Well, most of us want software patents eliminated. I've seen no real justification for allowing software patents.
The thing is, at least in the context of software patents, when you turn this guy's AMC question around, the question becomes downright silly. "If software patents were eliminated, do you think anyone would write software?" That's just an absurd question to ask, particularly given that most companies assumed that most software patents were not allowed until a key court decision (Sidney A. DIAMOND, Commissioner of Patents and Trademarks, Petitioner,
v.
James R. DIEHR, II and Theodore A. Lutton) changed that assumption in 1981. So the question becomes, "Why did anyone write software before 1981?"
And the answer requires us to dig a little deeper. Unlike most patentable works, software also has copyright protection. For any nontrivial piece of software, that should be enough to guarantee several years of revenue before anyone can usefully come up with a competing product, even if you do nothing but create the product and sit on your laurels without improving it at all.
Based on that, in the absence of compelling evidence to the contrary, it should be clear that in the software world, patents are simply an additional layer of unnecessary overhead, coupled with a corresponding minefield of uncertainty, having no redeeming value.
Why the hell is parent modded to -1? roman_mir is spot on. If I'm surfing a website and it wants to store information locally, the web browser should encrypt it for security reasons.
No, it really shouldn't. For 99% of sites, the user's ability to get to the data if the website goes belly-up without having to write code to extract a key from the user's keychain and decrypt the database trumps the need for encrypted local storage. For the remaining 1%, the site should use ephemeral session cookies that are not persisted to disk.
There's really not a valid use case for encrypted local storage that isn't better served by full-disk encryption.
XSS attacks are due to the programmer not escaping control characters in string literals.
No, not at all. They are very rarely caused by failure to escape < symbols and similar, because those sorts of mistakes are trivial to avoid. XSS attacks are usually caused by the programmer deciding to allow someone to write raw HTML. Sanitizing every attribute to ensure that it doesn't contain any JavaScript code is hard, and the techniques for doing so are often app-dependent, because only the web app developer knows how any custom attributes are going to get used.
SQL injection attacks, however, are caused by failing to escape things correctly.
What really sucks is when our front-end server, which escapes everything correctly, forwards an attacker's string to the back-end server, running a SQL DB, and they're not prepared for SQL injection. So then THAT team needs to get smacked for not parsing raw data before building up query strings.
Assuming your front-end and back-end servers are both web servers, then if your front-end server is escaping things, that's likely to be a flaw in your overall architecture. Content must be escaped differently depending on the context into which it will be inserted. To minimize bugs and security holes, you should quote strings when they are used. This means that data should be passed to the SQL library using parameterized queries so that it doesn't get quoted until right before it gets inserted into the database. If that insertion is being triggered by code running on a separate back-end server, then that back-end server should be doing the quoting, and the front-end server should be passing data do it in a form appropriate for the transfer (e.g. JSON), not pre-quoted for SQL insertion. Otherwise, the back-end server is implicitly trusting the front-end server to do the right thing, which is bad.
There is no excuse for new code using non-parameterized queries, and IMO, all existing code should be rewritten as soon as possible. Why? Because even the best programmers don't get quoting right every time. It is way too easy to make a mistake if you're doing it yourself. Just this past week, I did a security audit of a fairly sizable piece of software. I found that it was not using parameterized queries, and I rewrote all of the queries so that it did. In the process, despite the author's extensive efforts to protect everything properly, I still found a couple of security holes.
Incidentally, last time I tried them, the parameterized queries in PHP's PDO layer were still unsafe. I could pass an arbitrary string, and if I accidentally gave the parameter a PARAM_INT type, it would be passed directly to the database. I got a few syntax errors from SQL early on as a result. This at least suggests to me that if you use PARAM_INT without explicitly casting a user-provided value to an (int) in the query, there is the potential for an injection attack. I'm not sure if this has been fixed or not, but I found it quite disconcerting.
For this reason, for new code, I use an additional abstraction layer built on top of the parameterized queries that takes a parameterized query string and a set of arguments, but no list of types, then uses introspection to determine what the type flag should be. If it sees an integer, it provides an integer type. If it sees a string, it provides a string type. If it sees an array, it replaces the question mark in the query string with a parenthesized set of question marks, one per item in the array, then provides string or integer types individually for each item in the array.
With such a scheme, if you failed to cast something to an (int) properly somewhere, the worst failure you can get is a query execution failure, not an injection attack. And the array handling makes life a lot easier, too, eliminating dozens of places where you would otherwise have to roll your own loops to build up the query string, and potentially make mistakes in the process.
