The problem is that "disrespect" is based on the perception, rather than the intent, and there's an inherent conflict of interest in a review setting (like in any quality-control process or collaborative effort).
I'm very passionate about what I do. It's part of what makes me good at what I do, because I actually care about doing a good job, rather than just hitting the magic "40" on my time card and getting a paycheck. I will not hesitate to call out anyone's stupid failures. Mistakes or lack-of-training issues are fine, and we will accept those and move on, but failure due to being inattentive or simply lazy is not acceptable, and anyone failing in such a way needs to be aware that they're not performing up to the standards expected of my team. Frankly, I don't care what gender you are (or aren't), or how old you are, or your socioeconomic status, or really any other factor than whether you do the job. In my opinion, I'm perfectly in compliance with any nondiscrimination policy, because I don't discriminate.
To someone else's perspective, though, they think I'm complaining because they're black, or Jewish, or young, or blonde, or whatever particular insecurity they want to call out, because they're too inattentive to understand that they were actually doing something wrong.
The moment discrimination is brought up, especially in an enterprise with a "Code of Conduct" that is venerated above producing quality results, it's no longer a discussion about the right way to actually do the job. It's a discussion about sensitivity, and framing discussion, and having nice polite conversations with 3 HR reps and two managers, at whatever time they can all fit a discussion into their schedules. By the time that discussion takes place, the same failures have been repeated three times, and now there's a quality-control issue that needs to be addressed. Of course, that actual process issue has now become "normal", and any further complaint about the failure is just more "harassment".
In the end, the person who noticed the original problem is punished, the problem persists, and weeks of effort are wasted on what could have been fixed in five minutes of candid discussion. There have been many cases where this process has itself been abused to attack anyone who dares to complain about someone who is more skilled at gaming the management than actually doing their job.
As an alternative to a flawed "Code of Conduct", I suggest simply an environment of open failures, along the following lines:
If you screw up and you realize it, tell the team.
If you see someone else screw up, tell them or the team lead.
If you are told you screwed up, you are responsible for finding the document that describes the process.
Calling out someone who is, in fact, correct according to the documentation is itself a screwup.
Anyone on the team may contribute to the documentation.
Every day that you work with this team, you are joining a team. Everyone here is useful in some manner, regardless of whether or not you know what that manner is. You do not have the right to question anyone's participation in this team, though you may question how they do it as described above.
In short, if you want to say someone's wrong, it had better be something that's either not yet documented, or the document supports your opinion. It's very difficult to put discrimination into writing without making it obvious, especially when it's a document that anyone else can fix. At the same time, encouraging people to admit their own mistakes prevents hero worship and excessive egos. It's much easier to take a complaint when you know that your competency is not also under attack.
My "small" environment at work produces 40GB of final product for every full build, every day. If we include intermediate products (which make troubleshooting much easier), it's pushing 120GB per build... and we're trying to ramp up to about 20 full builds each day. Quick computation estimates about 48TB per month at that rate.
Now, we don't need to keep old builds around forever... most of the time. We currently have about 15TB of data we can't get rid of for contract reasons, and have to protect in various inconvenient (offline, checksummed, archived) ways. All together, we have about 150 hard drives to keep track of, scattered around our environment in various places*.
Bigger drives would make my life easier.
* Let's not get into a discussion about architecture... management doesn't agree with the silly concepts like "best practices" that the sysadmins keep talking about.
I'll give it a 99% chance. That statistic is pretty generous to the 1% side, since in the past decade, I've pushed out every single MS update to about 1500 devices in total, and I've had 5 problems. That's not "5 updates caused problems," that's "I've had to fix problems 5 times that I can recall". Two stopped booting after an AV update, two ASUS systems had a nasty issue with a MS update, and a server once killed itself during an update and wouldn't reboot cleanly without some TLC.
Now, it takes some effort... I keep drivers updated, perform periodic maintenance, upgrade hardware as needed, and I keep the systems fully updated. As a sysadmin, that is my job. I can be sure that updates won't break my system, because my systems are nothing unusual. Of course, "nothing unusual" doesn't make headlines.
they have to patch for security but they have to accept patches which at the same time expose themselves to less privacy.
Like what, exactly? Is there a particular feature you have in mind, with whose privacy policy you don't agree?
The major complaint was that [Vista] broke many things that took a while for drivers to be updated.
...which were mostly broken due to the drivers abusing the old security model, but sure...
...Vista chirping to ask for every single permission was annoying to many. Also another major complaint was how many brand new systems were sold as "Vista Capable" when they could only use the most crippled version of Vista.
That UX problem is something I'll happily join in complaining about, but it's still wasn't a good excuse to stay with XP's wider attack surface. Similarly, Microsoft's sales tactics are another area for valid complaint, and have no bearing on whether it's acceptable to tell users to sabotage their own security.
If MS doesn't care about those things then why are they increasingly gathering more data about what their users do?
Because, in aggregate, they care about what their users as a group do. To illustrate with an example, I'll use a previous career of mine involving collecting very sensitive personally-identifiable medical data.
One of my company's goals was to identify insurance fraud being perpetrated by doctors (as opposed to anything the patient might do). To that end, we were interested in whether doctors were treating their patients "close enough" to how other doctors treated similar cases. If you have a broken leg, you can expect x-rays, a cast, some pain meds, and the like. Requiring 27 blood tests, a cranial MRI, and three weeks in an ICU with no other diagnosis? That's probably excessive, and would get the case flagged.
In order to perform the analysis, we had to collect everything about a patient's history with the doctor. Tests, prescriptions, visits... it all went into the collectors, but it was a lot of data. It all got boiled down to a score from 0 to 2. A perfect "1.0" meant the case was perfectly in line with treatment seen everywhere else. If there were multiple major directions for treatment, we'd see lower numbers, as the cases would have less factors in common. The doctor's scores would then be averaged, into their own score reflecting how closely they followed normal practices. Scores above or below magic thresholds were flagged to be sent to a review board, who would do their usual thing.
