Embracing and extending, sure... that's sort of the point of an extension (plugin) to a product. One could even argue that that's the point of allowing additional drivers in a kernel.
Ten hours of work? What are you doing, re-soldering everything on the motherboard? It takes all of an hour to build a computer from parts, if you have the parts there, then another hour or two to install an OS (unless you're a masochistic Gentoo user like me).
Evil virus removal, where reformatting is not an option: a few hours' labor.
Dead $part: new parts, 5 minutes to install.
What could you possibly be doing to a computer that requires both replacement parts and ten hours of labor? Or are you driving halfway to Canada to buy that replacement RAM?
I'm not judging all mechanics based on those few I've visited. I'm just saying I'm quite wary about what they try to sell me.
Jiffy Lube tried to get me to buy expensive oil which a friend's mechanic brother later told me would actually have been worse for my engine. They also tried to get me to replace brand new windshield wipers that I had installed myself just days earlier.
On the other hand, the windshield rock chip repair guy gave me a free chip repair because I had had him fix four or five other chips in the previous six months.
Now, I understand that a business has to make money. But when two different official dealerships try to rip me off in the several-hundred-dollar sort of way, it makes me lose respect for the industry. (As for why I still had the dealership do the $2000 repair, it was my dad's car, and he was paying for that one. He prefers dealerships to other mechanic shops for reasons which he has never mentioned. You'll note that when it was my wallet at stake, I went for a second opinion.)
Agreed. My first programming job was part-time; I was hired at $10/hr, and I had to practically demand a raise to $12/hr in a lengthy e-mail in which I pointed out all the valuable things I had already contributed to the company.
Several months later he told us to tell our friends he was looking to hire entry-level peons (who would do less work than we were currently doing) and that they'd start at $12/hr.
We definitely got the "I don't respect you" vibe from that.
No, wages did not dictate my behavior in the company, but they definitely affected how I perceived my employer.
I also noted that his response to "a chipset failure" was to replace the RAM.
I don't think "chipset" means what he thinks it means.
Also, a faulty power switch probably wouldn't cause a bluescreen, it would just make the machine power cycle instantly, without giving windows time to record any sort of error... and even if it did have time, there wasn't technically an error to report;)
Once, I took my car to a dealer in for general maintenance at my dad's request (he owned the car), then went shopping while I waited. The tech called me on my cell saying "um... you'd better come look at this." Turns out all sorts of fun things were breaking (i.e. visible cracks, missing bearings, leaks, broken engine brackets, etc.). Oh, and it was going to cost $3000. Some expert haggling by my dad over the phone got the price down to a more palatable $2000.
So no, they weren't lying, but they wanted to charge an arm and a leg, and we had to twist their arms to get them to be reasonable.
Another time, I took in the same car (via a tow truck) to another dealer because it refused to start. I was told they needed to replace the entire electrical system of the car, and that it would cost $800. I asked if there was another way to get the car working cheaper, even temporarily, and I was told "No".
Well I wanted a second opinion, so I had another tow truck take my car back home. The tow truck driver, upon hearing why I wasn't having the dealership repair the car, said he'd take a look when we got to my apartment. The verdict?
"Replace this wire here, and get a new clamp for this wire here. Clean the terminals, then reattach the wires. Should run you like $25, and you'll be good as new."
The car works fine, a year later.
So you'll forgive us if we're wary of dealerships.
The medical industry gets in huge trouble when data gets leaked that has just a name and what medicine they're taking. Names are treated as PII, even when the name is "John Smith" and nobody could ever possibly identify an individual based on "John Smith", because there are zillions of them.
Similarly, no company should publish information that includes IP addresses. That's all I'm saying.
if youre doing something you want to keep a secret but cant be bothered to use a proxy, why then should legislation be enacted to protect you?
If you're doing something in real life you want to keep a secret (e.g. you don't want everyone to know you have a nasty disease) but can't be bothered to figure out a way to get the medicine legally without revealing your identity, why then should legislation be enacted to protect you? (It already does, by the way.)