I can't imagine where you could live and see only five minutes without power per year. I've never seen that level of reliability anywhere I've lived:
I currently live in the heart of the Silicon Valley, and I've seen several multi-hour blackouts in the past decade, and one multi-day blackout. And I'm not including the rolling blackouts in that total. I'm only counting PG&E infrastructure failures. The joys of for-profit power companies....
Things were even worse in Santa Cruz, where we saw several hour-plus outages caused by storms in the two years I lived there.
And back in rural Tennessee, where the government provided power (TVA), we had very few outages caused by poorly maintained infrastructure, but you could count on at least one two-hour-plus outage per year, and usually several, resulting from storm damage to power lines, ice pulling tree limbs down on power lines, high tension lines slamming together in high winds and tripping breakers, etc.
Al Qaida was both guest in Afghanistan, and integrated into its military forces and government. Al Qaida's jihadis were organized up to brigade level and fighting along side the Taliban.
The U.S. military reportedly has a skinhead problem. Does that mean that the actions of skinheads should be considered to be on behalf of the United States government? Where do you draw the line? I'm not saying I disagree with you; I'm just playing devil's advocate here.
Social welfare spending is about twice what the defense budget is.
Except the vast majority of that spending—social security, medicare, and unemployment benefits—comes from money that the workers have paid in explicitly so that they could get it back when they retire or become unemployed. I don't consider any of that spending to be part of the federal budget as such. It's just an insurance company that happens to be run by the federal government.
And yet, if someone under 18 still manages to see you doing it, you can go to jail for exposing yourself in front of a minor. You do not have an expectation of privacy in a public place, and you never did.
That said, I do agree that there is a fine line between not expecting privacy if you get caught doing something stupid in public and expecting to be tracked continuously so that your every movement and every action can be scrutinized in the hopes of catching you doing something wrong.
Critical infrastructure in the U.S. has been exploding every other month for as long as I've been alive. Nobody asks why because we all know exactly why.
A purely capitalistic model is completely incapable of providing serious infrastructure, because there is no real room for infrastructure competition in most places, and because without competition to force the issue, corporations inherently cut corners at every possible opportunity (even where safety is concerned) because every dollar spent on infrastructure is a dollar in lost profit.
And government regulators don't want to regulate those industries to bring the anarchocapitalists back under control because then they won't have cushy jobs working as "consultants" and lobbyists for the industry when they decide to leave the public sector.
Nothing new here. Our infrastructure is falling apart because we stopped maintaining it back in the Reagan administration (or earlier) and never looked back.
Should the US have not gone to war with Japan after Pearl Harbor because more people died in automobile accidents?
Poor analogy. Responding to an act of war with a declaration of war is far different from responding to a non-government-sanctioned act by a handful of individuals with an undeclared war.
Shall we give up law enforcement since people die of heart disease? Stop arresting bank robbers because people die of the flu? Stop arresting rapists because people die of stroke?
Again, poor analogy. Normal law enforcement doesn't suck down half our federal budget (not counting trust funds). If we were spending half our country's income on arresting bank robbers or rapists, then the answer would be a resounding "yes"... well, not to stop it entirely, but certainly to scale it back by several orders of magnitude.
Depends on the steganography method used, and on how many images are sent using that method. If you're a spook and you see somebody suddenly sending lots of images to someone else, you might grow suspicious, at which point you'll start performing analysis to see if there are patterns emerging across the entire set of images, such as certain pixels that are always higher than the adjacent pixels by a certain amount. Granted, such patterns can just as easily be caused by sensor flaws, but some fairly primitive steganography techniques could be detectable in this way.
Second, because subpixel noise in cameras isn't random—it tends to obey a gaussian distribution, and thermal noise can vary considerably from frame to frame depending on the length of the exposure—when spread over a large enough number of sequential or nearly sequential photos taken by the same camera, the steganography might be detectable by using a model of the predicted levels of noise that the image sensor should produce for a shot of a given duration and the elapsed time since the previous shot. This won't tell you what is embedded in the image, but if you're lucky, it might tell you that with a high probability, something is embedded. Depending on the circumstances, that might be enough to get a warrant. Then again, it could just be Digimarc.
