Slashdot Mirror


User: samj

samj's activity in the archive.

Stories: 0
Comments: 163

Comments · 163

  1. Great... on Microsoft to Ship New Malware Protection Utility · · Score: 4, Funny

    more Claria shenanigans on the way then?

  2. Sussen? on Nessus Closes Source · · Score: 2, Interesting

    I was about to go kick off Sussen but it seems MMG Security have beaten me to it:

    Created On:24-Dec-2004 01:24:29 UTC
    Last Updated On:26-Sep-2005 11:55:35 UTC
    Expiration Date:24-Dec-2006 01:24:29 UTC

    They've just released on 26 September 2005; hopefully it's a fork of Nessus rather than an unimaginative name for a new project, but I suspect the latter.

    Who the fsck are Tenable anyway? I haven't heard of them before today and with any luck I won't hear of them again. If they didn't like the license they should not have released their Intellectual Property under it, and then someone else would have and they wouldn't have enjoyed the free publicity. Have they not seen how well MySQL is doing off the back of an Open Source product? Sounds to me like the problem isn't with the license...

    This raises an interesting question about vulnerability scanning though... who could really care less about the scanning engine or how long it takes - the patterns are where it's at; so long as we keep the patterns up to date security doesn't suffer at the hands of this greedy company.

    Incidentally, I like the way they're still advertising Nessus as 'THE Open Source Vulnerability Scanner' on their site.

  3. Xen 3.0 on SUSE 10.0 OSS Released · · Score: 5, Funny

    This is the best news I've heard all day - I can't even get Xen 3.0 from Xen, so I guess they've thrown in TimeTravel 1.0 as well.

  4. It's about time... on PS2 Mod Chips Legal In Australia · · Score: 3, Interesting

    Australia led the way instead of being the global village idiot. I wonder what effect (if any) this will have on xbox-linux etc.

  5. That's great but... on Outspoken Group Releases Album as Free Download · · Score: 3, Insightful

    artists don't need to work for free; we just need to turn it around so as it's the artist rather than the distribution channel that's getting 90% of the profits. Previously it was expensive to record the music itself. This is no longer the case - friends of mine churn out HDTV ready content on a $1000 iMac! Nor is it expensive to package and distribute the music. I don't see why a distribution network can't exist that works on a 'cost plus ten' model, especially if that network were built on top of a peer-to-peer network.

    Here's the clever part: if the artist is getting 90% of the profits then the *new* price of the track/album need only be around a 10th of the old price (11.11%) for them to get the same profit per sale, but all of a sudden our (typically fairly static) music budget can buy us almost an order of magnitude (9x) more music, which means more artists get a share in a big pot rather than a small handful getting a share in a small pot.

    Everybody wins, except of course the dirty thieving 'legacy' recording industry; the same ones that said the VCR would destroy them yet who are now making billions each and every year from home video!

  6. Leading the way in privacy policies. on 30Gigs Web Mail Launches Into Beta · · Score: 3, Insightful

    So a long privacy policy is a good privacy policy? I think not. 30 pages of lawyerspeak is for the birds - all privacy policies (at least the ones you have to click through to obtain some service) should fit on a page or less, else they aren't generally read.

  7. Re:Gmail is the ultimate prediction market on Google Putting Crowd Wisdom to Work · · Score: 1

    You don't necessarily need to be Google to do this; for a popular enough company anyone could just use AdWords and monitor the stats. Of course just because someone's talking about a stock doesn't mean they're saying nice things about it!

  8. In other news today... on Australian Court says Kazaa Users Breach Copyright · · Score: 1

    Newsagents sued for encouraging piracy of books by selling pens and paper.

    Seriously though, it's easy enough to argue that the primary use of Kazaa et al is piracy. However, were there enough appropriately licensed content (eg creative commons etc.) then this would be less clear. It would be a shame to lose the right to use peer to peer technology for 'legitimate' tasks, especially if projects like BitTorrent come under fire for the same reasons.

  9. SomethingAwful is not an official charity on PayPal Freezes Hurricane Relief Account · · Score: 1

    So what, it's ok to encourage people to donate money to anyone now? You've got to be kidding. If they can redirect people to Red Cross for now, why didn't they just do that from the start - there is absolutely no need to handle the money themselves. Have people already forgotten about the SPAMs soliciting donations for the Asian Tsunami disaster? IMO PayPal are doing the right thing, and there should be more done to prevent this type of 'helpfulness'.

    PS this is not to detract from SomethingAwful's efforts, nor suggest that they had anything but the best intentions, but the benefactors of charity really need to be better protected from those lacking morals.

  10. ActiveX Installer? on Plugin Lets Users Turn IE into Firefox · · Score: 1

    For a second there I thought someone had actually made an ActiveX installer for Firefox. Pity. *That* would be newsworthy.

  11. Who are you anyway? on Do You Code Sign? · · Score: 2, Informative

    Bruce is right, code signing (at least in its present form) sucks. In fact trust in general sucks, and will until we come up with an intelligent way to assign it. So you want a 'whitelist'? By that you presumably think that the 'whitelist' of CAs rolled out with browsers works? It doesn't. Nor will telling 'safer' to consult it before running code.

