Slashdot Mirror
Openness and Security on Campus
djeaux writes "The April issue of Syllabus includes an interview with Jeff Schiller, Network Manager at MIT, about openness and security in academic computing. Schiller has some interesting things to say about product liability for software, including an out for open source software and boils security down to a simple maxim: You must install patches. He also says that what makes security hard is that it's a 'negative deliverable.'"
For beginners, streaking has totally gotta come back in style.
I've found that my posts don't format quite right w/o a sig.
Security is simpler than that. Security requires fences, in the electronic world just as in the physical world.
those fences can be visible or invisible, incorporated or separated, But they will NEVER stop dis-honest people. No fence will categorically keep out all burglars. No computer security(short of pulling all the plugs) will keep everyone off your computer. Openness and security can co-exist ONLY when everyone is trustworthy.
Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
The Army reading list
I read in a magazine recently that a Microsoft exec said Windows users would be "much safer" if we all would just download software patches from Windows Update. According to the article, no one took him seriously.
Tech, life, family, faith: Give me a visit
It's only a 'negative deliverable' if it's on the company's negative agenda. Security isn't hard, TOTAL security, now that's a neg-a-tive.
Slashdot sucks
People have to accept security as a regular part of life. There are LOTS of negative deliverables we subscribe to in our lives, and pay quite handsomly for. Off of the top of my head, I think of auto insurance. I mean - yeah we see nothing making it better.... but we know very well the hell that may arise if we don't have it.
Nor would I applaud Automatic Update as a triumph for the end-user -- it delivers more than security fixes and can affect the stability of a machine. But the point about firewalls only being as good as the policy on employee laptops is a good one.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
But, I fear that the commercial interests in this game, if they felt that Congress was backing them into a situation where they would have to accept liability, my guess is they would strenuously lobby that liability applies to everything, including open source, in an attempt to kill off open source. So that's the conundrum.
That was a very insightful quotes regarding the worry I've been having off late. Given their way, lawyers, lobbyists, anti-opensource corporations and their political puppets will all rally to impose liability for software on the end-developer.
If such a development happens, we could very well see software developers forced to buy "malpractice insurance" like doctors/medical professionals - that alone will be enough to kill opensource software, not to mention the plethora of lawsuits and ugly frivoulous lawsuits which've plagued the US medical system and escalated medical costs.
And ust to play devil's advocate to his suggestion that free software developers not be held liable - since they're "giving away" their stuff: somebody could turn my anology around and make outrageous claims like "exempting voluntary software developers from liability is like encouraging quacks to pursue their medical endeavours".
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Of *course* you have to install patches. There is a bored 11 year old out there somewhere who thinks can prove he's "133t" by downloading a sploit off of packetstorm and owning your box.
:(
It doesn't matter that he has no knowledge of how to code a similar sploit himself, or that he could not admin your university WAN. It doesn't matter that university cut-backs mean you don't have enough money for a test LAN to make sure the latest buggy patches won't break business critical software/services or bring your servers to their knees. All that matters is that he can go on IRC and tell everyone how "k-rad 133t" he is.
Stupidity wants to be free!
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
It would be perfect to have an operating system that was secure out of the box (due to features built-in) like the worlds greatest personal firewall. However I just dont see this as being a likely solution. I think an operating system should have a basic firewall like XP or any linux distro. But to ask a software developer to focus a ton of time on making me a bullet proof firewall instead of making the OS more stable just doesnt make sense. As stated in the article there's only so much development time and then you have to get your product out the door or you're going to have some pissed off users. I would want (in the case of OSes) the comapny to spend the majority of their time making the OS stable and a little bit of firewall is nice. But i would much rather use another means of securing my network instead of using 2,000 personal firewalls.
See Sig! See Sig Zig! Zig Sig Zig!!!!!
Security is not really a negative deliverable but more of a thing that is not really noticable whether you have it or don't have it. That's more of a positive undeliverable if you ask me.
He also says that what makes security hard is that it's a 'negative deliverable.'"
I'm certain there are countless flaws in this idea. But hey, you don't post to slashdot without some risk of being shown what a moron you are right?
