I have to wonder why Ubuntu developers waste time on Ubuntu when it would be more constructive, less controversial and serve their target audience better to work on furthering the Debian Desktop Project instead. I am aware that many Ubuntu developers are also Debian developers, which makes this all the more pressing of a question.
... because Debian's focus is vastly different from Ubuntu's. Ubuntu has a significantly different decision-hierarchy, a different way of forming teams... different tools etc. It seems to me that there are many good arguments for having Ubuntu as a separate but dependent distribution. Calling it a waste of developers time is quite an unsupported claim...
And of course Debian should include anyone that has ever contributed to one of their upstream projects right?!
Yes Ubuntu does depend on Debian, but the whole purpose of Ubuntu membership is not to say "hey, you're cool and can hang with us"... but rather to help identify those who will help drive the Ubuntu community forward. As other posts have pointed out, membership gives things such as planet syndication, votes on certain topics etc.
Ubuntu would not exist without Debian, but Debian contributors quite simply care about Debian... not Ubuntu... so why would they ever want an Ubuntu membership? Same as upstream developers care about their project... lets not cloud "membership" with "respect", which a lot of posters here seem to be doing. You can happily live without being an Ubuntu member... being a member is only worth it if you care about contributing to Ubuntu.
I suspect a lot of this is to create a springboard into web storage and seamless sync. Existing backup solutions have closed clients, and are therefore not acceptable for tight inclusion into Ubuntu. Ubuntuone allows Canonical to start moving forward with integration with the desktop client things such as file and data synchronising. Other moves that point towards this desire to sync can be found in the heavy pushing of CouchDb for data-storage... something which also allows synchronizing between computers.
Basically, UbuntuOne is a move towards a tightly cloud integrated desktop. The other upside is the client and protocol is fully open source, so it is possible to create and host home servers (eventually... once someone starts putting the interface together). I agree with you the current setup is very over-priced, but I tend to suspect this is a proof of concept more than a solid business solution:-)
I agree with you that it probably wasn't the smartest hack to demonstrate to an audience of various hackers... but I think that his behaviour, though brash, is not deserving of what Paypal did.
He could have set up his own domain, but it wouldn't have carried the same weight as proving the vulnerability is present on a major commercial server, where people actually *care* about security.
Either way, that still doesn't excuse Paypal from their foolishness. If they want to ban him, they need to be honest about why... the TOS quote they used does not match the situation at all.
On an unrelated note, this kind of behaviour is pretty standard for Defcon. Hackers all tend to go for "showy" approaches to gain peer respect.
So... foolish of him? Yes. Brash of him? Yes. Something he should have gotten banned for? Definitely not. Was it a useful demonstration? Definitely
From Paypal's justification of their banning: "We do not, however, allow PayPal to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information," the spokeswoman, Sara Gorman, wrote in an email. "We consider whether there is any legitimate use in helping to strengthen the defenses of one's site when determining violation of our policy."
The problem with your statement is that he did not cause Paypal problems in the way that you think. He showed a widespread security flaw, using Paypal as an example... and Paypal suddenly decided that the tools he was producing "have the sole purpose to attack customers and illegally obtain individual customer information". This is a complete and utter load of bollix.
So yes, Paypal may not be happy they have a vulnerability... the same vulnerability that every other SSL cert user has I might add... but he was not breaking their TOS. What they did was infantile and very counter-productive.
This kind of behaviour means the only people that know the flaws in your system are the hackers who want to exploit them for nefarious means, rather than these researchers, who are doing it partially to "help the world", but also to HELP YOU.
I wouldn't trust a company who discourages security penetration testing and thorough investigations of their systems in these ways. Because you can bet your pants, the black-hat hackers will do their homework and find these flaws if our researchers don't.
I'm interested as to which western nations don't allow class actions? The other point of interest is that this is a case where selling in a single place that allows class actions would essentially force the relevant company to try and avoid risk of these (i.e., release safe products) in all locations they sell at.