To our servers, the patient was a distinct patient for less than a minute, and their records were personally identifiable to them for three milliseconds. To the patient (who signed the privacy agreement), we collected everything about them, and could use it in any way whatsoever, even selling it to advertisers or third parties. It was a standard boilerplate agreement, pulled right from the pages of our lawyers' textbooks.
In Microsoft's case, there are similar pieces of information that it's just silly to not "collect": Windows version number, hardware profile, drivers... Then some basic "system configuration" like whether it's a domain system or not, or the username/email you logged in with, since that can impact a lot of deep-magic Windows functions. Of course, that all sounds terribly scary, but it's all the first things I check when I have to debug something. Then there's all the usual Internet-related information like your IP address whenever it makes any request. That's probably discarded at their load balancer, but might show up in a log somewhere, so they disclose it.
As in my case, I expect (and have heard corroboration from various MSFT engineers) that all of this data is quickly mangled and correlated to produce arbitrary pie charts in arbitrary reports, that eventually get turned into statements like "35% of users installed this security update wit
Eh..... (and we veer wildly off-topic, but it's to a more pleasant one)
I'm still kinda sour on Ubuntu for one main reason: It's heavy. Rightfully so, as its focus is on userland compatibility and hardware support, but it's always struck me as a bit of too much overkill for my (minimal) tastes.
For long-term stability, I think Debian still can't be beat, since that's its primary goal. It's very easy to have a minimal Debian install in a few hundred megabytes, and that can be trimmed down much more with some effort. Even when things change, Debian encourages modular config files, so it's very easy to just drop in the same old config files, and expect things to work. Unfortunately, its stability comes at the price of compatibility, as it's all too easy to fall into the situation of having an old system with old libraries and compilers and such, then you try to go add a new package and find that the latest compatible version is two years old. Sure, most core-system security issues are backported, but there's a lot of missing capability down that road.
Recently I've taken more to SuSE, which seems like a happy medium between the two. It's a bit more cutting-edge than Debian, but still not as packed-full as Ubuntu, and still has enough polish to be usable. I'm also a big fan of BTRFS, which is the preferred filesystem on SuSE, too... Unfortunately, SuSE is not as likely to be a supported OS for software packages as Debian or Red Hat, and it's just different enough from Red Hat to be troublesome.
I'd much prefer to see non-security updates completely branched off, but I can also understand Microsoft's reluctance to do that. It makes their testing and rollout far more complex. On the other hand, it's what GNU/Linux distros do all the time, with so few problems that they become news events when they do happen. It would seem to me that Microsoft should be able to spin up a boatload of Azure instances test every configuration, since they're pushing that cloud's capabilities so much...
The other major issue is that such things are often integrated. You can't have everyone get automatic AV updates without everyone having AV, so Defender became a standard feature. You can't have Defender without (and from here on I'm making up things I'm not ambitious enough to research).NET 4.5.0, so.NET is a standard feature. You can't have.NET 4.5.0 without (still making things up) Windows Management Tools, so that becomes standard, along with (still... you get the idea) PowerShell, and so on.
Unfortunately, there are always the slow-movers who will never add features. Then the question becomes one of support and sustainment. How long is a bare-minimal feature set considered a supported option? The Desktop Window Manager has been around for a decade now. It works, but if it were an optional feature, there'd still be folks using the old XP-era window manager, and they'd be complaining about not being able to run modern software. At some point, users have to upgrade, and Microsoft has chosen to make this a semi-annual event, essentially forcing the issue.
I'm not such a fan of the user feature integration, but generally have no strong feelings about it either way. My main complaint in this whole thread is against the folks who say things like "disable SmartScreen" or "turn off automatic reboots", or the worst one I've seen yet, "block all Microsoft servers in your firewall". Such advice looks wonderfully clever and seems like a great way to be in control of your system, but the end result is just more attack surface.
Oh, no... Feel free to bash Microsoft, but please do it in a way that doesn't make my life (as an infosec-heavy sysadmin) worse. Feel free to comment on Microsoft's business practices, compatibility, standards integration, charity/recruitment, UX/UI, SKU complexity, unwanted features, configurability, pricing, proprietary formats, data services, or the lack of any of the aforementioned, but please don't encourage people to expose themselves to risk just to "stick it to the man".
As I understand, LTSB does not actually include major security updates, but only patches to old implementations.
That means that when new attack mitigations are developed against whole classes of attacks (like when ASLR became the norm), they will be dropped into the mainline releases, but LTSB won't get them. Instead, LTSB would be reliant on a separate tool (like EMET) to implement those mitigations piecemeal, essentially leaving the attack surface almost as bad as it was at release.
LTSB is meant for appliances. If you have any flexibility in your environment at all, stick with the mainline.
I do actually support it professionally... My current day job is as a sysadmin with support duties for both Linux and Windows environments.
It's not like this update is a surprise... Microsoft announced it a while ago, and there has been a steady stream of news about it as it approaches a final state. That means about a week ago would be a good time to send out a warning to your users, saying "there's an update coming, and it'll be big. Here are the common issues reported with previous updates..."
Now, I'm all in favor of suggesting Microsoft should be responsible for making a perfect product that never causes issues, and as I said, you can hate Microsoft all you want... I'm just sick of seeing people suggesting that users go out of their way to ignore security best-practices, then whine about Windows having security problems.
Another Slashdot article about Windows, and we can already see the trolls crawling out with their complaints about privacy, breakage, licensing, and other such crap.
Look, you can hate on Microsoft all you want, but please stop pulling others into your dystopian fantasies. As a longtime Linux user, I'm a big fan of FLOSS, but it's not for everyone. Most folks don't care about their software's freedom, just as long as it keeps working.
Yes, that means updating. Keeping your systems patched and updated is the best way to reduce attack surface, regardless of what OS you use. Keeping old and familiar things is comfortable, but it's also keeping around the broken permissions model that Microsoft has been trying to improve since Windows Vista. Remember how much that broke? It was mostly because Vista had a decent security model, rather than the crap from XP.