How about having DSL/Cable companies give an incentive to customers whose computers do not become infected during the blitz of mass email worms and trojans. Something like a few bucks off of your ISP bill to free software. Some kind of incentive for NOT getting infected besides the fact that you don't have anything on your computer.
It would benefit them in that it lowers their costs and increases their reliability if hundreds to thousands of their customers aren't sending DOS, etc.
Of course, there are issues such as privacy implications (how would they know you're infected or not) to hardware costs for the ISP.
My stance is that you're essentially playing baseball in your heighbors yard. He won't change the way you play the game, or change the rules necessarily, but he sure is going to limit how far you can hit the ball. Like the green monster at Fenway.
I think firewall's more precisely NATs have their place in addition to patching your system.
I think it would be irresponsible of a network/system administrator to NOT keep their systems up to date with the latest patches and fixes, along with using SSH and similiar tools.
But at the same time I believe in having a firewall, though I do agree it will not solve all of your problems.
I don't believe in just patching your systems. I work at a top west coast university, and the academic computing department's attitude it to make the entire network open, and just secure the boxes. Well that's nice in fantasy land, but the truth is, is that this is an administrative nightmare. I work in the administrative computing and we see the result of NOT having a firewall and patching only.
From experience, that doesn't work either. You need a comprehensive approach that uses both firealls and patches.
>> You must install patches.
in the "real world", when there is a security
threat, such as a gas leak, you call the repair
person, who fixes it.
This is the equivalent of "install patches"
Note that there is a level of confidence in
calling the repair person, that they won't
paste adds all over your living room, or install
a wire-tap on your phone line, or a spycam
in your bedroom.
unfortunately, in the computer world, all too
often the "patches" are used as trojans.
they change user settings, put in spyware,
brake working code, etc
so, ppl are hesitant to apply patches, with
good reason.
Comment removed based on user account deletion
Okay, so I get it, I must install patches. But can I still keep getting all my software from Kazaa,Warez sites, and unsolicited emails with exe attachments?
Yes, installing patches does help security, but what also creates more bugs and holes? Patches. I think the key here is that you want your patch to make less holes than your code orignally had. At least this way, no one knows where they are right off the bat.
"Instant gratification takes too long." - Carrie Fisher
``JS: The reason it doesn't crash all that often is because system software developers took some time and effort to make that the case. If they would take the time and effort to make it be secure, it would be secure.''
No. More secure, but not secure. For one thing, things will be overlooked. For another, there will always be things that were not known to be security holes at the time, but that will later turn out to be such.
``JS: I think Linux is much more secure than a lot of the other stuff that's out there, because so many people look at the source code--not everyone looks at it, but enough people do, so that problems get fixed earlier, rather than later.''
Many people look at the sources, but do they find the vulnerabilities? See also above.
In short, nothing is going to give you guaranteed security. Having said that, crackers will only go so far to break a system, so absolute security isn't even required. This makes any security measure useful, including firewalls (which JS argues against).
As a closing remark, despite these minor points, I found the article a very good read; JS seems to have his heart in the right place. Heh, it makes me frown every time people say "security" and mean "restrictions" (see also MicroSoft and Trusted Computing).
Please correct me if I got my facts wrong.
they make the Girls Dorm open source
I attend the University of Alabama in Huntsville, an engineering/research institution with enrollment around 15k. The Network Services people around here aren't really concerned about the value of openness to academia; in fact, most of their security is directed inward, against the students who have to use the machines.
For instance, the "start" button on every lab computer has been disabled--people only have access to the icons on the desktop. Furthermore, right-click context menus have been disabled.
On some public computers, even access to the address bar in IE is disabled--all you can do is follow the links from the homepage in IE.
When I took a Mathematica class in the physics lab, we used a heavily neutered version of Windows NT, with file permissions set unusably tight. Browsers would crash on startup because they didn't have write access to their cache files, virtual memory was disabled (!), and the like.
Network Services also has banned the use of BitTorrent on campus, causing consternation among people wanting to download contraband like, uh, Mandrake images.
This is the same campus where average packet loss on ResNet is 20-30%. Students play games over dialup because it's faster and more stable than ResNet.
When I first read the title I wondered what the heck OpenNess was. I almost went to sourceforge and searched for it.
Just ask the Duke Nukem: Forever people. They could teach us a thing or two in this area.
