No, it wasn't. The way the 4th amendment is worded, No soldiers can be quartered in any house without consent of the owner during peace times. During war, they may so long as it is done in a manner which was prescribed by law (So as long as the government passed a law with guidelines on how to do it, it is legal for soldiers to bed in a home without the consent of the owner)... At least that's how I read it...
No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.
Now what's missing from this is that the investigators had a subpoena according to the article.
A subpoena is basically a "request for appearance/data to be used in court". Basically, if I subpoena you for information, that means that you must provide me with the data. The difference in this case, is that the data was taken (Which, according to US law, requires a warrant). Sure, you can be held in contempt of court if you don't abide by a subpoena, but they cannot use a subpoena to "take" data, it must be surrendered. That's what the 4th amendment protects...
But that's not what happened in this case. What actually happened was:
Alice sends Bob a message
Bob receives the message from his ISP
Government goes to Bob's ISP and demands a copy of the email
So in this particular case, Bob's 4th amendment right was violated, and the data was used against Alice. So the fact that Alice's rights weren't compromised in the fetching of the data is meaningless because someone's rights --namely Bob's-- were... And that's where this ruling becomes retarded. Not because Bob chose to disclose the contents, but because the government willfully violated Bob's rights to incriminate Alice...
But there is another flaw in your argument. Bob cannot go and post an email that Alice sent to him on Facebook (well, legally at least). Even though Alice doesn't have 4th amendment rights over Bob's copy, she still does hold copyright over the message. She granted him an implicit license to read the work when she sent it to him. She did not grant a license to show that email to anyone else...
Agreed. But the kicker here, is if EITHER PARTY uses ISP hosted email, then the message is fair game here. So even if I run my own email server, I still probably won't be protected... Yet another right bites the dust in the name of misunderstanding...
I wonder if the same could be said for people who get snail mail delivered to a Post Office Box? It's "delivered" via a third party (albeit one sanctioned by the government)... What about phone calls that go through an intermediary (Like VOIP or forwarding services)? What about telegrams? They all rely on the same concept that the message is delivered via an intermediary, so why aren't they "fair game" as well?
Agreed. And with the direct photo taking of checks, you are removing one of the layers of security that they have (the security paper they are printed on)... I wonder how much of an increase in check photoshoping, err I mean forging we'll see...
Nokia has already paid off its research costs many times over from the sale of cellphones
Sure, for those specific innovations. But R&D is an expensive, time consuming process that leads to many dead ends and few profitable results (if done in the Bell Atlantic method). So they do need to capitalize on the relatively few innovations that are profitable to pave the way for the vast number that are directly profitable (Consider that Bell invented basically DLP way back in the 1970's. Sure, it's a good innovation, but it never paid them profits, because it didn't become economically feasible for decades later).
I think personally software patents are stupid, because the barrier to entry into such a field are so small that it's very hard to realistically say "I'm the first one to ever come up with this idea" and prove it (After all, it could have been part of some student's senior research project in the 70's, but was never "published")... With technologies with a large barrier to entry (especially large barriers to research), patents offer some protection to companies that they can recoup their research costs. Consider the example of someone building computer algorithms for file system interaction. How many man-hours does it take to do that? Sure, there could be a fair number, but probably not man-decades... How many non-human resources are involved? Sure, you do have a few computers/servers/etc, but my guess is MAYBE $10k... Now, consider research into radio protocols for cellphone data. How many man-hours are involved there? Potentially many decades (if you have more 2 or 3 working for any significant amount of time). How many non-human resources? LOTS. FCC licenses, transmitting equipment, diagnostic equipment, potentially hundreds of thousands of dollars (if not millions of dollars). All dedicated (for that particular time at least) to the research. That's why patents exist... To give companies an incentive to do non-trivial innovation... The fact of the mater is (IMHO) for a large number of the software patents that I've seen, the innovation is trivial at best (If not already common knowledge)...
Crap.../. cut out part of my post. After "(The" should have been:
(The less than %1 percent difference from swapping a few KB of RAM would likely not be outside of the statistical error range for reading from RAM). Heck, I'd be surprised if it could reliably detect the 10ms it would take for a drive to seek and read a few KB off disk. It'd probably take several megabytes of continuously swapped data (Depending on quality of the system) or multiple segments of swapped data to detect swapping when reading multiple gigs of data from RAM. I'm not saying it's not possible to think that it swapped. I'm saying that it's MUCH harder to tell with any kind of accuracy.