Finally, there's the question of the randomness of the source material (or, more to the point, the lack thereof). If the base image is at the native sensor resolution of the camera, the nature of the image sensors themselves could potentially be exploited to detect some types of steganography. In a real-world image sensor (except for Foveon sensors), there's no such thing as a pixel; there are only subpixels that produce a value for a single color. The camera must combine these values (a process called "demosaicing") to compute the color for a pixel in the final image. Because the subpixels that make up a pixel are not physically on top of one another, the camera typically computes the estimated value for the color at a given physical point on the sensor by combining adjacent subpixel values in differing percentages. For example, if the green subpixel is chosen as the "center" of the pixel and the red subpixel is to the left and the blue is above, it might mix a bit of the red from the "pixel" to its right and a bit of the blue from the "pixel" below it. (This explanation is overly simplistic, but you get the basic idea.)
Unfortunately for steganographers, the way that particular cameras construct a pixel value from adjacent subpixel values is predictable and well understood. If a steganographic technique does not take that into consideration, it is highly likely that, given knowledge of the camera and its particular mixing algorithm, the steganographic data can be detected simply by determining whether there is any plausible set of subpixel values that could result in the final computed pixel values for the entire image. For that matter, given that most of the algorithms for subpixel blending are straightforward, even without knowledge of the particular camera, it is highly likely that steganography can be detected, because portions of the image that contain no hidden data will likely only be producible by a single algorithm, and portions of the image that contain hidden data likely will not be.
Those are just a couple of types of analysis off the top of my head that might potentially be used against some types of steganography, given some types of source material, etc. It is entirely possible that there are steganographic techniques that are resistant to these sorts of analysis, and there are likely many other interesting types of analysis that I have not mentioned. I have not kept up with steganographic research personally, so I can't say with any certainty.
So, either by inclination or by instruction, Snowden would likely be found guilty in a trial by peers. Rare is it to find 12 people willing to stand up to the uniformed justicars and oppose the entire system.
It only takes one to hang a jury in a capital case. So what you're saying is that fewer than 8% of Americans would be willing to stand up for justice. If true, that's the saddest thing I've ever heard.
Whether the law was just or not, or the illegal actions the law were protecting are inconsequential to the court case.
Legally, yes. Morally, no. Anyone who would vote to execute this guy over doing something morally right will go down in history with the same level of contempt as the members of the crowd who demanded the crucifixion of Christ. Same level of heinousness. Most sane and rational people will recognize that. So basically, the government would have to either pad the jury with either sociopaths or convict him in a military tribunal, and even the latter isn't a guaranteed success.
At some point, McCarthy went up against the wrong people, and started pointing fingers at national heroes (the military), at which point his influence disintegrated pretty quickly. McCarthy was censured, and his name is now synonymous with government tyranny in the U.S. Also, he died in office just a couple of years later. There wan't much of an opportunity to charge him, and there wasn't really much of a point.
Besides, no national hero was tried, convicted, and assassinated as a result of the McCarthy hearings.
I was absolutely certain that McCain would continue those programs (illegal wiretapping, Gitmo, etc.), whereas there was at least some small possibility that Obama might have actually fulfilled his campaign promises to dismantle them.
By the second election, I was reasonably certain that both Romney and Obama would continue those programs, and no other viable candidates were running.
I was absolutely certain that Romney—a person who made his fortune by buying companies, stripping them bare, laying off the staff, and outsourcing jobs to other countries while continuing to trade on the brand's reputation—was the worst possible choice for President during an economic downturn, even if Obama wasn't a great choice.
It had nothing to do with "total s**t that Obama's people threw at Romney" and everything to do with Romney seeming instantly untrustworthy from the very first minute. By contrast, Obama struck me as someone who was unlikely to be able to keep his promises, but not entirely because he didn't want to. My opinion of him has gradually degraded, mind you, but Romney immediately struck me as a stereotypical used car salesman.
There's only one right answer to that question: "No, I'm going to run against them." Anything short of intelligent people deciding that they're fed up with morons running our country and deciding to run against them on a campaign promise of being smarter than a turnip is a copout.
This is one step away from becoming a watergate like scenario. And surely in the future many watergate like scenarios!
No, this is way, way worse than Watergate. This is bordering on McCarthy hearings levels of unethical and unconstitutional behavior—a wildly unpopular government tangent that injures a whole lot of people in its wake, that continues only because stopping now would make the government look even worse, and because the lust for power among all involved is insatiable.
Here's the big problem with the government charging this guy: the vast majority of educated people with high IQ, put in the same situation as Snowden, either would have done exactly the same thing or would have resisted solely out of fear of the consequences. They'll be very hard pressed to find any jury remotely resembling his peers who would even be open to the possibility of convicting him, much less who would actually do it.
