Great idea for the FTC to do this, and very appropriate. The breach business is getting out of hand.
Unfortunately, in a situation like this, it is common, if not habitual, for organizations to be compliant with
the standard, or the government rules, and rest there. Those standards, such as PCI in this case, should be
regarded as the minimum they have to do, not the maximum.
This was done... Many years ago, probably mid-70s, I bought a kit to make the windshield wipers on my
Saab 99 intermittent... The kit probably cost $15 at the time...
Well, it's not *impossible*, but it is pretty unlikely. If you have a patent in the US, it protects only
against infringement in the US. And when you say "approved", that's slightly unusual terminology.
If the patent was granted by the USPTO, then please say that (or alternately, the patent was "issued.")
The original description makes it sound as if the invention isn't really a stand-alone thing, but something
which needs to be "incorporated" into other, existing products. Is that right? Hard to advise you without
knowing a little more. Please post patent (or application) number.
Wow. Can you give any more specific details? I believe the Pave Paws radar
used a pair of 7600s that were modded to be a single system, but was unaware of
any 6600s.
Where is this? (What city?)
Actually, that's not true. Prior to 1970, I used at least 3 different pieces of
software which maintained detailed change histories on source files which
were (mostly) assembler source files, but in some cases were a higher level
language like FORTRAN. All 3 systems allowed deleting an update (and
thus restoring the lines which that update had deleted), and at least 2 of the
3 let a mod change multiple source files. It was all batch, but the capabilities
were there. Two were provided by a computer manufacturer (Control Data)
and the third was home-brew.
As good and impressive as this is, in 2012, there was a "chain" of 60 people, 30 kidneys,
transplanted... It's quite amazing.
http://www.nytimes.com/2012/02...
What possible reason is there for the passport office to need to expose this information outside the agency?
How can it possibly be worth the risk, even if there is some minor function which they outsourced to the
fraudsters.
The gummint ought to be forced to do an analysis of the risk and value before they outsource a function
which provides this kind of access to the data of citizens. Private companies might do well also to do it.
I was describing something that happened in a machine that was built before the world settled
on 8-bit bytes. The machine had 36-bit words, and each word had an address. The 6-bit
nibbles were not addressable. It was 32,768 (2**15) words of 36 bits. Equivalent
to a little over 100K bytes!
This problem is remarkably similar to a problem I encountered in the memory of a 7094 (old
IBM computer) which had a core memory which stored 36-bit words. The memory was supposed
to work by operating on 6 bits at a time at 200 nanosecond intervals. The reason for this was to avoid
creating a magnetic field that was too strong. The problem occurred when the timing was off due
to failure of a component and two of the intervals overlapped. This meant that when one attempted
to store a word with 35 1s, the field created was strong enough to store 36 1s. We wrote a
diagnostic to demo the problem, and with that the engineers were able to isolate and fix the problem
in short order.
"Why perpetuate the myth that Google 'drops products without warning/reason'?"
Well, you're right... that's a bit unfair. There's usually some warning, and occasionally even a reason.
But relying on their stuff is indeed somewhat risky.
Hmm..... sounds a lot like prior restraint, doesn't it? Someone leaks some information
that the gummint doesn't want known, and so the press can't publish the leak? This is
pretty scary...
I don't understand how trucks, which require much more fuel, and more driver time per load, have
so thoroughly replaced railroads for long hauls. Making trucks more efficient is a fine idea, but
it's only nibbling at the edges. Why not go back to trains for medium to long distances?
I think perhaps someone already did notice some prior art. It looks like 155 claims - the first 155 - were
already deleted, though it's not clear if it was the Patent Office or the applicant that did that. I bet there's a
good story behind that.
One other question: Is it clear what "fixing" ECPA means? Do you have a specific proposal? Or is it
just that a warrant is needed to examine "mail", regardless of how long it's been stored, whether it's
in flight or stored.
Everyone talks about "immigration reform" but I think there's a very wide spectrum of what that
means...
Thank you for your informative response. I've signed the whitehouse.gov petition. And here and
elsewhere, I encourage everyone reading to write to their Congresscritters and demand reform,
rather than posting here. Eventually, they'll get the message.
It's a lot more than just the ECPA that needs change and being added to our laws. The NSA seems to me
to be out of control. Let's reduce their budget in a major way!
It's data. It happens not to be complete - there's more, namely the audio of the call.
Intelligence agencies have been doing traffic analysis on this sort of data -- just who is
communicating with whom - for at least 70 years. For NSA to refer to it as "only metadata"
is the height of hypocrisy.
Note that IBM did the same thing with about 1000 of its patents, more than 10 years ago. And shortly
thereafter, followed up with another 1000 or so.
You want he shoulda said irregardful?
IANAL, and I don't play one on TV, but it seems pretty clearly a violation of a web site's copyright to do this. A web page
is a visual work, and at least for any country that is party to the Berne Convention (this includes the US and most or all of Europe),
a page is copyright even if it doesn't say so. So for the hotel or ISP to modify the page, especially when it is being paid to do so,
seems a clear violation. Some web site should make a big stink (lawsuit!) about this and put an end to the practice. I think it wouldn't
be a difficult case to win, particularly with all the other copyright enforcement actions going on (MPAA, etc.).
I wonder if a similar case can be made for organizations like health clubs that show TV programs at the wrong aspect ratio, making
people look as if they're 20% fatter (wider) than they actually are...
Here's an idea/meme: Create a way to describe both the password rules and storage policy for a web site in a few characters.
Then encourage sites to put those characters next to the "Enter Password" box on their site. The intended effect is to make users
aware of the rules of the site, and ultimately to force them to improve their policy. Here's an example of what I mean:
0 means "we store your password in the clear"
1 means "we encrypt your password using standard techniques"
2 means "we one-way encrypt your password and store only the encrypted value"
3 means "we one-way encrypt your password with salt, and store only encrypted, salted value"
4 means "3 and also we have an effective means in place to prevent repeated guessing by an external agent"
(some sort of time-delay for bad guesses, getting progressively longer, or something similar..)
(Any more needed?)
and maybe use a letter for the password policy:
A means "password has a short maximum length (8?) and silly constraints on what characters must be present" ....
C means "No restriction on password length, but some constraints on characters"
Z means "Password can be arbitrarily long and include any character you can type."
So 0A would be a disaster, and the goal would be to move sites toward 4Z. And you'd see what the site does
every time you log on (assuming, of course, that they're honest, but this would be easily auditable..) Even people
who didn't understand what the specifics mean could be educated to know that closer to 4Z is better. (This is just
an example... I'm sure a better encoding is possible...)
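As an added example (not code from the original comment), here are the poster's levels 2, 3 and 4 made concrete in Python: an unsalted one-way hash, a salted one-way hash where only the salt and digest are kept, and the salted hash plus a progressively longer delay after each bad guess. The doubling back-off, the PBKDF2 iteration count and the injected clock are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed work factor for the salted one-way function


def store_level2(password: str) -> bytes:
    """Level 2: one-way hash, no salt. Two users with the same password get the
    same stored value, so a leaked table reveals shared passwords directly."""
    return hashlib.sha256(password.encode()).digest()


def store_level3(password: str, salt: bytes = None) -> tuple:
    """Level 3: salted one-way hash. Only (salt, digest) is stored, never the
    password; a fresh random salt makes identical passwords look different."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_level3(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Level4Verifier:
    """Level 4: level 3 plus the comment's 'time-delay for bad guesses, getting
    progressively longer'. The clock is injectable so behaviour is testable."""

    def __init__(self, salt: bytes, digest: bytes, base_delay: float = 0.5):
        self.salt, self.digest = salt, digest
        self.base_delay = base_delay  # seconds after the first failure
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, password: str, now: float = None) -> tuple:
        """Returns ('ok', 0), ('fail', delay) or ('wait', seconds_remaining)."""
        now = time.monotonic() if now is None else now
        if now < self.locked_until:  # still inside the back-off window
            return "wait", self.locked_until - now
        if verify_level3(password, self.salt, self.digest):
            self.failures = 0
            return "ok", 0.0
        self.failures += 1
        delay = self.base_delay * 2 ** (self.failures - 1)  # 0.5, 1, 2, 4, ...
        self.locked_until = now + delay
        return "fail", delay
```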
It is hard enough to know if I should trust my child, and I raised him. He doesn't
tell me much. App developers tell me less, and some of them are devious. This is not
a good security model. And Google knows better.
The heading says 50,000, which is pretty crazy.. but all of the text refers to numbers more like 5,000....
I don't want to cast aspersions (or worse!) on your experts, but in my experience most of those
people (especially architects) never go back to see how what they built is working out, what they did
wrong, what could be improved in their next project, etc. I'm sure there are some who do, but it certainly
is not standard practice, so you're wise to ask the Slashdot crowd for real experience.