Not everyone has the technical expertise to use a proxy. Don't act like it's the most trivial thing in the world to do - the idea is to protect the people who use technology but don't know everything about it.
But that's exactly my point - it can identify you personally, when combined with other information.
Your home address doesn't identify you personally, unless you live alone (and even then it might not). How about you publish that?
I'm not saying it should be treated the same as a Social Security number, but IP addresses should at the very least be treated with care, because when combined with other data, IP addresses can help identify specific people.
DHCP is largely a red herring. Yes, my cable modem gets its IP address via DHCP. I've only ever had one address, though, in the two months I've had internet service here. I use DHCP within my own network, but three machines get static IPs for routing rule purposes. The laptops get dynamic addresses, but they're almost always the *same* addresses.
Well they are, even though they don't by themselves identify an individual:
"information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
Put in another light, how many people use your external IP address at home in a day?
By itself, and IP address cannot usually be used to identify a particular person. But when combined with other data, it can be used to that end - and it should therefore be treated as PII.
Just as companies should not publish lists of street addresses (even without zip codes) to which they have sold their line of sexually transmitted disease medication, those same companies should not publish lists of IP addresses which have been used to visit their STD FAQ website.
That's true, but that's not the purpose of PII privacy rules. PII privacy rules do not only aim to protect only information that by itself identifies a person, they also aim to protect information that can identify a specific person when combined with other information.
In my earlier example, both zip codes and street addresses should be considered PII, even though by themselves they do not identify any particular person.
Privacy law and criminal law are unrelated; just because something is protected under PII law doesn't mean it can be used by itself to convict someone of a crime.
Yes, but if someone gets stabbed in your backyard (your IP address is used nefariously), and a trail of bloody footprints leads into your house (access logs don't show external access), and a warranted search turns up the murder weapon (they find your botnet control scripts in ~alistar/evilplottotakeovertheworld/), point three just doesn't matter anymore;)
Under certain circumstances it may be possible to prove a link between IP and PII.
That's exactly why we should default to thinking of IP addresses as PII, because it can be used to identify people when used in conjunction with other information (depending on that other information).
The point of PII privacy rules aren't to protect information that by itself identifies a specific person, it's to protect information that can be used to find out something else that identifies a specific person.
PII is not "any information that by itself identifies a specific person". PII is any information that, in conjunction with other information, can be used to identify a specific person. An IP address does not, by itself, identify a specific person, but when combined with logs or other information, an IP address can be quite specific. I'll give examples below, using your questions as starting points. (It's not relevant that some of the solutions require the cooperation of another entity.)
If someone launched an attack from that one box, which of the 200 students is responsible?
The one whose account logs have "./myevilattack -target whitehouse.gov" in them.
If I leave my windows PC on, and someone breaks into it (they break into my house etc..) am I all of a sudden responsible?
Unless you can show that you weren't the one doing it, then the only thing to go off of is your word; in that case, yes, you would most likely be held responsible (at least in a civil case).
If my car runs over an old lady in the street, this does not imply I was at the wheel.
It does if the circumstances are right. For example, I never lend my car to anyone, ever; if my car runs over someone, chances are quite high that I was at the wheel. The only evidence to the contrary would be my word, so unless I have an alibi that can verify my whereabouts at the time, then the police would have no reason to believe anyone else was driving.
By itself, a license plate number or an IP address aren't necessarily personally identifiable information, but when combined with other information, they can lead one to identify specific individuals. Therefore, they are both PII (or at least, they can be, and thus should be treated as if they always are, from a privacy standpoint).
Something is PII if it can be used in conjunction with something else to identify a person. So, for example, by itself, a zip code is nearly useless. Similarly, a street address by itself is (usually) useless. However, when used together you can suddenly identify a household; thus, they're both PII.
There's actually a good reason for this. Company A releases a list of zip codes where it sells Something Embarrassing. Months or years later, Distributor B releases a list of street addresses (without zip codes) to which it has delivered products from Company A.