Don't go turning off security features thinking you're protecting your privacy... you're really just increasing the time it takes for you to be protected against new threats. Microsoft doesn't care about the porn you watch or how many hours you spend on My Little Pony forums. They care about whether the worm infections causing havoc in Brazil all started from a website on a common domain, or use binaries with the same hashes.
Finally, please stop complaining that your hardware from 1994 doesn't work with the new updates. I'm terribly sorry that your vendor doesn't bother to support driver APIs less than a decade old, but it's time to move on. Those random bluescreens and lockups are usually not Microsoft's fault; it's that the third-party vendor doesn't think stability is enough of a priority to actually test their drivers.
With that all out of the way, let's all have a nice friendly conversation, eh? Anyone?
I'm curious what government contracts you've worked... Those comments don't reflect my experience in the field at all.
Government contracts are lucrative
Government contracts are indeed high-value, but they also carry far more restrictions than B2B contracts. You must have these demographics on your team, you must use these standards nobody else uses, and you must do all of this vetting and paperwork for your suppliers... Sure, the price tag is high, but the costs and logistics are high, too. I've seen far more profit per contract on B2B deals, where the client doesn't care how something's done, just so long as they don't have to do it themselves.
Selling to the government means that you WILL get paid
...as long as your product passes acceptance and hits milestones. Otherwise, you get a "stop work" order, and your project sits in limbo for a year while the lawyers try to figure out whose fault it is. Eventually, the budget gets cut, your company is accused of never delivering the product, and the whole matter is dropped (without payout), because the company wants to keep the client happy for future business.
you'll have a way to get your money, if only by not paying taxes in return to not getting paid (and if your country doesn't let you do that, well, find a better country).
Please clarify precisely what countries allow you to violate tax law to settle a contract dispute.
government don't go out of business and leave you sitting on raw materials for a contract that you suddenly can't sell anymore and they rarely cancel contracts.
That's adorable. Not only do they often cancel contracts at the whim of politicians, the requirements change in a heartbeat, and you're usually left holding the unused components. As an example, I was working a government contract when encryption requirements rolled out, just after the customer had approved designs including a SAN that didn't support on-disk encryption. A new part was spec'd, new designs approved... and $500K of equipment sits in a rack in a warehouse, with no customer willing to pay for it, because it no longer meets the contract requirements.
you simply don't have to deal with risks you're usually facing when dealing with private enterprises or (worse) consumers.
The risks are different, but there are still risks.
Yeah...... I used to assist* with organizing protests. We literally had a playbook for how to do civil disobedience. For the legal route (which was actually much more rarely a planned event), we'd try to make sure that the resulting cases couldn't be thrown out for other reasons before getting to the issue in question. For PR-focused events, we'd lean the other way, trying to arrange as many mitigating circumstances as possible and get as much media attention as possible, but minimizing the actual legal impact.
In at least one event, we actually even staged an arrest for the cameras. The actual law broken was something trivial like jaywalking, but the officer on duty was a good friend, and made a nice big show of his (perfectly valid and legal) arrest, shouting loudly and completely ignoring the news cameras who will always turn to capture something like that. That case went through the court, a small fine was paid, and the evil jaywalker paid their debt to society... and conveniently had given a few interviews to the news crew earlier that day, which naturally made their way to the TV screen that night.
* For what it's worth, I assisted minimally, and didn't get particularly involved. I was the sound guy for some of the pre- and post-protest discussions and meetings, so I heard the planning and the stories, but can't really claim much expertise beyond what I've said here.
That's almost completely separate from what I'm talking about.
Yes, copyright is a new concept. It's a recent idea that thought is valued like physical labor, mostly stemming from the printing press and other duplication mechanisms removing the traditionally inseparable connection between the creation of a concept and the production of a physical format.
Along with the creation of copyright, though, we quickly came up with the notion of applying licensing to copyright. Licensing had been around before in the form of trade marks and brands, mostly controlled by the state to show that the right palms had been greased for commerce to move. With copyright, licensing is the big exception: nobody can make a copy, except a licensee.
The laws and norms around licensing trace their history back to binding contracts, completely separately from copyright, and that's the part that is older. Having licenses as a general permission system was mostly tied to trade, where sea captains and caravan drivers would be hired to do business as agents of their sponsoring companies... but only so long as their license allowed.
Now, this idea of agency dates back to at least the Romans and the delegation that was necessary for their widespread empire, but it was all backed by a still-older legal power in a binding contract. The notion that you could sign an agreement and face legal consequences for breaking it is really the foundation there, and it comes with all of the thorny issues related to such things:
Who can enter a contract?
Can an agent cause someone else to be bound by a contract?
What formalities are required to make a contract?
Who has to know about the contract for it to be valid?
What are the consequences for breaking the agreement?
Who enforces those consequences?
Those questions are not new to copyright, or really even new to civilization. In fact, some of the oldest writing samples we've ever found have been contracts, promising to fulfill various trade agreements between vendors, or warning of consequences for offenses. They certainly don't look like modern contracts, but they met the standards of the day.
What is new in contracts is how widespread they've become. Nearly every commercial activity today is governed by a contract of some kind, whether in the form of usage agreements, employment terms, or even less-obvious things like bills of sale or marriages. This is a more modern development from just around the last century, mostly due to having more free labor, and establishing a legal system in England that allowed anyone (not just nobles or wealthy businessmen) to use the courts to resolve disputes.
With so much of modern law revolving around contracts, it's absurd to attempt to consider just "copyright" as itself, without also understanding the context of licensing, especially since the sentence you originally quoted was in reference to the GPL. Without copyright, the GPL would still be a legally-valid agreement for anyone who chose to abide by it, but there would be no reason one would have to agree to it.
Which in a case like this would have been exactly the right thing to do!
Why exactly would it be right in this case?