Perhaps the most disturbing part of all this is that they're charging him with espionage, which is a capital crime. If they manage to get him back to the U.S., charge him, convict him in a kangaroo court (a military tribunal is probably the only way it could go down that way), and sentence him to the death penalty, I'd give better than 2:1 odds on a march on D.C. that would make the Watts riots look like a pride parade. You just don't sentence someone to death who has become a hero to some two-thirds of America's under-thirty population unless you want a civil war on your hands faster than you can say, "Oh, f**k, maybe that wasn't such a good idea."
Such a risk is something that the administration needs to start thinking about right now; ironically, the best way for the administration to save face would be to publicly charge him and ask for extradition while privately asking the Chinese government to not do so. As long as nobody leaks that communiqué, of course... which someone really should, if only to prove beyond all doubt that the emperor has no clothes.
As for me, if they manage to extradite Snowden, I plan to schedule a vacation for the week of the verdict so that I'll be just about as far from our nation's capital as humanly possible. Like Madagascar.
Not quite right. The prosecution can appeal an acquittal if they have evidence that the acquittal was the result of jury tampering or bribery by the defense, because the defendant was not really in jeopardy at the first trial.
Ah, but tackling that problem from the top down is infeasible because the people in power won't voluntarily give it up. Tackling it from the bottom up—making it so that some aspects of the power grab become infeasible—might actually have more success.
How is this rolling the ball too far the other way? All this bill does is prevent criminal prosecution for violation of any terms of use that are unsupported by technical barriers. A civil suit might be appropriate in those cases, but downloading a bunch of files from a web server, regardless of what the terms of use say, is not a criminal act; it is the use of a server to do precisely what it was designed to do, in precisely the way that it was intended to be used. Only the quantity of said downloads were unintended.
No, this is precisely the right balance. Copyright violations (redistributing) are an entirely unrelated issue and are not affected by the proposed legislation.
Maybe it should. After all, the broken justice system is the reason that we have more people in prison per capita than any other civilized nation on Earth. A complete collapse might just force some much-needed reform in a lot of areas.
Nothing wrong with a last minute request if it was unavoidable. However, if you had time to report it before, you should have done that. If you know it's not urgent, don't pretend it is, because we can tell, and we will remember your lies.
Pretty much. Or, in the Snowden case, if you had the opportunity to get a proper search warrant to do things the right way, you should have done that.
<sarcasm>But you'd be a superhero. We could call you Rectum Man. "My plants were all dying for lack of fertilizer, and I didn't know what to do. But then Rectum Man came to help. Thank you, Rectum Man!" Everyone needs 12 more anuses. Everyone.</sarcasm>
What it comes down to is best summarized by this obligatory XKCD. Just s/standards/programming languages/g. Alternatively, s/standards/web frameworks/g. And so on. This is why we have Perl, PHP, Python, Ruby, and whatever else has come out since I stopped bothering to pay attention. Instead of improving what's out there, everybody wants to create the cool new thing. This inevitably results in lots of low-quality code.
Ah, but the latest programming language is buggy crap because the senior people aren't pushing to improve it and the junior people lack the skills. It's a Catch-22/chicken-and-egg sort of problem.
What discontinued Adobe product are you talking about? It's a serious question.
I was personally affected by Adobe discontinuing FrameMaker for Mac and Premiere for Mac. Alternatively, by some definition, Adobe discontinued nearly all of their apps. You can't buy them anymore; you have to rent them, because Adobe discontinued their entire Creative Suite. At least for me, that's not a viable upgrade path, particularly from a company who has bitten me by discontinuing products not once, but twice.
IMO, running it through a regular expression shouldn't untaint it, either, unless that happens to be a regular expression specifically designed to quote strings properly for output. But yes.
The biggest problem is that young white hat hackers are few and far between. We don't spend nearly enough time in college courses learning about proper security, and as a result, folks come out of school not knowing it. By the time they actually "get" security, most of them are well on their way to retirement, and they aren't always keeping up with the latest programming languages. Unfortunately, most web technology development tends to be done by people straight out of school, because it is a cutting-edge field that is constantly evolving. The result is that the people who understand security often don't understand the web tech, and the people who understand the web tech often don't understand security.
IMO, any college that does not require at least a semester of computer security (ideally, two) for a BS degree is doing their students a disservice. It is a crucial subject for anyone who has any interest in writing software, and it is an area where competent engineers are seriously in demand.
The appalling thing is THAT NONE OF THESE PLUGINS WERE EVER AUDITED.