A crafty person could find suitable overlaps of zip code and street address in those two data sets, and find out that it's highly probably that Senator Palpatine of 123 Main Street in the 00032 postal area purchased Something Embarrassing.
Granted, my example is somewhat contrived, but it would not be difficult to come up with others.
For another example, even anonymized data can be PII. Remember when AOL released its "anonymized" search data, and specific individuals could be identified using that data?
Re:I would disagree with the premise.
on
P.I.I. In the Sky
·
· Score: 1
Actually if the police know that a murderer is in a specific bar with the murder weapon, but they don't know who it is specifically, it's pretty likely that they're going to lock the place down and search everyone (perhaps after obtaining a quick warrant), or at the very least they're going to question everyone.
Re:I would disagree with the premise.
on
P.I.I. In the Sky
·
· Score: 1
You don't even need to change the hardware to change MAC addresses. IIRC Linux can spoof any MAC address you want, if you set it up; at least, the two Linux-based router firmwares I've used let you do that. I'm assuming this is a Linux thing and not a router-specific thing.
Have you seen some of the earlier attempts at LotR movies? I'll be generous and call them "interesting" (in an abstract sense). One in particular attempted to combine real-life and cartoon in a style vaguely similar to the ever-popular Chronicles of Narnia movies (not the new ones), but they did it orders of magnitude worse on the crap-o-meter, and if memory serves, they didn't make enough money on the first one to make another to finish the story.
You already do, but since everyone is a descendant of Adam, and there are far more people than Bible purchases, you're getting paid a fraction of a cent (rounded down to the nearest cent, of course).
(Nitpick: If I write a book about George Bush, Bush's children do not get royalties for that work. My children, however, would. Thus, Adam's children wouldn't get royalties for Genesis, but Moses' children would...)
Slashdot Mirror
Embracing and extending, sure... that's sort of the point of an extension (plugin) to a product. One could even argue that that's the point of allowing additional drivers in a kernel.
But extinguish? Hardly.
Ten hours of work? What are you doing, re-soldering everything on the motherboard? It takes all of an hour to build a computer from parts, if you have the parts there, then another hour or two to install an OS (unless you're a masochistic Gentoo user like me).
Evil virus removal, where reformatting is not an option: a few hours' labor.
Dead $part: new parts, 5 minutes to install.
What could you possibly be doing to a computer that requires both replacement parts and ten hours of labor? Or are you driving halfway to Canada to buy that replacement RAM?
I'm not judging all mechanics based on those few I've visited. I'm just saying I'm quite wary about what they try to sell me.
Jiffy Lube tried to get me to buy expensive oil which a friend's mechanic brother later told me would actually have been worse for my engine. They also tried to get me to replace brand new windshield wipers that I had installed myself just days earlier.
On the other hand, the windshield rock chip repair guy gave me a free chip repair because I had had him fix four or five other chips in the previous six months.
Now, I understand that a business has to make money. But when two different official dealerships try to rip me off in the several-hundred-dollar sort of way, it makes me lose respect for the industry. (As for why I still had the dealership do the $2000 repair, it was my dad's car, and he was paying for that one. He prefers dealerships to other mechanic shops for reasons which he has never mentioned. You'll note that when it was my wallet at stake, I went for a second opinion.)
Agreed. My first programming job was part-time; I was hired at $10/hr, and I had to practically demand a raise to $12/hr in a lengthy e-mail in which I pointed out all the valuable things I had already contributed to the company.
Several months later he told us to tell our friends he was looking to hire entry-level peons (who would do less work than we were currently doing) and that they'd start at $12/hr.
We definitely got the "I don't respect you" vibe from that.
No, wages did not dictate my behavior in the company, but they definitely affected how I perceived my employer.
Bruce doesn't need you to bring him your computer to gain access... he already has it.
Or in my case, replace that second 3 with:
4. Give up and say "dunno... maybe try acupuncture?"
(Also, since I'm in the U.S., precede it with "empty your pockets since your insurance company decided to call it a pre-existing condition".)
