Slashdot Mirror


User: TheNicestGuy

TheNicestGuy's activity in the archive.

Stories: 0
Comments: 69

Comments · 69

  1. Robot Odyssey and MindRover on MIT Media Lab Making Programming Fun For Kids · · Score: 1

    At a brief glance, Scratch looks like it's generally aimed at a young and inexperienced audience. For kids who graduate from that and want to try out some more advanced concepts, take a look at the game MindRover. I first ran across it because it was tagged as the spiritual successor to my beloved old Robot Odyssey. (How many of us cut our teeth on that one?) MindRover doesn't directly teach object-oriented programming, but it takes little insight for an educator to relate one to the other, giving young learners that much-needed concrete example to help them grasp OOP's trickier concepts.

  2. Re:Procrastination? on Should Vendors Close All Security Holes? · · Score: 2, Insightful

    You have the choice of, A: Patching immediately, costing you a few hours of time from a couple of your employees or B: Hoping that it won't be a big risk effectively betting a few hours of time against the possibility of a huge security breach and the corresponding bad press that comes with that.

    Not that simple. Developing a patch does not fix a security hole. Releasing a patch does not fix a security hole. Applying a patch fixes a security hole, if all goes well. When you combine the fact that the number of holes in existence is multiplied by the number of installations, with the fact that the development team very rarely has any power over when patches are actually applied, security through obscurity doesn't look so cut-and-dried naïve versus publicizing your holes by releasing patches.

    Notice that the person who posted the argument in the article never said they leave holes unpatched to save "a few hours of time". He didn't say they left holes unpatched at all. He said that they prioritized based on severity and publicity—who wouldn't? And he said that patches for unknown holes were developed, tested, and not released until they were needed. This gives them the advantage of not alerting the malicious user community that there are holes they can exploit if they act more quickly than the users who have to apply the patches. But it also means that when the time comes for them to release the patch, they know it's been patiently tested, not kneejerked out the door. I'd rather have no patch for an unknown hole that's not likely to be exploited than a patch that's going to make my software buggy.

    The only downside to this is that you have to trust the developers to correctly assess the risk of leaving unknown holes unpatched. If they think a hole is unlikely to be randomly spotted and will only do minimal damage if it is, but script kiddies spot it in a week and manage to get remote root access from it, yes they screwed up by not patching it right away. Mistakes like that can be made the same way the mistakes that created the hole in the first place were made. But you have to make such judgments just to prioritize the holes, regardless of what you intend to do with them. And there certainly isn't anybody more qualified to make those judgments than the developers who discovered the hole.

  3. Re:NDA Clarification on Google's Evil NDA · · Score: 1

    Is that any more clear without the 'thought bump' in the middle? Participant agrees not to 'issue or release any articles, advertising, publicity or other matter relating to this Agreement or mentioning or implying the name of Google'

    Thank you for pointing out the egregious and apparently unanimous misunderstanding of this clause. You're right that it's not as restrictive as it was made out to be. Don't dismiss it completely, however. A blog posting could easily be interpreted as falling into the category of an "article", so mentioning in a blog that you're a Google employee could conceivably be interpreted as a breach of contract.

  4. Re:Governments? on $100 Laptop Repriced at $175 · · Score: 1

    why do they need these governments to sign on? Can't they just, you know, sell them to people?

    Because the laptops are intended for the education of children. For the vast majority of the world's nations, that's a government responsibility, not a personal responsibility.

    That's the simple, pat answer, but there's more to it. That the laptops would be put into large-scale (preferably unanimous) use from the top down has been a core concept of the project from the beginning, and it's influenced some of the design considerations. The methods of collaboration (which is fundamental), and the networking model itself, are based on the assumption that there will be multiple XO machines in a small area. If you try to sell these things piecemeal at $175 each (at first) to private citizens who both have heard of it and can afford it, in a dozen different countries, you'll be lucky to ever have more than a couple of them in the same location. On the other hand, if you're Nicholas Negroponte and you leverage your and your family's schmooze points with various national officials, you can persuade the ministries of education to purchase and deploy them as an official program. Then you'll always have multiple machines in a classroom.

    In fact, you might even have—wait for it—one laptop per child.

  5. Re:OS too restrictive on OLPC Operating System Available to Download · · Score: 1

    My gauge must be broken completely, because I still can't spot the sarcasm in the parent. It's an over-the-top viewpoint, in my opinion, but within the realm of plausibility for an OS aficionado. Add to that the fact that a missing address bar is a very legitimate security and usability concern, and the post seemed fairly serious to me. If it was sarcasm, the point dheera was trying to make completely escapes me.

  6. Re:OS too restrictive on OLPC Operating System Available to Download · · Score: 2, Insightful

    They should learn to use a typical OS right from the start so they can accomplish real work with the capable computers that they have. It should be made easy for them to learn Perl or C++ and run 5 copies of xterm alongside 2 different browsers for development.