Does this surprise anyone? There's a good reason why WordPress systems are popular targets for hacking....
That said, to some degree, I blame the language designers for not being more aggressive at forcing people to upgrade their old-style SQL queries to use a more modern, parameterized syntax.
If you really want the web to be more secure, we should:
Eliminate the PHP/Perl/Python mysql extensions. Force everyone to rewrite their software with either mysqli or PDO. Period.
Add tainted data tracking into the language runtime for PHP, Perl, Python, etc. This means:
All data coming from outside the code itself (from all files, from GET/POST request fields, etc.) is marked as tainted.
String concatenation of tainted data with untainted data results in tainted data.
Variable substitution of tainted data inside a string results in a tainted string.
Taint is preserved across function calls, such as explode/implode.
Data can only become untainted by casting it to a numeric type. (No, mysql_real_escape_string should not untaint anything. That function is a hack. You shouldn't be using it in production code.)
All mysqli and PDO functions/methods should throws an exception if a tainted string is passed as a format argument.
When the language is running in a web server, all output to stdout (to a browser) should similarly throw an error unless the taint type matches the current Content-Type value. For example, if the headers say Content-Type: text/html, then input from an HTML file is not tainted. Input from a database or text file should have to be either quoted for output or sanitized through your choice of sanitizer functions, tailored for various purposes (e.g. an anti-XSS sanitizer).
And so on. These changes would go very, very far towards eliminating SQL injection attacks and XSS. The fact that such protection schemes are both incomplete and disabled by default in most programming languages suggests to me that security is not a high enough priority.
IMO taint protection should be part of the default configuration when running in a web server environment. If there are bugs that make that impossible, then those should be the absolute highest priority bugs on the plates of the language engineers.
In the meantime, everyone should add taint_error_level = E_ERROR to your php.ini file, etc.
Well, most of us want software patents eliminated. I've seen no real justification for allowing software patents.
The thing is, at least in the context of software patents, when you turn this guy's AMC question around, the question becomes downright silly. "If software patents were eliminated, do you think anyone would write software?" That's just an absurd question to ask, particularly given that most companies assumed that most software patents were not allowed until a key court decision (Sidney A. DIAMOND, Commissioner of Patents and Trademarks, Petitioner, v. James R. DIEHR, II and Theodore A. Lutton) changed that assumption in 1981. So the question becomes, "Why did anyone write software before 1981?"
And the answer requires us to dig a little deeper. Unlike most patentable works, software also has copyright protection. For any nontrivial piece of software, that should be enough to guarantee several years of revenue before anyone can usefully come up with a competing product, even if you do nothing but create the product and sit on your laurels without improving it at all.
Based on that, in the absence of compelling evidence to the contrary, it should be clear that in the software world, patents are simply an additional layer of unnecessary overhead, coupled with a corresponding minefield of uncertainty, having no redeeming value.
No, it really shouldn't. For 99% of sites, the user's ability to get to the data if the website goes belly-up without having to write code to extract a key from the user's keychain and decrypt the database trumps the need for encrypted local storage. For the remaining 1%, the site should use ephemeral session cookies that are not persisted to disk.
There's really not a valid use case for encrypted local storage that isn't better served by full-disk encryption.
No, not at all. They are very rarely caused by failure to escape < symbols and similar, because those sorts of mistakes are trivial to avoid. XSS attacks are usually caused by the programmer deciding to allow someone to write raw HTML. Sanitizing every attribute to ensure that it doesn't contain any JavaScript code is hard, and the techniques for doing so are often app-dependent, because only the web app developer knows how any custom attributes are going to get used.
SQL injection attacks, however, are caused by failing to escape things correctly.
Assuming your front-end and back-end servers are both web servers, then if your front-end server is escaping things, that's likely to be a flaw in your overall architecture. Content must be escaped differently depending on the context into which it will be inserted. To minimize bugs and security holes, you should quote strings when they are used. This means that data should be passed to the SQL library using parameterized queries so that it doesn't get quoted until right before it gets inserted into the database. If that insertion is being triggered by code running on a separate back-end server, then that back-end server should be doing the quoting, and the front-end server should be passing data do it in a form appropriate for the transfer (e.g. JSON), not pre-quoted for SQL insertion. Otherwise, the back-end server is implicitly trusting the front-end server to do the right thing, which is bad.