  12. Re:Cellular blimps on Communications Infrastructure No Match for Katrina · · Score: 1

    That's getting pretty close to the point where tdma stops working isn't it? Then again, don't most of you use cdma in the US?

  13. Happy Birthday Opera! on Opera Turns 10, Gives Away Free Registrations · · Score: 4, Informative

    The form was already running slowly before Slashdot arrived so if it breaks (as it no doubt will), you can get a code by mail per http://www.download.com/Opera/3000-2356_4-10421507.html?tag=excl

    Note: For one day only, you can get an ad-free version of Opera. Simply e-mail registerme@opera.com to obtain a registration code. This offer is valid from 12 a.m. Tuesday, August 30 to 12 a.m. Wednesday, August 31 2005 (PDT).

  14. Proprietary Formats on Flash EULA Doesn't Fit the Times · · Score: 2, Insightful

    And this, people, is why we shouldn't be relying on proprietary formats. Just because we can use them today doesn't mean we can tomorrow.

  15. Re:Is Linux Trailing? on WinFS Beta 1 Released Early · · Score: 1

    fsck me, that's a low UID!

    keep up the good work hans.

  16. Valid use of Digital Restrictions Management? on Libraries Use DRM to Expire Audiobooks · · Score: 1

    Here we see digital restrictions management being put to good use; I should be able to check out content and use it for a minimum period or until someone else wants it. Why not have a library with 95% of its virtual content checked out at any one time - it's not doing anyone any good on its virtual shelves. That said, it is proprietary DRM; we should all be getting behind open source implementations (weren't Sun working on something) because a world with open source DRM is clearly better than one with a myriad (or worse, monopoly) of proprietary system(s).

    Of course ideally more work would have sensible licenses (creative commons et al), in which case DRM is unnecessary.

    <rant>For once it's not some fat cat media company screwing the artist and consumer at the same time by maintaining artificially high prices for no purpose but to justify their own existence.</rant>

  17. Linux vs Open Source on Stallman Claims Linux Trademark Doesn't Matter · · Score: 2, Interesting

    I find that a lot of the time where people are saying 'Linux' they mean to say (or at least should be saying) 'Open Source'. After all, Linux (as in the kernel itself) really is a small part of the whole system, and as an end user I'm not going to care whether my Gnome desktop, Firefox browser and OpenOffice.org productivity suite are running on a Linux, BSD or even OpenSolaris kernel!

    I wonder about the utility of trademarking the term Linux - in reality rejecting a license application is going to be difficult at best, and to do so will go against the spirit of open source in general. My use of the term Linux is not necessarily going to appeal to everyone, and vice versa, but that shouldn't result in an application being denied; consider SpamLinux, PornSurfingLinux, BibleBashingLinux, etc.

  18. Of course it isn't... on ZOTOB Not Quite as Bad as Expected? · · Score: 1

    when it's in the best interests of those selling the 'cure' to blow it out of proportion.

  19. Re:Technician Did The Right Thing, Police Erred. on EFF Weighs in on Computer Privacy Case · · Score: 1

    Perhaps, but if I leave a body in the boot of my car then it's a lot more likely to be found than a file by a technician - unless the technician were browsing through files of course, which begs the question: why? Were I not capable of fixing my computers myself then I would certainly not expect a technician to be looking at anything but what they need to look at to carry out the task assigned. If in the course of doing that task however, they do discover something illegal then by all means report it - just like if I get you to service my car and forget to take the body out first.

    IT people, it seems, tend to have a penchant for looking at (or at least wanting to have the ability to look at) things they shouldn't... maybe they're not unlike anyone else, only with more privileges?

  20. And it's about time too... on Australia's largest telco to be split · · Score: 2, Interesting

    I've been advocating this for years, but thought it was too late after the first share offering (T1) back in 1997 (after all, who wants a telco services company when you can own the infrastructure). A handful of us made a quick buck out of it, but those who participated in the second round (T2) weren't so lucky.

    Aside from owning the copper (an extremely valuable asset, especially given the relatively low population density in Australia), Telstra provide a range of services - most notably mobiles (MobileNet) and Internet (BigPond, or as I prefer, LittlePuddle) and perhaps the most important of which is ADSL (both wholesale and retail). The issue they are addressing here is leveling the playing field, which would not have been necessary were it not for antics like selling (previously flaky, unreliable) ADSL retail cheaper than wholesale! (One could also speculate that the regular, extended outages were related to sustaining the golden goose (ISDN)).

    And then there's the issue of their core competency: phone lines. In March 2000 we were paying $11.65 a month for line rental and something like 25c for untimed local calls. Now your average punter's paying the best part of 30 bucks a month for line rental and a bit less for locals. There's a bunch of capped call plans and other fluff but we're effectively paying a lot more for a service which (thanks to mobiles) we are using a lot less. Plenty of us were using the lines for Internet services and paying for an expensive, unnecessary dialtone.