>A lot of software, particularly on PCs, was designed in the days before networks.
hrmm... Windows comes to mind
I'd just suggest that the users computer serves the white-hat worm for a day or two (kind of like a Bit Torrent), and then automatically deletes it.
Is that a bad idea?
The Philosophy of Liberty | lewrockwell.com
(Airplane II: The Sequel)
It is always possible to make security problems at the design level, like forgetting to check an account balance before allowing a withdrawal in bank software, but humans are very good at thinking in those ways, and those kinds of problems are rare.
---------
Create a WAP server
You put as many "locked doors" as possible in the way of a potential intruder so that each time the intruder is faced with a new "door", he or she may simply decide your system is no longer worth the effort and give up trying to get in.
Patches are the "last locked door" - in other words, once you've definitely decided that you need to run a specific application on the Internet, you make sure that it's updated to the latest version.
However, prior to that, you've already ensured the application is configured correctly, that the box it's running on has security permissions locked down, that the box is behind a firewall and probably a NAT box also for good measure.
Not to mention some good system logging and alarming going on so you have the best chance of shutting the box down when someone does get in.
In security, only the paranoid survive...
Gentoo Linux - another day, another USE flag.
the article a few weeks ago about building a backpack hotspot are becoming more important today...
what a great way to share all your files easily to friends and others while avoiding the IT cops and Mind police....
As long as you set up your active directory forest correctly, you can leave certain areas open and secure others. I cannot believe they didn't immediately think of an MS solution to a security problem.
Great ideas often receive violent opposition from mediocre minds. - Albert Einstein
He states that the patches are not done, that they don't have a firewall, that the users are too important (stuck up?) to follow his lead --- and does not tell us how he deals with those issues! The interviewer really failed to ask the correct questions.
I want to know how they are dealing with those issues! How can you "protect" a wide open environment with a large number of unpatched systems? What tools does he use? Or, has he simply written off the whole thing?
For every problem there is a solution that is simple, obvious and wrong.
You understood openness correctly, but mis-understood security. A safe is secure, even if 500 people know the combo... as long as those people are trustworthy.
Interesting point.
But using the same example, what if an outsider pretended to be someone that one of those 50 people knew, found out details from that person, and used it to trick one of the other 50 people, etc...
One thing that struck me about American culture in general is that people seem to be a lot more trusting, and despite what a lot of Americans think, it IS a lot more of an open society than (probably most) other parts of the world.
Coming from South Africa to study in the US (between 1999 and 2001) was an eye-opening experience. I don't know how much things have changed since the 9-11 incident and so on, but back then I was amazed at how open and helpful people were, for example, getting student visas, a social security number, a driver's license at the DMV...all very smooth, despite the fact that I was a complete forgeiner. In South Africa, it is often more difficult to get basic things like licenses and so forth processed as a citizen than it was to get them done as a forgein student in the USA! I don't know if it's just a different outlook people in the USA have, but dealing with South African bureaucracy has become even more painful since I returned to South Africa, remembering how comparitively smooth everything was in the US.
The same with campus security. I'm fairly sure that if someone wanted to be underhanded, they could fairly easily socially engineer situations to break security systems.
It has been done and it was done so poorly that it caused a bigger problem because the damn thing was spreading so quickly that it was taking up all the bandwidth and causing the machines it patched to essentially not be able to get online because of all the damn packets it was sending out.
At my university we require students to run an antivirus software (we provide if they dont have) and to keep their machine patched and secured and if they dont well they will quickly be taken off the network once their machine gets infected with a worm or is hacked and we recieve an outside complaint. They then get all mad that we took them offline and we have to go through expplaining to them that they agreed when signing up for our resnet service they would do the following and they violated the agreement. We charge them a 25 dollar reconnect fee which includes us taking their machine in, or going out there, and cleaning it up and securing it , as well as educating them on how to keep their machine secure.
The other day at work I had a kid yelling at me that we cant just take him off the network without warning. The reason we had taken him off was because his machine was sending spam to aol address and recently aol has been blocking all email from our domain because of it. I said to him because of you everyone on this campus can now no longer send emails to their friends at aol and we have to contact aol once we are done with your machine and get off their blacklist. That shut him up.