There is no excuse for new code using non-parameterized queries, and IMO, all existing code should be rewritten as soon as possible. Why? Because even the best programmers don't get quoting right every time. It is way too easy to make a mistake if you're doing it yourself. Just this past week, I did a security audit of a fairly sizable piece of software. I found that it was not using parameterized queries, and I rewrote all of the queries so that it did. In the process, despite the author's extensive efforts to protect everything properly, I still found a couple of security holes.
Incidentally, last time I tried them, the parameterized queries in PHP's PDO layer were still unsafe. I could pass an arbitrary string, and if I accidentally gave the parameter a PARAM_INT type, it would be passed directly to the database. I got a few syntax errors from SQL early on as a result. This at least suggests to me that if you use PARAM_INT without explicitly casting a user-provided value to an (int) in the query, there is the potential for an injection attack. I'm not sure if this has been fixed or not, but I found it quite disconcerting.
For this reason, for new code, I use an additional abstraction layer built on top of the parameterized queries that takes a parameterized query string and a set of arguments, but no list of types, then uses introspection to determine what the type flag should be. If it sees an integer, it provides an integer type. If it sees a string, it provides a string type. If it sees an array, it replaces the question mark in the query string with a parenthesized set of question marks, one per item in the array, then provides string or integer types individually for each item in the array.
With such a scheme, if you failed to cast something to an (int) properly somewhere, the worst failure you can get is a query execution failure, not an injection attack. And the array handling makes life a lot easier, too, eliminating dozens of places where you would otherwise have to roll your own loops to build up the query string, and potentially make mistakes in the process.
I can't imagine where you could live and see only five minutes without power per year. I've never seen that level of reliability anywhere I've lived:
The U.S. military reportedly has a skinhead problem. Does that mean that the actions of skinheads should be considered to be on behalf of the United States government? Where do you draw the line? I'm not saying I disagree with you; I'm just playing devil's advocate here.
Except the vast majority of that spending—social security, medicare, and unemployment benefits—comes from money that the workers have paid in explicitly so that they could get it back when they retire or become unemployed. I don't consider any of that spending to be part of the federal budget as such. It's just an insurance company that happens to be run by the federal government.
And yet, if someone under 18 still manages to see you doing it, you can go to jail for exposing yourself in front of a minor. You do not have an expectation of privacy in a public place, and you never did.
That said, I do agree that there is a fine line between not expecting privacy if you get caught doing something stupid in public and expecting to be tracked continuously so that your every movement and every action can be scrutinized in the hopes of catching you doing something wrong.
Critical infrastructure in the U.S. has been exploding every other month for as long as I've been alive. Nobody asks why because we all know exactly why.
A purely capitalistic model is completely incapable of providing serious infrastructure, because there is no real room for infrastructure competition in most places, and because without competition to force the issue, corporations inherently cut corners at every possible opportunity (even where safety is concerned) because every dollar spent on infrastructure is a dollar in lost profit.
And government regulators don't want to regulate those industries to bring the anarchocapitalists back under control because then they won't have cushy jobs working as "consultants" and lobbyists for the industry when they decide to leave the public sector.
Nothing new here. Our infrastructure is falling apart because we stopped maintaining it back in the Reagan administration (or earlier) and never looked back.
Poor analogy. Responding to an act of war with a declaration of war is far different from responding to a non-government-sanctioned act by a handful of individuals with an undeclared war.
Again, poor analogy. Normal law enforcement doesn't suck down half our federal budget (not counting trust funds). If we were spending half our country's income on arresting bank robbers or rapists, then the answer would be a resounding "yes"... well, not to stop it entirely, but certainly to scale it back by several orders of magnitude.
Depends on the steganography method used, and on how many images are sent using that method. If you're a spook and you see somebody suddenly sending lots of images to someone else, you might grow suspicious, at which point you'll start performing analysis to see if there are patterns emerging across the entire set of images, such as certain pixels that are always higher than the adjacent pixels by a certain amount. Granted, such patterns can just as easily be caused by sensor flaws, but some fairly primitive steganography techniques could be detectable in this way.
Second, because subpixel noise in cameras isn't random—it tends to obey a gaussian distribution, and thermal noise can vary considerably from frame to frame depending on the length of the exposure—when spread over a large enough number of sequential or nearly sequential photos taken by the same camera, the steganography might be detectable by using a model of the predicted levels of noise that the image sensor should produce for a shot of a given duration and the elapsed time since the previous shot. This won't tell you what is embedded in the image, but if you're lucky, it might tell you that with a high probability, something is embedded. Depending on the circumstances, that might be enough to get a warrant. Then again, it could just be Digimarc.