Well, that's not necessarily true. The root kit could copy the ram to CPU cache eliminating the need to "swap" itself or the newly written data to disk. Or it could do the converse (When the kernel tries to write to the malware's ram segment, write that part to cache instead). That would eliminate the big time delay needed to swap. Besides, a modern drive with write through cache should be trivially slower than Ram for that part of swapped data anyway (assuming that nothing significant was written to disk after that swap). So even if it did swap that random memory segment (which it could do asynchronously on write, so you couldn't detect the write), when it went to read it the disk would find that most recent piece of data in the drives cache, and return it. Sure, there would be a delay to that (it's much slower than ram)... But you're forgetting two things. Since this whole process takes a non-trivial amount of time (Even just reading from memory would take between 1/3 of a second and 3/4 of a second (depending on the ram type used) at full bandwidth, without doing anything with the data), the extra 1 or 2 ms needed for the drive to return the value from cache would be barely noticeable (The And that's based on the assumption that this "black box" external monitor is not influencable by the kernel (meaning it's a dedicated piece of hardware, or on an external machine). If the external process is running on the computer being scanned, it becomes even easier to fool the system...
My whole point with my OP, is that claiming a "Guarantee" is foolish at best. It's only a marketing claim. Any engineer worth their pay wouldn't dare make such a claim, because ANYTHING can be worked around. It only matters how important it is to the bad guys. The only truly secure computer, is one that was never built in the first place. You can make a computer more secure, but someone with enough resources and determination will do what they want with it. All "security" does, is try to make it hard enough to deter all but the most motivated... And if you think ANY security measure is 100% fool proof, you should find another line of work...
Actually, I did read the article, and I still feel my original objection is valid. They admit in the Article that the program would read Ram through the kernel. So if a rootkit was installed, wouldn't it be able to defeat that (Which was the essence of my OP)? Not to mention that swapping ALL Ram to disk and filling it with "random" information would take a non-trivial amount of time (at least seconds, possibly tens of seconds depending on size of ram and speed of hardware). And is it possible that a legitimate program would want to access said memory in that time span? So I must know (at the risk of baiting), how was I not criticizing the article/technique?
Well, wouldn't this require ALL other processes to "sleep" while the check is performed? Sure, Ram is fast, but writing to 4gb of DDR3 would take around 1/3 of a second (excluding the time it took to generate that data and store the hash) considering the peak transfer rate of DDR3 is around 12800 MB/s (Using the best case)... So in reality, you're looking at well over 1/3 of a second (potentially into the seconds. And that's just for writing. You need to swap everything out first. So the whole process could take several seconds to complete. Now, if the computer is doing ANYTHING (GUI is active, servers are active), they'll either cause the memory to be paged back in (And hence be detected as malware), or (if this software blocks the paging attempt) stall waiting for it to page. So the computer would have a several second "pause" where it wouldn't react to anything (and possibly lose the inputs in that timespan, since memory can't be written to)... So that means this is useless on any kind of an active computer (Server, computer being used, computer with any kind of process that runs long term, etc)?
In theory, theory and reality are equivalent. In reality, they are quite different...
Seriously, how could this possibly work for ALL (including undocumented, and hereto unknown) threats? And if it does it by reading straight from RAM (through the kernel), wouldn't a rootkit be able to trivially defeat that?
I wouldn't match it. Not because I couldn't reach that speed, but because I chose not to. I prefer to take the time to make sure every cable is secure, that each screw goes in straight, not stripped and tight. I take the time to apply thermal grease and make sure it's applied well before carefully placing the heat sink so as not to disturb the grease... I take the time to power the computer up while the case is still apart and on the bench, so that I can verify that all components are working properly before buttoning it up. Sure, doing it fast is nice. It may take twice the time to get it together, but I wonder how much longer it would take you to figure out what's wrong when something doesn't work (including removing the case, and possibly removing components that are blocking the issue)...
Seriously. Rack mounted server? That was just a regular computer case (Sure, it could be rack mounted, but that kind defeats the point of a rack)... Where's the thermal paste? Not to mention the IDE hard drives (I thought SCSI at first, but that doesn't look like a u320 68 pin (or 80 pin) SCSI, so I can only assume it's IDE...