I used to teach in the School of Business at Florida State University, my wife taught in Education at FSU.
The School of Education had their lab computers locked down so hard, you had to login as a certain user to use the scanner, then logoff and login as a different user to use Photoshop. This is the way it was for almost every application. The lab assistant had to do the login for you. Many things were broken as in the above posting. This was all to keep the lab assistant from having to fix so many "broken" lab computers.
The School of Business on the other hand, had a generic image of the lab computers and very little security. When a lab computer got fouled up, they simply boot from a floppy and start the copy down of the network image and walk away. Takes them about 3 minutes of their time to redo a computer.
Who actually had less maintenance?
- I live the greatest adventure anyone could possibly desire. - Tosk the Hunted
JS: There is one good technique, and it's the only one that's effective. No firewall, no port blocking--none of that will work. The solution is that you must install patches.
I definatly need to send that to the net admins here at school. I can surf the web, read e-mail, and use instant messaging. Thats about it. Everything else is restricted on a dorm-to-dorm basis. So I can play games with people from my building but my friends on the other side of campus are shit outta luck.
-caf
1. "Install Patches" - Good idea for admins/unis/companys, but Joe User just doesn't get it. But then again, why should he have to? To many the computer is just another entertainment device, like his TV, DVD player, or a stereo. Joe User would likely prefer a simpler closed black box than the tremendous amount of freedoms (and consequent dangers) that his PC gives him now.
Why should Joe User have to invest hours of his leisure time ministering to and babying some hunk of metal that he uses for email and getting stock quotes?
The industry's constant preoccupation with blaming Joe User for security problems/viruses/everything is unfair.
If Joe User can't handle the daily coddling of his PC, then by god, make it easier for him! And make a tidy profit in the process. Give him a webtv like device that doesn't suck. Create more secure protocols and applications. Create automatic update methods, and damn all the tinfoil nerds' protests. They aren't buying these types of products anyway. Resist the urges to spy/sell out/coerce/etc. your customers. Build a better, simpler mousetrap and stop blaming your customers for the sad state of modern computing as it pertains to security. You can blame Joe User for blabbing his password, nothing more.
2. Liability - Sorely, sorely lacking in the software world. Computer applications NEED to come with liability attached to the person or company that puts it out there. You claim it does x,y,z? Fine, it better do all three.
What other industry can make such wonderfull and grandiose claims in their advertising, yet be held completely unaccoutable for their outright lies to the consumer?
If I am paying for something based on the claims of what it can do, as presented to me by the salesman, the ads, a website, or whatever, those claims need to be accurate, or the company should be held liable.
Why has this not occured? Why is it that liability is so much a part of so many other industries, yet software companys can continue to just ignore it, based on some imaginary EULA that they spit out.
Introduce liablity to the software world, and yes, you will have a massive exit stage left by many developers. Good riddance. To get quality software, the possibility, no the *threat* of actually being held responsible for your claims needs to be present.
Liability would also shed some light on just how unsecure, unstable, and unpredictable consumer software and hardware is, as companys would fall all over themselves to drop their inferior product lines for fear of being sued. Maybe Joe User would finally realize what a jumbled mess of crap a typical PC is when he sees that vendors won't back up their own products if faced with possible liablity.
Maybe I'm visiting the wrong web sites, but it's great to hear these things from someone who's been on the cusp of network administration from the beginning.
S: So education is a part of this?
JS: Education is a part of this, both for the people who own personal computers and work with the data and for the people running these systems.
I can vouch for the end part of the article for sure, as I'm sure many Slashdot readers can. Right now I'm doing an Information Security Risk Assessment as part of a graduate level class that I'm taking. Fortunately, for the K-12 schools on which we perform these assessments we cover user education as part of an overall Information Security program. Also, it gives us the chance to see user education and awareness from their point of view, which helps us make the case for having user awareness training. A lot of end users don't realize that having a weak password is like giving away the key to your organization (or school in this case). I'll give you two guesses as to the biggest topic that we've discussed with the school corp. and the first one doesn't count ;)
You would not believe how woefully inadequate schools are when it comes to an Information Security Program. If you have the opportunity to help a school out, do it. It will help you learn something, help the school better themselves, and better the community by protecting the little ones' information.
