Slashdot Mirror


User: burrows

burrows's activity in the archive.

Stories
0
Comments
63

Comments · 63

  1. Re:I hate to say it.. on SecurityFocus On MS Security "Hole" · Score: 2

    I agree with the sentiment you are expressing, but I feel this is an incorrect assumption. There are a variety of physical access control solutions for ensuring that an attacker cannot access your actual disk (not the least of which is an advanced case lock). The idea is to see an OS and physical measures work together to protect the data, as opposed to having physical measures to prevent the attacker from getting at the hard drive made useless by a recovery disk.

    In short, I do not believe that it is a safe assumption that access to the cdrom drive and keyboard equates to access to the hard drive. In fact, I sit not too far from a large number of devices that permit me to use a keyboard and cd-rom, yet would not permit me to physically access their drives without a cutting torch.

    The reason I don't like the logic is that it is never acceptable to me to address a vulnerability as insignificant, just because there is another vulnerability that may allow you to do the same thing. If so, then any vulnerability for which there is another vulnerability that achieves the same goals would be considered insignificant. Let's try this theory:

    "That root access telnet vulnerability is insignificant. If you can connect to a service running on the machine, then you could just use the root access Sendmail vulnerability. We shouldn't worry about the telnet vulnerability."

    Frankly, I don't like that philosophy. I'm surprised by how widespread it is.

  2. Re:Tim Mullen on SecurityFocus On MS Security "Hole" · Score: 1

    Agreed, and excellent point.

    I'll do my fifty percent, and I will continue to ask for theirs.

  3. Re:Tim Mullen on SecurityFocus On MS Security "Hole" · Score: 1

    I did read the article, and, further, I thought about it. I am unwilling to accept the "it's a feature, not a bug" philosophy, simply because Mr. Mullen says so.

    Is it a feature? Is it desired behavior? Perhaps we could answer this question by addressing whether an XP recovery console would perform similarly.

    It doesn't. The XP console asks you to log in, provided there is an Administrator password set. If this is the desired behavior, why is it not present in the XP version?

    As for me dismissing him as an apologist, I did nothing of the sort. I observed that he was one, but I hardly think that I dismissed him - rather, I went on to address his primary salient points. In truth, I do have a great deal of respect for him. However, when reading an article, I find it is often worthwhile to address any potential bias on the part of the writer - especially when he calls into question the journalistic integrity of others. If you believe that we should not consider Mr. Mullen's journalistic past, please explain why.
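    Whether the Recovery Console prompts for the Administrator password is a per-machine setting, so a practitioner reading this exchange will want to check the host rather than argue about it. The script below is an added example, not part of the thread or of Mr. Mullen's article. It assumes a Windows 2000/XP/2003 host on which the Recovery Console is installed, and reads the registry values that back the Security Options policies "Recovery console: Allow automatic administrative logon" (SecurityLevel) and "Recovery console: Allow floppy copy and access to all drives and all folders" (SetCommand). The function name Get-RecoveryConsolePolicy is my own.

```powershell
# Added example, not code from the original thread. Reports whether the Recovery
# Console on this Windows 2000/XP/2003 host will log an administrator in without
# asking for a password. Assumes the host has the Recovery Console installed.
$RecoveryConsoleKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'

function Get-RecoveryConsolePolicy {
    param([string]$Path = $RecoveryConsoleKey)

    if (-not (Test-Path $Path)) {
        # No key: console not installed, or a Windows version that no longer ships it.
        return [pscustomobject]@{ Present = $false; AutoAdminLogon = $false; SetCommand = $false }
    }

    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        Present        = $true
        # SecurityLevel = 1: log on as Administrator without prompting for the password.
        AutoAdminLogon = ([int]$p.SecurityLevel -eq 1)
        # SetCommand = 1: the SET command is enabled, which lifts the default limits
        # on copying files out of the system and browsing all drives and folders.
        SetCommand     = ([int]$p.SetCommand -eq 1)
    }
}

$policy = Get-RecoveryConsolePolicy

if (-not $policy.Present) {
    Write-Output 'Recovery Console registry key not found; nothing to check here.'
}
elseif ($policy.AutoAdminLogon) {
    Write-Warning 'Recovery Console logs on as Administrator WITHOUT a password.'
    Write-Warning 'Anyone at the keyboard with the install CD gets an administrative shell.'
    Write-Output "Fix: Set-ItemProperty -Path '$RecoveryConsoleKey' -Name SecurityLevel -Value 0"
}
else {
    Write-Output 'Recovery Console requires the Administrator password (SecurityLevel = 0).'
}

if ($policy.Present -and $policy.SetCommand) {
    Write-Warning 'SET is enabled in the Recovery Console; file copy-out restrictions can be disabled from inside it.'
}
```

    Run it in an elevated PowerShell session on the host being audited. Note the caveat that runs through the rest of this thread: SecurityLevel = 0 only makes the Recovery Console itself ask for a password; it does nothing about other boot media an attacker with keyboard and CD-ROM access might bring, so it complements, rather than replaces, the physical controls discussed in comment 1.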

  4. Re:I hate to say it.. on SecurityFocus On MS Security "Hole" · Score: 2, Insightful

    I'm not a fan of this "point", really. Security in light of physical access is a problem with many operating systems. Is it any less of a problem with XP, just because it is also a problem with OpenBSD?

    I believe that all vendors need to consider physical access issues. OpenBSD has made a start, in the sense that you can at least disable the vulnerability to which you refer. I would like to see Microsoft make some progress as well. I'm not going to run around screaming that the sky is falling, but I will take note of the vulnerability, and as a customer, I will let my vendor know that I would like a solution.

  5. Re:Tim Mullen on SecurityFocus On MS Security "Hole" · Score: 3, Informative

    Here's a sample of Mr. Mullen's "unbiased" approach to Microsoft security:

    http://www.securityfocus.com/columnists/127

  6. Tim Mullen on SecurityFocus On MS Security "Hole" · Score: 1, Insightful

    Tim Mullen is probably the most notorious apologist for Microsoft in the security community. He is known far and wide for his articles (accompanying every notable security problem with a Microsoft product) which attempt to downplay exposure and combat anti-Microsoft hype.

    In this particular case (as per his MO), Mr. Mullen attempts to downplay the threat involved in this situation by first declaring that it is desired behavior (it's a feature, not a bug), and then addressing the most poorly researched articles from a press that we all recognize can't get its facts straight.

    Sure. The press is often whack on this stuff. Sure, the Recovery Console is doing what it's intended to do. However, is what it's intended to do unacceptable? Is it still unacceptable, even though the press doesn't understand it?

    Mullen's logic seems to be, "Hey, it's not a 10 on the panic scale, like some say it is, so it must not be on the panic scale at all."

    Seventh graders in debate club recognize this logic as faulty.

  7. Re:first, a list on Realistic Portrayals of Software Programmers? · Score: 1
  8. Re:Link to the proposed legislation on Senators Aim to Wirelessly Jumpstart Broadband · Score: 1

    The commentary is actually up now.

  9. Link to the proposed legislation on Senators Aim to Wirelessly Jumpstart Broadband · Score: 3, Informative

    Here is a link to the proposed legislation, via the Freeside blog:

    Proposed bill

    Freeside is promising an analysis of the bill as well, but it's not up yet.

  10. Re:And, herein lies their fallacy... on Lessig's Thoughts On Eldred v. Ashcroft Arguments · Score: 1

    Wow. You are a Marxist.

  11. Re:Confusing headline on Speed Of Light Broken With Off Shelf Components · Score: 1

    They're not talking about the speed of light, but the speed of light transmission. Slightly less spectacular, to say the least.

  12. Re:http://www.berbee.com on Recommendations for Third Party Security Audits? · Score: 1

    Agreed. I have found berbee to be extremely knowledgeable. Though I have not received an audit from them myself, I have worked with a number of companies that have, and the work has been excellent. One of the advantages to this organization is that they don't have the same potential for conflict of interest that someone like ISS or Cisco may have. Here are some opinions on various others:

    Cisco - potential conflict of interest, particularly if you are a Cisco shop (which you probably are, at least partly). The Cisco SPA team has been noted for their skill in the past, probably due to the addition of the Wheel Group team via acquisition. The Wheel Group guys were top-notch (great Fortune article on them from a few years back, if you want more details on them), but I don't know that many of them are still with Cisco.

    ISS - absolutely not. Again, conflict of interest. ISS's consulting services are not a core competency for them. It has been said that ISS has consulting services for the express purpose of moving more product. The mere possibility that this is true disqualifies them, much like Cisco. Additionally, I have seen some terrible work from these guys - i.e. missing major weaknesses in policy like failure to enable lockouts on an NT domain.

    @stake - honestly, I haven't seen their work in a while, so I don't know if they have improved. However, as of roughly 2 years ago, they were terribly unorganized and extremely expensive. I recall an associate shouting about an exorbitant hourly fee to have a "Junior Engineer" (@stake's term, not mine) take a look at around 50 servers. Additionally, I have seen problems with sales people being less than responsive, and an unwillingness on the part of the technical contact to discuss their methods. If you are a big community booster, you may also question their questionable stance on full open disclosure (more here).

    Foundstone - The skill level you can expect from these guys is solid. I have been pleased with the expertise and professionalism of technical contacts from Foundstone, and the management team is certainly very capable in the technical arena. However, there is a catch. In general, I think it is wise to stay away from anyone that sells a "certification" of your security. Business security certifications that are not a direct one-to-one reflection of an accepted standard (ISO/IEC 17799 for instance) tend to be packages designed to sell more services. Who knows what you may have to buy to maintain compliance? I don't, since the web page has only sparse vague comments on their methodology.

    Bottom line is this: you want someone that is professional, has quality references, is free from conflicted interests, and most of all, is open with you about their methodology. You want someone that makes you feel comfortable, and treats your potential relationship as an opportunity to educate you and equip your staff to deal with security from an intelligent business decision standpoint. Berbee is not perfect, but I have seen the best blend of these elements in them.

  13. A link to the "manifesto" on Hardball Tactics For The Geek Lobby · Score: 2, Informative

    Read the manifesto here...

    Vote with your /.ing for starters...

  14. Re:Change Over Time on Security: The Window of Exposure · Score: 1

    Go to Amazon.com. Search for Bruce's new book, entitled "Secrets and Lies: Digital Security in a Networked World" ISBN 0471253111. Click on "See all editorial reviews..." Scroll down to find the posting by Bruce Schneier himself. Here he explains the change in his security approach. Then scroll back up to the top, click "Add to shopping cart", fill out an order, and wait for it to arrive. Actually read it. He explains even better in the actual book. You will be able to read it fairly easily, as it's not so complex as the first 10 pages of Applied Cryptography that you managed to fight through before deciding that it was just too hard, like reading bugtraq, and giving up on it.

  15. Re:Now this is unusual... on White House Files Amicus Brief Favoring RIAA · Score: 1

    Hell... There's no way I would have bought that iMac if I hadn't intended to use it for audio work. Of course, now it runs Linux and serves web pages instead...

  16. Re:Why bother "boycotting"? on Boycott of Music Industry's Hacker Challenge Urged · Score: 2

    The soundcard out/in trick does not work. However, I have already hacked SDMI's method. It's a pretty simple hack. I will be informing the engineers of my hack. I am not interested in boycotting. Why? At DefCon in Las Vegas this year, I had a great conversation with Theo de Raadt. We were discussing the existence of zero-day exploits, and his relentless efforts to beat hackers to the punch with OpenBSD. My contention at the time was that if I have written a zero-day exploit, it is my own work, for which I am the original author, and I have the right to keep it a "trade secret" of sorts by not informing the public of the vulnerability. Theo didn't even have to think about my point (I assume he had heard it many times before). He just looked at me and said "Sure, the exploit is yours, and you can do what you want with it. But why be secret? Don't you want it to get fixed? Don't you want the technology to get better?" I guess that really struck me. There are many different types of hackers out there, and you can divide them up and classify them until you are blue in the face (check out a book called "Hackers: Crime in the Digital Sublime" by Paul A. Taylor), but I like to think of hackers as primarily falling into two categories. People that like to test the limits of the technology and push the envelope of the common body of knowledge, and people who just like to get what isn't theirs in a rebellious way. Theo pointed out that if you are any good at all, you will find more vulnerabilities. You will be able to exploit those new vulnerabilities. You will advance technology further, and you will start testing again each time it progresses. On the other hand, if you aren't any good, you may want to hold on to your exploit. You may fear that you won't be able to come up with anything that clever again. You may be disappointed when the vulnerability is fixed, because you can no longer exploit it for your own purposes.

    I think the problem here is that some of the Linux supporters don't really want the SDMI technology to get any better. They want the technology to be weak, and they want to be able to exploit it. They want the technology to fail. I understand this mentality, but for me, that is not what hacking is about. Keep in mind, that I do not want the cash prize either (it's always good to have money, but I am not going to wait for the contest to let them know what I have found). As for the very vague and uneducated "reasons" why the author of the article is opposed to this contest (read: opposed to the technology), he's pretty far off base. The SDMI technology does not prevent you from copying files. It does not prevent you from exercising your right to reasonable private use of the art. All it does is place a digital watermark on the file that identifies it as belonging to whoever paid for it. It's like a digital name tag. This isn't an intrusive concept at all. I label all of my CDs. Granted, I do not label all of the MP3s I download from Napster, but I am not opposed to technology that would allow me to either. As for concerns that this technology is a violation of privacy (an infringement of rights that, in my mind, is absolutely not permissible under any circumstances), I just don't see it. Having an identifier on my files is not a violation of my privacy. The biggest threat to privacy I can see here is that whenever I download music, someone might be able to catalogue the music that I am interested in by tracking the music that I encode on the servers. This is not a problem with the SDMI technology. This problem exists all over. What about Amazon? Do you think that MP3.com or Napster couldn't be used for similar evils? The fact is, any time you set up an account on someone's server, and start shopping, you are running the risk of being monitored. That is where the potential for violation of privacy lies. So what is the real problem with SDMI?

    What is the REAL reason for wanting it to fail? We like our MP3s. We like Napster. We like violating copyright laws. I admit to downloading tons of copyrighted music from Napster (Napster tripled my day-to-day bandwidth requirements). We use Stream Ripper all the time to rip MP3s from streaming audio for our private collections. We like taking what is not ours and getting away with it. And some people fear that SDMI will make it difficult for us to do so, which is probably true. If that is the case, then you will want to hack the technology anyway. You will want to publish your hack so that you can liberate the audio warez traders as a whole. SDMI will become aware of your hack. They will fix it. What they are doing by offering this contest is avoiding the security practice that we have objected to in Microsoft products, amongst others. They are allowing the standard to be tested before it gets pushed out to tons of end users. I don't think this is WHY they are doing the contest. They are probably doing it for publicity, as many have already noted. However, a side effect is that they are actually giving people a crack at it. And I thank them for that opportunity. I want the technology to get better.

  17. Re:Guerrilla! on What's A Reluctant Inventor To Do? · Score: 1

    Heheheh... Ok, you get points for being hardcore. Problem here is, this company probably has some pretty significant evidence that they have original authorship (or at least one of their employees was the original author). It would be a hard and probably fruitless battle for the EFF (something they are used to). However, Anonymous Cowardly Guerrilla Commenter, if it makes you feel any better, this is my favorite slashdot reply to date. Just printed it and put it on my wall. Heheh... Guerrilla Software Freedom Fighters... heheh...

  18. You can take some comfort in patent protocol on What's A Reluctant Inventor To Do? · Score: 1

    Although you may be forced to get involved in a patent that you are not at all behind, you may be able to take some comfort in the general protocol of patent ownership. The fact of the matter is, most company-owned patents of a software or hardware nature are generally not aggressively defended. On the contrary, most of the time, companies seek software and hardware patents as a defensive measure. There are some companies out there that have truly original patents on inventions that are widely used, and they aggressively pursue these patents. However, the most common use of software and hardware patents is to defend against aggressive patent holders. When a company contacts your company's legal department in an attempt to enforce a patent, your company would reference its own collection of patents to see if there is something that they can counter-enforce. In the realm of overly general patents such as the one you are concerned about, your company may find something that it can use to counter-enforce. They then approach the aggressor with this counter-patent, and generally the other company either backs off, or is willing to find a compromise that is attractive to both parties. So if you are concerned about immoral enforcement of a patent that you are party to, you must first ask yourself if the patent is so broad as to actually include technology that is either A) damn similar to technology another company is using, or B) a technology that will foreseeably be widely implemented in various ways by other companies in your field. If so, then there is a good chance that this is a defensive patent, and you have little to worry about. If, on the other hand, your invention could possibly be a trade secret (it is totally revolutionary, and no one else is likely to come up with a similar technology without examining yours), then there is a strong possibility that this patent could be used aggressively.

    However, these sorts of revolutionary patents are not common, and generally not seen as "a patent", so much as "the patent that is going to kick our competitors' asses and place us years ahead of the field". It's never fun to sign a patent that you think is sketchy, but if you are forced to, I hope these ideas will help set you on the path to enlightenment about what happens with that patent after you sign it. If you decide to try to fight the patent from within the company, I agree with several other posts here - it's wise to get a lawyer. And yes, a headhunter might be a good idea as well.

  19. Re:How will SCO Survive? on Ask SCO Presidents About Linux Adoption · Score: 1

    First off, interesting post.

    Secondly, I would like to add a few more questions to this line: How might a closed company like SCO establish/maintain a market advantage over an equally well-developed open project without attacking the open nature of the competition? In other words, how will SCO compete with an equally well-developed Linux (when there is one) without pointing out weaknesses in the open model?

    For instance, Microsoft seems to have battled Linux by attacking its open nature. SUN, however, embraces open development, and seems to be succeeding against Linux in the server market by virtue of the assertion (whether or not it is correct) that SUN is better suited for high-impact enterprise situations, and that Linux cannot handle the load that Solaris can. What is SCO's angle? Do you think that the advantages can be maintained in the face of an army of programmers? If so, how?

    At any rate, I wish you luck, and I anticipate your further excellent contributions to computing.

  20. Re:The sooner Iridium burns the better on Trying to Save Iridium · Score: 1

    Well, no. Dictionary.com provides us this as an optional definition of "system": "A network of structures and channels, as for communication, travel, or distribution." My understanding is that there are multiple such networks within the realm of Iridium. Let us for instance hope that they are not running their entire business off of, say, a single X25 LAN. How is Local Management and Positioning information transmitted? You seem to be asserting that this is done in-band from an Iridium phone (only one system). Thanks for the smartass comment, but I am still looking for an answer to my question.

  21. Re:The sooner Iridium burns the better on Trying to Save Iridium · Score: 1

    Are there any other sites you know of that provide detailed technical information regarding the workings of Iridium satellite systems?

  22. Re:No more tax revenue and business in France... on Anonymous Web Hosting Banned In France · Score: 1

    This simply appears to be an issue of government (albeit possibly not yours) regulating Internet content. This is an issue for anyone concerned with Internet freedoms and privacy.

    Some related information that would be nice to see might be HOW the government achieves access to the identities of webmasters, as well as who else might have this same sort of access.

    I realize that there is a large number of people that cannot understand why someone would need to post something anonymously, but think of it as being required to state your social security number before speaking in any public forum. It is simply not necessary, and a bit alarming. Your concerns about the business aspects are valid, but I think it may be hasty to assume that your stated concern is the only uncomfortable angle to this issue.

  23. Re:European governments strike again. on Anonymous Web Hosting Banned In France · Score: 1

    It seems that this is still very similar to American policy. The Digital Millennium Copyright Act (DMCA) tells us that if an American admin has something on their server that is a legal problem, the admin can be held responsible. I suppose the question now is whether anonymous hosting services will still exist in France. If I had the money, I would certainly provide this service, knowing full well that I may get in trouble for a client's content. I would just be very careful how I went about it. Any word from French providers yet?

  24. Re:Distribution Model on The Dark Side Of Napster · Score: 1

    Rumor has it that a technology that will allow us to do this properly is being developed by a company called Veda Labs. I have heard from circumcampfire discussions that they will support the Big Three platforms (Win, Mac, Unix), and that they will be able to encode for a specific user on the fly. Unfortunately I don't have any details at this point, as their web site is rather sparse. It would be much appreciated if a Veda Labs representative would post and provide more information. It seems to me, however, that without some rather serious ties to the Open Source community, warez pups, and music industry giants alike, this plan will be difficult to implement. People like free stuff. They seem willing to participate in underground distribution rings of illegally copied material so long as the material is freely distributed, in digital format, and reasonably difficult to track (thus providing extensive ease of acquisition with low potential consequence). I just know that I love music. I love computers. I will always seek ways to combine them. I am not alone.

  25. Re:No no please, allow me to laugh LAST.. on Mac OS X Officially Previewed · Score: 1

    My first box was a ][e, and I have long held a soft spot for Apple, but I didn't think they could give me what I need... A desktop machine that has the strengths of UNIX without its greatest weakness - crappy environment. MacOS is comfortable, user-friendly, and stunning. I used to follow that comment with the common gripes about MacOS - bad process management, bad filesystem, no preemptive multitasking, no strong network technology, etc etc... But all of these things have been "fixed" in MacOSX, and if it can do what it claims it can do, then I will be its biggest supporter. I will still run true UNIX for my servers, and I will be an Open Source programmer until I die, but it would be nice to finally look back on Windows and laugh. The question is... can MacOS go from being the world's most aggravating popular OS to the world's smoothest? I have my doubts and my hopes all balled up in a question that may be even more important - WHEN DO WE GET TO TRY IT OUT?