Basically, the only way to prove your assertion that evidence is lacking is to demonstrate that companies selling products ONLY in nations/places that don't allow class-action suits are releasing MORE defective/dangerous products compared to companies selling in at least one location that allows class-action suits. I'd draw a pretty venn diagram, but I'm afraid of how nerdy that might make this discussion seem!
Not on me unfortunately. It wasn't terribly complex... It looked like a windows explorer clone, the key difference was the sub-folders were a little more dynamic. I used it successfully for about 6 months before it got lost in the great harddrive crash of 2003... unfortunately this was before I'd learnt the lesson of external backups:(
It wouldn't be hard to recreate if you're really aching for a test drive though...
I definitely agree that the tree-hierarchy has it's place in the computing world. As you said, there are some things that are so solidly orthogonal that you want to restrict them to only one folder.
But I don't believe that forcing everyone through the same system is helpful. I know many things I have that simply don't fit well in folders. My music collection for example... how do I sort this? If I go by artist, it doesn't hold collaboration volumes very well, if I go by album, it is difficult to remember the artist... If I want to go by genre, I must choose only one, and this makes categorization of some artists very difficult where they seem to entirely change style over the course of a single album.
What I am saying is that hierarchical tree storage has it's place, but I don't think it is the most intuitive way of storing things:)
I agree that search-only functionality sucks btw. I even went so far as to make an interface in java that behaves like a folder interface, only it uses a tag system. In this view, a sub-folder is a tag that isn't already in the hierarchy, that is present on one or more of the child items. Allows folder navigation for those who like folders, addresses your point about easily seeing parent levels if desired... but also allows a file to live in multiple hierarchies... it worked nice. Not sure if you could base an OS on it though xD
Just to add a bit more information... one way I think of this is in terms of native languages. Most people who learn a second language, always need to translate through their primary language. E.g., if I learnt chinese, it might go: input in chinese => translate to english => concoct reply in english => translate to chinese => output in chinese
This is a lot of overhead. Compare this to a native chinese-speaker... who simply hears in chinese, and thinks & responds in the same language.
People who didn't grow up with computers don't develop the ability to "think" in computer terms like those of us "native" speakers. As such, dealing with files & folders, they need to go through this long translation process to a real-world analogy and back.
The problem is, the files & folders analogy is very thin. Have you ever lost a hand-written letter because the power suddenly went out?! Or mis-placed a single document in a huge huge stack of papers and photographs (e.g., more than 200). The answer to both is probably not... because a stack of paper 200 documents long is unmanageable in the real world... and a hand-written letter autosaves every change you make;-).
So yer, from this, a few breaks between the user's expectations of how folders and files work, and pretty soon it seems like a mystical cave. The user doesn't remember the exact folder sequence (after all, you can layer them ridiculously deep), and forgets where things are saved, and pretty soon they create a gnarly mess of their files & folders... and are lost!
Something that is perhaps more predictable is the idea of time-based or activity-based files (without folders). Gmail tags I find are also far more useful (means the user can simply search as they think of it, such as computer > essay > 2009 > university, or 2009 > university...etc.)
Either way, I would highly recommend observing some beginner users discretly if you can... I feel strongly it has helped me better understand how my users may see the programs I write:)
Ever watched someone who hasn't grown up on computers use files and folders? The physical notion may not be confusing, but the computer implementation definitely leaves a lot to be desired. I have had a 60minute discussion with someone about the distinction between copy & cut, and when it does and doesn't work. So yes... files & folders as used by computers can be enormously complex for those who are not accustomed to remembering large tree-maps;-)
Ahh. I can understand the difference:). The problem still stands though, that in many areas the crims caught on quite quick where the cameras were... and simply start wearing better disguises when committing crimes. The other slippery slope is once the cameras are in place... it now allows gradual "scope creep" of the camera uses. Sure, at first its automated and gets deleted after a few days, then a case or two finds it would have been useful to keep it for longer... so it becomes a few weeks. Then the police need to run a crack down on a certain crime, so they actively monitor the cameras (just for a short time of course!)...