Microsoft produced a work eligible for copyright. They sell copies of that work. Lundgren made his own copies, distributed them, and benefitted from that distribution of someone else's work. Please tell me why, in very specific terms, it would be just to allow this act?
Jury nullification cannot be used to execute or imprison someone who by law might not have been punished.
Jury nullification can be used to allow offenses to go unpunished. It has been used in the past to allow racist murderers to go unpunished, leaving the victims' families with no recourse for justice. Here you suggest that it should be used to allow the looting of someone's contracted and paid-for labor. It is a power, and like any other power, it can be used for evil just as easily as it can for good.
It doesn't do anything to the law, though. It only nullifies the specific case. The whole premise of a law-abiding society is that the laws are predictable and fairly applied. Using jury nullification turns the legal system into a popularity contest, where the winners can get away with anything if they can convince enough jurors that they should be above the law.
If you want to get rid of a bad law, the best way to do that is to convince your representative to take up that cause, or even run for that position yourself.
As for civil disobedience, please recall that that's also still breaking the law, and folks still get arrested for it, and folks still go to jail for it, and only rarely do they ever see their preferred form of outcome. Usually, civil disobedience (at least, when coordinated by people who know what they're doing) is intended to be an opportunity to draw media attention to an issue, or to get a carefully-planned case in front of an appeals court with the ability to rule a law is unconstitutional. As a famous example, Rosa Parks' refusal to give up her bus seat sparked a popular media event, but the discriminatory law itself was actually overturned by the case stemming from the arrest and fining of Aurelia Browder.
If it's a specific law you don't trust, ask your representatives to have that law changed, either through a direct petition or through indirect activism. That's how the system is designed to work, in accordance with the Constitution. As the saying goes, there are the four boxes of liberty: soap, ballot, jury, and ammo. The third box is when the first two have failed completely.
Copyright laws refer to licensing, which in turn stems from contract law, which comes from common-law agreements, which have been enforceable since Babylon. Yes, copyright's a fairly new concept, but it's based on far older ideas.
Jury nullification is, by necessity, a complete undermining of the legal and judicial process. It is essentially taking the Constitutional architecture for our three branches of government, throwing it out the window, and saying "this mob will rule today". To ask a jury to nullify a case is to declare no confidence in the duly-elected representatives, judges, or attorneys involved.
It is the ultimate power of the people, as the judicial equivalent of a nuclear weapon. There is no return, no appeal, and no way to fix the harm caused by a jury nullifying inappropriately. It is a power that should be used when there is no other option that aligns with America's founding principles. If an executive branch starts persecuting religious leaders, nullification would be appropriate. If people are being prosecuted simply for meeting each other, nullification is appropriate. If someone is being tried for their thoughts rather than their actions, nullification would be appropriate.
I, for one, can't trust that someone promoting nullification can actually respect the law or its application. In the public eye, it's become seen as a minor anarchy; just a way to escape consequences for crimes against acceptable targets. After all, who cares if it's Microsoft, or Disney, or Monsanto being harmed? How bad can it be to remove legal protection from groups or people we don't like, anyway?
Now in this case, Lundgren violated the letter, spirit, and intent of the law. There are other (legal) routes to accomplish what he tried to do. Just because we happen to agree with the cause he champions is no reason to tear down the pillars of justice. It's just not worth the high cost.
As for the key codes, they're still usable with legally-produced media, like the small stack of old Windows disks I have on a bookshelf, or anything Microsoft (or its licensees) might still produce and sell.
I don't have mod points, so all I can do is agree.
The law (and the court) doesn't care about what society wants or doesn't want. It only cares about what's legal, and the law here is pretty clearly set against Lundgren. He copied other peoples' work without their permission, caused them harm (in the loss of a market for their work), and personally gained (even just fame) from it. Those aren't all necessary factors, but together they make a pretty damning case.
These are indeed the same considerations that give other licenses like the GPL its own legal power, held up by the legal framework of the past few thousand years. If Microsoft copies GPL software* without complying fully with the GPL, they are causing harm and their own gain without permission, and are just as open to a lawsuit as this "innovator".
* Note that with the Windows Subsystem for Linux coming into use, GPL violations become much more likely for anyone building a custom system using WSL and integrating open-source components. Be careful, and check your licenses, folks!
No arrests, no bad credit, no legal troubles in another state... It's a fresh start to adult life, just as soon as that identity turns 18 and stops raising the real big red flags on background checks. Usually for a job or credit account, the person running the check isn't actually dealing with the fraudster, so they're unlikely to notice that the guy who clearly looks middle-aged is claiming to be 20.
Unfortunately, the other common case is that it's often parents who honestly don't think they're doing anything wrong. They screwed up their own credit, but now they think they've learned their lesson, and since it's their own kid, the parents think they're doing good for the child, establishing credit history early. Then they often slip into old habits, thinking they have lots of time to pay back the credit and fix their kid's rating before the kid actually needs it. Then they forget the account altogether, and the kid is screwed.
This measurement is bullshit, and I expect it'll cause more harm than good.
Apparently 14% of Americans are on SNAP assistance. On the one hand, yes, that's terribly high and it'd be great to have every American be able to support themselves... but at the same time, it's pointing blame at Amazon for daring to offer low-paying jobs. Again, 14% of Americans are on food stamps. Those 14% are going to need help with or without working for Amazon, so I, for one, am at least glad they're employed and partially offsetting their expenses.
I'd be happy to see studies about how many folks are employed full-time and still need SNAP, or the impact of SNAP participation on economic recovery, or the like, but this seems like a hit piece against one company in particular. Apparently in Pennsylvania and Ohio, the SNAP participation rate lowers to only "around one in 10", but it's phrased like a bad thing to be better than the national average.
Overall, of five states that responded to a public records request for a list of their top employers of SNAP recipients, Amazon cracked the top 20 in four.
From TFS, a perfect example of poor research... How did this result compare to the lists of top employers of non-SNAP recipients, or the count of employees for each company? Amazon is a huge company, and they employ a lot of people. I expect they'll be on the top of a lot of lists.
