If the hole is known, why haven't you patched it? If it can't be patched, why are you still using it?
Since you seemed to have missed this point completely in my previous post (though you even quoted it), let me spell it out for you: Obscurity does not make insecure locks secure. In that sense, "security through obscurity" does not work, and I do understand that.
But if you wanted to be truly secure, you would closely guard such information as the location of your server, its address, the applications it runs, the protocols it uses, the name of the host, &c. In this sense, increased levels of obscurity reduce the chances of getting attacked in the first place. If your code is also secure, and your technicians are well-trained and experienced, then you have a chance to repel those attackers that penetrate your obscurity. Publishing information about your security methods, or your points of access, is an invitation to be attacked. And who would sign up for that?
I should apologise. I'm not nearly as law-abiding as you seem to think I am. I've lately begun to suspect, though, that my reasons for breaking this law or that are not well thought out. I suspect that my lawbreaking doesn't benefit me as much as I thought, and doesn't benefit my community at all.
When I break a law, it is almost always because I find it too difficult to keep, or change, or repeal: my lawbreaking is a matter of immediate convenience. Sometimes, when challenged, I parrot various catchphrases as an excuse: "The infraction is trivial!"; "The law is unjust!"; "I'm not hurting anyone!"; "Or if I am, they deserve to be hurt!"
On closer inspection, these excuses seem to be unsubstantiated, poorly reasoned, or obviously weak. In the end, my lawbreaking is nothing more than the instant gratification of my desires--hardly a good reason to abandon the conventions of my society (and note that one of these conventions is that all laws, no matter how trivial or annoying, must be kept, and those that do not keep them should be punished).
Saying "such and such a law has no value" is very different from saying "keeping the Law has no value". If I find value in the Law--a system of rules to govern peaceful interactions between individuals--then I'd be very upset indeed by bad laws, since I must bear the burden of keeping them even though they do not improve society. It's precisely because I (hypothetically) value keeping the Law that bad laws are so burdensome. But if I find no value in keeping the Law, then specific laws are meaningless to me, whether good or bad. I'll ignore them all at my convenience.
Breaking a law might be the best way to improve society, but it might also contribute to a culture that devalues the Law. How does warezing movies make me a better person and a better citizen? How does it improve my community or enrich society? The answer is not clear to me, except that I know that as long as my arguments are weak, breaking the law does not do any of these things.
Any argument that began, "warezing movies improves the individual and the community because..." would interest me greatly. The arguments I have actually seen show little evidence of any attempt at reasoning, or any real concern for self- or social improvement. Should our motto really be "breaking the law is easier than fighting it"? That hardly seems a solid foundation on which to build a better system.
I can't really claim to have any special knowledge of what the movers and shakers think, but it often seems to me that they think like that.
I thought this conversation was about you and me, and what we think and do, though. How is the behavior of politicians relevant?
Do you mean that because politicians do it, it must be right for us to do it? Or do you mean that because politicians do not live up to this standard, there is no value in us living up to this standard? Or do you mean that the politicians have established a paradigm in which the only way to improve society is to break the law at our convenience, to satisfy our personal desires? Or have I missed your point entirely?
More like "majority sucks": that seems to be the lesson of history, anyway.
"Majority rules" is just an excuse to disenfranchise dissenters, really. How about this: let's all vote on a law. We'll all agree ahead of time to abide by the law, whether we voted for it or not. We'll agree to this because we all believe that a system of published conventions that everybody follows is better than the alternatives. Having agreed, we'll vote, according to the principle that our laws will be determined by the approval of a simple majority of authorized voters. Once the vote has been taken, and the results tallied, the law will be passed, and we will all abide by it. Those that don't will be punished according to rules that we have also voted on. Once we've got all that taken care of, then we can talk about "majority rules".
Using "majority rules" to defend an opinion held by you and maybe some other people (note that you haven't even established that the opinion is held by a majority, anyway) is possibly the second or third most retarded thing I've ever heard.
