Incidentally, you and I both know that "TS/SCI security" doesn't mean shit if you've got physical access to the machine. In many cases, it doesn't mean diddly under other circumstances, either.
Since you referenced TS/SCI I'm going to assume you have a military or defense contracting background. In light of that, if you'd read the entire thread, you really should know better than this. The first sentence of my GP reply was mostly in jest. The second and third sentences were serious.
This entire story stinks of a distinct lack of personal responsibility. As far as analogies go, think of it as someone who abandons a property for months on end, allowing the grass to grow high, paint to begin peeling off the siding, and animals to take up residence in the living room. The owner returns to said derelict property and is shocked to find a family of raccoons nesting in his lounger.
This is why we actively maintain property, according to the very real tenet that you only own property to the extent that you can defend it against assault.
For once I'm going to have to encourage the mods to actually read an incendiary post (re: parent) in its entirety and do some fact-checking before modding the poster down. There's actually not anything I can find in this post with respect to actual citations and recent events at the hands of fanatics that isn't true. Though some may find it deeply disturbing and distasteful, including peaceful adherents to the faith, the last paragraph is pretty much beyond factual dispute.
You jest, but your point is well taken. Gaming a search engine into delivering happy shiny results from a search on a major worldwide religion isn't going to stop fanatical adherents to said faith from blowing themselves and others up. This has got to be one of the worst cases of public sector idiocy I've ever seen.
If you're just relying on the law to protect you with your inadequate security, you're being negligent.
Note to mods: don't mod me up, use your points to mod parent down.
You completely missed my point. If you attempt to break into my house, I've got a .40 caliber pistol that will prevent any further malicious activity you might be planning. Once again, my property = my responsibility to protect. This whole thread is about the senselessness of relying on legal measures in lieu of adequate safeguards and reactive measures.
You couldn't be more wrong. When it comes to proof-of-concept research that illustrates a vulnerability, "If I didn't do it, somebody else would" is one of the noblest defenses known to man.
Just to reinforce the old saying that you only truly have the freedoms that you can actually defend yourself, anyone who enters my home on an unauthorized basis is likely to get a .40 caliber answer to their silent question. Screw prosecuting for trespass.
Considering the fact that it's Scandinavia we're talking about, what if there's already an attractive young lady in the washroom? Furthermore, what if my wife is the one who needs to use the washroom? May I legally occupy it when both women are present?
I guess I should have secured that outlet to prevent unauthorized access. My property, my responsibility. There's an old saying that your freedoms are only valid to the extent that you're able to defend them.
By not selling that you are hurting the authors, not Amazon.
I assure you, a significant number of affiliates who immediately remove their links to Amazon's catalog of merchandise will hurt them, especially in a down economy where people simply aren't spending anywhere near what they were two years ago. As for the authors, I sincerely doubt they're depending solely on Amazon to sell their books. As for your last point regarding promoting stuff Amazon refuses to sell, I've already registered a domain and intend to start development work on a site in the next couple of days. I'll gladly take the money they don't want.
I do in fact recall the research you're describing; it was several years ago if I'm not mistaken, and pretty cool stuff. That said, there is a huge difference here; having chunks of data available for retrieval for anywhere from a day to several months is a far cry from the hours I recall from the past research you're describing.
Pay attention, class. Here is a fine example of living proof that being in possession of disposable income is, at best, only weakly correlated to intelligence.
Yes, it should absolutely be how we solve social issues. Technical fixes apply to more than just networks and computing platforms; they're equally applicable to most social problems if people are willing to approach the issues from a rational perspective.
Does it contain recyclable content such as bottles and cans that I can redeem for cash upon my next trip to Publix? If so, absolutely! I would appreciate it if you'd remove any infectious material prior to dropping it off on my porch, however. I've seen a lot of weird stuff in garbage as a consequence of military service, but I'm not really cool with things like used needles anymore. Please, give me goods equivalent to cash, I'm not gonna stand in your way.
I agree with your points in principle, and would like to offer an alternative means by which the students could have demonstrated their methodology.
These days, $300 will buy you a whitebox computer (assembled yourself, of course) that is capable of running 20 virtual machines. By analyzing the version numbers of common target platforms in the wild, you could conceivably build a virtual network of "real world class" servers with which to demonstrate your technique. Scale this to three or four servers running various wiki platforms, and you've got yourself a virtualized software ecosystem that you can do whatever you want to without fear of repercussions.
Hey, that's what I would have done, but I only have a GED and 15 years of network administration and programming experience ;).
That depends entirely on your jurisdictional ability to prosecute me. By my personal code of ethics, I'd never engage in such behavior for commercial gain. Others aren't so picky (reference spammers, phishers, botnet operators, etc).
Add in the fact that wikis are specifically designed to allow open posting of content, and you've got yourself a problem if you're not competent enough to properly secure your site against even the most basic of threats.
Let me put it another way: if I own a gun and leave it on my front porch with a full magazine of ammo in it, I can't bitch when my weapon gets lifted and someone gets killed with it.
Hey, I agree it was a dick move on the students' part, but I still respect the research. Everything is obvious in hindsight, by the way.
What these students have really done is make a very public demonstration of something that's possible before less ethical parties got a crack at doing it on a large scale. For that, they should be commended. Would you condemn those who release proof-of-concept code for security exploits just because a vendor sat on their ass for months, refusing to care about the problem?
Ethical or not, if these students hadn't done it someone else would have, perhaps someone with far less respect for others. Reference my earlier reply in this thread for my opinion on the TOS angle.
I deal with this stuff all day long, predominantly from IP connections far outside U.S. jurisdiction. These students were, in my rather experienced and measured opinion, doing the community a favor by pointing out exactly how easy this sort of feat is to pull off.
Their note about using reCAPTCHA is sound advice. Admins who depend on TOS policies and their nation's legal framework to defend against networked threats are negligent in their duties. I don't waste my time worrying about chasing people around for violations of my sites' terms of service. Instead, I focus my efforts on deploying technical solutions that fix the issue.
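The comment above argues for technical controls (a CAPTCHA on open posting, for instance) rather than terms-of-service enforcement. The following is an added example, not code from the thread or from any wiki project, of what such a gate looks like in practice: anonymous edits must carry a solved CAPTCHA token (used once, so a captured token cannot be replayed), and every client is rate-limited with a sliding window. The CAPTCHA verifier is an injected callable; the offline stand-in below and the token values are constructed for the example, and a real deployment would replace it with a call to the provider's verification endpoint. The client address 203.0.113.7 is from the documentation range.

```python
"""Technical anti-abuse gate for an open-posting wiki (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Set

# A CAPTCHA verifier is any callable taking the client's response token and
# returning True on success. In production this would call the provider's
# server-side verification API; here an offline stand-in is injected so the
# example runs without a network. ASSUMPTION: token values are constructed.
CaptchaVerifier = Callable[[str], bool]

ISSUED_TOKENS = {"tok-solved-1", "tok-solved-2"}  # constructed sample tokens


def offline_captcha_verifier(token: str) -> bool:
    """Stand-in for a real provider call (assumption, not a real API)."""
    return token in ISSUED_TOKENS


@dataclass
class EditGate:
    """Decides whether an edit submission may proceed.

    Two technical controls replace "the TOS says don't spam":
      1. anonymous edits must carry a solved, unused CAPTCHA token;
      2. each client (IP or account) gets at most max_edits per window_s.
    """
    verify_captcha: CaptchaVerifier = offline_captcha_verifier
    max_edits: int = 5
    window_s: float = 60.0
    _history: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))
    _used_tokens: Set[str] = field(default_factory=set)

    def _within_rate(self, client_id: str, now: float) -> bool:
        """Sliding-window limiter: drop timestamps older than the window."""
        q = self._history[client_id]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_edits:
            return False
        q.append(now)
        return True

    def allow_edit(self, client_id: str, now: float,
                   authenticated: bool = False, captcha_token: str = "") -> str:
        """Return 'ok' or a 'denied:<reason>' string suitable for logging."""
        if not authenticated:
            if not captcha_token or not self.verify_captcha(captcha_token):
                return "denied:captcha"
            if captcha_token in self._used_tokens:
                return "denied:captcha-replay"   # one submission per token
            self._used_tokens.add(captcha_token)
        if not self._within_rate(client_id, now):
            return "denied:rate-limit"
        return "ok"


def demo() -> List[str]:
    """Walk through the decisions the gate makes on a constructed sequence."""
    gate = EditGate(max_edits=3, window_s=60.0)
    ip = "203.0.113.7"
    return [
        gate.allow_edit(ip, now=0.0),                                  # no token
        gate.allow_edit(ip, now=1.0, captcha_token="tok-solved-1"),    # solved
        gate.allow_edit(ip, now=2.0, captcha_token="tok-solved-1"),    # replayed
        gate.allow_edit(ip, now=3.0, captcha_token="tok-bogus"),       # forged
        gate.allow_edit("alice", now=10.0, authenticated=True),
        gate.allow_edit("alice", now=11.0, authenticated=True),
        gate.allow_edit("alice", now=12.0, authenticated=True),
        gate.allow_edit("alice", now=13.0, authenticated=True),        # 4th in 60s
        gate.allow_edit("alice", now=75.0, authenticated=True),        # window slid
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The decisions are returned as strings rather than raised as exceptions so that the same values can be written to an access log; counting `denied:*` per source is the detection side of the same control.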
I'm beginning to suspect you've been drinking. Heaven knows I have.
I've decided to take a personal interest in your posts.
You really should have reviewed my other posts in this thread before replying. I've already addressed the points you raised here.
I am in your debt.
Well played, sir, well played :).
There's actually a military practice scenario in which part of the scenario name is "Kobayashi Maru." Fun times.