The better test would be to give all the parts set on the table along with all the screws. Then time from the first part picked up to the computer booting into a boot CD (to test that everything actually works). For bonus points, chose the parts from a bin (So they would have to select the proper CPU/Mobo combination, etc)...
but if there were, the company that produced it would be at fault.
Actually, not by what I explained before. IF the company did all testing that's customary (and not "cut corners"), and saw absolutely no evidence to the contrary, it would have absolutely no way of knowing if there was a fault. Nor could they be expected to know about that fault (After all, if they truly did all the proper research and testing, those kind of defects would have been found). So if you have an issue crop up in the real world, it's not negligence. Now, if it can be shown that additional testing would have discovered the issue (And that testing was not required or widely used at the time) then you could make a claim against the FDA, but the Pharma still acted in what was considered a safe and responsible manor. Sure, it sucks there were issues, but there ALWAYS can be issues and where would society be if you throw the book at anyone who'se involved in an accident?...
The reason the Vioxx was an issue is that the company had knowledge about the side-effects, and still chose to release the product. THAT's negligence. There's a BIG difference...
The difference is simple, negligence. Is a drug company that develops a vaccine --and spends decades testing it-- negligent because it had a hereto-unknown side effect? I don't think so. Is the drunk driver negligent? Absolutely. Is the manufacturer of a car negligent if one tire blows at highway speed and injures someone? A lot harder of a question. Was it caused by a defect in design or defect in manufacture? If not, it wasn't negligence. If so, did they know about it or --and this is the key point-- SHOULD they have known about it (basically were there standard (or at least commonly used) tests that could have found it? If not, I don't think it's negligence. It's a very dangerous idea to say that if a company wasn't negligent, they should still pay (I'm talking above and beyond a refund). That's the exact reason that healthcare costs are spiraling out of control. Not because THAT many doctors have been negligent, but because courts have found them guilty even though there was no negligence... That's not justice, that's punishing the innocent... It's a fine line, but it's a line that must be respected and defended...
Well, first off, yes, I could quit if I found it wrong. Secondly only the higher ups (the board, and VP's) could suffer criminally. Third, you would face the repercussions, just like Google would, because both are violating the laws of the land. The difference would be if you felt justified in breaking that law. With marijuana specifically, there are avenues open to exploration and a possible path to legality without just starting selling the product. With censorship, there's practically no alternative than defiance (how else would you plan on fighting it?)... So that's not really an apples to apples comparison...
For at least a few of these tablets, they are equating Linux with Android... So yes, it is designed for a touch screen interface (And multi-touch at that)...
But I do agree that taking something that was designed exclusively for use with a mouse and keyboard and slapping it on something with a touch screen is a recipe for disaster...
How are these clones? The iPad was announced what, 2.5 months ago? Doesn't it take significantly longer than that to engineer, design and develop a device to market? So if these were in the works long before the iPad was announced, how can then POSSIBLY be clones? Or is this just successful Apple marketing to instill the idea that if a "Major Player" is first to press (Which the iPad wasn't by the way), all others become imitators? That's like saying that Apple invented the smart phone, or that MS invented the home computer, or that Google invented online document editing and storage...
But what happens when the government is so powerful that the people can't conceivably fight back? They need someone larger to stand up for their interests. Be it a company or a country, the net affect is the same... I'm so tempted to invoke Godwin's Law here...
Minus the extra $25k per year that would otherwise be thrown away to the contract firm (or to the IT worker if independently contracted). So in the end, it works for a net win for the state (They could take that $12.5 million they just saved and push it towards the pension package, or reducing taxes, or paying off some of their debt, or something else useful)...
Which means that the process CANNOT be part of installing regular, good applications.
Actually here, I disagree. I think the issue with UAC is not that it's just something that the user has to click through, but because it displays information that's meaningless to the average user. What use is "Are you sure you want to run this program" when a user knows that clicking a program causes it to run? But if you popped up a dialog that spoke plain english about what the program is trying to do, I think the result would be different... Instead of asking "This program is requesting administrative rights", say the specific right it's asking to do "This programs wants to start itself every time windows starts, do you want to let it?". Or "This program wants to modify the windows login screen, do you want to let it?", or "This program is requesting access to your personal data, do you want to let it?", or "This program is requesting access to your music collection, do you want to let it?"...