    This is where Australia really could have led the way - were this done properly all carriers (including the hypothetical Telstra retail/services division) would have had access to the copper for the same reasonable price (ideally inside $10/month) and could have offered combined voice/data services, and made a profit, for less than what we're paying now for line rental alone. As a bonus our essential infrastructure would not have ended up strapped to a bloated services company in a volatile market.

    Still, it never ceases to amaze me that they've managed to sell us back something we already own, set the industry back a good 5 years while doubling or even tripling the cost of communications for your average Aussie in the process. It's like the Coca Cola company working out we'd pay more for water than we do for Coke itself!

  21. Simple (temporary) solution? on Protecting Your Personal Info While Traveling? · · Score: 1

    The reality is that people have to use untrusted machines every once in a while, and even if you then change your password from the next trusted machine you have access to there is still a window of opportunity. If I must use credentials at a public terminal I make extensive use of cutting, copying and pasting, and typing over selected text so a key logger would see a password like 'secret' as a string like 'fsdjn392e9c3sD$r@90ejfndt'. This won't protect you from things like browser helper objects (BHOs), but it's better than nothing, and you can be sure there's plenty of other low hanging fruit for your adversary to pursue.

    It doesn't help that you usually won't be able to change the password backends, but for things like mail you can, if you run your own servers. I'd like to think there were a challenge response token that's affordable for single user installations - I've seen something like this before but if anyone has any suggestions...

    Incidentally, there's a fair bit of work being done in the area of endpoint analysis, which is usually in the form of an agent which scans the machine for suspect registry entries, processes, files, etc. and applies corporate policies like OS and patch level, virus scanner health, firewall status, etc. before allowing access to a trusted resource (eg a VPN). There will be interesting things to come in this area but I suspect it will be an arms race for some time (think virus scanners, anti spyware, etc.) and there's always the question of how much trust you can attribute to code running on an untrusted platform. If it weren't for the potential for abuse (think digital restrictions management) this is where technologies like Trusted Computing Base are useful.

    Now if only banks would stop seeing fraud as a cost centre and actually start doing something serious about curtailing it then we wouldn't need to be having this discussion. In Ireland for example rabodirect equip users with a digipass (http://www.rabodirect.ie/security/digipass/digipass.asp) which is used for two factor authentication and signing of transactions. There's other mechanisms being considered, like text message challenges, sequence based tokens, etc. but in the mean time plenty will suffer - fortunately the more clueful will manage to be reimbursed but you can bet there will be plenty of expense borne by the others.

  22. Re:The media on Australia-US Free Trade Agreement Examined · · Score: 3, Insightful

    Rubbish. This affects us all, unless you happen to live under a rock with no TV, radio, internet, etc. If nothing else, ordinary people become criminals under legislation required by the FTA - do you really need more justification?

  23. Baker & McKenzie FTA IP Symposium on Australia-US Free Trade Agreement Examined · · Score: 5, Informative

    I recently attended The US-Australia Free Trade Agreement and Intellectual Property - A Symposium which was hosted by the Baker & McKenzie Cyberspace Law and Policy Centre, UNSW Law Faculty. You can find the transcript here, and mp3 sound files here, here, and here. It was a most interesting presentation, although in some ways I think it missed important 'features' of the FTA. Features which affect us all like most of Chapter 17, especially the introduction of DMCA like laws. More time was spent discussing mostly irrelevant issues like the 'protection' of information that may otherwise be cached by ISPs. The site is a good resource nonetheless - it's just unfortunate that people don't know what's good for them and are more interested in irrelevant news than items which will actually make a difference to them.

  24. Nuclear Energy in Australia on Bruce Sterling On Lovelock's Pro-Nuclear Stance · · Score: 3, Insightful

    I am somewhat bemused that despite sitting on something like 28% of the world's uranium, us Aussies don't have a reactor of our own (with the exception of the Lucas Heights HIFAR reactor opened in 1958). We even bitch about mining the stuff, the proceeds of which could be used to deal with real threats to the surrounding environment, like cane toads. We make over 10% of the world's supply of computer grade doped silicon, yet we bitch about upgrading the reactor facility too. Hopefully with some debate people will start pulling their heads out of their asses and making it happen before we end up with some serious problems on our hands. Before long Chernobyl et al will end up being the most catastrophic events we've ever experienced - not because of the local effects but because of the resulting widespread misconception about nuclear power. Yes, where there are more plants nuclear fuel necessarily is more available so there is a greater need for security. However those linking the increased use of nuclear energy with foolish nuclear enabled governments and terrorists ought to spend more time worrying about who's got the weapons, why, who pays and what they are (or aren't) doing to protect them.

  25. What about the routine anonymous proxy users? on Paypal Deals Blow To Freenet · · Score: 1

    I routinely use anonymous proxies in order to secure the 'last mile' part of my browsing with SSL - the part I care about the most (I don't care all that much about what someone on the other side of the world sees - it's more those at this end - eg employees - that I'm concerned about). I've written to PayPal and left a voicemail so as to confirm whether or not I too am at risk of business disruption courtesy these short sighted policies. I think I'd best just get me a merchant account.