    In God's name, why? That proposal goes fundamentally against the entire philosophy of OLPC. They're giving capable computers to school children not so they can "accomplish real work" (shudder), or even so they can "learn to use a typical OS", but simply so they can learn, explore, create, and collaborate in general. This machine is targeted at the next generation of world citizens, not the next generation of office drones or elite hackers. Most OS simplifications have been made so that the user doesn't have to think about how it works or how its behavior compares to other platforms, OSes, or applications—not because it's the most the hardware can handle.

    If I had an OLPC in a third-world country I'd just download xubuntu and use it.

    Of course you would, but you're not a six-year-old child who's never been within fifty miles of a computer before, are you? Step into those shoes for a moment, and then think about whether you feel restricted by Sugar's multitasking model. I'll bet you're already having too much fun creating songs with TamTam to worry about it.

    And for those students who develop a deeper interest in technology and want to explore the other possibilities of their hardware, as you said, other OSes will surely run on it. I'd imagine there will be plenty of websites dedicated to that once these things start to see real use. Always remember that Sugar itself is an OS with design goals that are very specific and very different from existing general-purpose systems.

    I absolutely understand security concerns arising from the lack of a visible address bar in the browser, though I haven't yet tried Sugar out for myself. That sort of thing raises some tricky questions about Internet safety in general. However, I think those questions are better handled by the local administrators of Mesh Portals, which if I understand correctly are the only way for an XO laptop to get onto the Internet. When there is no portal on your Mesh, the address bar really does become wasted space for most purposes.

  7. Re:All's quiet on Is Assembly Programming Still Relevant, Today? · · Score: 1

    You are reverse-engineering closed-source software.

    And as the analysis report on the Gozi Trojan that was posted yesterday pointed out, this applies to deconstructing new malware. Without the ability to comprehend the ASM in the debugger, the analysts would have had to be content with a "black-box" behavioral analysis rather than a dissection.

  8. Re:Very Interesting article on Trojan Analysis Leads To Russian Data Hoard · · Score: 1

    The only issue I can see is that unless there was significant system lag, you would have no idea to even scan your system.

    Which would be unlikely if the thing is well-engineered. All it's doing is skimming each POST and generating a new one of its own. Presumably it's happening asynchronously, so there probably wouldn't be any noticeable performance difference. Like they said in the article, it could send up red flags if you had a very smart and paranoid network traffic analysis system, but that's not happening in a home network scenario.

    Notice that the reason SecureWorks caught wind of this thing in the first place was because someone saw their online accounts get hijacked and put their PC under the microscope. It wasn't until about a month later that any of the major antivirus vendors started recognizing it specifically.

  9. Re:Who's the target customer? on Trojan Analysis Leads To Russian Data Hoard · · Score: 2, Interesting

    What kind of customer would pay for access to such a broad set of data? That's one of the points the article is trying to make, as a sea change in this sort of malware: Because the data is so broad and voluminous, the providers could have a quite varied customer base. It's been commoditized. Data mined from this store could be of use to unscrupulous folks ranging from simple carders, to account drainers, to mob bosses, to terrorists. Notice that the data was not just credentials for banking and shopping sites, but included access to law enforcement and other government applications. Wanna steal a car and un-report it as stolen the next day? This might not be a bad place to start.

  10. Re:What About Firefox Users? on Trojan Analysis Leads To Russian Data Hoard · · Score: 3, Interesting

    Monster of an article, so I don't blame anyone for not catching the details on this. What it boils down to is that IE exploits are the main propagation vector of Gozi, but its actual performance of nastiness does not necessarily rely on IE. Once it's installed and running, it will intercept and leak to its "mothership" any and all HTTP POSTs that go through WinSock2, no matter what browser they come from, because it manages to register itself as a "Layered Service Provider" sitting between the browser and the socket. Unfortunately, I do not know which browsers make use of WinSock2 and its LSP functionality, and which don't. It would have been nice to mention that in the article as an aside.

    Another way IE is specifically involved is that Gozi does some extra sniffing inside IE's JavaScript engine to get data that's being sent AJAX-style rather than through normal POSTs.

  11. Re:The long tail of cybercrime on I Was a Cybercrook for the FBI · · Score: 1

    Identity theft is hardly petty to the victim, however, it [...] takes tremendous amounts of work to clear up, even when you are lucky enough to not get stuck with the bill.

    Yeah, the most appalling thing in this article to me is how much trouble "Campbell" had getting his money back from Schwab, when apparently they already knew that a scammer had been arrested trying to withdraw it in Brussels. And this was over $100,000, hardly "petty" by any personal finance standards. The details are slightly foggy and rather unconfirmed, but it really sounds like Schwab tried to sweep this under the rug in the hopes it would just go away. Call me naïve, but shouldn't that be illegal? Just like mandatory suspected abuse reporting for certain workers with children, shouldn't financial institutions be required to either make good on funds lost to suspected theft or press an investigation (preferably both)?

    Of course, I can see the other side, which is that most identity theft can ultimately be traced back to some form of user carelessness, so why implement a policy that would not encourage users to build their own savvy. Not to mention the already-mentioned lack of investigatory resources in the first place. But still, what you end up with is the same thing that used to always happen with IT security flaws: When discovered and brought to the responsible party's attention, they would rather try to preserve both their security and the public (and shareholder) trust through an obstinate obscurity.