I attend Northern Michigan University. We have a campus resnet that has live IP's and DNS names My_Tower_for_example and if you go look port 80 is open, 8080, and 22, but port 21 and the samba port and the nfs port are closed. that and they have blocked ping packets on campus, so i would ping google for you but i can't but it probably would be in the neiborhood of 500ms+ which is jsut a little bit higher than one would expect for a collage campus. some of the biuldings on campus are behind NAT as well. so i guess over all it's not the worse system but there are some odd things that happen.
:-)
We also have very few if any computer labs on campus because the school "provides" us with laptops to use, running a cripled(as in rdesktop does not work) version of Winblows XP.
p.s. please be nice to that server it's a 100mhz pentium.....
All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
Some university administrations are concerned with protecting the rest of the Net from their students; others think that interferes too much with legitimate research. Some other poster commented that their university's policies are to be "open", but they block incoming Port 80 and Port 25 to student residence networks - meaning that students can't run their own web servers or mail servers, which is distinctly *not* openness.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It is just a bad practice to upgrade to each and every patch released by a vendor.
For server side and data center machines, patches usually result in more problems since they break things that already work.
It's common practice in the mainframe world to skip every other patch/upgrade as well as let patches age for a while before applying (to avoid getting an untested in the field patch).
Desktop users are more able to get and apply patches since their reliability requirements are much lower.
--I just read his autobiography a month or so again, very interesting. The gist of it is, before the era of large malpractice awards, the insurance companies were absolute scumbags when it came to legitimate medical malpractice claims. Human beings were actually really screwed bad and it was brushed off, ignored, justice wasn't being done, and the med establishment was hunky dory with that. They screwed up, weren't self policing enough of their own colleagues. Generally speaking of course, But that really was it. Spence and a few others finally cracked it, on blatantly obvious cases that the doctors and insurance companies chose to fight, rather than just cutting a much smaller check to the victims of the malpractice. The juries awarded the verdicts,partly to reimburse the victims (or next of kin unfortunately) and partly to SEND A MESSAGE to those big corps and shaky docs to not screw people over. they still kept trying, so they got pushed hard back, and now it's a mess. Based on verifiable data and the disgust they felt at those corporations, the juries did it, just folks like thee and me. IF the insurance companies and med establishment hadn't been such outright dinks, most likely it never would have gotten so bad. I realise it has see sawed now, but originally, they brought it on themselves. I am no fanboy of the law profession, I tend to think they make life a lot more complicated and expensive than it needs to be, but sometimes there IS no other remedy to try and get some relief*. It's hard as heck to be joe paycheck and get screwed over by megacorp and even think about fighting it in court. Default in 99% of the cases with joe paycheck against some corp is the corp will never admit they are wrong, EVEN when they know full well they are. That's been proven over and over again, and they use that ridiculous ruling allowing corps to be treated as almost blameless "persons" to hide behind.. Some balance is needed, and it's not *all* one side or the other is the complete bad guy. There's A-"profit is the ultimate king, whatever it takes" business plan, then there's B- "we at XYZ corp are in business to make money,and we will, but our policy is honesty and we do not engage in unethical behavior or lying".
If these big corps would just buy a single clue with the zillions they make and adopt business plan B over A, they might avoid a lot of problems down the road.
As to software, this is an easy question. If it's for-profit, it should be held to useability standards, same as any other product. If it's free, then, ya take your chances and get what ya pay for. I see no reason whatsoever that a company like microsoft is able to make hundreds of billions over the years, yet they incur no liability when their software is so blatantly hideous that it costs inncoent purchasers and other folks on the net actual folding money and lotsa time to fix their stuff. It has never computed for me anyway. There should be, at the very least, some sort of minimum threshold security model before selling software that accesses the net. It should be built in and functional. What they have had traditionally was profits first, and down the list at job 73 or something was "oh ya, have joe check on the security thing after his break, will ya?" That's nuts. I am especially incensed that any of my tax dollars have gone to support them, especially the last few years when it was obvious even to non computer users that their stuff was seriously borked when it came to security.
*Mr. Subliminal says "dueling". It worked for thousands of years.
