No, not impossible. There is a real-world example of this system in use today. Take a look at www.zeroknowledge.net and also take a look at Chaum's Digital Mixes paper, as well as the source code for the nym remailer, mix remailer, cypherpunk remailer, onion skin router and crowds proxy system.
The issues have indeed been dealt with quite effectively to prevent even the middlemen from knowing what traffic is flowing thru them, where it is going and from whence it came. Python
As with Highlander II, there was no Dune Mini-Series. Dune fans will never speak of this wrinkle in the space-time continuum. It simply never happened and if we say anything at all, we will whisper in soft voices "What the hell were they thinking?!" This mini-series was so bad, the only thing missing from it was Michael Ironside to make it official.
I am a big Dune fan, and have read all the Dune books, so before anyone lays in on me to try and defend the mini-series, understand this: I know it could not be perfect, I did not expect perfection or even an absolute adherence to the book. I'm simply not that kind of fan. I really enjoyed the Director's cut of the original Dune movie (didn't think the theatrical release told the story well enough).
So, with that in mind, what I expected was a good telling of a great story, at the very least. After all, they had plenty of time to build the story up. Instead, I got a bad telling, by poorly cast actors, directed by someone who barely seemed to understand how to tell a story in an even mildly interesting way. Frankly, unless you've read the book, I don't see how the mini-series could be even remotely interesting. It's almost as if the director worked long and hard to suck the life out of every scene in the series.
To say I was seriously disappointed with the series is an understatement. If I did not know what Dune was I would have changed the channel. And before anyone starts trying to defend it, I was not expecting perfection. I was expecting something dramatic - in the artistic sense. This adaption of Dune was almost lifeless!
I mean the final battle scene was so anti-climactic I half jokingly asked, "what just happened"? And the final climax with Paul killing Feyd was also a yawner. Talk about sucking the life out of a fantastic story with poor casting, a lack of creative cinematography to capture the grandeur of the Dune universe (although the space scenes were fairly impressive), weak CGI effects that caused my friends and me to heckle the scenes with an MST3Kish "fakey!" (you know, there is such a thing as filming someone besides a sound stage), lame costumes that looked totally out of place and so on.
I could go on and on, but at least the Director's cut of the original Dune movie, while imperfect and incomplete, was far truer to the heart and soul of the Dune story than this miniseries was. It had something the mini-series totally lacked: suspense. I'm not sure how the director of the mini-series pulled it off, but he managed to turn every suspenseful or climactic part of the story into a boring overacted use of bad actors in totally inappropriate costumes (come on, what was with all the Japanese costumes!).
Frankly, as bad things go, the Mini-series ranks up there in the top ten. If MST were still being made, I could look forward to it being heckled and given a proper burial. Perhaps the South Park guys will give this stinker the ribbing it richly deserves.
This guy's entire argument is a straw man! Linux will fragment... buyer beware! You mean like how Solaris is fragmented from BSD, IRIX, Tru64, HPUX, AIX and... oh yes, Linux?
In short, so what. This is Sun FUD. Sun is clearly afraid of Linux and this is the best response they can come up with. Pathetic. Frame the argument in their own terms, and hope that everyone takes the bait and wants to argue the point about why Linux won't end up being fragmented. Python
Simply because you don't need the keys to play the music! Once you decrypt the music, you don't need a key, and it's the decrypted music that you can give to your friends. That's why a personally encrypted music file buys you nothing. Eventually the music has to be decrypted, and once it's decrypted you don't need the key anymore - and if that's what you use to identify the pirate, you're sunk.
That's why the SDMI goons are using watermarks. They're trying to hide your identity in the music file so if you give the song away, they can nail you. Aside from the obvious problem that all of the watermarking schemes were totally defeated, defeating the ability of the RIAA to track down the person that is distributing it, there is also the "so what?" problem. Simply explained it boils down to the fact that watermarks prove nothing.
Even if the watermark is intact, the information contained in it is not trusted for a whole host of reasons. If the watermark is trivial to forge, then it proves nothing. If the watermark can be overwritten with another watermark, it proves nothing. If the watermark isn't using a digital signature, validating its authenticity, it proves nothing. If the implementation of the signature scheme is flawed in any way (i.e., it can be forged), it proves nothing. If the keys are ever stolen (if the watermarking scheme is even using watermarks!), the watermarks prove nothing. The list goes on and on, but the bottom line here is that there are serious serious technical problems with watermarking. But it gets worse for the SDMI folks!
Even if the watermark survives all the technical and implementation attacks against it, it still doesn't prove anything. There is no trust in the model to absolutely verify the identity of the person that bought the music, short of a police state. What if your credit card was stolen to buy the music online? What if the person buying the music, in person, has a fake ID with your name and address on it? Furthermore, what's to say the song wasn't stolen? That your box wasn't broken into and so on. Or, what if you bought the song and gave it to someone as a gift? The list goes on. The bottom line here is that it's circumstantial evidence at best.
What the SDMI folks are trying to create is a false sense of security in their constituency. And frankly, I think SDMI is rapidly becoming a set of technologies in search of a problem to solve. SDMI simply does not do what its creators claim it does, and the SDMI folks are too embarrassed to admit that they have wasted millions of dollars of the constituency's money pursuing a ridiculously flawed idea.
Yep, I heard the same ad. It made me sick. Can you imagine your car manufacturer demanding that you prove you own your car? Whenever they want? Years after you bought it? Isn't it just a bit absurd that some private organization can demand that a company stop what it is doing, lose money and business and prove that they bought the software they are using? Since when was it "guilty until proven innocent?"
Things have gotten out of hand and the BSA's behavior is a symptom, IMHO, of how out of whack copyright and other IP laws are. Python
On the other hand, this can also be a compelling argument for free (open source, home-brewed, or abandonware) software.
Actually, this is an excellent case for ensuring that all your employees ONLY use open source software, or worst case, if you have to use licensed software, that you not allow employees to install whatever they want on their systems. Otherwise, the company may end up having to pay for 100 copies of Quake3 that the developers installed on their workstations, amongst other things. It sucks, but hey, this is what happens when you have organizations like the BSA around. Don't these guys realize this just further strengthens the case for only using free software?
Frankly, I would just ensure that my operation was only using free software, and not do business with companies that support these jack-booted thug-like tactics of the BSA. I don't care what their argument is, you simply do not play cop with your customers. It's BAD for business. As a business owner and a customer, I simply would not, and will not, stand for this sort of nonsense and we would never shake our customers down like this - if we ever wanted to do business with them again.
From now on, we're going to ask our vendors if they are part of the BSA and insist that if they are, that they sign a contract with us that precludes them from disrupting our operations with this sort of nonsense. And if they won't sign it, then we're taking our business elsewhere. I suggest others do the same. I intimately understand what is behind the BSA's arguments, but their methods are unacceptable IMHO.
In all my years with many software and hardware companies, we never had to resort to these scare tactics, or worse yet calling in the feds on our customers. We simply did business with companies that were willing to pay for our software, and we didn't worry about the ones that didn't. What company in their right mind would want to use software from Vendor X in the future if they had been treated like this?
Python
Re:The key problem with this ruling... on Anonymity · Score: 2
You're mistaken. The Scientologists have harassed scores of individuals for all manner of protected speech. The most vivid example of this was the Scientologists' "Operation Freakout" against Paulette Cooper. There are hundreds of other examples, but this one should suffice. Regardless, go read the following URLs:
If you are referring to me as the original poster, I do understand the differences. I run mixmaster and cpunk remailers, along with a ZKS freedom server. I have been doing so for many years (with Type I and Type II remailers).
A couple of issues to respond to. Every ZKS server is not on a Carnivore monitored network nor are they in the US or Canada or even run by companies in many cases. Many ZKS servers are run by private individuals, with no legal obligation to support Carnivore (under current law). So, it does not follow that all ZKS servers are or could be Carnivore monitored. Additionally, reply blocks in the ZKS network *do* allow for latency time, so traffic analysis is not as straightforward as you might think. It still needs cover traffic and remixing, but it's not as simple to defeat the model as you make it out to be.
Regardless, presenting an array of options to the end user is much better than just shoving the highest security solution at them. High security remailing is complicated and requires the users to understand how to use the remailer network in a secure manner. Which includes dummy (cover traffic) messages, remixing, long chains, rotating reply blocks and so on. ZKS is easy to use; setting up nyms to do re-mix is not a simple matter for most users.
Presenting the various options, in a limited slashdot posting, gives the user the option of finding out more and educating themselves. The post was not intended as a complex lesson on the pros and cons of the various technologies available for protecting your anonymity. Python
OR, you can get a paid for nym account with ZKS:
ZKS Freedom Net (They are taking applicants to beta test their Linux port now)
This takes care of having an anonymous bi-directional e-mail account that people can contact you through and will be secure from the attacks of a determined foe (be sure to change your reply blocks often though).
2) Publish the code somewhere publicly available, like the web or usenet.
The next problem is distributing your code. What you need is a means to publish the code anonymously.
Web
To contact sites like sourceforge anonymously, which provide you with a nice mechanism for releasing the code and storing it somewhere, you need a web anonymizer or an anonymous routing scheme like ZKS.
Several solutions exist to do this. In order of highest security:
Usenet is a means of publishing your code that is even more resistant to censorship attacks than publishing the code on a website:
mail2news gateways. These allow you to post an e-mail message to Usenet, preferably after you have anonymized it thru several remailers. Posting to Usenet is an EXCELLENT mechanism for getting past the most determined censor. As long as you don't start spamming your distribution, and thereby driving your BI up, you can be pretty sure that your post will not get robo-canceled. If you want to be really fancy, you can encrypt the message, publish the password in another forum, and then post the conventionally encrypted message to alt.anonymous.messages. This will defeat efforts to automatically find your post on Usenet and then issue a third party cancel for it.
Here is a list of known mail2news gateways:
mail2news AT nym.alias.net
mail2news AT zedz.net
mail2news AT mixmaster.shinn.net
Send a message to one of the above e-mail addresses with "help" in the subject for instructions on how to use the gateways.
There are powerful societal reasons to keep information transfer as free (in all senses of the word) as possible. Unfortunately, these reasons don't translate well into the language of capitalism. There is no way to say "a rising tide lifts all boats" in Capitalismese.
Actually, there is, and I haven't had to practice economics in almost 10 years, so please pardon the mental dust. It's called "input costs". Knowledge is an input in the manufacturing process, just like raw materials are. Generally it's characterized as an externality, but it is an input cost that affects labor costs and makes things more expensive - so there is a capitalist argument to make right there. No capitalist wants to pay more if they don't have to, so the issue of rising costs is something that makes perfect sense to capitalists. :-)
To me, what this company is doing is creating an artificial shortage of a product, knowledge. Python
Re:the right to have an insecure-but-harmless syst on MAPS vs. ORBS · Score: 2
Straw man argument. The Internet is not a neighborhood, it's a collection of systems whose security posture DOES affect every other system's security posture. Witness Distributed DoS attacks for a good example.
Open relays are bad bad bad bad bad bad. There is no reason to run an open relay except out of laziness. SASL, POP before SMTP, authenticated SMTP, libwrap and lots of other methods exist, for free, to secure a relay and yet still make it possible for authorized personnel to use them.
We already tried the "Gee... let's just let everyone run their MTAs any way they want" and it didn't work - we got spam. Then we tried asking please and that didn't work. Then we tried lists of known spam sources, and that didn't work. Then someone got the bright idea to scan for open relays so we could block them *before* the spammers started using them. It works wonderfully. Then someone got the bright idea to create a list of dial up users and that has worked out delightfully well too. Thanks to RBL, ORBS, DULS and other black lists we've managed to almost entirely wipe out our spam problem.
If you want to run an open relay, be my guest - it's your business to run your box any way you want. But I do not have to accept traffic from your relay just as no one is stopping anyone from blocking ORBS *to their systems*. No one is being forced to use ORBS either. But more to the point, sending e-mail to a box is NOT jiggling its doorknob. No one is trying to break into the open relay. They're just testing to see if it accepts mail to certain destinations and then making note of that. And intent MATTERS.
Using your example, what if the police came around, checked the door on my house, found it open and then told me about it so I could lock it? I would call that a VALUABLE service. If my neighbor did the same thing, I would also call that a VALUABLE service. Still, the internet is not a collection of houses. It's a collection of interconnected machines whose security posture is interdependently related to the security posture of the systems around it. Spam is possible because MTAs accept messages as part of a wholly untrusted model. Open relays contribute to this problem by making it possible for spammers to relay their junk thru insecure servers, which directly affects the systems which are secure. Blacklists help mitigate this problem, but a wholly reactive approach like the RBL only catches a fraction of the traffic. Proactive measures, like finding misconfigured and poorly managed relays - and dial up host lists - can prevent future spam from being accepted BEFORE the damage can be done.
Intent and perspective make all the difference in this. ORBS provides a valuable and useful service. If you don't want ORBS sending your MTA an e-mail message, then block traffic from ORBS. Better yet, if you run an open relay - close it and help make spam go away. -- Python
Not if the box is crashing because it doesn't implement an RFC correctly and the bug that is crashing it is really really stupid - and the intent of the person crashing it is to not crash it. I'm positive that Alan is not trying to crash your friend's box. It sounds to me like an honest accident, caused by poorly written software that doesn't implement the RFC correctly.
That is NOT net abuse and I wish people would stop overusing this term. There is real net abuse and this is not it. An MTA that can not handle RFC compliant headers and is crashing because of it is not experiencing net abuse - it's just buggy software that needs to be fixed. -- Python
Anyway, he doesn't "fix" the server because, except in terms of *ONE* person doing *ONE* thing, it *isn't broken*. It runs. It doesn't relay mail. It doesn't crash unless ORBS probes it. It doesn't open anyone up to any kind of security problems.
Except this person you know, because someone else could crash it and as someone else pointed out that with code that potentially sloppy, it's probably got other problems (buffer overruns, etc) too. Having been probed by ORBS myself, and having personally written the MTA code to make smap not vulnerable to relay attacks as ORBS found that the venerable smap had in it, I have very little empathy for your friend. I understand and agree with his frustration, but I also know for a fact that ORBS is not doing anything that violates RFCs or should crash an MTA that can handle standard RFC compliant headers. In fact, this is the first time I've heard of an MTA crashing from a relay probe.
In a former life, I wrote the code for NetSonar (Cisco's vulnerability scanner) that looks for relay vulnerabilities in MTAs and in all the vendor products we tested (granted, there are bound to be products we couldn't test) I never saw an MTA crash from a relay probe. Your friend's MTA sounds really fubared to me. At the very least, it should motivate him or her to get it fixed. If a relay probe is crashing it, that MTA has other problems IMHO.
If someone found a bug in your system, and you couldn't easily fix it, would you agree that it was reasonable for your system to be taken down every so often, every time some guy wanted to take it down, and the guy is not only *allowed* to do this, but *encouraged*, because Slashdot readers unanimously agree that, if your server can be crashed, it's your own fault for running a crappy server?
No. If my server had that sort of a problem I would fix it or try to find something that works better. Nothing is perfect, but if a solution exists to solve the problem (eliminate the bug) I will take that any day over complaining about the problem or hoping whatever is causing it will go away - especially if I have no control over what is causing it like your friend. No offense to this person you know, but I still don't understand why someone wouldn't fix that part of the problem they have direct control over. Perhaps it's the engineer in me, but that's always the first thing I start with. I prefer the solution I can make happen now, rather than having to rely on someone else to either do something for me or to stop doing something. Again, keep in mind that when ORBS found problems in my MTA I personally wrote the code to fix it. So my perspective is a tad biased in that I have the capability to fix the problem myself and I am inclined to solve problems technologically, when possible, rather than rely on someone else's actions or inactions to solve it for me.
DOS is DOS. It doesn't matter if the guys doing it claim to have white hats.
No, intent matters. When I was being paid to break into a large corporation *by that large corporation*, I was using strobe (no nmap in those days) to find open ports on a class B network. A simple three way handshake downed ALL of that company's RAS servers. A feature of those RAS servers was that each modem was bound to its own port (2000 and up) so an administrator could access each modem remotely via telnet. Neat feature... BUT... the vendor didn't design the telnet daemon well. If you opened the socket with TWH, and then tore it down (like a connect() scan does) the daemon should have released the port back to the modem - because the session was gone. That's RFC compliant behavior. The vendor however did not design it that way, and all the modems got locked out because the modems were waiting for input from the telnet daemon - which was listening to a dead session that had been torn down. A stupid bug to be sure - and it DID deny service to that corporation. Was that a DOS? Technically yes, but it wasn't intended to be a DoS, nor should that RAS server have acted that way. The RAS server was BROKEN. There was no excuse for it to act that way and the vendor eventually fixed it.
So, my point is that intent matters. ORBS is, I'm sure, not trying to DoS your friend's system. And, it sounds like your friend's system is very very broken. It needs to be fixed, because what ORBS is probably doing - and from past experience does - should not crash an MTA. ORBS could stop. They do not have to test this system. The only argument they have for testing it is the belief that it could somehow magically turn into an open relay. It's not an open relay. It won't be. In fact, the most likely outcome of their behavior is that the MTA will be replaced - and the result might be open. If they leave him alone, everything is fine. Only one problem with that: Alan can't accept a world where he can't fuck with anyone he wants, any time he wants. If you like this, I only hope you have the honesty to still stand up for it when it's your box being crashed by some asshole with a net-abuse-friendly provider. -- Python
I still don't understand why your friend doesn't just fix his server so that it doesn't crash. That is certainly a more effective and final solution to his or her problem with ORBS, than trying to get ORBS to stop. What if it were some attacker having fun with your friend's server and watching it go down all the time?
Regardless, your friend has total control over fixing his or her server and therefore would mitigate their problem immediately and finally. It's obvious your friend's server has a serious problem, independent of ORBS, in that anyone could crash it. So again, given that the solution, fixing the server, is obvious, simple and within your friend's grasp, why would your friend continue to operate otherwise? -- Python
Napster is not publicly traded and does not have stockholders to answer to. If they did, this saga would have ended a long, long time before they had multiple, concurrent lawsuits piling up.
They are not publicly traded but they do have stockholders to answer to. Napster is a privately held company, with private stock holders (several in fact), not the least of which is a large VC (Hummer Winblad) that is chaired by a lawyer that used to work for the record industry. Does this mean Napster will settle with the RIAA? Possibly, given that Napster is a business, it has no revenue model presently and its shareholders, the people that pay Napster's bills, are going to demand, if they haven't already, that Napster start making some money - so they can get a return on their investment. Now, given that Napster's largest investor is a VC with connections to the record industry it stands to reason that Napster will try to work out some amicable arrangement with the labels (RIAA). It's anyone's guess if it will happen. mp3.com settled for a very similar reason: It's good for business.
So, make no mistake, Napster is a business first and last. It's not an open source project. It's not a revolution. It's a business. Napster's marketing people can say what they want. They can claim they are a revolution. They can say they are here to save the world, or whatever they want you to hear. But ultimately at the end of the day, they have to pay their employees and answer to their shareholders just like any other business.
They have no revenue stream presently so they are absolutely at the mercy of their investors (also referred to as stock holders... that's what investors buy, stock in a privately held company) or they won't get any more money from those investors. They have to do something, settle, create a new model or something to make money, or they will simply go out of business. Keep in mind that even if Napster wins their lawsuit, they have to change something about their current model because they can't make any money at all doing what they are doing now. No business can survive without revenue.
Again with your "anti-trust" rant we see that you have little to no factual knowledge of the subject matter about which you are writing. The Big 5 record labels that are RIAA have existed for half a century without government prodding - and that harkens back to the 50s and 60s when there were literally no indie labels to speak of and they owned every avenue to distribute and publicize music available. If anything, the climate has gotten more competitive over the years, not less.
Actually, all the major labels were recently found to be engaging in illegal price fixing of CDs. Hardly a competitive climate when your so called competitors agree not to undercut your prices and instead illegally collude to keep prices at an artificially high level. Competition exists in markets without price fixing. The CD market was hardly competitive by anyone's measure. -- Python
No, actually it does. The law states that software is in its own little universe now. It's not subject to any common sense restrictions like any other product. And that's wrong. But it explains why EULAs read as they do.
It's also kind of like the tragedy of the commons in some ways. All the other companies are doing it. It's giving them a competitive edge so it forces other companies to do likewise. And it's also turning into an arms race as all these companies add clause after clause into their products to protect themselves and to gain leverage against other companies they compete or do business with. I hate to use a cliche here, but the bottom line is the bottom line. It's business. The only way to stop it, IMO, is to legislate, and by that I mean to undo the damage that is the UCITA and all the other stupid laws and decisions that have made software into this protected class of goods.
The issues at stake here are that none of these clauses are illegal and the whole concept of software as a protected class of goods has somehow been accepted in the vernacular of IP attorneys as a "pretty darn good idea!" It goes back to my point, all of the EULAs are written by and for other lawyers based on bad laws. What do you expect? The engineers had no say in this law. The consumers had no say in this law. It's all attorneys and REALLY big software companies that drove this, like AOL which happens to be headquartered in the first state to enact the UCITA: Virginia. It's like a nuclear arms race at this point. The new laws make all these clauses binding and legal, and the wacky new EULAs are driving each other to create more and more clauses to protect the interests of the company that produced that piece of software. The UCITA and other laws were not written to put the consumer first but rather to put business first and not to even consider what it might do to the consumers.
The solution is to change the law. Until that happens, you can complain all you want about EULAs, but they're just going to get worse. Maybe if you're lucky you might be able to shame a company into changing their EULA, but don't count on it. Since there is no law against them, they're perfectly legal and perfectly binding. And that's the problem. -- Python
This will probably not be a very popular opinion here, and before I spell out my opinion on why EULAs are as draconian as they are, and why you can expect them to stay that way for a LONG time I need to say this first: I do not like the UCITA. I think it's a terrible law and I personally do not like most, if not all of the EULAs out there.
OK, with that disclaimer out of the way, here goes. EULAs are not written with the specific intent to harm the consumer or certainly to upset the end user. EULAs exist to protect companies' intellectual property from other companies. Companies do steal technology and ideas from each other. Yes, I said steal. It's a cutthroat world these days and some people will resort to any measures they can to get an edge. To a much smaller extent, some provisions in a EULA exist to protect those same companies from the incredibly litigious world we live in now, and the never ending stream of ridiculous lawsuits that customers bring against companies (i.e., the McDonald's coffee case and others). It's a sign of the times basically.
Even the GPL contains provisions (the no warranty clause) that are there to protect the authors of the software from end users. Now, some EULAs contain clauses which are downright absurd, but you have to look at the intent behind these clauses and who it is that is writing them: LAWYERS!
It's a catch-22 situation (much like the awful situation with patents) where you need powerful laws and ridiculously strong EULAs to fight back against the equally powerful lawyers out there to protect a company's hard work. Personally, I think a lot of the problems would be solved if all companies were required by law to open source all their software. That way, the issue of stealing code from one company would be mitigated because you could not keep it a secret any more. It would also make it easier to determine if a patent is really unique (peer review) and if the reverse engineering methods used were truly legit. It would also be better for consumers and business because you could make your software work with other software more easily.
In short, the whole situation, like patents, is feeding on itself and the only solution is not to expect companies to make their EULAs more friendly to end users, but to get the laws rewritten so many of the clauses in EULAs are illegal and to do something truly revolutionary, like make open sourcing a legal requirement for ALL software, if you want to see any real change.
Until something dramatic happens, expect the laws to get worse and worse and the EULAs to get more and more draconian. -- Python
This little missive from his speech just burns me up:
Anonymity must not be equated with privacy. As citizens, we have a right to privacy. We have no such right to anonymity.
I simply cannot believe the depths to which some people will lie. Perhaps Seagrams is just ignorant of this, but as a US Citizen you do have a right to be anonymous. To speak anonymously, to buy things anonymously and yes, to even walk around, all day if you want, with a ski mask on to remain anonymous. You do have a right to anonymity. My guess is that Seagrams is saying this as part of a larger straw man argument to equate anonymity with criminal activity and hence to be able to dismiss it out of hand. Whatever the case, Edgar Bronfman, Jr., is totally and completely wrong. However, it's this kind of thinking that is not only incorrect but it's dangerous for us as citizens to dismiss his argument out of hand. A lot of people think this way, and a lot of those people, like Mr. Bronfman, have tremendous power to change the laws so that anonymity can be restricted and to try and take that right away.
Here are some references to back my assertions on anonymity:
Actually, gun violence has been steadily declining for over 10 years. Most gun violence, over 85%, is felon on felon gun violence. That is, previously convicted felons shooting other previously convicted felons.
So the lion's share of gun crime is being conducted by, and perpetrated against criminals. Hardly a terrible swath of violence aimed at innocents. Furthermore, millions of crimes are prevented every year by lawful gun owners in the USA. -- Python
Actually, aside from this post, I can indeed say that I was totally and completely unaffected. So you are wrong, a Linux user can say in all truthfulness that they were, are and continue to be totally, absolutely and smugly unaffected by this virus. -- Python
Well, at least you didn't gross people out with the recipe for the chocolate "field pudding" from the hot chocolate mix, creamer, sugar, and water.....
Yeah... we wouldn't want to do anything that would make that fighting force effective or anything. Let's just make it fun and let people do whatever they want in the military! To hell with following orders or doing any of that corrupt military "stuff". Let's hang out and talk the enemy out of killing us.
Bah... such nonsense. You don't know how lucky you are to have people with common sense running the military. It's all fine and dandy to talk about how great it would be if the military weren't so... well, militaristic, but then the military wouldn't be able to fight wars and do the things we pay them to do now would they?
Use your head here. War is about closing with the enemy and destroying him (or her) thru shock force, fire and maneuver. All of that requires absolute and complete order and discipline, and you don't get that with some cool, democratic mob. -- Python
I am a big Dune fan, and have read all the Dune books, so before anyone lays in on me to try and defend the mini-series, understand this: I know it could not be perfect, I did not expect perfection or even an absolute adherence to the book. I'm simply not that kind of fan. I really enjoyed the Director's cut of the original Dune movie (didn't think the theatrical release told the story well enough).
So, with that in mind, what I expected was a good telling of a great story, at the very least. After all, they had plenty of time to build the story up. Instead, I got a bad telling, by poorly cast actors, directed by someone who barely seemed to understand how to tell a story in an even mildly interesting way. Frankly, unless you've read the book, I don't see how the mini-series could be even remotely interesting. It's almost as if the director worked long and hard to suck the life out of every scene in the series.
To say I was seriously disappointed with the series is an understatement. If I did not know what Dune was I would have changed the channel. And before anyone starts trying to defend it, I was not expecting perfection. I was expecting something dramatic - in the artistic sense. This adaption of Dune was almost lifeless!
I mean the final battle scene was so anti-climactic I half jokingly asked, "what just happened"? And the final climax with Paul killing Feyd was also a yawner. Talk about sucking the life out of a fantastic story with poor casting, a lack of creative cinematography to capture the grandeur of the Dune universe (although the space scenes were fairly impressive), weak CGI effects that caused my friends and I to heckle the scenes with an MST3Kish "fakey!" (you know, there is such a thing as filming someone besides a sound stage), lame costumes that looked totally out of place and so on.
I could go on and on, but at least the Director's cut of the original Dune movie, while imperfect and incomplete, was far truer to the heart and soul of the Dune story than this miniseries was. It had something the mini-series totally lacked: suspense. I'm not sure how the director of the mini-series pulled it off, but he managed to turn every suspenseful or climactic part of the story into a boring overacted use of bad actors in totally inappropriate costumes (come on, what was with all the Japanese costumes!).
Frankly, as bad things go, the Mini-series ranks up there in the top ten. If MST were still being made, I could look forward to it being heckled and given a proper burial. Perhaps the South Park guys will give this stinker the ribbing it richly deserves.
Python
In short, so what. This is Sun FUD. Sun is clearly afraid of Linux and this is the best response they can come up with. Pathetic. Frame the argument in their own terms, and hope that everyone takes the bait and wants to argue the point about why Linux won't end up being fragmented.
Python
That's why the SDMI goons are using watermarks. They're trying to hide your identity in the music file so if you give the song away, they can nail you. Aside from the obvious problem that all of the watermarking schemes were totally defeated, defeating the ability of the RIAA to track down the person that is distributing it, there is also the "so what?" problem. Simply explained it boils down to the fact that watermarks prove nothing.
Even if the watermark is intact, the information contained in it is not trusted for a whole host of reasons. If the watermark is trivial to forge, then it proves nothing. If the watermark can be overwritten with another watermark, it proves nothing. If the watermark isn't using a digital signature, validating its authenticity, it proves nothing. If the implementation of the signature scheme is flawed in any way (i.e. it can be forged), it proves nothing. If the keys are ever stolen (if the watermarking scheme is even using watermarks!), the watermarks prove nothing. The list goes on and on, but the bottom line here is that there are serious serious technical problems with watermarking. But it gets worse for the SDMI folks!
Even if the watermark survives all the technical and implementation attacks against it, it still doesn't prove anything. There is no trust in the model to absolutely verify the identity of the person that bought the music, short of a police state. What if your credit card was stolen to buy the music online? What if the person buying the music, in person, has a fake ID with your name and address on it? Furthermore, what's to say the song wasn't stolen? That your box wasn't broken into and so on. Or, what if you bought the song and gave it to someone as a gift? The list goes on. The bottom line here is that it's circumstantial evidence at best.
What the SDMI folks are trying to create is a false sense of security in their constituency. And frankly, I think SDMI is rapidly becoming a set of technologies in search of a problem to solve. SDMI simply does not do what its creators claim it does, and the SDMI folks are too embarrassed to admit that they have wasted millions of dollars of the constituency's money pursuing a ridiculously flawed idea.
--
Python
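The forgery, overwrite and key-theft cases listed in the comment above, as an added example that is not part of the original comment and is not any SDMI scheme: a toy least-significant-bit mark over constructed sample bytes, read back with and without a keyed tag. The payload layout, key, buyer IDs and function names are assumptions, and HMAC from the standard library stands in for the digital signature the comment mentions.

```python
import hashlib
import hmac

TAG_LEN = 8  # bytes of truncated HMAC-SHA256 kept in the mark (assumed toy format)


def embed(samples: bytes, payload: bytes) -> bytes:
    """Overwrite the least significant bit of each sample byte with payload bits."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("carrier too short for payload")
    marked = bytearray(samples)
    for pos, bit in enumerate(bits):
        marked[pos] = (marked[pos] & 0xFE) | bit
    return bytes(marked)


def extract(samples: bytes, nbytes: int) -> bytes:
    """Read nbytes of payload back out of the sample LSBs."""
    out = bytearray()
    for index in range(nbytes):
        value = 0
        for sample in samples[index * 8:(index + 1) * 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)


def tagged_payload(key: bytes, buyer_id: bytes) -> bytes:
    """Buyer ID followed by a keyed tag computed over it."""
    return buyer_id + hmac.new(key, buyer_id, hashlib.sha256).digest()[:TAG_LEN]


def read_mark(key: bytes, samples: bytes, id_len: int):
    """Return (buyer_id, tag_is_valid) for a marked carrier."""
    payload = extract(samples, id_len + TAG_LEN)
    buyer_id, tag = payload[:id_len], payload[id_len:]
    expected = hmac.new(key, buyer_id, hashlib.sha256).digest()[:TAG_LEN]
    return buyer_id, hmac.compare_digest(tag, expected)


def demo():
    carrier = bytes((i * 37) % 256 for i in range(256))  # constructed "audio" samples
    vendor_key = b"constructed-vendor-key"               # constructed key
    results = {}

    # 1. Unauthenticated mark: anyone holding the file can replace the ID,
    #    and the reader cannot tell the replacement from the original.
    plain = embed(carrier, b"BUYER-01")
    overwritten = embed(plain, b"BUYER-02")
    results["plain_reads"] = extract(overwritten, 8)

    # 2. Tagged mark: a replaced ID no longer matches the tag left behind.
    signed = embed(carrier, tagged_payload(vendor_key, b"BUYER-01"))
    results["genuine"] = read_mark(vendor_key, signed, 8)
    tampered = embed(signed, b"BUYER-02")
    results["tampered"] = read_mark(vendor_key, tampered, 8)

    # 3. Key disclosure: a mark produced with the leaked key verifies exactly
    #    like a genuine one, so a valid tag then says nothing about who made it.
    forged = embed(carrier, tagged_payload(vendor_key, b"BUYER-02"))
    results["forged_with_key"] = read_mark(vendor_key, forged, 8)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Even the tagged mark only shows that the vendor's key produced it; it says nothing about who paid for the file or who copied it, which is the comment's second objection.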
Things have gotten out of hand and the BSA's behavior is a symptom, IMHO, of how out of whack copyright and other IP laws are.
Python
Actually, this is an excellent case for ensuring that all your employees ONLY use open source software, or worst case, if you have to use licensed software, that you not allow employees to install whatever they want on their systems. Otherwise, the company may end up having to pay for 100 copies of Quake3 that the developers installed on their workstations, amongst other things. It sucks, but hey, this is what happens when you have organizations like the BSA around. Don't these guys realize this just further strengthens the case for only using free software?
Frankly, I would just ensure that my operation was only using free software, and not do business with companies that support these jack-booted thug like tactics of the BSA. I don't care what their argument is, you simply do not play cop with your customers. It's BAD for business. As a business owner and a customer, I simply would not, and will not, stand for this sort of nonsense and we would never shake our customers down like this - if we ever wanted to do business with them again.
From now on, we're going to ask our vendors if they are part of the BSA and insist that if they are, that they sign a contract with us that precludes them from disrupting our operations with this sort of nonsense. And if they won't sign it, then we're taking our business elsewhere. I suggest others do the same. I intimately understand what is behind the BSA's arguments, but their methods are unacceptable IMHO.
In all my years with many software and hardware companies, we never had to resort to these scare tactics, or worse yet calling in the feds on our customers. We simply did business with companies that were willing to pay for our software, and we didn't worry about the ones that didn't. What company in their right mind would want to use software from Vendor X in the future if they had been treated like this?
Python
http://www.xenu.net
http://www.lisatrust.net/
Python
A couple of issues to respond to. Every ZKS server is not on a Carnivore monitored network nor are they in the US or Canada or even run by companies in many cases. Many ZKS servers are run by private individuals, with no legal obligation to support Carnivore (under current law). So, it does not follow that all ZKS servers are or could be Carnivore monitored. Additionally, reply blocks in the ZKS network *do* allow for latency time, so traffic analysis is not as straightforward as you might think. It still needs cover traffic and remixing, but it's not as simple to defeat the model as you make it out to be.
Regardless, presenting an array of options to the end user is much better than just shoving the highest security solution at them. High security remailing is complicated and requires the users to understand how to use the remailer network in a secure manner. Which includes dummy (cover traffic) messages, remixing, long chains, rotating reply blocks and so on. ZKS is easy to use, setting up nyms to do re-mix is not a simple matter for most users.
Presenting the various options, in a limited Slashdot posting, gives the user the option of finding out more and educating themselves. The post was not intended as a complex lesson on the pros and cons of the various technologies available for protecting your anonymity.
Python
1) E-mail
Set up a nym account with one or more of various nym servers out there:
nym.alias.net
redneck.gacracker.org
OR, you can get a paid for nym account with ZKS:
ZKS Freedom Net (They are taking applicants to beta test their Linux port now)
This takes care of having an anonymous bi-directional e-mail account that people can contact you through and will be secure from the attacks of a determined foe (be sure to change your reply blocks often though).
2) Publish the code somewhere publicly available, like the web or Usenet.
The next problem is distributing your code. What you need is a means to publish the code anonymously.
Web
To contact sites like sourceforge anonymously, which provide you with a nice mechanism for releasing the code and storing it somewhere, you need a web anonymizer or an anonymous routing scheme like ZKS.
Several solutions exist to do this. In order of highest security:
ZKS Freedom Net
CROWDS
Anonymizer
Usenet:
Usenet is a means of publishing your code that is even more resistant to censorship attacks than publishing the code on a website:
mail2news gateways. These allow you to post an e-mail message to Usenet, preferably after you have anonymized it thru several remailers. Posting to Usenet is an EXCELLENT mechanism for getting past the most determined censor. As long as you don't start spamming your distribution, and thereby driving your BI up, you can be pretty sure that your post will not get robo-canceled. If you want to be really fancy, you can encrypt the message, publish the password in another forum, and then post the conventionally encrypted message to alt.anonymous.messages. This will defeat efforts to automatically find your post on Usenet and then issue a third party cancel for it.
Here is a list of known mail2news gateways:
mail2news AT nym.alias.net
mail2news AT zedz.net
mail2news AT mixmaster.shinn.net
Send a message to one of the above e-mail addresses with "help" in the subject for instructions on how to use the gateways.
Python
Actually, there is, and I haven't had to practice economics in almost 10 years, so please pardon the mental dust. It's called "input costs". Knowledge is an input in the manufacturing process, just like raw materials are. Generally it's characterized as an externality, but it is an input cost that affects labor costs and makes things more expensive - so there is a capitalist argument to make right there. No capitalist wants to pay more if they don't have to, so the issue of rising costs is something that makes perfect sense to capitalists. :-)
To me, what this company is doing is creating an artificial shortage of a product, knowledge.
Python
Open relays are bad bad bad bad bad bad. There is no reason to run an open relay except out of laziness. SASL, POP before SMTP, authenticated SMTP, libwrap and lots of other methods exist, for free, to secure a relay and yet still make it possible for authorized personnel to use them.
We already tried the "Gee... let's just let everyone run their MTAs any way they want" and it didn't work - we got spam. Then we tried asking please and that didn't work. Then we tried lists of known spam sources, and that didn't work. Then someone got the bright idea to scan for open relays so we could block them *before* the spammers started using them. It works wonderfully. Then someone got the bright idea to create a list of dial up users and that has worked out delightfully well too. Thanks to RBL, ORBS, DULS and other black lists we've managed to almost entirely wipe out our spam problem.
If you want to run an open relay, be my guest - it's your business to run your box any way you want. But I do not have to accept traffic from your relay just as no one is stopping anyone from blocking ORBS *to their systems*. No one is being forced to use ORBS either. But more to the point, sending e-mail to a box is NOT jiggling its door knob. No one is trying to break into the open relay. They're just testing to see if it accepts mail to certain destinations and then making note of that. And intent MATTERS.
Using your example, what if the police came around, checked the door on my house, found it open and then told me about it so I could lock it. I would call that a VALUABLE service. If my neighbor did the same thing, I would also call that a VALUABLE service. Still, the internet is not a collection of houses. It's a collection of interconnected machines whose security posture is interdependently related to the security posture of the systems around it. Spam is possible because MTAs accept messages as part of a wholly untrusted model. Open relays contribute to this problem by making it possible for spammers to relay their junk thru insecure servers, which directly affects the systems which are secure. Blacklists help mitigate this problem, but a wholly reactive approach like the RBL only catches a fraction of the traffic. Proactive measures, like finding misconfigured and poorly managed relays - and dial up host lists - can prevent future spam from being accepted BEFORE the damage can be done.
Intent and perspective make all the difference in this. ORBS provides a valuable and useful service. If you don't want ORBS sending your MTA an e-mail message, then block traffic from ORBS. Better yet, if you run an open relay - close it and help make spam go away.
--
Python
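What "securing a relay while still letting authorized people use it" comes down to at RCPT time, as an added example that is not part of the original comment and is not code from any particular MTA: a per-recipient relay decision run over constructed delivery attempts, next to the accept-everything behaviour of an open relay. The domain, networks, reply strings and names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site policy: domains this host accepts mail for, and the
# networks it is willing to relay for without authentication.
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class RcptAttempt:
    client_ip: str
    authenticated: bool  # True once the client has completed SMTP AUTH
    rcpt_to: str


def final_domain(rcpt_to):
    """Return the lower-cased domain of a plain user@domain recipient.

    Returns None for any form that asks this host to route the message on
    to a second hop (for example RFC 822 source routes), so that such a
    recipient is never mistaken for a local one. This strict parser also
    refuses quoted local parts containing those characters.
    """
    addr = rcpt_to.strip().strip("<>")
    if addr.startswith("@") or "%" in addr or "!" in addr:
        return None
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")


def open_relay_decision(attempt):
    """The misconfiguration: every recipient from every client is accepted."""
    return "250 ok"


def relay_decision(attempt):
    """Accept local recipients from anyone, remote ones only from known clients."""
    domain = final_domain(attempt.rcpt_to)
    if domain is None:
        return "553 address form not accepted"
    if domain in LOCAL_DOMAINS:
        return "250 ok (local delivery)"
    client = ipaddress.ip_address(attempt.client_ip)
    if attempt.authenticated or any(client in net for net in TRUSTED_NETS):
        return "250 ok (relay for authorized client)"
    return "550 relaying denied"


# Constructed attempts: (client address, authenticated?, recipient).
SAMPLE_ATTEMPTS = [
    RcptAttempt("203.0.113.9", False, "bob@example.org"),
    RcptAttempt("203.0.113.9", False, "someone@elsewhere.example"),
    RcptAttempt("203.0.113.9", True, "someone@elsewhere.example"),
    RcptAttempt("192.0.2.15", False, "someone@elsewhere.example"),
    RcptAttempt("203.0.113.9", False, "someone%elsewhere.example@example.org"),
    RcptAttempt("203.0.113.9", False, "<BOB@Example.ORG.>"),
]


def evaluate(decide):
    """Run one policy over all sample attempts and return the replies."""
    return [decide(attempt) for attempt in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt, reply in zip(SAMPLE_ATTEMPTS, evaluate(relay_decision)):
        print(f"{attempt.client_ip:<13} auth={attempt.authenticated!s:<5} "
              f"{attempt.rcpt_to:<40} -> {reply}")
```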
That is NOT net abuse and I wish people would stop overusing this term. There is real net abuse and this is not it. An MTA that can not handle RFC compliant headers and is crashing because of it is not experiencing net abuse - it's just buggy software that needs to be fixed.
--
Python
Except this person you know, because someone else could crash it and as someone else pointed out that with code that potentially sloppy, it's probably got other problems (buffer overruns, etc) too. Having been probed by ORBS myself, and having personally written the MTA code to make smap not vulnerable to relay attacks as ORBS found that the venerable smap had in it, I have very little empathy for your friend. I understand and agree with his frustration, but I also know for a fact that ORBS is not doing anything that violates RFCs or should crash an MTA that can handle standard RFC compliant headers. In fact, this is the first time I've heard of an MTA crashing from a relay probe.
In a former life, I wrote the code for NetSonar (Cisco's vulnerability scanner) that looks for relay vulnerabilities in MTAs and in all the vendor products we tested (granted, there are bound to be products we couldn't test) I never saw an MTA crash from a relay probe. Your friend's MTA sounds really fubared to me. At the very least, it should motivate him or her to get it fixed. If a relay probe is crashing it, that MTA has other problems IMHO.
If someone found a bug in your system, and you couldn't easily fix it, would you agree that it was reasonable for your system to be taken down every so often, every time some guy wanted to take it down, and the guy is not only *allowed* to do this, but *encouraged*, because Slashdot readers unanimously agree that, if your server can be crashed, it's your own fault for running a crappy server?
No. If my server had that sort of a problem I would fix it or try to find something that works better. Nothing is perfect, but if a solution exists to solve the problem (eliminate the bug) I will take that any day over complaining about the problem or hoping whatever is causing it will go away - especially if I have no control over what is causing it like your friend. No offense to this person you know, but I still don't understand why someone wouldn't fix that part of the problem they have direct control over. Perhaps it's the engineer in me, but that's always the first thing I start with. I prefer the solution I can make happen now, rather than having to rely on someone else to either do something for me or to stop doing something. Again, keep in mind that when ORBS found problems in my MTA I personally wrote the code to fix it. So my perspective is a tad biased in that I have the capability to fix the problem myself and I am inclined to solve problems technologically, when possible, rather than rely on someone else's actions or inactions to solve it for me.
DOS is DOS. It doesn't matter if the guys doing it claim to have white hats.
No, intent matters. When I was being paid to break into a large corporation *by that large corporation*, I was using strobe (no nmap in those days) to find open ports on a class B network. A simple three way handshake downed ALL of that company's RAS servers. A feature of those RAS servers was that each modem was bound to its own port (2000 and up) so an administrator could access each modem remotely via telnet. Neat feature... BUT... the vendor didn't design the telnet daemon well. If you opened the socket with TWH, and then tore it down (like a connect() scan does) the daemon should have released the port back to the modem - because the session was gone. That's RFC compliant behavior. The vendor however did not design it that way, and all the modems got locked out because the modems were waiting for input from the telnet daemon - which was listening to a dead session that had been torn down. A stupid bug to be sure - and it DID deny service to that corporation. Was that a DOS? Technically yes, but it wasn't intended to be a DoS, nor should that RAS server have acted that way. The RAS server was BROKEN. There was no excuse for it to act that way and the vendor eventually fixed it.
So, my point is that intent matters. ORBS is, I'm sure, not trying to DoS your friend's system. And, it sounds like your friend's system is very very broken. It needs to be fixed, because what ORBS is probably doing - and from past experience does - should not crash an MTA.
ORBS could stop. They do not have to test this system. The only argument they have for testing it is the belief that it could somehow magically turn into an open relay. It's not an open relay. It won't be. In fact, the most likely outcome of their behavior is that the MTA will be replaced - and the result might be open. If they leave him alone, everything is fine. Only one problem with that: Alan can't accept a world where he can't fuck with anyone he wants, any time he wants. If you like this, I only hope you have the honesty to still stand up for it when it's your box being crashed by some asshole with a net-abuse-friendly provider.
--
Python
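The RAS failure described in the comment above, as an added example that is not part of the original comment and is not the vendor's code: a per-modem session handler that keeps the line held after the peer has torn the connection down, beside one that releases it on end-of-stream, error or idle timeout. The class, function names and timeout are assumptions, and a local socket pair stands in for the telnet connection.

```python
import socket

IDLE_TIMEOUT = 30.0  # seconds without input before a session is dropped (assumed)


class ModemLine:
    """One dial-in modem reachable through its own management port (constructed)."""

    def __init__(self, name):
        self.name = name
        self.held = False  # True while a management session owns the modem


def read_command(conn):
    """Return the next chunk of input, or None once the peer has closed."""
    data = conn.recv(1024)
    return data if data else None  # recv() returning b"" means the peer is gone


def broken_session(conn, line, max_polls=3):
    """Behaviour the comment describes: end-of-stream is not end-of-session."""
    line.held = True
    for _ in range(max_polls):  # bounded here; the real daemon waited indefinitely
        command = read_command(conn)
        if command is not None and command.strip() == b"logout":
            line.held = False
            return
    # Falls through with the modem still held by a session that no longer exists.


def fixed_session(conn, line):
    """Release the modem however the session ends."""
    line.held = True
    conn.settimeout(IDLE_TIMEOUT)  # covers peers that vanish without closing
    try:
        while True:
            command = read_command(conn)
            if command is None or command.strip() == b"logout":
                return
    except OSError:  # reset by peer or idle timeout
        return
    finally:
        line.held = False
        conn.close()


def connect_then_close(handler):
    """Open a session and tear it down without sending a byte, as a connect()
    scan does. Returns True if the modem is still held afterwards."""
    line = ModemLine("modem-01")
    server_side, client_side = socket.socketpair()
    client_side.close()
    handler(server_side, line)
    server_side.close()
    return line.held


def admin_logout(handler):
    """A normal session that ends with an explicit logout."""
    line = ModemLine("modem-02")
    server_side, client_side = socket.socketpair()
    client_side.sendall(b"logout\r\n")
    handler(server_side, line)
    client_side.close()
    server_side.close()
    return line.held


if __name__ == "__main__":
    print("broken handler, connect+close, still held:", connect_then_close(broken_session))
    print("fixed handler,  connect+close, still held:", connect_then_close(fixed_session))
```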
Regardless, your friend has total control over fixing his or her server and therefore would mitigate their problem immediately and finally. It's obvious your friend's server has a serious problem, independent of ORBS, in that anyone could crash it. So again, given that the solution, fixing the server, is obvious, simple and within your friend's grasp, why would your friend continue to operate otherwise?
--
Python
They are not publicly traded but they do have stockholders to answer to. Napster is a privately held company, with private stock holders (several in fact), not the least of which is a large VC (Hummer Winblad) that is Chaired by a lawyer that used to work for the record industry. Does this mean Napster will settle with the RIAA? Possibly, given that Napster is a business, it has no revenue model presently and its shareholders, the people that pay Napster's bills are going to demand, if they haven't already that Napster start making some money - so they can get a return on their investment. Now, given that Napster's largest investor is a VC with connections to the record industry it stands to reason that Napster will try to work out some amicable arrangement with the labels (RIAA). It's anyone's guess if it will happen. mp3.com settled for a very similar reason: It's good for business.
So, make no mistake, Napster is a business first and last. It's not an open source project. It's not a revolution. It's a business. Napster's marketing people can say what they want. They can claim they are a revolution. They can say they are here to save the world, or whatever they want you to hear. But ultimately at the end of the day, they have to pay their employees and answer to their shareholders just like any other business.
They have no revenue stream presently so they are absolutely at the mercy of their investors (also referred to as stock holders... that's what investors buy, stock in a privately held company) or they won't get any more money from those investors. They have to do something, settle, create a new model or something to make money, or they will simply go out of business. Keep in mind that even if Napster wins their lawsuit, they have to change something about their current model because they can't make any money at all doing what they are doing now. No business can survive without revenue.
Again with your "anti-trust" rant we see that you have little to no factual knowledge of the subject matter about which you are writing. The Big 5 record labels that are RIAA have existed for half a century without government prodding - and that harkens back to the 50s and 60s when there were literally no indie labels to speak of and they owned every avenue to distribute and publicize music available. If anything, the climate has gotten more competitive over the years, not less.
Actually, all the major labels were recently found to be engaging in illegal price fixing of CDs. Hardly a competitive climate when your so called competitors agree not to undercut your prices and instead illegally collude to keep prices at an artificially high level. Competition exists in markets without price fixing. The CD market was hardly competitive by anyone's measure.
--
Python
It's also kind of like the tragedy of the commons in some ways. All the other companies are doing it. It's giving them a competitive edge so it forces other companies to do likewise. And it's also turning into an arms race as all these companies add clause after clause into their products to protect themselves and to gain leverage against other companies they compete or do business with. I hate to use a cliche here, but the bottom line is the bottom line. It's business. The only way to stop it, IMO, is to legislate, and by that I mean to undo the damage that is the UCITA and all the other stupid laws and decisions that have made software into this protected class of goods.
The issues at stake here are that none of these clauses are illegal and the whole concept of software as a protected class of goods has somehow been accepted in the vernacular of IP attorneys as a "pretty darn good idea!" It goes back to my point, all of the EULAs are written by and for other lawyers based on bad laws. What do you expect? The engineers had no say in this law. The consumers had no say in this law. It's all attorneys and REALLY big software companies that drove this, like AOL which happens to be headquartered in the first state to enact the UCITA: Virginia. It's like a nuclear arms race at this point. The new laws make all these clauses binding and legal, and the wacky new EULAs are driving each other to create more and more clauses to protect the interests of the company that produced that piece of software. The UCITA and other laws were not written to put the consumer first but rather to put business first and not to even consider what it might do to the consumers.
The solution is to change the law. Until that happens, you can complain all you want about EULAs, but they're just going to get worse. Maybe if you're lucky you might be able to shame a company into changing their EULA, but don't count on it. Since there is no law against them, they're perfectly legal and perfectly binding. And that's the problem.
--
Python
OK, with that disclaimer out of the way, here goes. EULAs are not written with the specific intent to harm the consumer or certainly to upset the end user. EULAs exist to protect companies' intellectual property from other companies. Companies do steal technology and ideas from each other. Yes, I said steal. It's a cutthroat world these days and some people will resort to any measures they can to get an edge. To a much smaller extent, some provisions in a EULA exist to protect those same companies from the incredibly litigious world we live in now, and the never ending stream of ridiculous lawsuits that customers bring against companies (i.e., the McDonalds coffee case and others). It's a sign of the times basically.
Even the GPL contains provisions (the no warranty clause) that are there to protect the authors of the software from end users. Now, some EULAs contain clauses which are downright absurd, but you have to look at the intent behind these clauses and who it is that is writing them: LAWYERS!
It's a catch 22 situation (much like the awful situation with patents) where you need powerful laws and ridiculously strong EULAs to fight back against the equally powerful lawyers out there to protect a company's hard work. Personally, I think a lot of the problems would be solved if all companies were required by law to open source all their software. That way, the issue of stealing code from one company would be mitigated because you could not keep it a secret any more. It would also make it easier to determine if a patent is really unique (peer review) and if the reverse engineering methods used were truly legit. It would also be better for consumers and business because you could make your software work with other software more easily.
In short, the whole situation, like patents, is feeding on itself and the only solution is not to expect companies to make their EULAs more friendly to end users, but to get the laws rewritten so many of the clauses in EULAs are illegal and to do something truly revolutionary, like make open sourcing a legal requirement for ALL software, if you want to see any real change.
Until something dramatic happens, expect the laws to get worse and worse and the EULAs to get more and more draconian.
--
Python
Here are some references to back my assertions on anonymity:
McIntyre v. Ohio
Flood Control on the Information Ocean: Living With Anonymity, Digital Cash, and Distributed Databases
Talley v. California
--
Python
It must be the gun control!
--
Python
Thanks, but this is something I want to hear from RMS as well.
--
Python
If you link a proprietary, closed source program, against a GPL'ed library, do you have to open the source to the proprietary program?
--
Python
YUMMMMMMMMMMMMM.... Ranger pudding.... aaaaaaahhhhhhh..... (drools...)
I lived off that stuff.
Former 11B3G and 11A(G). (Infantry: Enlisted and Officer, Ranger.)
--
Python