Slashdot Mirror
A subpoena is basically a "request for appearance/data to be used in court". Basically, if I subpoena you for information, that means that you must provide me with the data. The difference in this case, is that the data was taken (Which, according to US law, requires a warrant). Sure, you can be held in contempt of court if you don't abide by a subpoena, but they cannot use a subpoena to "take" data, it must be surrendered. That's what the 4th amendment protects...
So in this particular case, Bob's 4th amendment right was violated, and the data was used against Alice. So the fact that Alice's rights weren't compromised in the fetching of the data is meaningless because someone's rights --namely Bob's-- were... And that's where this ruling becomes retarded. Not because Bob chose to disclose the contents, but because the government willfully violated Bob's rights to incriminate Alice...
But there is another flaw in your argument. Bob cannot go and post an email that Alice sent to him on Facebook (well, legally at least). Even though Alice doesn't have 4th amendment rights over Bob's copy, she still does hold copyright over the message. She granted him an implicit license to read the work when she sent it to him. She did not grant a license to show that email to anyone else...
Agreed. But the kicker here, is if EITHER PARTY uses ISP hosted email, then the message is fair game here. So even if I run my own email server, I still probably won't be protected... Yet another right bites the dust in the name of misunderstanding...
I wonder if the same could be said for people who get snail mail delivered to a Post Office Box? It's "delivered" via a third party (albeit one sanctioned by the government)... What about phone calls that go through an intermediary (Like VOIP or forwarding services)? What about telegrams? They all rely on the same concept that the message is delivered via an intermediary, so why aren't they "fair game" as well?
Agreed. And with the direct photo taking of checks, you are removing one of the layers of security that they have (the security paper they are printed on)... I wonder how much of an increase in check photoshoping, err I mean forging we'll see...
Sure, for those specific innovations. But R&D is an expensive, time consuming process that leads to many dead ends and few profitable results (if done in the Bell Atlantic method). So they do need to capitalize on the relatively few innovations that are profitable to pave the way for the vast number that are directly profitable (Consider that Bell invented basically DLP way back in the 1970's. Sure, it's a good innovation, but it never paid them profits, because it didn't become economically feasible for decades later).
I think personally software patents are stupid, because the barrier to entry into such a field are so small that it's very hard to realistically say "I'm the first one to ever come up with this idea" and prove it (After all, it could have been part of some student's senior research project in the 70's, but was never "published")... With technologies with a large barrier to entry (especially large barriers to research), patents offer some protection to companies that they can recoup their research costs. Consider the example of someone building computer algorithms for file system interaction. How many man-hours does it take to do that? Sure, there could be a fair number, but probably not man-decades... How many non-human resources are involved? Sure, you do have a few computers/servers/etc, but my guess is MAYBE $10k... Now, consider research into radio protocols for cellphone data. How many man-hours are involved there? Potentially many decades (if you have more 2 or 3 working for any significant amount of time). How many non-human resources? LOTS. FCC licenses, transmitting equipment, diagnostic equipment, potentially hundreds of thousands of dollars (if not millions of dollars). All dedicated (for that particular time at least) to the research. That's why patents exist... To give companies an incentive to do non-trivial innovation... The fact of the mater is (IMHO) for a large number of the software patents that I've seen, the innovation is trivial at best (If not already common knowledge)...
Just my $0.02...
Honestly, that's the kind of time range I'd expect it to be done in...
Crap... /. cut out part of my post. After "(The" should have been:
(The less than %1 percent difference from swapping a few KB of RAM would likely not be outside of the statistical error range for reading from RAM). Heck, I'd be surprised if it could reliably detect the 10ms it would take for a drive to seek and read a few KB off disk. It'd probably take several megabytes of continuously swapped data (Depending on quality of the system) or multiple segments of swapped data to detect swapping when reading multiple gigs of data from RAM. I'm not saying it's not possible to think that it swapped. I'm saying that it's MUCH harder to tell with any kind of accuracy.
