banning IPs at the fringes of the backbones until they shape up?) should an emergency occur (banning IPs always scared me, so I don't necessarily like that solution, but it's the easiest and the one that jumped to mind first. I'm sure people more clever than I can think of better ones).
OTOH, 1M fringe nodes can, as the article says, be unstoppable. If somebody were truly evil and wrote a decentralized worm (never called home, only talked with other copies of itself), it would be incredibly hard to stop such a beast, and the DDOS commands could be given in an anonymous, untrackable way (can anybody imagine the worms playing Dining Cryptographers? ^_^) [Dining Cryptographers would be anonymous as long as the line wasn't tapped. And I'm sure with some good encryption over the links, it'd be anonymous for all practical purposes anyway.]
Y'know, as bad as it'd be, I'd want to see such a worm (just its source, I *swear* - I'm not about to go risking the internet's well-being - you have to admit it'd be an interesting read). Maybe the vx community has something similar as a proof of concept?
-Knots
Anarchy$ dd if=/dev/random of=~/.signature bs=120 count=1
Today everyone, no matter how smart, is submerged in a tide of information. The only way to survive and get anything out of it is to filter it. But how should one construct the filters???
Don't pat yourself on the back too hard, just because you understand computers. There's a lot more to this civilization than computers. And the rest is just as important.
All I've been able to do is demarcate a small area that I try to understand, and try to find other people that I trust to understand other areas for me. I don't know of a better method, even though that one is clearly flawed. Note that this is the same technique that almost all people adopt.
One of the critical flaws in the process is:
How does one choose trustworthy authorities? I sure don't have an answer. The best I can do is pick people that I don't know to be wrong for reasons that are unknown or unacceptable to me. This isn't great, but it's something. One of the good points about this system is that it distributes authority (I see centralized authority as inherently evil: consider that the central authority will have the same limitations [mentioned above] as anyone else, and the people that the central authority chooses to trust will have every motivation to give self-serving advice [as long as they aren't caught at it.])
I think we've pushed this "anyone can grow up to be president" thing too far.
The Brilliant client gets executable code downloaded from the Brilliant servers and download of the code is under the control of the servers, not the client. If someone got control of the Brilliant servers they could download code to your machine that either used your access or exploited a security hole to gain admin access and completely compromise your machine. It could then set up a server like Back Orifice and wait for orders.
Scenarios like that are one reason I refuse to install software that does things under the control of someone else's servers. I can control my machine and what I do; I can't control their servers and what they do, and if I don't have control I have no way of ensuring that nothing happens that breaks security.
I say hit 'em, and hit 'em hard...let them know what we think.
To paraphrase Malcolm X,
We didnt land on your advertising, you crammed your advertising down our throats without asking, bitches
Beer, now there's a temporary solution -- Homer Jay S.
Instead of following HeUnique's instructions to get rid of Kazaa's spyware, try this:
;P
DON'T INSTALL IT TO BEGIN WITH.
tempest303, continuing his crusade to troll people that think fair use means never paying for media.
The Free desktop that Just Works
There's no need to take over the Brilliant servers. An attacker should be able to do it all from any suitably modified Brilliant client.
If someone writes an effective Brilliant-based attack, it might contaminate most of the clients in a very short period of time. And most of them wouldn't even notice, until it was too late.
Brilliant isn't exactly a tech-savvy company, either. Their previous business was producing hip-hop videos. They have 18 employees. Plus one software consultant. (Read their SEC filing.) They have no track record of producing secure systems. They make no claim that their product is secure against external takeover. And they don't have enough assets that if they screw up, they'll be able to pay for the damage.
If you have responsibility for any computers that do anything important, scan them all for this program immediately, remove it, and block it at your firewall.
It's possible that the Brilliant "projector" is so secure that it can't be used as a pathway for an attack. But without independent verification of its security, it has to be viewed as highly dangerous. All it takes is a buffer overflow and some carefully crafted "ad content" to use this as a virus distribution system.
Some of the same potential vulnerabilities apply to other peer-to-peer systems. Netnews/NNTP, for example. But Netnews is typically run on UNIX machines under its own userid, so even if an exploit in it exists, it can be contained within the Netnews world. And it's a mature system; the obvious holes were plugged long ago. Most of the other peer-to-peer systems, like Gnutella and Freenet, are pull-type systems; they only bring in content when the client asks for it in response to a user request. That slows down propagation and associates it with specific content, like an ordinary virus. But Brilliant, from their description of what they do, pushes automatically and peer to peer. That's much more dangerous.
lol.... I actually know what you're talking about... and yes.. I have read GEB... I took a psychology class or two before I dropped out. Anyways, what is so "self descriptive" about the text? I'd like to hear what somebody who doesn't know me personally has to say about what I write. Well, from a psych perspective anyways.
BTW - I wouldn't totally disagree with you, just curious. I know that I probably fulfill my own prophecy from time to time, but I didn't think I was describing myself each time I talk about other people.
I did. (For the lazy.)
Pretty amazing. It's great to have relevant data like that, and I appreciate that he will not remove the page; however, it screams "script kiddie" to me -- detailed instructions on how to create the "protocol" and forms of attack for the worm writer, along with relevant source code.
The next step: write a worm which can travel back in time and infect computers prior to the worm existing.
(There was a great series of books starting with "Red Limit Freeway" (forgot the author) which had a "map cube" of the universe which only existed in a loop -- the (older) main character gave it to the (younger) main character. Neat plot device.)
(PS Cool /. fortune currently "If you can survive death, you can probably survive anything." Relevant both to time travel and to the "lifetime" of the worm.)
I feel fantastic, and I'm still alive.
You forgot Bird 4: whoever does this is tracked down, fined a huge amount of money and given a long jail sentence, and is hit with a civil suit or two from the users whose machines they toasted.
I can understand your desire to demonstrate that quietly installing software like this will not be tolerated, but it's not really the Kazaa users' fault. All they've done is fail to read an EULA properly. If that were a crime, we'd all be in trouble...
Cheers,
Tim
It's official. Most of you are morons.
All I can figure is what they're *really* planning is the world's best porn-harvesting tool.
Genius.
Er, uhm. Is he talking about Microsoft here, or the Kaza people??
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
The root DNS servers aren't all *run* by one company. They are all run by a variety of volunteers who work for different companies and can't be said to have the same opinion of Verisign or whoever is governing the TLDs these days.
When I was a kid, we only had one Darth.
They got a very bad press from the lemmings, and the lemmings clearly just thought they were another bunch of lemmings with their own cliff. Since most people get their data from the Lemming Press (TM), they assumed that they might as well follow the blind man in front of them, rather than another, probably blind, man somewhere else. This is not surprising. America was founded by a bunch of rebels, and let's face it, they are mainstream lemmings now!
The main difference between now and "the good old days" is that there is no longer anywhere you can go that is out of reach of lemming-based civilisation. Even the Taliban's rather foolish attempt failed, and let's face it, they were armed and dangerous. You won't get far with a VW bus and some magic mushrooms today - but at least you can download "The Grateful Dead" with Kazaa.
Anybody know if "The Furry Freak Brothers" and "Fat Freddy's Cat" comics are available online?
Sent from my ASR33 using ASCII
That's so comforting! Err, no it's not.
This whole scam is possible because MicroShaft designed an operating system they could push on. You know, no real user accounts, IE and Outlook running as "Administrator" and other stupid stuff like that. Everyone told them it was wrong to connect machines of that nature to the internet and that they should change their practices to the best available. They chose to sell adverts instead, so they made sure they own your machine. The results are that any interested third party can own your M$ machine at anytime.
What part of the M$ EULA don't you understand? The intent is clear enough, with revocation possible at any time. All else beyond that is lagniappe.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
That's all well and fine, but what if somebody is able to put malicious code on the real servers, or in the binaries we download, in a man-in-the-middle attack? Then we would all be in deep trouble.
I always check the signatures of software I download, but it doesn't mean anything other than that somebody signed it.
We need to contract the PGP web of trust, folks, so that there are few hops between users and those who sign the software we use, so that we can really check if the signature belongs to a person we trust.
I'm in Oslo, Norway, I'd love to exchange signatures with anybody I can meet face to face, so if somebody happens to be close, drop me a note.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
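The point made in the comment above (a valid signature only proves that somebody signed the file; trust comes from how few certification hops separate you from the signer) can be shown in code. The following is an added example, not code from the commenter or from any PGP implementation. It models a keyring as a graph of certifications and applies the thresholds of GnuPG's classic trust model as assumed defaults (one fully trusted certifier or three marginally trusted ones make a key valid, chains followed at most five hops). The key ids and certifications are constructed for illustration.

```python
"""Added example: a simplified PGP web-of-trust validity check.

Verifying a signature only proves that *some* key signed the file. Whether
that key belongs to someone we trust is decided by the certification graph
(who has signed whose key) and by how much we trust each signer to vouch
for others. The thresholds below are assumed to match GnuPG's classic
trust model defaults; they are not taken from the thread.
"""
from collections import deque

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"
COMPLETES_NEEDED = 1   # full certifications needed for a key to be valid
MARGINALS_NEEDED = 3   # marginal certifications needed for a key to be valid
MAX_CERT_DEPTH = 5     # longest certification chain we will follow


def all_keys(certs):
    """Every key id that appears as a signer or as a signed key."""
    keys = set(certs)
    for signed in certs.values():
        keys |= signed
    return keys


def key_validity(certs, owner_trust, my_key):
    """Map each valid key id to the depth at which it became valid.

    certs:       {signer_key_id: set(key_ids it has certified)}
    owner_trust: {key_id: ULTIMATE|FULL|MARGINAL|UNKNOWN}, how far we trust
                 that key's owner to certify other people's keys
    my_key:      our own key, ultimately trusted and valid at depth 0
    """
    trust = dict(owner_trust)
    trust[my_key] = ULTIMATE
    valid = {my_key: 0}
    for depth in range(MAX_CERT_DEPTH):
        newly_valid = {}
        for key in all_keys(certs) - set(valid):
            full = marginal = 0
            # Only certifications made by keys that are already valid count.
            for signer, signed in certs.items():
                if key not in signed or signer not in valid:
                    continue
                level = trust.get(signer, UNKNOWN)
                if level in (ULTIMATE, FULL):
                    full += 1
                elif level == MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = depth + 1
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


def certification_path(certs, start, target):
    """Shortest chain of certifications from start to target (BFS), or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        key = queue.popleft()
        if key == target:
            path = []
            while key is not None:
                path.append(key)
                key = parent[key]
            return path[::-1]
        for nxt in sorted(certs.get(key, ())):   # sorted for a stable order
            if nxt not in parent:
                parent[nxt] = key
                queue.append(nxt)
    return None


def signature_is_trusted(signing_key, certs, owner_trust, my_key):
    """True if a signature made by signing_key should be believed."""
    return signing_key in key_validity(certs, owner_trust, my_key)


# Constructed keyring: fictional key ids, not real people or projects.
CERTS = {
    "me":       {"alice", "bob", "carol", "dave"},
    "alice":    {"release-key-1"},
    "bob":      {"release-key-2", "release-key-3"},
    "carol":    {"release-key-2"},
    "dave":     {"release-key-2"},
    "stranger": {"stranger"},        # self-signed only: "somebody signed it"
}
OWNER_TRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}

if __name__ == "__main__":
    for key in ("release-key-1", "release-key-2", "release-key-3", "stranger"):
        ok = signature_is_trusted(key, CERTS, OWNER_TRUST, "me")
        path = certification_path(CERTS, "me", key)
        print(f"{key:14} trusted={ok!s:5} path={path}")
```

In the constructed ring, release-key-1 is valid because alice (fully trusted, one hop from me) signed it; release-key-2 is valid because three marginally trusted keys signed it; release-key-3 has only one marginal certifier and stays invalid; and the self-signed stranger key carries a perfectly good signature that means nothing, because no certification path from me reaches it.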
The only good part of the text is his questions to ask about Kazaa. The rest is hot air.
And not to mention a heaping helping of FUD.... gloom and doom predictions based on nothing but conjecture. The exact same stuff we jump down MS and other companies' throats about; it's trolling from them, but from this guy it's supposed to be insightful?
I wonder why he didn't point to up2date or any of the other various Linux updating utilities as examples of single points of failure? The impression I got was that he simply has an axe to grind, and picked his favorite enemies (Microsoft's mentioned, natch) as targets.
NO CARRIER
Heh... very true. My bad! (I live with a "mass media" [read: mass comm] major, so my vocabulary is all warped. ;)
The Free desktop that Just Works
Thank you... exactly... you're so correct. I think you just found a new fan..
It isn't a lie if you believe it.
I agree the article is mostly rant with little, if any, empirical observation. However, discounting someone simply because of their educational status or occupation, especially in the computer biz, is something only a fool would do.
Some of the best and brightest have no degree and nondescript occupations. In fact, given my extensive experience with college students I'd hazard a guess that getting a degree, especially in computer science, is absolutely no indication of skill or inborn talent whatsoever.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
It's certainly valid to point out that not all our new knowledge is in some sense valuable. But literacy is at unprecedentedly high levels. Although there is no way to measure "wisdom" (not too sure what you mean by that, BTW), it would seem highly plausible to infer that it increased along with literacy, since there is an obvious link between the capacity to read and the capacity to get informed.
As for your second point, life in the third world actually has, in many ways, been getting progressively better in the past decades. The UN food aid organization says the number of starving people (defined as 55% calorie intake above subsistence) has decreased from 917 million in 1970 to 792 million in 1997, despite a population increase of over a billion. Of course, 792 million is still nothing to cheer about, but it is better than before, which was my point. Life expectancy in the developing world has also gone from 53 in 1970 to 65 now (despite AIDS which has brought it down). I don't have any facts on education, though, but I'd be very surprised if it had gone down.
This is a bit off-topic to the discussion, but since you brought it up, I don't see what's wrong with people working for "pitiful money." Nobody's forcing people in the third world to work in sweatshops. They want to work there, because having no work and starving is worse. We should encourage business in the third world, because stimulating their economy is the only way they'll ever get out of poverty.
That is true.... but I don't doubt his smarts... in fact.. I bet he is very smart.. just a bit too passionate about the issue.
It isn't a lie if you believe it.
If you permit your computer and a UC Davis network connection to be used for unauthorized commercial use, such use will be a violation of the campus acceptable use policy (PPM 310-16, Exhibit A). We advise you to respond negatively to a Kazaa, or Kazaa affiliate request to use your computer and UC Davis network connection for commercial use that has not been authorized by the University of California.
A violation of the campus acceptable use policy could result in the temporary or permanent loss of access privileges or the modification of those privileges. Violators may be subject to disciplinary action up to and including dismissal or expulsion under applicable University policies and collective bargaining agreements. Violators may be referred to their sponsoring advisor, supervisor, manager, dean, vice chancellor, Student Judicial Affairs, or the Misuse of University Resources Coordinating Committee or other appropriate authority for further action.