Slashdot Mirror
The problem is that "disrespect" is based on the perception, rather than the intent, and there's an inherent conflict of interest in a review setting (like in any quality-control process or collaborative effort).
I'm very passionate about what I do. It's part of what makes me good at what I do, because I actually care about doing a good job, rather than just hitting the magic "40" on my time card and getting a paycheck. I will not hesitate to call out anyone's stupid failures. Mistakes or lack-of-training issues are fine, and we will accept those and move on, but failure due to being inattentive or simply lazy is not acceptable, and anyone failing in such a way needs to be aware that they're not performing up to the standards expected of my team. Frankly, I don't care what gender you are (or aren't), or how old you are, or your socioeconomic status, or really any other factor than whether you do the job. In my opinion, I'm perfectly in compliance with any nondiscrimination policy, because I don't discriminate.
To someone else's perspective, though, they think I'm complaining because they're black, or Jewish, or young, or blonde, or whatever particular insecurity they want to call out, because they're too inattentive to understand that they were actually doing something wrong.
The moment discrimination is brought up, especially in an enterprise with a "Code of Conduct" that is venerated above producing quality results, it's no longer a discussion about the right way to actually do the job. It's a discussion about sensitivity, and framing discussion, and having nice polite conversations with 3 HR reps and two managers, at whatever time they can all fit a discussion into their schedules. By the time that discussion takes place, the same failures have been repeated three times, and now there's a quality-control issue that needs to be addressed. Of course, that actual process issue has now become "normal", and any further complaint about the failure is just more "harassment".
In the end, the person who noticed the original problem is punished, the problem persists, and weeks of effort are wasted on what could have been fixed in five minutes of candid discussion. There have been many cases where this process has itself been abused to attack anyone who dares to complain about someone who is more skilled at gaming the management than actually doing their job.
As an alternative to a flawed "Code of Conduct", I suggest simply an environment of open failures, along the following lines:
In short, if you want to say someone's wrong, it had better be something that's either not yet documented, or the document supports your opinion. It's very difficult to put discrimination into writing without making it obvious, especially when it's a document that anyone else can fix. At the same time, encouraging people to admit their own mistakes prevents hero worship and excessive egos. It's much easier to take a complaint when you know that your competency is not also under attack.
Or if you run a large project.
My "small" environment at work produces 40GB of final product for every full build, every day. If we include intermediate products (which make troubleshooting much easier), it's pushing 120GB per build... and we're trying to ramp up to about 20 full builds each day. Quick computation estimates about 48TB per month at that rate.
Now, we don't need to keep old builds around forever... most of the time. We currently have about 15TB of data we can't get rid of for contract reasons, and have to protect in various inconvenient (offline, checksummed, archived) ways. All together, we have about 150 hard drives to keep track of, scattered around our environment in various places*.
Bigger drives would make my life easier.
* Let's not get into a discussion about architecture... management doesn't agree with the silly concepts like "best practices" that the sysadmins keep talking about.
I'll give it a 99% chance. That statistic is pretty generous to the 1% side, since in the past decade, I've pushed out every single MS update to about 1500 devices in total, and I've had 5 problems. That's not "5 updates caused problems," that's "I've had to fix problems 5 times that I can recall". Two stopped booting after an AV update, two ASUS systems had a nasty issue with a MS update, and a server once killed itself during an update and wouldn't reboot cleanly without some TLC.
Now, it takes some effort... I keep drivers updated, perform periodic maintenance, upgrade hardware as needed, and I keep the systems fully updated. As a sysadmin, that is my job. I can be sure that updates won't break my system, because my systems are nothing unusual. Of course, "nothing unusual" doesn't make headlines.
they have to patch for security but they have to accept patches which at the same time expose themselves to less privacy.
Like what, exactly? Is there a particular feature you have in mind, with whose privacy policy you don't agree?
The major complaint was that [Vista] broke many things that took a while for drivers to be updated.
...which were mostly broken due to the drivers abusing the old security model, but sure...
...Vista chirping to ask for every single permission was annoying to many. Also another major complaint was how many brand new systems were sold as "Vista Capable" when they could only use the most crippled version of Vista.
That UX problem is something I'll happily join in complaining about, but it's still wasn't a good excuse to stay with XP's wider attack surface. Similarly, Microsoft's sales tactics are another area for valid complaint, and have no bearing on whether it's acceptable to tell users to sabotage their own security.
If MS doesn't care about those things then why are they increasingly gathering more data about what their users do?
Because, in aggregate, they care about what their users as a group do. To illustrate with an example, I'll use a previous career of mine involving collecting very sensitive personally-identifiable medical data.
One of my company's goals was to identify insurance fraud being perpetrated by doctors (as opposed to anything the patient might do). To that end, we were interested in whether doctors were treating their patients "close enough" to how other doctors treated similar cases. If you have a broken leg, you can expect x-rays, a cast, some pain meds, and the like. Requiring 27 blood tests, a cranial MRI, and three weeks in an ICU with no other diagnosis? That's probably excessive, and would get the case flagged.
In order to perform the analysis, we had to collect everything about a patient's history with the doctor. Tests, prescriptions, visits... it all went into the collectors, but it was a lot of data. It all got boiled down to a score from 0 to 2. A perfect "1.0" meant the case was perfectly in line with treatment seen everywhere else. If there were multiple major directions for treatment, we'd see lower numbers, as the cases would have less factors in common. The doctor's scores would then be averaged, into their own score reflecting how closely they followed normal practices. Scores above or below magic thresholds were flagged to be sent to a review board, who would do their usual thing.
To our servers, the patient was a distinct patient for less than a minute, and their records were personally identifiable to them for three milliseconds. To the patient (who signed the privacy agreement), we collected everything about them, and could use it in any way whatsoever, even selling it to advertisers or third parties. It was a standard boilerplate agreement, pulled right from the pages of our lawyers' textbooks.