Well, that's not necessarily true. The root kit could copy the ram to CPU cache eliminating the need to "swap" itself or the newly written data to disk. Or it could do the converse (When the kernel tries to write to the malware's ram segment, write that part to cache instead). That would eliminate the big time delay needed to swap. Besides, a modern drive with write through cache should be trivially slower than Ram for that part of swapped data anyway (assuming that nothing significant was written to disk after that swap). So even if it did swap that random memory segment (which it could do asynchronously on write, so you couldn't detect the write), when it went to read it the disk would find that most recent piece of data in the drives cache, and return it. Sure, there would be a delay to that (it's much slower than ram)... But you're forgetting two things. Since this whole process takes a non-trivial amount of time (Even just reading from memory would take between 1/3 of a second and 3/4 of a second (depending on the ram type used) at full bandwidth, without doing anything with the data), the extra 1 or 2 ms needed for the drive to return the value from cache would be barely noticeable (The
And that's based on the assumption that this "black box" external monitor is not influencable by the kernel (meaning it's a dedicated piece of hardware, or on an external machine). If the external process is running on the computer being scanned, it becomes even easier to fool the system...
My whole point with my OP, is that claiming a "Guarantee" is foolish at best. It's only a marketing claim. Any engineer worth their pay wouldn't dare make such a claim, because ANYTHING can be worked around. It only matters how important it is to the bad guys. The only truly secure computer, is one that was never built in the first place. You can make a computer more secure, but someone with enough resources and determination will do what they want with it. All "security" does, is try to make it hard enough to deter all but the most motivated... And if you think ANY security measure is 100% fool proof, you should find another line of work...
Actually, I did read the article, and I still feel my original objection is valid. They admit in the Article that the program would read Ram through the kernel. So if a rootkit was installed, wouldn't it be able to defeat that (Which was the essence of my OP)? Not to mention that swapping ALL Ram to disk and filling it with "random" information would take a non-trivial amount of time (at least seconds, possibly tens of seconds depending on size of ram and speed of hardware). And is it possible that a legitimate program would want to access said memory in that time span? So I must know (at the risk of baiting), how was I not criticizing the article/technique?
Well, wouldn't this require ALL other processes to "sleep" while the check is performed? Sure, Ram is fast, but writing to 4gb of DDR3 would take around 1/3 of a second (excluding the time it took to generate that data and store the hash) considering the peak transfer rate of DDR3 is around 12800 MB/s (Using the best case)... So in reality, you're looking at well over 1/3 of a second (potentially into the seconds. And that's just for writing. You need to swap everything out first. So the whole process could take several seconds to complete. Now, if the computer is doing ANYTHING (GUI is active, servers are active), they'll either cause the memory to be paged back in (And hence be detected as malware), or (if this software blocks the paging attempt) stall waiting for it to page. So the computer would have a several second "pause" where it wouldn't react to anything (and possibly lose the inputs in that timespan, since memory can't be written to)... So that means this is useless on any kind of an active computer (Server, computer being used, computer with any kind of process that runs long term, etc)?
In theory, theory and reality are equivalent. In reality, they are quite different...
Seriously, how could this possibly work for ALL (including undocumented, and hereto unknown) threats? And if it does it by reading straight from RAM (through the kernel), wouldn't a rootkit be able to trivially defeat that?
I wouldn't match it. Not because I couldn't reach that speed, but because I chose not to. I prefer to take the time to make sure every cable is secure, that each screw goes in straight, not stripped and tight. I take the time to apply thermal grease and make sure it's applied well before carefully placing the heat sink so as not to disturb the grease... I take the time to power the computer up while the case is still apart and on the bench, so that I can verify that all components are working properly before buttoning it up. Sure, doing it fast is nice. It may take twice the time to get it together, but I wonder how much longer it would take you to figure out what's wrong when something doesn't work (including removing the case, and possibly removing components that are blocking the issue)...
Seriously. Rack mounted server? That was just a regular computer case (Sure, it could be rack mounted, but that kind defeats the point of a rack)... Where's the thermal paste? Not to mention the IDE hard drives (I thought SCSI at first, but that doesn't look like a u320 68 pin (or 80 pin) SCSI, so I can only assume it's IDE...
The better test would be to give all the parts set on the table along with all the screws. Then time from the first part picked up to the computer booting into a boot CD (to test that everything actually works). For bonus points, chose the parts from a bin (So they would have to select the proper CPU/Mobo combination, etc)...
