It's illegal because the law, in this case the DMCA (http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act) specifically criminalizes the circumvention of a copyright measure. Sure this flies in the face of hypothetical fair use, for example, making backups of original games to protect the originals from damage. But he intentionally modified hardware put in place to enforce copyright, and therefore broke the law.
Modifying a car doesn't run afoul of the DMCA. The car is still legal to own and drive, is usable on the road if kept inside the legal speed limit and passes whatever vehicle inspections your local municipality imposes, and is usable on closed tracks and in legal racing situations and the like. Modifying a console so that it no longer handshakes with content to ensure the media is the original factory media; circumventing the console's ability to control access to copyrighted works (to quote the DMCA) breaks the law.
That's pretty funny, I used to hate on WD as well, until last month when we upgraded all the drives in our SAN to 1.5TB drives and pulled all 18 old WD 250GB drives. In three years, with about a grand total of 40min powered-off time, with constant reads and writes through nights, weekends and holidays, none failed.
Not exactly a real-world scenario relevant to desktop use or even a file server, but I thought it was interesting.
Many iPhone "2G"/first gen. hardware contracts are more than the approximately (maybe it's exactly?) 18 months it takes for your contract to be upgrade-eligible. The issue here is more the people who bought the iPhone first gen very late in its life cycle, or bought into the 3G at all (since it's only been available for about 11 months.)
Seems people just feel confused and betrayed by Apple, because those who purchased iPhone 3G phones (myself included) adopted early, and also were first gen. customers as well. Many of the people in my situation feel screwed that they have to pay an upgrade fee while new adopters get in on the iPhone 3G-S goodness for free while we've been loyal customers all along. That said, I realize it doesn't really work that way.
I understand how subsidies work, and I realized that the iPhone 3G was released approximately 1 year after the iPhone "2G"/first gen., but maybe if I knew the iPhone would be updated again after only a year, I might not have purchased the iPhone 3G. Nevertheless, the iPhone 3G does suit my needs completely and will continue to do so until approximately January 2010 when I can upgrade to the iPhone 3G-S, or at that point, I could also just wait and see if the iPhone 4th gen is coming down the line at the one-year mark just like this one. And if so, I'll evaluate then if it's worth the additional 5 month wait.
I'm smack in the middle of the Philly metro area, and apparently, AT&T isn't offering coverage enough to suit the features of this phone to me either. Or NYC metro. Or anywhere in America, for that matter, at least for a while. MMS and tethering have been around for years and years, but one won't be ready at launch, and the other was totally glanced over and for now appears delayed without mention of availability time-frame.
I've never seen the rules one should follow when releasing a device that might end up in millions of hands, but I'm sure they include the following:
1) Don't use an unstable hack to enable a feature that a very large percentage of potential users will be counting on.
2) Don't base a feature on a cat-and-mouse game. Especially with the likes of Apple, who are really good at that particular game.
3) Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup. Jobs was bragging about patents in the iPhone announcement keynote, for Christ's sake.
All that switching from RISC/PPC to x86_xx should change is "endianness." I hear passing worries of Intel chip-level vulnerabilities, but to my (admittedly limited to hitting up Google just now) knowledge these never really end up in mainstream exploits. Maybe because there are plenty of much more easily exploitable vulnerabilities already known.
Again, not a security researcher or a system arch. expert myself, but what I've heard from those researching OS X vs. Windows vulnerabilities, Address Space Layout Randomization (ASLR) would make it much harder to exploit vulnerabilities on the Apple end. This feature appears to be slated for the next point release ("Snow Leopard") of Mac OS X. Essentially, the exploiter must try much harder to "find" the code planted in the target box's memory, when the vulnerability was exploited, in order to execute it.
It's so that when things happen, like a worm infection for example, they don't have to have a custom anti virus solution to take care of it. They can just use off the shelf Norton AV to clean up infections. Why spend precious tax dollars on a custom system when off the shelf stuff works even better?
And to me, it makes perfect sense to connect them to the internet, so that they can receive all the virus def. updates and Windows patches as fast as possible.
Not to start a flame war or a vocal-minority thing here, but am I alone in having virtually no issues at all with iPhone's ActiveSync capability? I've been using it for work email since day one and haven't had a single issue.
What issues have you had?
Okay, both of those flaws you cite require user interaction. That doesn't constitute a "virus" or a "worm." That's a vulnerability. A vulnerability, I might add, never amounted to anything in the wild, and was patched quickly by Apple.
Not an apologist, flaws are flaws are flaws. But they aren't viruses. The distinction is important.
"Security Theatre" techniques like the Leopard "OMG you downloaded that file from TEH INTERWEBS!" dialogs
I'm actually a big fan of this particular approach. I feel as though the real way to solve the malware problem as it exists today on all platforms is user education in best practices. Vista's UAC nag screen (because that's all it is) is useless. You are presented with a dialog that looks the same every time. The Leopard one you describe actually tells you "you've never run this before, it came from blahblah.com website," and most importantly, I think, "click this button right here to visit the website you got this program from and see for yourself."