Finally, there's the question of the randomness of the source material (or, more to the point, the lack thereof). If the base image is at the native sensor resolution of the camera, the nature of the image sensors themselves could potentially be exploited to detect some types of steganography. In a real-world image sensor (except for Foveon sensors), there's no such thing as a pixel; there are only subpixels that produce a value for a single color. The camera must combine these values (a process called "demosaicing") to compute the color for a pixel in the final image. Because the subpixels that make up a pixel are not physically on top of one another, the camera typically computes the estimated value for the color at a given physical point on the sensor by combining adjacent subpixel values in differing percentages. For example, if the green subpixel is chosen as the "center" of the pixel and the red subpixel is to the left and the blue is above, it might mix a bit of the red from the "pixel" to its right and a bit of the blue from the "pixel" below it. (This explanation is overly simplistic, but you get the basic idea.)
Unfortunately for steganographers, the way that particular cameras construct a pixel value from adjacent subpixel values is predictable and well understood. If a steganographic technique does not take that into consideration, it is highly likely that, given knowledge of the camera and its particular mixing algorithm, the steganographic data can be detected simply by determining whether there is any plausible set of subpixel values that could result in the final computed pixel values for the entire image. For that matter, given that most of the algorithms for subpixel blending are straightforward, even without knowledge of the particular camera, it is highly likely that steganography can be detected, because portions of the image that contain no hidden data will likely only be producible by a single algorithm, and portions of the image that contain hidden data likely will not be.
Those are just a couple of types of analysis off the top of my head that might potentially be used against some types of steganography, given some types of source material, etc. It is entirely possible that there are steganographic techniques that are resistant to these sorts of analysis, and there are likely many other interesting types of analysis that I have not mentioned. I have not kept up with steganographic research personally, so I can't say with any certainty.
It only takes one to hang a jury in a capital case. So what you're saying is that fewer than 8% of Americans would be willing to stand up for justice. If true, that's the saddest thing I've ever heard.
No, I'm not. A recent poll shows 60% of Americans in the 18-29 age group feel that Snowden did a public service. Their words, not mine. The fact that older Americans tend to lean the other way is immaterial. The 60-and-over crowd are rarely the ones who take up arms.
Legally, yes. Morally, no. Anyone who would vote to execute this guy over doing something morally right will go down in history with the same level of contempt as the members of the crowd who demanded the crucifixion of Christ. Same level of heinousness. Most sane and rational people will recognize that. So basically, the government would have to either pad the jury with either sociopaths or convict him in a military tribunal, and even the latter isn't a guaranteed success.
At some point, McCarthy went up against the wrong people, and started pointing fingers at national heroes (the military), at which point his influence disintegrated pretty quickly. McCarthy was censured, and his name is now synonymous with government tyranny in the U.S. Also, he died in office just a couple of years later. There wan't much of an opportunity to charge him, and there wasn't really much of a point.
Besides, no national hero was tried, convicted, and assassinated as a result of the McCarthy hearings.
I voted for Obama because:
It had nothing to do with "total s**t that Obama's people threw at Romney" and everything to do with Romney seeming instantly untrustworthy from the very first minute. By contrast, Obama struck me as someone who was unlikely to be able to keep his promises, but not entirely because he didn't want to. My opinion of him has gradually degraded, mind you, but Romney immediately struck me as a stereotypical used car salesman.
There's only one right answer to that question: "No, I'm going to run against them." Anything short of intelligent people deciding that they're fed up with morons running our country and deciding to run against them on a campaign promise of being smarter than a turnip is a copout.
No, this is way, way worse than Watergate. This is bordering on McCarthy hearings levels of unethical and unconstitutional behavior—a wildly unpopular government tangent that injures a whole lot of people in its wake, that continues only because stopping now would make the government look even worse, and because the lust for power among all involved is insatiable.
Here's the big problem with the government charging this guy: the vast majority of educated people with high IQ, put in the same situation as Snowden, either would have done exactly the same thing or would have resisted solely out of fear of the consequences. They'll be very hard pressed to find any jury remotely resembling his peers who would even be open to the possibility of convicting him, much less who would actually do it.
Perhaps the most disturbing part of all this is that they're charging him with espionage, which is a capital crime. If they manage to get him back to the U.S., charge him, convict him in a kangaroo court (a military tribunal is probably the only way it could go down that way), and sentence him to the death penalty, I'd give better than 2:1 odds on a march on D.C. that would make the Watts riots look like a pride parade. You just don't sentence someone to death who has become a hero to some two-thirds of America's under-thirty population unless you want a civil war on your hands faster than you can say, "Oh, f**k, maybe that wasn't such a good idea."