Same thing happened at my previous job. Taking out the video card is now my first diagnostic test for the "won't POST" problem.
I also noted that his response to "a chipset failure" was to replace the RAM.
I don't think "chipset" means what he thinks it means.
Also, a faulty power switch probably wouldn't cause a bluescreen, it would just make the machine power cycle instantly, without giving windows time to record any sort of error... and even if it did have time, there wasn't technically an error to report ;)
Make that "So forgive us if we're wary of car mechanics."
Once, I took my car to a dealer in for general maintenance at my dad's request (he owned the car), then went shopping while I waited. The tech called me on my cell saying "um... you'd better come look at this." Turns out all sorts of fun things were breaking (i.e. visible cracks, missing bearings, leaks, broken engine brackets, etc.). Oh, and it was going to cost $3000. Some expert haggling by my dad over the phone got the price down to a more palatable $2000.
So no, they weren't lying, but they wanted to charge an arm and a leg, and we had to twist their arms to get them to be reasonable.
Another time, I took in the same car (via a tow truck) to another dealer because it refused to start. I was told they needed to replace the entire electrical system of the car, and that it would cost $800. I asked if there was another way to get the car working cheaper, even temporarily, and I was told "No".
Well I wanted a second opinion, so I had another tow truck take my car back home. The tow truck driver, upon hearing why I wasn't having the dealership repair the car, said he'd take a look when we got to my apartment. The verdict?
"Replace this wire here, and get a new clamp for this wire here. Clean the terminals, then reattach the wires. Should run you like $25, and you'll be good as new."
The car works fine, a year later.
So you'll forgive us if we're wary of dealerships.
The medical industry gets in huge trouble when data gets leaked that has just a name and what medicine they're taking. Names are treated as PII, even when the name is "John Smith" and nobody could ever possibly identify an individual based on "John Smith", because there are zillions of them.
Similarly, no company should publish information that includes IP addresses. That's all I'm saying.
if youre doing something you want to keep a secret but cant be bothered to use a proxy, why then should legislation be enacted to protect you?
If you're doing something in real life you want to keep a secret (e.g. you don't want everyone to know you have a nasty disease) but can't be bothered to figure out a way to get the medicine legally without revealing your identity, why then should legislation be enacted to protect you? (It already does, by the way.)
Not everyone has the technical expertise to use a proxy. Don't act like it's the most trivial thing in the world to do - the idea is to protect the people who use technology but don't know everything about it.
But that's exactly my point - it can identify you personally, when combined with other information.
Your home address doesn't identify you personally, unless you live alone (and even then it might not). How about you publish that?
I'm not saying it should be treated the same as a Social Security number, but IP addresses should at the very least be treated with care, because when combined with other data, IP addresses can help identify specific people.
DHCP is largely a red herring. Yes, my cable modem gets its IP address via DHCP. I've only ever had one address, though, in the two months I've had internet service here. I use DHCP within my own network, but three machines get static IPs for routing rule purposes. The laptops get dynamic addresses, but they're almost always the *same* addresses.
Would you be equally happy with a pharmaceutical company who publishes a list of Viagra purchases by IP address, if yours was on the list?
This isn't really about criminal law, this is about privacy.
Well they are, even though they don't by themselves identify an individual:
"information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
Put in another light, how many people use your external IP address at home in a day?
By itself, and IP address cannot usually be used to identify a particular person. But when combined with other data, it can be used to that end - and it should therefore be treated as PII.
Just as companies should not publish lists of street addresses (even without zip codes) to which they have sold their line of sexually transmitted disease medication, those same companies should not publish lists of IP addresses which have been used to visit their STD FAQ website.
That's true, but that's not the purpose of PII privacy rules. PII privacy rules do not only aim to protect only information that by itself identifies a person, they also aim to protect information that can identify a specific person when combined with other information.
In my earlier example, both zip codes and street addresses should be considered PII, even though by themselves they do not identify any particular person.
Privacy law and criminal law are unrelated; just because something is protected under PII law doesn't mean it can be used by itself to convict someone of a crime.