I think on the whole, you end up with fewer yet more meaningful dialog messages in the Leopard user experience, usually leading to the user actually reading and heeding them.
Maybe I'm new to this, but the summary led me to believe that the finders of this vulnerability were in the process of responsibly disclosing the details to affected software and hardware vendors. Wouldn't blabbing about it on Slashdot be the opposite? Wouldn't he then be blasted for dumping dangerous details on the public?
It's not just about telling the vendors, I'd say it's also about giving them reasonable time to find a way to distribute the fix... Microsoft, Apple, and Linux distro makers can use their built-in software updater... but what if you're Linksys or Netgear? I'm glad it's not my job to work out the logistics of pushing out a firmware update to what, 80% of the userbase that doesn't know their router even had a web console...
I never suggested it be tossed out, I was detailing one specific situation. Of course any corporate desktop situation should be locked down sufficiently that AV can't be disabled by the user. I'm talking about the enormous amount of home users, using default XP and Vista installs that leave the primary user as admin.
Well, certainly social engineering is only a replacement for good old-fashioned 'sploits and the like in a very specific situation, say, a Myspace comment that looks like an embedded YouTube video, which, upon clicking, leads you to download a trojan with a full-featured friendly-looking installer that requests the user's antivirus be disabled before continuing.
Know-how and knowledge of real holes in existing code are the only way an internet worm, as opposed to a trojan, would spread. I remember Slammer, and even worse, Blaster... I was a "tech" at Best Buy back then, Geeks before Geek Squad was rolled out to every store. Whole lotta overtime that week.
It was a rhetorical question. I understand the scope of the class, and in the scope of the class, the specific technical subject matter makes sense. I more meant in general terms, as a critique on the "malware industry." I should have been more specific.
Why bother trying to "penetrate antivirus software?" Just tell the user to kindly disable it else they'll be denied their dopey smiley emoticon pack or the privilege of having the Taco Bell dog read them their email or some shit.
Why bother working to evade potentially sophisticated technological security when you can go after the very very weakest link... the user?
I don't know why I'm replying to an AC, but you managed to miss his whole point about being unable to grep a dead tree. If you didn't know what grep meant and refused to take the 7 seconds and Google it, this basically means he's unable to perform some manner of a context search on a paper-on-the-table book the same way grep or Ctrl+F would allow him to do so on a computer. Searching for the exact syntax of a CSS command that contains the word 'border' inside of it is no fun when you're turning page after page. It'd be much easier to visit a page on the net and use ctrl+F to skim through.
The SDK would allow you to make such an app, but I'd be quite surprised if Apple blessed it for its App store given the broad exclusive language of the App store terms of service.
Given how much more traffic I could generate on a computer vs. an iPhone, it'd probably fall under the "Generates disruptive amounts of bandwidth" exclude-from-store clause. Just speculation of course.
I too would love to see a tether-able iPhone from Apple. Until I see it from Apple, it should be available shortly from the unsupported avenue of 3rd-party development... jailbreaking and using one of the installer apps / repositories. iPhone s/w 2.0 has been jailbroken and it should just be hours/days before a public method is detailed and released. On iPhone h/w 1.x there were numerous proxy programs available. They worked by making an ad-hoc wifi connection with a laptop and entering some network settings on the computer.
I know, I want a solution from Apple too. But if it works the same way it did for iPhone h/w 1, it's good enough for me.
You know... all that stuff about one being an actual physical thing and other being an idea.
Oh so it's more like the war on drugs then? :)
"George Bush says 'we are losing the war on drugs'. Well you know what that implies? There's a war going on, and people on drugs are winning it! Well what does that tell you about drugs? Some smart, creative motherfuckers on that side." -Bill Hicks, RIP
...but the subject fails to mention, for whatever it's worth, that this is the same Lori Drew that's been all over the news for helping her daughter create a fake Myspace to lead a neighborhood 13-year-old girl into thinking a boy liked her. Drew and her same-aged daughter (and apparently one other teen) perpetrated this farce and then pulled the rug out, making this teen girl think the boy no longer liked her. The girl subsequently committed suicide.
It seems that because of that, IMO, the feds are out to nail her on whatever they can, not because of a site's terms of use policy. Though this would set a terrifying precedent.
The iPhone 3G has A-GPS, or assisted GPS. It is a real, honest-to-God GPS receiver, but queries a database of known wifi hotspots and their locations in the event GPS lock can't be obtained.
Your iPod Touch does the latter already. It does not find you via the approximated location of your IP address.
That would be called a "flash," and it would be a "feature." :) I'd be perfectly fine with it.
so no headphone jack and no A2DP means the 8GB of storage and the Amazon music store are pretty much useless.
It only has 1gb of storage, and it's system-use only. Any media must be stored on separately-purchased flash memory.
Hehe, Apple doesn't follow Apple's UI guidelines :)
You're shitting me, we're out of pasta?