Such a risk is something that the administration needs to start thinking about right now; ironically, the best way for the administration to save face would be to publicly charge him and ask for extradition while privately asking the Chinese government to not do so. As long as nobody leaks that communiqué, of course... which someone really should, if only to prove beyond all doubt that the emperor has no clothes.
As for me, if they manage to extradite Snowden, I plan to schedule a vacation for the week of the verdict so that I'll be just about as far from our nation's capital as humanly possible. Like Madagascar.
Not quite right. The prosecution can appeal an acquittal if they have evidence that the acquittal was the result of jury tampering or bribery by the defense, because the defendant was not really in jeopardy at the first trial.
Ah, but tackling that problem from the top down is infeasible because the people in power won't voluntarily give it up. Tackling it from the bottom up—making it so that some aspects of the power grab become infeasible—might actually have more success.
How is this rolling the ball too far the other way? All this bill does is prevent criminal prosecution for violation of any terms of use that are unsupported by technical barriers. A civil suit might be appropriate in those cases, but downloading a bunch of files from a web server, regardless of what the terms of use say, is not a criminal act; it is the use of a server to do precisely what it was designed to do, in precisely the way that it was intended to be used. Only the quantity of said downloads were unintended.
No, this is precisely the right balance. Copyright violations (redistributing) are an entirely unrelated issue and are not affected by the proposed legislation.
Maybe it should. After all, the broken justice system is the reason that we have more people in prison per capita than any other civilized nation on Earth. A complete collapse might just force some much-needed reform in a lot of areas.
Pretty much. Or, in the Snowden case, if you had the opportunity to get a proper search warrant to do things the right way, you should have done that.
<sarcasm>But you'd be a superhero. We could call you Rectum Man. "My plants were all dying for lack of fertilizer, and I didn't know what to do. But then Rectum Man came to help. Thank you, Rectum Man!" Everyone needs 12 more anuses. Everyone.</sarcasm>
What it comes down to is best summarized by this obligatory XKCD. Just s/standards/programming languages/g. Alternatively, s/standards/web frameworks/g. And so on. This is why we have Perl, PHP, Python, Ruby, and whatever else has come out since I stopped bothering to pay attention. Instead of improving what's out there, everybody wants to create the cool new thing. This inevitably results in lots of low-quality code.
Ah, but the latest programming language is buggy crap because the senior people aren't pushing to improve it and the junior people lack the skills. It's a Catch-22/chicken-and-egg sort of problem.
I was personally affected by Adobe discontinuing FrameMaker for Mac and Premiere for Mac. Alternatively, by some definition, Adobe discontinued nearly all of their apps. You can't buy them anymore; you have to rent them, because Adobe discontinued their entire Creative Suite. At least for me, that's not a viable upgrade path, particularly from a company who has bitten me by discontinuing products not once, but twice.
IMO, running it through a regular expression shouldn't untaint it, either, unless that happens to be a regular expression specifically designed to quote strings properly for output. But yes.
The biggest problem is that young white hat hackers are few and far between. We don't spend nearly enough time in college courses learning about proper security, and as a result, folks come out of school not knowing it. By the time they actually "get" security, most of them are well on their way to retirement, and they aren't always keeping up with the latest programming languages. Unfortunately, most web technology development tends to be done by people straight out of school, because it is a cutting-edge field that is constantly evolving. The result is that the people who understand security often don't understand the web tech, and the people who understand the web tech often don't understand security.
IMO, any college that does not require at least a semester of computer security (ideally, two) for a BS degree is doing their students a disservice. It is a crucial subject for anyone who has any interest in writing software, and it is an area where competent engineers are seriously in demand.
Does this surprise anyone? There's a good reason why WordPress systems are popular targets for hacking....
That said, to some degree, I blame the language designers for not being more aggressive at forcing people to upgrade their old-style SQL queries to use a more modern, parameterized syntax.
If you really want the web to be more secure, we should:
And so on. These changes would go very, very far towards eliminating SQL injection attacks and XSS. The fact that such protection schemes are both incomplete and disabled by default in most programming languages suggests to me that security is not a high enough priority.
IMO taint protection should be part of the default configuration when running in a web server environment. If there are bugs that make that impossible, then those should be the absolute highest priority bugs on the plates of the language engineers.
In the meantime, everyone should add taint_error_level = E_ERROR to your php.ini file, etc.