In Microsoft's case, there are similar pieces of information that it's just silly to not "collect": Windows version number, hardware profile, drivers... Then some basic "system configuration" like whether it's a domain system or not, or the username/email you logged in with, since that can impact a lot of deep-magic Windows functions. Of course, that all sounds terribly scary, but it's all the first things I check when I have to debug something. Then there's all the usual Internet-related information like your IP address whenever it makes any request. That's probably discarded at their load balancer, but might show up in a log somewhere, so they disclose it.
As in my case, I expect (and have heard corroboration from various MSFT engineers) that all of this data is quickly mangled and correlated to produce arbitrary pie charts in arbitrary reports, that eventually get turned into statements like "35% of users installed this security update wit
Eh..... (and we veer wildly off-topic, but it's to a more pleasant one)
I'm still kinda sour on Ubuntu for one main reason: It's heavy. Rightfully so, as its focus is on userland compatibility and hardware support, but it's always struck me as a bit of too much overkill for my (minimal) tastes.
For long-term stability, I think Debian still can't be beat, since that's its primary goal. It's very easy to have a minimal Debian install in a few hundred megabytes, and that can be trimmed down much more with some effort. Even when things change, Debian encourages modular config files, so it's very easy to just drop in the same old config files, and expect things to work. Unfortunately, its stability comes at the price of compatibility, as it's all too easy to fall into the situation of having an old system with old libraries and compilers and such, then you try to go add a new package and find that the latest compatible version is two years old. Sure, most core-system security issues are backported, but there's a lot of missing capability down that road.
Recently I've taken more to SuSE, which seems like a happy medium between the two. It's a bit more cutting-edge than Debian, but still not as packed-full as Ubuntu, and still has enough polish to be usable. I'm also a big fan of BTRFS, which is the preferred filesystem on SuSE, too... Unfortunately, SuSE is not as likely to be a supported OS for software packages as Debian or Red Hat, and it's just different enough from Red Hat to be troublesome.
It's never easy, is it?
Let's go ahead and add that to the list, then...
I'd much prefer to see non-security updates completely branched off, but I can also understand Microsoft's reluctance to do that. It makes their testing and rollout far more complex. On the other hand, it's what GNU/Linux distros do all the time, with so few problems that they become news events when they do happen. It would seem to me that Microsoft should be able to spin up a boatload of Azure instances test every configuration, since they're pushing that cloud's capabilities so much...
The other major issue is that such things are often integrated. You can't have everyone get automatic AV updates without everyone having AV, so Defender became a standard feature. You can't have Defender without (and from here on I'm making up things I'm not ambitious enough to research) .NET 4.5.0, so .NET is a standard feature. You can't have .NET 4.5.0 without (still making things up) Windows Management Tools, so that becomes standard, along with (still... you get the idea) PowerShell, and so on.
Unfortunately, there are always the slow-movers who will never add features. Then the question becomes one of support and sustainment. How long is a bare-minimal feature set considered a supported option? The Desktop Window Manager has been around for a decade now. It works, but if it were an optional feature, there'd still be folks using the old XP-era window manager, and they'd be complaining about not being able to run modern software. At some point, users have to upgrade, and Microsoft has chosen to make this a semi-annual event, essentially forcing the issue.
I'm not such a fan of the user feature integration, but generally have no strong feelings about it either way. My main complaint in this whole thread is against the folks who say things like "disable SmartScreen" or "turn off automatic reboots", or the worst one I've seen yet, "block all Microsoft servers in your firewall". Such advice looks wonderfully clever and seems like a great way to be in control of your system, but the end result is just more attack surface.
In that case, I recommend Debian.
Oh, no... Feel free to bash Microsoft, but please do it in a way that doesn't make my life (as an infosec-heavy sysadmin) worse. Feel free to comment on Microsoft's business practices, compatibility, standards integration, charity/recruitment, UX/UI, SKU complexity, unwanted features, configurability, pricing, proprietary formats, data services, or the lack of any of the aforementioned, but please don't encourage people to expose themselves to risk just to "stick it to the man".
As I understand, LTSB does not actually include major security updates, but only patches to old implementations.
That means that when new attack mitigations are developed against whole classes of attacks (like when ASLR became the norm), they will be dropped into the mainline releases, but LTSB won't get them. Instead, LTSB would be reliant on a separate tool (like EMET) to implement those mitigations piecemeal, essentially leaving the attack surface almost as bad as it was at release.
LTSB is meant for appliances. If you have any flexibility in your environment at all, stick with the mainline.
Really makes /. users look like bearded babies whining about anything not FLOSS.
I mean, to be fair, that's generally an accurate depiction... When I shave, I look like I'm 25 again.
I still drink like I'm 25, but that's mostly because I deal with infosec.
I do actually support it professionally... My current day job is as a sysadmin with support duties for both Linux and Windows environments.
It's not like this update is a surprise... Microsoft announced it a while ago, and there has been a steady stream of news about it as it approaches a final state. That means about a week ago would be a good time to send out a warning to your users, saying "there's an update coming, and it'll be big. Here are the common issues reported with previous updates..."
Now, I'm all in favor of suggesting Microsoft should be responsible for making a perfect product that never causes issues, and as I said, you can hate Microsoft all you want... I'm just sick of seeing people suggesting that users go out of their way to ignore security best-practices, then whine about Windows having security problems.
Another Slashdot article about Windows, and we can already see the trolls crawling out with their complaints about privacy, breakage, licensing, and other such crap.
Look, you can hate on Microsoft all you want, but please stop pulling others into your dystopian fantasies. As a longtime Linux user, I'm a big fan of FLOSS, but it's not for everyone. Most folks don't care about their software's freedom, just as long as it keeps working.
Yes, that means updating. Keeping your systems patched and updated is the best way to reduce attack surface, regardless of what OS you use. Keeping old and familiar things is comfortable, but it's also keeping around the broken permissions model that Microsoft has been trying to improve since Windows Vista. Remember how much that broke? It was mostly because Vista had a decent security model, rather than the crap from XP.