Crap, good point. I did a quick read of the spec sheet when I posted, albeit too quick... http://www.atmel.com/dyn/resources/prod_documents/8271S.pdf
Now that I re-read it, it was not relevant... I guess I was sleeping at the time...
Not to mention that the Arduino contains a boot-loader...
Sure, the DIY part is cool, but to say that this was a difficult feat isn't very accurate...
Actually, not by what I explained before. IF the company did all testing that's customary (and not "cut corners"), and saw absolutely no evidence to the contrary, it would have absolutely no way of knowing if there was a fault. Nor could they be expected to know about that fault (After all, if they truly did all the proper research and testing, those kind of defects would have been found). So if you have an issue crop up in the real world, it's not negligence. Now, if it can be shown that additional testing would have discovered the issue (And that testing was not required or widely used at the time) then you could make a claim against the FDA, but the Pharma still acted in what was considered a safe and responsible manor. Sure, it sucks there were issues, but there ALWAYS can be issues and where would society be if you throw the book at anyone who'se involved in an accident?...
The reason the Vioxx was an issue is that the company had knowledge about the side-effects, and still chose to release the product. THAT's negligence. There's a BIG difference...
The difference is simple, negligence. Is a drug company that develops a vaccine --and spends decades testing it-- negligent because it had a hereto-unknown side effect? I don't think so. Is the drunk driver negligent? Absolutely. Is the manufacturer of a car negligent if one tire blows at highway speed and injures someone? A lot harder of a question. Was it caused by a defect in design or defect in manufacture? If not, it wasn't negligence. If so, did they know about it or --and this is the key point-- SHOULD they have known about it (basically were there standard (or at least commonly used) tests that could have found it? If not, I don't think it's negligence. It's a very dangerous idea to say that if a company wasn't negligent, they should still pay (I'm talking above and beyond a refund). That's the exact reason that healthcare costs are spiraling out of control. Not because THAT many doctors have been negligent, but because courts have found them guilty even though there was no negligence... That's not justice, that's punishing the innocent... It's a fine line, but it's a line that must be respected and defended...
Well, first off, yes, I could quit if I found it wrong. Secondly only the higher ups (the board, and VP's) could suffer criminally. Third, you would face the repercussions, just like Google would, because both are violating the laws of the land. The difference would be if you felt justified in breaking that law. With marijuana specifically, there are avenues open to exploration and a possible path to legality without just starting selling the product. With censorship, there's practically no alternative than defiance (how else would you plan on fighting it?)... So that's not really an apples to apples comparison...
For at least a few of these tablets, they are equating Linux with Android... So yes, it is designed for a touch screen interface (And multi-touch at that)...
But I do agree that taking something that was designed exclusively for use with a mouse and keyboard and slapping it on something with a touch screen is a recipe for disaster...
How are these clones? The iPad was announced what, 2.5 months ago? Doesn't it take significantly longer than that to engineer, design and develop a device to market? So if these were in the works long before the iPad was announced, how can then POSSIBLY be clones? Or is this just successful Apple marketing to instill the idea that if a "Major Player" is first to press (Which the iPad wasn't by the way), all others become imitators? That's like saying that Apple invented the smart phone, or that MS invented the home computer, or that Google invented online document editing and storage...
But what happens when the government is so powerful that the people can't conceivably fight back? They need someone larger to stand up for their interests. Be it a company or a country, the net affect is the same... I'm so tempted to invoke Godwin's Law here...
Minus the extra $25k per year that would otherwise be thrown away to the contract firm (or to the IT worker if independently contracted). So in the end, it works for a net win for the state (They could take that $12.5 million they just saved and push it towards the pension package, or reducing taxes, or paying off some of their debt, or something else useful)...
Actually here, I disagree. I think the issue with UAC is not that it's just something that the user has to click through, but because it displays information that's meaningless to the average user. What use is "Are you sure you want to run this program" when a user knows that clicking a program causes it to run? But if you popped up a dialog that spoke plain english about what the program is trying to do, I think the result would be different... Instead of asking "This program is requesting administrative rights", say the specific right it's asking to do "This programs wants to start itself every time windows starts, do you want to let it?". Or "This program wants to modify the windows login screen, do you want to let it?", or "This program is requesting access to your personal data, do you want to let it?", or "This program is requesting access to your music collection, do you want to let it?"...