If you don't give them the infrastructure, they can't scope creep. In so many cases, there are public benefits to having some things in place, but I am finding that more and more these small benefits are vastly outweighed by the dangers of abuse. World politics being what it is... I don't want to grant them any power for fear they will fold to the wishes of some company or individual with wads of cash...
Don't fall into the trap of believing that video cameras help prevent crimes of any sort! See http://wiki.idebate.org/index.php/Argument:_Crime_cameras_have_not_had_a_significant_impact_on_crime_rates for examples. honestly, giving up this kind of privacy appears to be never worth it. Cameras are only as good as the people watching them... and how long do you think people will be watching them before the city decides to reduce funding?
There is a difference in using open source software though. The complaint isn't that the company is saving money, the complaint is that the company is exploiting a community to do its work, without giving anything back. Companies that depend on open source usually contribute back somehow... either in testing, bug reports, occasionally developer time etc.
In this case, the offensive part is that Verison is depending on a community that has been created by it's own incompetence, to continue to allow it to make fatter profits by being even more incompetent. Without doing anything worthwhile for the volunteers that are helping them.
If someone was developing OSS for a company that behaved like this, I'd be wondering if they realised how foolish they were being too...
The derivative work would not have been able to exist without my efforts though. So all I'm saying with the GPL license is that you are free to use my work, but only if you help me the same way my code has helped you.
BSD allows you to be selfish and just take my code and build on it, without ever returning the favour.
Slashdot Mirror
I have to wonder why Ubuntu developers waste time on Ubuntu when it would be more constructive, less controversial and serve their target audience better to work on furthering the Debian Desktop Project instead. I am aware that many Ubuntu developers are also Debian developers, which makes this all the more pressing of a question.
... because Debian's focus is vastly different from Ubuntu's. Ubuntu has a significantly different decision-hierarchy, a different way of forming teams... different tools etc. It seems to me that there are many good arguments for having Ubuntu as a separate but dependent distribution. Calling it a waste of developers time is quite an unsupported claim...
And of course Debian should include anyone that has ever contributed to one of their upstream projects right?!
Yes Ubuntu does depend on Debian, but the whole purpose of Ubuntu membership is not to say "hey, you're cool and can hang with us"... but rather to help identify those who will help drive the Ubuntu community forward. As other posts have pointed out, membership gives things such as planet syndication, votes on certain topics etc.
Ubuntu would not exist without Debian, but Debian contributors quite simply care about Debian... not Ubuntu... so why would they ever want an Ubuntu membership? Same as upstream developers care about their project... lets not cloud "membership" with "respect", which a lot of posters here seem to be doing. You can happily live without being an Ubuntu member... being a member is only worth it if you care about contributing to Ubuntu.
I suspect a lot of this is to create a springboard into web storage and seamless sync. Existing backup solutions have closed clients, and are therefore not acceptable for tight inclusion into Ubuntu. Ubuntuone allows Canonical to start moving forward with integration with the desktop client things such as file and data synchronising. Other moves that point towards this desire to sync can be found in the heavy pushing of CouchDb for data-storage... something which also allows synchronizing between computers.
Basically, UbuntuOne is a move towards a tightly cloud integrated desktop. The other upside is the client and protocol is fully open source, so it is possible to create and host home servers (eventually... once someone starts putting the interface together). I agree with you the current setup is very over-priced, but I tend to suspect this is a proof of concept more than a solid business solution :-)
I agree with you that it probably wasn't the smartest hack to demonstrate to an audience of various hackers... but I think that his behaviour, though brash, is not deserving of what Paypal did.
He could have set up his own domain, but it wouldn't have carried the same weight as proving the vulnerability is present on a major commercial server, where people actually *care* about security.