Yes, but if someone gets stabbed in your backyard (your IP address is used nefariously), and a trail of bloody footprints leads into your house (access logs don't show external access), and a warranted search turns up the murder weapon (they find your botnet control scripts in ~alistar/evilplottotakeovertheworld/), point three just doesn't matter anymore ;)
Under certain circumstances it may be possible to prove a link between IP and PII.
That's exactly why we should default to thinking of IP addresses as PII, because it can be used to identify people when used in conjunction with other information (depending on that other information).
The point of PII privacy rules aren't to protect information that by itself identifies a specific person, it's to protect information that can be used to find out something else that identifies a specific person.
PII is not "any information that by itself identifies a specific person". PII is any information that, in conjunction with other information, can be used to identify a specific person. An IP address does not, by itself, identify a specific person, but when combined with logs or other information, an IP address can be quite specific. I'll give examples below, using your questions as starting points. (It's not relevant that some of the solutions require the cooperation of another entity.)
If someone launched an attack from that one box, which of the 200 students is responsible?
The one whose account logs have "./myevilattack -target whitehouse.gov" in them.
If I leave my windows PC on, and someone breaks into it (they break into my house etc..) am I all of a sudden responsible?
Unless you can show that you weren't the one doing it, then the only thing to go off of is your word; in that case, yes, you would most likely be held responsible (at least in a civil case).
If my car runs over an old lady in the street, this does not imply I was at the wheel.
It does if the circumstances are right. For example, I never lend my car to anyone, ever; if my car runs over someone, chances are quite high that I was at the wheel. The only evidence to the contrary would be my word, so unless I have an alibi that can verify my whereabouts at the time, then the police would have no reason to believe anyone else was driving.
By itself, a license plate number or an IP address aren't necessarily personally identifiable information, but when combined with other information, they can lead one to identify specific individuals. Therefore, they are both PII (or at least, they can be, and thus should be treated as if they always are, from a privacy standpoint).
Something is PII if it can be used in conjunction with something else to identify a person. So, for example, by itself, a zip code is nearly useless. Similarly, a street address by itself is (usually) useless. However, when used together you can suddenly identify a household; thus, they're both PII.
There's actually a good reason for this. Company A releases a list of zip codes where it sells Something Embarrassing. Months or years later, Distributor B releases a list of street addresses (without zip codes) to which it has delivered products from Company A.
A crafty person could find suitable overlaps of zip code and street address in those two data sets, and find out that it's highly probably that Senator Palpatine of 123 Main Street in the 00032 postal area purchased Something Embarrassing.
Granted, my example is somewhat contrived, but it would not be difficult to come up with others.
For another example, even anonymized data can be PII. Remember when AOL released its "anonymized" search data, and specific individuals could be identified using that data?
Actually if the police know that a murderer is in a specific bar with the murder weapon, but they don't know who it is specifically, it's pretty likely that they're going to lock the place down and search everyone (perhaps after obtaining a quick warrant), or at the very least they're going to question everyone.
You don't even need to change the hardware to change MAC addresses. IIRC Linux can spoof any MAC address you want, if you set it up; at least, the two Linux-based router firmwares I've used let you do that. I'm assuming this is a Linux thing and not a router-specific thing.
Read this post, I think it answers your question.
Have you seen some of the earlier attempts at LotR movies? I'll be generous and call them "interesting" (in an abstract sense). One in particular attempted to combine real-life and cartoon in a style vaguely similar to the ever-popular Chronicles of Narnia movies (not the new ones), but they did it orders of magnitude worse on the crap-o-meter, and if memory serves, they didn't make enough money on the first one to make another to finish the story.
You already do, but since everyone is a descendant of Adam, and there are far more people than Bible purchases, you're getting paid a fraction of a cent (rounded down to the nearest cent, of course).
(Nitpick: If I write a book about George Bush, Bush's children do not get royalties for that work. My children, however, would. Thus, Adam's children wouldn't get royalties for Genesis, but Moses' children would...)