Don't go turning off security features thinking you're protecting your privacy... you're really just increasing the time it takes for you to be protected against new threats. Microsoft doesn't care about the porn you watch or how many hours you spend on My Little Pony forums. They care about whether the worm infections causing havoc in Brazil all started from a website on a common domain, or use binaries with the same hashes.
Finally, please stop complaining that your hardware from 1994 doesn't work with the new updates. I'm terribly sorry that your vendor doesn't bother to support driver APIs less than a decade old, but it's time to move on. Those random bluescreens and lockups are usually not Microsoft's fault; it's that the third-party vendor doesn't think stability is enough of a priority to actually test their drivers.
With that all out of the way, let's all have a nice friendly conversation, eh? Anyone?
I'm curious what government contracts you've worked... Those comments don't reflect my experience in the field at all.
Government contracts are lucrative
Government contracts are indeed high-value, but they also carry far more restrictions than B2B contracts. You must have these demographics on your team, you must use these standards nobody else uses, and you must do all of this vetting and paperwork for your suppliers... Sure, the price tag is high, but the costs and logistics are high, too. I've seen far more profit per contract on B2B deals, where the client doesn't care how something's done, just so long as they don't have to do it themselves.
Selling to the government means that you WILL get paid
...as long as your product passes acceptance and hits milestones. Otherwise, you get a "stop work" order, and your project sits in limbo for a year while the lawyers try to figure out whose fault it is. Eventually, the budget gets cut, your company is accused of never delivering the product, and the whole matter is dropped (without payout), because the company wants to keep the client happy for future business.
you'll have a way to get your money, if only by not paying taxes in return to not getting paid (and if your country doesn't let you do that, well, find a better country).
Please clarify precisely what countries allow you to violate tax law to settle a contract dispute.
government don't go out of business and leave you sitting on raw materials for a contract that you suddenly can't sell anymore and they rarely cancel contracts.
That's adorable. Not only do they often cancel contracts at the whim of politicians, the requirements change in a heartbeat, and you're usually left holding the unused components. As an example, I was working a government contract when encryption requirements rolled out, just after the customer had approved designs including a SAN that didn't support on-disk encryption. A new part was spec'd, new designs approved... and $500K of equipment sits in a rack in a warehouse, with no customer willing to pay for it, because it no longer meets the contract requirements.
you simply don't have to deal with risks you're usually facing when dealing with private enterprises or (worse) consumers.
The risks are different, but there are still risks.
Yeah...... I used to assist* with organizing protests. We literally had a playbook for how to do civil disobedience. For the legal route (which was actually much more rarely a planned event), we'd try to make sure that the resulting cases couldn't be thrown out for other reasons before getting to the issue in question. For PR-focused events, we'd lean the other way, trying to arrange as many mitigating circumstances as possible and get as much media attention as possible, but minimizing the actual legal impact.
In at least one event, we actually even staged an arrest for the cameras. The actual law broken was something trivial like jaywalking, but the officer on duty was a good friend, and made a nice big show of his (perfectly valid and legal) arrest, shouting loudly and completely ignoring the news cameras who will always turn to capture something like that. That case went through the court, a small fine was paid, and the evil jaywalker paid their debt to society... and conveniently had given a few interviews to the news crew earlier that day, which naturally made their way to the TV screen that night.
* For what it's worth, I assisted minimally, and didn't get particularly involved. I was the sound guy for some of the pre- and post-protest discussions and meetings, so I heard the planning and the stories, but can't really claim much expertise beyond what I've said here.
That's almost completely separate from what I'm talking about.
Yes, copyright is a new concept. It's a recent idea that thought is valued like physical labor, mostly stemming from the printing press and other duplication mechanisms removing the traditionally inseparable connection between the creation of a concept and the production of a physical format.
Along with the creation of copyright, though, we quickly came up with the notion of applying licensing to copyright. Licensing had been around before in the form of trade marks and brands, mostly controlled by the state to show that the right palms had been greased for commerce to move. With copyright, licensing is the big exception: nobody can make a copy, except a licensee.
The laws and norms around licensing trace their history back to binding contracts, completely separately from copyright, and that's the part that is older. Having licenses as a general permission system was mostly tied to trade, where sea captains and caravan drivers would be hired to do business as agents of their sponsoring companies... but only so long as their license allowed.
Now, this idea of agency dates back to at least the Romans and the delegation that was necessary for their widespread empire, but it was all backed by a still-older legal power in a binding contract. The notion that you could sign an agreement and face legal consequences for breaking it is really the foundation there, and it comes with all of the thorny issues related to such things:
Those questions are not new to copyright, or really even new to civilization. In fact, some of the oldest writing samples we've ever found have been contracts, promising to fulfill various trade agreements between vendors, or warning of consequences for offenses. They certainly don't look like modern contracts, but they met the standards of the day.
What is new in contracts is how widespread they've become. Nearly every commercial activity today is governed by a contract of some kind, whether in the form of usage agreements, employment terms, or even less-obvious things like bills of sale or marriages. This is a more modern development from just around the last century, mostly due to having more free labor, and establishing a legal system in England that allowed anyone (not just nobles or wealthy businessmen) to use the courts to resolve disputes.
With so much of modern law revolving around contracts, it's absurd to attempt to consider just "copyright" as itself, without also understanding the context of licensing, especially since the sentence you originally quoted was in reference to the GPL. Without copyright, the GPL would still be a legally-valid agreement for anyone who chose to abide by it, but there would be no reason one would have to agree to it.
Which in a case like this would have been exactly the right thing to do!
Why exactly would it be right in this case?
Microsoft produced a work eligible for copyright. They sell copies of that work. Lundgren made his own copies, distributed them, and benefitted from that distribution of someone else's work. Please tell me why, in very specific terms, it would be just to allow this act?
Jury nullification cannot be used to execute or imprison someone who by law might not have been punished.