Either way, that still doesn't excuse Paypal from their foolishness. If they want to ban him, they need to be honest about why... the TOS quote they used does not match the situation at all.
On an unrelated note, this kind of behaviour is pretty standard for Defcon. Hackers all tend to go for "showy" approaches to gain peer respect.
So... foolish of him? Yes. Brash of him? Yes. Something he should have gotten banned for? Definitely not. Was it a useful demonstration? Definitely
From Paypal's justification of their banning:
"We do not, however, allow PayPal to be used in the sale or dissemination of tools which have the sole purpose to attack customers and illegally obtain individual customer information," the spokeswoman, Sara Gorman, wrote in an email. "We consider whether there is any legitimate use in helping to strengthen the defenses of one's site when determining violation of our policy."
The problem with your statement is that he did not cause Paypal problems in the way that you think. He showed a widespread security flaw, using Paypal as an example... and Paypal suddenly decided that the tools he was producing "have the sole purpose to attack customers and illegally obtain individual customer information". This is a complete and utter load of bollix.
So yes, Paypal may not be happy they have a vulnerability... the same vulnerability that every other SSL cert user has I might add... but he was not breaking their TOS. What they did was infantile and very counter-productive.
This kind of behaviour means the only people that know the flaws in your system are the hackers who want to exploit them for nefarious means, rather than these researchers, who are doing it partially to "help the world", but also to HELP YOU.
I wouldn't trust a company who discourages security penetration testing and thorough investigations of their systems in these ways. Because you can bet your pants, the black-hat hackers will do their homework and find these flaws if our researchers don't.
Burden of proof is such a fun thing to throw around :)
I see the point of your post... but my feeling is that the G-GP's assertion is more likely to be true than yours.
The best thing I can think of to prove this (in a very unacademic as only slashdot condones...), is a good ol' google search: http://www.google.com.au/search?q=avoids+class+action
That tells you that some companies do care about avoiding class action suits. Therefore the G-GP's assertion has some support in articles :)
I'm interested as to which western nations don't allow class actions? The other point of interest is that this is a case where selling in a single place that allows class actions would essentially force the relevant company to try and avoid risk of these (i.e., release safe products) in all locations they sell at.
Basically, the only way to prove your assertion that evidence is lacking is to demonstrate that companies selling products ONLY in nations/places that don't allow class-action suits are releasing MORE defective/dangerous products compared to companies selling in at least one location that allows class-action suits. I'd draw a pretty venn diagram, but I'm afraid of how nerdy that might make this discussion seem!
Not on me unfortunately. It wasn't terribly complex... It looked like a windows explorer clone, the key difference was the sub-folders were a little more dynamic. I used it successfully for about 6 months before it got lost in the great harddrive crash of 2003... unfortunately this was before I'd learnt the lesson of external backups :(
It wouldn't be hard to recreate if you're really aching for a test drive though...
I definitely agree that the tree-hierarchy has it's place in the computing world. As you said, there are some things that are so solidly orthogonal that you want to restrict them to only one folder.
But I don't believe that forcing everyone through the same system is helpful. I know many things I have that simply don't fit well in folders. My music collection for example... how do I sort this? If I go by artist, it doesn't hold collaboration volumes very well, if I go by album, it is difficult to remember the artist... If I want to go by genre, I must choose only one, and this makes categorization of some artists very difficult where they seem to entirely change style over the course of a single album.
What I am saying is that hierarchical tree storage has it's place, but I don't think it is the most intuitive way of storing things :)
I agree that search-only functionality sucks btw. I even went so far as to make an interface in java that behaves like a folder interface, only it uses a tag system. In this view, a sub-folder is a tag that isn't already in the hierarchy, that is present on one or more of the child items. Allows folder navigation for those who like folders, addresses your point about easily seeing parent levels if desired... but also allows a file to live in multiple hierarchies... it worked nice. Not sure if you could base an OS on it though xD
Just to add a bit more information... one way I think of this is in terms of native languages. Most people who learn a second language, always need to translate through their primary language. E.g., if I learnt chinese, it might go: input in chinese => translate to english => concoct reply in english => translate to chinese => output in chinese
This is a lot of overhead. Compare this to a native chinese-speaker... who simply hears in chinese, and thinks & responds in the same language.
