No, those are most certainly not the only two conditions where the settlement would want to be private. In fact, neither of those conditions is the most common one. The most common one is that the defendant, even though he does not think he is in the wrong, finds it cheaper and easier to settle than to have the enormous expense of a court trial. And those are the ones that the defendant most wants to keep private, because making them public puts a giant target for every scam artist on his back. Can you imagine what would happen if it became known that Ford would settle for $500 if you claim you pinched your finger in the door?
I didn't say settlements were unilateral, I said going to court was a unilateral action.
What you seem to want to do is create a kind of legal extortion. If someone claims you have wronged them your choice is either agree to their terms, or lose your right to privacy. The plaintiff can demand absolutely anything, and there is nothing you can do about it. Plaintiff can claim he injured himself and demand $1000. What are you going to do, just pay it? If you refuse, and the plaintiff sues, it is now 'in court'. Now the plaintiff can offer to settle for only $100. If that fact will be kept secret it is probably better for you to just pay the $100 rather than pay legal fees, etc. However, if the terms of the settlement will NOT be kept secret then it is a lousy deal for you, as everyone knows you are an easy target for $100. How is that fair to the defendant, whose only options would be pay the initially requested amount, or let the whole world know what you are willing to pay?
You do know that using the public institutions is not something the parties agree to, right? ONE party can take it to court, which according to you seems to me that the OTHER party loses all its right to privacy. That is a pretty stupid idea.
Finally, the reason the secrets were not kept secret is because the court ordered them to be shared with the other party. I fail to see why any of my secrets should be made public just because I was ordered to provide them to another party that happened to file suit against me.
That makes no sense at all. First, you have stated zero reasons why agreements between two private parties (any agreements) should be made public. Second, you somehow manage to drag government spying into it, as if that has anything at all to do with it.
There are good reasons why such things should be kept private. Let's say I file a claim against you, claiming your slightly uneven sidewalk caused me to stub my toe. You go ask your friendly lawyer what to do, and he says 'well, you could fight it but that could be expensive even if you win, but I talked to the guy and he is willing to settle for $100'. You accept the settlement. According to you, that should now be public information, thereby inviting everyone and his brother to file a claim against you, knowing that not only will you settle, but you will settle for at least $100.
The only thing your idea would do is eliminate settlements altogether, which is pretty much the opposite of the ideal situation.
What does staff being there 24x7 have to do with anything? Are you trying to say that a cleaning crew that only works 8 hours a day is not an important thing to have? You seem to have no idea how quickly a completely unhealthy and unsanitary condition can occur. The barricades are not there to stop those conditions from happening (they won't), they are there to keep the general public from those conditions. Even if people think it is OK to go around the barricades, so what? Maybe you don't care if the average tourist sees a completely desecrated monument, but I don't think that a majority of the people would think that is a good idea. People have pride in the monuments, etc. Nobody wants someone's lasting image of a monument to be one of filth and uncaring.
Nope, you're entirely wrong. How do I know this? Because I have 30+ years experience in a company that sells primarily big-ticket items to F100 companies and governments.
When it gets to the end of the quarter (or more importantly, fiscal year) you can bet the marketing team is working their asses off trying to get these deals done. There is no such thing as 'enough' revenue, more is ALWAYS better. The vendor wants to sell his product today at least as much if not more so than the buyer needs to spend his money. Unless the vendor has more business than he can handle (very rare) the vendor will be in a mood to make deals.
The one thing you have right is this: And if that money goes back to the general budget then there's a good chance Congress will be budget cutting it next year. And the result of that budget cut is that the vendor is out a sale. So of course it is in the vendor's best interest to complete that sale NOW, while the money is available.
You clearly have no idea what you are talking about. Damn near ALL companies, non-profits, governments, etc have the same spending pattern, and it matches this one perfectly.
Let's say you run an IT department, and you have a 5 year equipment replacement cycle. At the beginning of the year you put in your budget that you need X dollars for equipment replacement, and that money is given to you. Now, you could, if you are not too bright, go spend all of that money right now. However, in 6 months some piece of equipment that you were not planning on replacing fails and needs to be replaced. Uh-oh! You have no money in the budget to replace it.
So, instead, you don't spend all your money right away, and in 6 months you have money to replace the failing equipment that you were not planning on replacing. You get to the end of the fiscal year, and you still have what is left of that 'equipment replacement' money sitting there. So what are you going to do? You could decide that 'equipment replacement' isn't really needed, and give the money back, but in that case why did you budget for it in the first place? You could just repeat the same thing next year, but then you don't have a real equipment replacement plan, you are just in reaction mode all the time.
So what really happens is that you get to the end of the year and SPEND THE MONEY on equipment replacement, just like you planned to do in the beginning of the year. THIS is why just about everyone waits until the last possible moment to place their orders for anything that is not urgent. In addition, waiting til the last moment does, in fact, give you leverage with your suppliers. Why? Because you can say 'I have the money to spend, give me a good price and you can have it, or take your chances that next year I will still have money to spend.'
This is not 'lab conditions', this is real life. If you don't believe me, take a look at the financials of any company that sells primarily to business (ie not consumer stuff) and look at quarterly revenues. Notice a pattern?
You get to pay more for the privilege of buying at the last moment.
You are sort of right, but not in the situation being discussed here. I think you are thinking of the situation where you have an urgent need for something, and require a short delivery time. For that situation you are correct.
However, that is not the situation here. Here, the situation is you have money that is 'expiring'. In addition, your vendors are probably ending their quarters/fiscal years and want their numbers to look good. In that situation, you get a better price, because you can say to the vendor 'I have the money now, you can sell for a price I want and increase your sales for the quarter. Or, you can take your chances that I will have this money available next year.'
I think (hope) that you made that up. I can think of two explanations. Your company is hopelessly screwed up, or the real concerns were about the SSL process, and not financial. If it really took $25K (including travel) just to approve a $100 expenditure, get out, quickly. On the other hand, it is entirely possible that management has real concerns about security, etc that they want addressed before letting someone obtain an SSL certificate in their name. That is reasonable. However, if your company has a web presence they should already have processes and policies for this sort of thing, so I am hoping the situation described happened at least a decade ago.
Unknown means unknown by the system running the app, not unknown by the world in general. Make your own cert, put it in the truststore, and now you are known.
I doubt many businesses (well run ones anyway) are using self-signed certs. Most likely they are using certs signed by themselves as a CA, which is not the same thing. If they are signing as their own CA then all they need to do is add their signing info to the truststore.
I would think businesses would welcome this change. They can ensure that their own apps run while making sure some app on a webpage somewhere does not run.
If you are going to accuse someone of not knowing what they are talking about, you should at least make sure you know what you are talking about.
NMI (non-maskable interrupt) is a physical pin on the processor. It is used (when used at all) to signal something very important (like memory errors). Your keyboard has no connection to this pin, and is therefore most certainly NOT using NMI.
When you press or release a key a scan code is generated. The keyboard driver will receive this scan code. It does not matter how the keyboard driver knows there is a code available - it could have received a (normal) interrupt or it could just poll the keyboard. The driver (software) maintains flags indicating the state of the special keys (shift, ctrl, alt). If a special key is pressed, the flag is turned on. If it is released the flag is turned off. If the driver sees that the code is a press of the 'delete' key, AND the flags for CTRL and ALT are on, it calls whatever special function is supposed to happen when ctrl-alt-delete is pressed. Otherwise, the scan code (and translated virtual key code) are placed in the input queue, to be handled by the application.
There is NO special hardware processing of ctrl-alt-delete. Those keys are handled exactly like every other keypress, and the 'special meaning' of that combination is determined and acted on solely by software.
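The flag-tracking logic described in the comment above, as an added C example that is not part of the original post and not taken from any real driver. It assumes PC scan code set 1 (release code = press code | 0x80, 0xE0 prefix for extended keys); the names `kbd_state`, `kbd_feed` and `kbd_run` are hypothetical, and the byte sequence in `main` is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Scan code set 1: a release ("break") code is the press code | 0x80,
 * and extended keys are preceded by an 0xE0 prefix byte. */
#define SC_CTRL   0x1D   /* left Ctrl; E0 1D is right Ctrl */
#define SC_LSHIFT 0x2A
#define SC_RSHIFT 0x36
#define SC_ALT    0x38   /* left Alt; E0 38 is right Alt */
#define SC_DELETE 0x53   /* E0 53 is Delete; bare 53 is keypad Del */
#define SC_BREAK  0x80
#define SC_EXT    0xE0

enum { SIDE_L = 1, SIDE_R = 2 };

struct kbd_state {
    uint8_t ctrl, alt, shift;  /* bitmask of SIDE_L / SIDE_R currently held */
    bool ext;                  /* previous byte was the 0xE0 prefix */
    unsigned combo_count;      /* times Ctrl+Alt+Delete was recognised */
    uint16_t queue[32];        /* codes handed on to the application */
    size_t queued;
};

static void set_flag(uint8_t *flags, uint8_t side, bool down)
{
    if (down) *flags |= side;
    else      *flags &= (uint8_t)~side;
}

/* Feed one byte from the keyboard. Returns true when this byte completed
 * Ctrl+Alt+Delete; the decision is made purely from software flags. */
bool kbd_feed(struct kbd_state *s, uint8_t byte)
{
    if (byte == SC_EXT) { s->ext = true; return false; }

    bool ext = s->ext;
    bool down = (byte & SC_BREAK) == 0;
    uint8_t key = byte & 0x7F;
    s->ext = false;

    switch (key) {
    case SC_CTRL:
        set_flag(&s->ctrl, ext ? SIDE_R : SIDE_L, down);
        return false;
    case SC_ALT:
        set_flag(&s->alt, ext ? SIDE_R : SIDE_L, down);
        return false;
    case SC_LSHIFT:
    case SC_RSHIFT:
        /* E0 2A / E0 36 are "fake shifts" sent around some extended keys;
         * they must not change the shift flag. */
        if (!ext) set_flag(&s->shift, key == SC_LSHIFT ? SIDE_L : SIDE_R, down);
        return false;
    }

    if (key == SC_DELETE && down && s->ctrl && s->alt) {
        s->combo_count++;          /* handled by the OS, never queued */
        return true;
    }

    /* Everything else, releases included, goes to the input queue. */
    if (s->queued < sizeof s->queue / sizeof s->queue[0])
        s->queue[s->queued++] = (uint16_t)((ext ? 0xE000u : 0u) | byte);
    return false;
}

/* Feed a buffer; returns how many times the combination fired. */
unsigned kbd_run(struct kbd_state *s, const uint8_t *bytes, size_t n)
{
    unsigned fired = 0;
    for (size_t i = 0; i < n; i++)
        if (kbd_feed(s, bytes[i])) fired++;
    return fired;
}

int main(void)
{
    /* Constructed input: Ctrl down, Alt down, Delete down, Delete up,
     * Alt up, then Delete down again with only Ctrl held. */
    const uint8_t bytes[] = {0x1D, 0x38, 0xE0, 0x53, 0xE0, 0xD3,
                             0xB8, 0xE0, 0x53};
    struct kbd_state s = {0};
    unsigned fired = kbd_run(&s, bytes, sizeof bytes);
    printf("combination fired %u time(s), %zu code(s) queued\n",
           fired, s.queued);
    return 0;
}
```
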
There is no ctrl+alt+delete interrupt - where does this idea come from?
Now, for the question of why the combination was chosen instead of a specific key. Well, early on of course ctrl+alt+del was used to signal the BIOS to reboot the machine. Obviously, having a single key that can cause that function would be pretty dumb, so the combination made sense. That left all of the other keys able to be used by applications. Sure, YOU may never have had to use the SysReq key, but if you were running an IBM 3270 or 5250 terminal emulator you used it, because a real 3270 had that key. Same with all the other keys - some app is probably using them for something.
So, when Windows needed a key to be used by the OS alone, what to do? Use the one combination that you KNOW no app is using, or grab a key and annoy all the users of apps that previously used that key?
Huh? NMI is a hardware thing, Ctrl+Alt+Delete is entirely a software thing. The only thing that ever had to do with NMI (related to this) is that on the PCjr the KEYBOARD used the NMI to signal a keystroke. This had an advantage that even if your PC somehow wound up in an interrupts-disabled state the keyboard interrupts would still be processed, and thus Ctrl+Alt+Delete would still work (the BIOS recognized the sequence and branched to the 'reset' code). On the other hand, it was a mistake because typing could interfere with timing-critical things (like async comms). As far as I know, the PCjr was the only machine to ever use NMI for the keyboard.
Maybe what you are thinking is that there was no way (in Windows) to 'hook' the keyboard in a manner that could intercept Ctrl+Alt+Delete. That would prevent things from taking over the logon screen.
You are making the same mistake that a lot of other people on here make: you assume that the 'problem' is where your eyes are looking, so if you can demonstrate that you can still see something other than what you are directly looking at you are OK. Unfortunately, that is not the case. The problem is not where your eyes are looking, it is what your brain is doing.
You know how illusionists work, right? They cause you to focus your attention on something so that you completely miss other things that are happening in your field of vision. Same thing with texts - your attention is focused on the text, and as a result you will miss things happening around you, even if those things are in your field of vision. Looking at your feet is not at all the same as reading/sending texts.
Basically, your brain can be in either the 'alert' state or the 'focused' state, but not both at the same time. Driving, even sitting at a red light, requires the 'alert' state.
As has been pointed out elsewhere, this is what IBM's VM/CMS system has been doing for more than 40 years. You certainly don't launch a new VM every time you would create a process. You create a VM for, for instance, managing a database. That VM uses what amounts to a high-performance socket interface to listen for work requests from other VMs. The database VM is started when the hypervisor is started, and continues running until it dies or is shut down. If it dies, it can't take anything else with it because it is its own VM. It can't have any IPC resources tied up, etc, because there aren't any. The only thing that would happen is any other VM with an active connection to the database VM would be notified that the connection terminated.
Internal to each VM the application can do whatever it wants. If it wants to have some sort of process control it can do that, as it is a virtual machine and can run anything it wants.
You have it backwards. There is no kernel (other than the hypervisor), everything is in userland. Each element of the software stack (network, web server, database, whatever) is a separate VM, completely isolated from the other services. A flaw in any service, no matter what 'privilege level' that service is running at, can not spread past what that service can do. Even if the services are running as 'root' they don't have access to any other service's data or whatever because they are in different VMs.
Why would you have to 'fire IP messages all over the place'? Any hypervisor worth a damn is going to have a high-performance method of passing messages between VMs without using IP or some such nonsense. There is no reason why a web server VM sending a message to a database VM is going to have any worse performance than a web server process sending a message to a database server process.
Breaks down on the security front? How so, exactly? Every message passed between VMs would have the ID of the originator added to the message somewhere, and that ID would be provided by the hypervisor, not the application. Additionally, security is improved because EVERYTHING runs in user space, and nothing runs as 'root'. You want a network connection? You have a network VM, which does nothing but process TCP/IP packets. Even if there is a flaw in the TCP/IP stack you can't do a privilege escalation because the network VM has no special privileges.
Fails for real workloads? Not really, it's been in use on 'real workloads' for more than 40 years on mainframes.
Holy crap! That is amazing! Who made this wonderful discovery, surely they must be nominated for some sort of prize. Oh, wait, everything with even the slightest bit of security uses rolling codes. Oh well.
In the past, factories did not have a whole lot of quality control. That is NOT to say that the things they produced were of low quality, but that there was variation. Different components were put together by different people. Person 'A' may have had a different technique he used when soldering a coil than person 'B'. That sort of thing. So, in the past, if your coil was leaking there was a reasonably good chance that the rest of the system was OK, and a coil repair made sense.
Today, there is a lot of quality control and automation. Again, that does not necessarily mean high quality, but it means consistency. Today, if your coil is leaking there is a very good chance that the entire system has reached the end of its useful life, because everything was built to the same specs. Sure, the guy could probably find and repair the leak. But what happens in two weeks when another leak pops up? Most people are going to have a fit and complain that the repairman ripped them off, etc. When they get done ranting, they will have the new leak fixed (maybe after bullying the repairman into doing it for free). And a few weeks later the THIRD leak appears, etc.
Did you actually ask the repairman why repairing was not appropriate, or did you automatically jump into 'must be a rip-off' mode?
And you still have provided zero reasons why this information should be public.
A certificate signed by an internal CA is not the same thing as a self-signed certificate.
Heh, yeah. More like 95,000 sq miles.
Nope, you're not the only one. That's exactly what I thought too.
No need to do that, they can just run Linux and AIX in separate LPARs if so desired.