At my campus streaking is a common, and welcome in the event called "First Rain". The first rainy day of the acedemic year, people go streaking through campus. It's great fun to both watch (for its curiosity) and participate in.
My little company tries to make money selling software, but I'll tell you what, I sure can't afford to shoulder liability for our mistakes. If you make me liable, I'm out of business. You use my software at your own risk, and if for some reason it becomes impossible for me to say that to you, I'm through.
The other thing that makes me laugh is "indemnification." I'm running around "indemnifying" multi-billion dollar corporations against lawsuits from people who might claim that our code violates their patents or their intellectual property. If I refuse to sign the indemnification clause, I don't get their business, it's as simple as that.
Obviously, one nuisance lawsuit from some asshole somewhere means that I'm finished. Probably they'll come after my personal property, too, and I'll die penniless in some gutter. What can I do? I'm screwed.
It's time to reform the whole goddamn tort system, because I can tell you, it's really no fun at all out here, trying to sell software, when who knows what jackass is going to emerge from some closet somewhere and claim to have patented the "if" statement.
Welcome to the insanity. Move your money to the Cook Islands while you still can. Me, I don't have enough to bother at this point.
Anyone even reasonable familiar with the details can say that 3DES is more secure than DES. DES's keyspace is too small and has been so for several years.
That said, the algorithm behind DES and hence 3DES has withstood 3 decades of scrutiny. It is optimally strong against differential cryptanalysis because the IBM designers figured out that attack (which was already known by NSA). The linear attack is theortically, but not practically better.
Like them or not, NSA and their british counterparts are pretty good at what they do (e.g. they came up with RSA's asymmetric cypher a decade before RSA did).
Is Blowfish 'better'? I have no idea. What I do know is that more *competent* eyes have reviewed (3)DES and AES than Blowfish.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
In general, the MIT "firewalls are false security" mantra is a good thing, particularly at MIT where there is a high concentration of bright and inquisitive people. You can never count on the black- and grey-hats being on the other side of your fire wall. You have to assume that the networks on both sides of your firewall are hostile. Each host must be a castle unto itself. This is simply a much more robust security model than "keep the bad guys over there".
On the other hand, shortly before MS started covering IIS on WindowsUpdate, the house had a rash of IIS exploits and RPC exploits. I asked for advice about setting up an OpenBSD firewall to only allow outgoing connections from most machines (and knocking holes in the firewall for MIT Network Security's vulnerability scanners). The response I got was basically "If you have to ask, we won't help you. Just patch everything and it will be fine." They didn't seem to realize that a sophmore can't just run around the house pestering everyone to keep their machines up to date. Basically, my powers were limited to waiting for problems and then finding the offender and saying "MIT is threatening to cut the entire house off from the Internet in two hours unless you do what I say now!". Sure, I send out reminders and heads up emails, but when they didn't listen and got compromised I would invariably be the one to do their OS reinstall because if I didn't, half of them would just put the compromised machine back online without fixing anything.
This last year, MIT actually stepped out of the ivory tower and did some port-based filtering (firewalling) when tons of students came back from Summer to take their computers out of storage. Many of the students would get compromised while updating, even if they patched as soon as connecting the machine to the Internet.
I think they also permanently firewall off their MS Windows-Athena computer cluster. (side note: the internal code name for the project to modify Windows to work with the rest of the Athena network was Pismere -- Latin for horse piss)
I also pestered MIT for about a month after RedHat released the ptrace bug kernel fix and they hadn't pushed the fix out to the official RedHat-Athena packages. Their position was that local root exploits weren't a problem since MIT gives the root password to most of the machines to students who ask. I pointed out that many departments and individual students set up machines so that absolutely anyone with an Athena account could SSH in as a normal user. There had been no warning emailed out that RedHat-Athena machines were still vulnerable to the ptrace local root exploit. Most of these machines owners assumed that the problem had been taken care of by RedHat-Athena's daily automatic updates. It was by sheer luck that I looked at the file modification date on my friend's kernel and realized the modification date was long before the ptrace vulnerability had been discovered. After all, I had already checked that it was up to date on all of the patches MIT put out for RedHat-Athena.
In short, MIT netowrk security policy is a strange patchwork of opinions.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.