People who didn't grow up with computers don't develop the ability to "think" in computer terms like those of us "native" speakers. As such, dealing with files & folders, they need to go through this long translation process to a real-world analogy and back.
The problem is, the files & folders analogy is very thin. Have you ever lost a hand-written letter because the power suddenly went out?! Or mis-placed a single document in a huge huge stack of papers and photographs (e.g., more than 200). The answer to both is probably not... because a stack of paper 200 documents long is unmanageable in the real world... and a hand-written letter autosaves every change you make ;-).
So yer, from this, a few breaks between the user's expectations of how folders and files work, and pretty soon it seems like a mystical cave. The user doesn't remember the exact folder sequence (after all, you can layer them ridiculously deep), and forgets where things are saved, and pretty soon they create a gnarly mess of their files & folders... and are lost!
Something that is perhaps more predictable is the idea of time-based or activity-based files (without folders). Gmail tags I find are also far more useful (means the user can simply search as they think of it, such as computer > essay > 2009 > university, or 2009 > university ...etc.)
Either way, I would highly recommend observing some beginner users discretly if you can... I feel strongly it has helped me better understand how my users may see the programs I write :)
Ever watched someone who hasn't grown up on computers use files and folders? The physical notion may not be confusing, but the computer implementation definitely leaves a lot to be desired. I have had a 60minute discussion with someone about the distinction between copy & cut, and when it does and doesn't work. So yes... files & folders as used by computers can be enormously complex for those who are not accustomed to remembering large tree-maps ;-)
Ahh. I can understand the difference :). The problem still stands though, that in many areas the crims caught on quite quick where the cameras were... and simply start wearing better disguises when committing crimes. The other slippery slope is once the cameras are in place... it now allows gradual "scope creep" of the camera uses. Sure, at first its automated and gets deleted after a few days, then a case or two finds it would have been useful to keep it for longer... so it becomes a few weeks. Then the police need to run a crack down on a certain crime, so they actively monitor the cameras (just for a short time of course!)...
If you don't give them the infrastructure, they can't scope creep. In so many cases, there are public benefits to having some things in place, but I am finding that more and more these small benefits are vastly outweighed by the dangers of abuse. World politics being what it is... I don't want to grant them any power for fear they will fold to the wishes of some company or individual with wads of cash...
Don't fall into the trap of believing that video cameras help prevent crimes of any sort! See http://wiki.idebate.org/index.php/Argument:_Crime_cameras_have_not_had_a_significant_impact_on_crime_rates for examples. honestly, giving up this kind of privacy appears to be never worth it. Cameras are only as good as the people watching them... and how long do you think people will be watching them before the city decides to reduce funding?
Wow.. That is one of the most succinct explanations of CDO's I've ever heard. Well done!
There is a difference in using open source software though. The complaint isn't that the company is saving money, the complaint is that the company is exploiting a community to do its work, without giving anything back. Companies that depend on open source usually contribute back somehow... either in testing, bug reports, occasionally developer time etc. In this case, the offensive part is that Verison is depending on a community that has been created by it's own incompetence, to continue to allow it to make fatter profits by being even more incompetent. Without doing anything worthwhile for the volunteers that are helping them. If someone was developing OSS for a company that behaved like this, I'd be wondering if they realised how foolish they were being too...
Finally! Some intelligent discussion might happen...
The derivative work would not have been able to exist without my efforts though. So all I'm saying with the GPL license is that you are free to use my work, but only if you help me the same way my code has helped you. BSD allows you to be selfish and just take my code and build on it, without ever returning the favour.