  12. RFID is pure speculation on Bugged Canadian Coins? · · Score: 2, Insightful

    Let's be clear about a very important point in this article: It does not say that there were RFID tags in the coins. I quote: "...details of the incidents were classified. As a result, the type of transmitter in play -- and its ultimate purpose -- remain a mystery. However, tiny tracking tags, known as RFIDs, are commonly placed in everything..."

    Thus, it's only an unimaginative guess that the coins contained RFID. So the second half of the article, where security experts speculate on the purpose and effectiveness of RFID embedded in coins, falls just short of making stuff up. It may or may not have anything to do with the actual events.

  13. Re: Copyright clarification on Complete Mozart Works Now Free · · Score: 1

    You probably can't even perform it. So, distribution through BT is not going to happen.

    An understandable misunderstanding of musical copyright. To make a long story short, what the IMF have acquired the rights to is not Mozart's music, which has been in the public domain for a very long time now. Without controlling the copyrights of the musical works themselves, one can't control performances. (Or the creation of new recordings, print publications, or video synchronizations of them, while we're at it.)

    IMF only holds the rights to specific editions of the notation. That's a print copyright, not a musical copyright, but it does give them the right to control the duplication/distribution of the scores themselves. Which could explain the iffiness of BitTorrent: I haven't looked at their download license, but they are definitely within their rights to deny downloaders the right to redistribute by any means.

    Here's something I find interesting, and maybe somebody slightly more knowledgeable about score publication legalities can help me out. Hasn't it been legal all along for someone to create a new collection of Mozart scores and make it available under some sort of public license? I guess they'd have to be able to demonstrate that they didn't base it on any existing edition, which would probably be pretty hard (I'm sure SCO would sue them), not to mention its usefulness would depend upon whether musicians trusted its quality.

  14. Re:I disagree on New Zealand's First Land Mammal Discovered · · Score: 2, Insightful

    Another huge difference mammal competition can make to bird evolution is the fact that there have always been a lot of wily egg-eating mammals.

  15. Re: Birds hunting off-shore on New Zealand's First Land Mammal Discovered · · Score: 5, Informative

    Not likely. The article is placing this fossil around 16 mya (million years ago), while New Zealand was as isolated from all other landmasses as it is today by 60 mya at the latest. Unless that hunting bird had a range as wide as the Tasman Sea (about 2,000 km), it couldn't have gone off-shore to get mammals.

  16. Re:Life Changing information! on Study Detects Recent Instance of Human Evolution · · Score: 2, Informative

    ultimately evolution is something which happens over millions of years, so it's unlikely to see any other real notes / changes in my lifetime

    The length of time it takes natural selection to shift the predominant traits in a population depends on a number of things, including the (in)stability of its habitat, how "important" whatever changes occur are to the organisms' survival and reproduction, and the length of the species' generation. Yes, we've generally seen noticeable changes take many thousands, if not millions of years, but it's not a foregone conclusion. Take, for example, the classic peppered moth. An entire population underwent a dramatic change in coloration in less than one hundred years, due to a sudden and perilous change in their habitat from industrial pollution.

  17. Lousy article on Even The Blind Get Deja Vu · · Score: 1

    This is horrible reporting. None of the actual facts or quotes in the article supports the claim that the subject felt like he had "seen" anything, which is how the author characterizes it in the first sentence. And they completely overlook the quite significant question of, "Was the subject blind from birth?"

  18. Re:A good precedent on Anti-Spyware Law Snags Anti-Spyware Vendor · · Score: 1

    If other states have laws comparable to Washington's, or if a federal law is enacted, yes. From a quick glance at Ben Edelman's State Spyware Legislation page, it looks like most states have something, but a lack of consistency could gum up the use of out-of-state precedents.

  19. Re:What Controls Against Staging/Faking? on Reuters and Yahoo! Enlist Camera Phones · · Score: 1

    Indeed. I was glad the article at least briefly mentioned this dilemma, but I fear it's more dangerous and more difficult to solve than they would like to admit. Basically what we have here is a shift that parallels the move from traditional television to reality television, with similar motivations: cheaper than paying professional talent, no unions to deal with, and the viewer finds it more... "visceral", or something. But there's another, less concrete thought that might be behind this. Consider that when The Boston Globe employs people like Mike Barnicle and Patricia Smith who fabricate their reporting, they have the option of hanging them out to dry, and they still don't get out of it without a little egg on their collective face. When falsified content slips through that came from someone who is not employed, possibly not even paid, and virtually anonymous, what can they do besides shrug and say, "Oops. Well, we won't take content from that disposable email address any more." And I'll wager that they find that diluted liability almost as comforting as the lower monetary costs.

    That said, I do agree that Citizen Journalism is a Good Thing, since professional journalists who passed their required ethics courses in college can't be everywhere at once. But Journalistic Integrity is just as Good a Thing. Suspicion and skepticism should always have honored places in the production and consumption of news, and I'm personally suspicious and skeptical when my news is coming from people who have no credentials.