Jury nullification can be used to allow offenses to go unpunished. It has been used in the past to allow racist murderers to go unpunished, leaving the victims' families with no recourse for justice. Here you suggest that it should be used to allow the looting of someone's contracted and paid-for labor. It is a power, and like any other power, it can be used for evil just as easily as it can for good.
It doesn't do anything to the law, though. It only nullifies the specific case. The whole premise of a law-abiding society is that the laws are predictable and fairly applied. Using jury nullification turns the legal system into a popularity contest, where the winners can get away with anything if they can convince enough jurors that they should be above the law.
If you want to get rid of a bad law, the best way to do that is to convince your representative to take up that cause, or even run for that position yourself.
As for civil disobedience, please recall that that's also still breaking the law, and folks still get arrested for it, and folks still go to jail for it, and only rarely do they ever see their preferred form of outcome. Usually, civil disobedience (at least, when coordinated by people who know what they're doing) is intended to be an opportunity to draw media attention to an issue, or to get a carefully-planned case in front of an appeals court with the ability to rule a law is unconstitutional. As a famous example, Rosa Parks' refusal to give up her bus seat sparked a popular media event, but the discriminatory law itself was actually overturned by the case stemming from the arrest and fining of Aurelia Browder.
If it's a specific law you don't trust, ask your representatives to have that law changed, either through a direct petition or through indirect activism. That's how the system is designed to work, in accordance with the Constitution. As the saying goes, there are the four boxes of liberty: soap, ballot, jury, and ammo. The third box is when the first two have failed completely.
Copyright laws refer to licensing, which in turn stems from contract law, which comes from common-law agreements, which have been enforceable since Babylon. Yes, copyright's a fairly new concept, but it's based on far older ideas.
I'm okay with that.
Jury nullification is, by necessity, a complete undermining of the legal and judicial process. It is essentially taking the Constitutional architecture for our three branches of government, throwing it out the window, and saying "this mob will rule today". To ask a jury to nullify a case is to declare no confidence in the duly-elected representatives, judges, or attorneys involved.
It is the ultimate power of the people, as the judicial equivalent of a nuclear weapon. There is no return, no appeal, and no way to fix the harm caused by a jury nullifying inappropriately. It is a power that should be used when there is no other option that aligns with America's founding principles. If an executive branch starts persecuting religious leaders, nullification would be appropriate. If people are being prosecuted simply for meeting each other, nullification is appropriate. If someone is being tried for their thoughts rather than their actions, nullification would be appropriate.
I, for one, can't trust that someone promoting nullification can actually respect the law or its application. In the public eye, it's become seen as a minor anarchy; just a way to escape consequences for crimes against acceptable targets. After all, who cares if it's Microsoft, or Disney, or Monsanto being harmed? How bad can it be to remove legal protection from groups or people we don't like, anyway?
Now in this case, Lundgren violated the letter, spirit, and intent of the law. There are other (legal) routes to accomplish what he tried to do. Just because we happen to agree with the cause he champions is no reason to tear down the pillars of justice. It's just not worth the high cost.
Yes, the courts have determined that open-source software is still valuable.
As for the key codes, they're still usable with legally-produced media, like the small stack of old Windows disks I have on a bookshelf, or anything Microsoft (or its licensees) might still produce and sell.
I don't have mod points, so all I can do is agree.
The law (and the court) doesn't care about what society wants or doesn't want. It only cares about what's legal, and the law here is pretty clearly set against Lundgren. He copied other peoples' work without their permission, caused them harm (in the loss of a market for their work), and personally gained (even just fame) from it. Those aren't all necessary factors, but together they make a pretty damning case.
These are indeed the same considerations that give other licenses like the GPL its own legal power, held up by the legal framework of the past few thousand years. If Microsoft copies GPL software* without complying fully with the GPL, they are causing harm and their own gain without permission, and are just as open to a lawsuit as this "innovator".
* Note that with the Windows Subsystem for Linux coming into use, GPL violations become much more likely for anyone building a custom system using WSL and integrating open-source components. Be careful, and check your licenses, folks!
A minor's identity is a blank slate.
No arrests, no bad credit, no legal troubles in another state... It's a fresh start to adult life, just as soon as that identity turns 18 and stops raising the real big red flags on background checks. Usually for a job or credit account, the person running the check isn't actually dealing with the fraudster, so they're unlikely to notice that the guy who clearly looks middle-aged is claiming to be 20.
Unfortunately, the other common case is that it's often parents who honestly don't think they're doing anything wrong. They screwed up their own credit, but now they think they've learned their lesson, and since it's their own kid, the parents think they're doing good for the child, establishing credit history early. Then they often slip into old habits, thinking they have lots of time to pay back the credit and fix their kid's rating before the kid actually needs it. Then they forget the account altogether, and the kid is screwed.
Apparently the lack of licensing agreements would be a major point...
This measurement is bullshit, and I expect it'll cause more harm than good.
Apparently 14% of Americans are on SNAP assistance. On the one hand, yes, that's terribly high and it'd be great to have every American be able to support themselves... but at the same time, it's pointing blame at Amazon for daring to offer low-paying jobs. Again, 14% of Americans are on food stamps. Those 14% are going to need help with or without working for Amazon, so I, for one, am at least glad they're employed and partially offsetting their expenses.
I'd be happy to see studies about how many folks are employed full-time and still need SNAP, or the impact of SNAP participation on economic recovery, or the like, but this seems like a hit piece against one company in particular. Apparently in Pennsylvania and Ohio, the SNAP participation rate lowers to only "around one in 10", but it's phrased like a bad thing to be better than the national average.
Overall, of five states that responded to a public records request for a list of their top employers of SNAP recipients, Amazon cracked the top 20 in four.
From TFS, a perfect example of poor research... How did this result compare to the lists of top employers of non-SNAP recipients, or the count of employees for each company? Amazon is a huge company, and they employ a lot of people. I expect they'll be on the top of a lot of lists.