"This product is so shitty that I can't justify paying for it! In fact, it's so shitty that I'll take it without paying for it, and use it anyway!"
So let me get this straight: you think these movies aren't worth paying for, but they are worth breaking the law for?
Might as well be honest, and say, "I believe laws to be meaningless and unimportant; breaking them to suit my whims is ethically--and financially!--sound."
I'm beginning to suspect that being a good citizen may actually be more important than warezing bad movies, largely due to the utter inanity of arguments such as yours. If you have a rational, ethically coherent argument to support the claim that warezing movies = good citizenship, I'd be interested to hear it.
I admit that I'm an amateur: I know nothing at all about security except what I read in novels or see in movies. I'm simply trying to reason this out as logically as I can from the axiom, "it's harder to attack what you can't see than to attack what you can see".
If you have any data or experience that illuminates your claims, please let me know.
I'm also not sure how obscurity makes a security method more complex; since obscurity consists simply of not telling people what you've got, it can't be more complex than widely publishing that information.
But I think I see the cause of the confusion: I'm speaking of robust security systems, but you may be speaking of secure code.
Obviously, the only way to get secure code is to write it: you can't write insecure code and then make it secure by not telling anybody about the insecurities. This is the same as making a lock that opens to any key, and not telling anyone. The lock is still insecure. But security components are different from security practices. Your locks should be secure, and nobody should know what make and model of locks you have. Your software should be secure, and nobody should know what software you use.
I see nothing in the word "computer" that automatically filters out half-assed attackers. I imagine that any security target would attract a similar cross-section of attackers.
And assuming that you have half-assed attackers will get you breached in either case anyway. It's precisely because you assume full-assed attackers that you use not only strong crypto/strong locks, but also obscurity, auditing, authentication, and any other obstacle you can devise. Assuming you don't need obscurity "because it doesn't work" makes you half-assed, and does nothing to raise the price of entry for your attackers.
How about
e) Given the reasonable expectation that experienced cryptographers and information experts generally don't get online through AOL (since AOL markets heavily to non-technical people, and most if not all technical people you meet don't use it at all), it is reasonable to expect that an AOL user will not come up with a technically robust encryption scheme.
It's not about techno-bigotry, so much as reasonable expectations based on years of statistical and anecdotal evidence.
Not by itself, at least. I always figured that obscurity would be the first element of any robust defense in depth.
You'll have trouble picking the locks on my door if you have no idea where I live. But I don't rely only on your ignorance to protect my home--I also have really good locks.
Of course, now that you know I have really good locks, your job becomes a little bit easier. If I told you the make and model of my locks, that would make your job easier yet. You'd probably also like to know about my alarm system, guard dogs, and surveillance cameras.
Every piece of information you have about my security improves your chances of breaching it, and reduces my obscurity by an unacceptable amount.
Obscurity is a vital component of any physical security system. Period.
Perhaps you'd feel better if you knew about the Origins and Use of the Winged Sun-Disk. Apparently, it's also mentioned in Maurice's Indian Antiquities. You can get an idea of how widespread this symbol was in this discussion about the migration of symbols. Google provides links to many more such sites, if you'd like to conduct further impromptu research.
It's a pity you didn't see any when you were in Egypt. You appear to have missed out on a significant core element of Egyptian iconography.
Well, of course the Beatles were a boy band. I'm not disputing that! It's the Monkees that weren't a boy band. They were a subversion of the boy band, and we're waaay overdue for another one.
Not only do we already have at least one very big "google", but we already have very big "goggles" as well. Protecting facilities from airborne attackers is already trivial for nations with our level of technology and resources. A full-scale world war might jeopardize the elevator, but only if we were saturated with targets and for some reason the elevator was low on our list of things to defend (I imagine it would actually be right up in the Top Ten Things To Defend, alongside our military command infrastructure, our civil command infrastructure, and our industrial base). Terrorists using passenger planes, SCUD missiles, military surplus helicopter gunships, commandeered Coast Guard vessels, or whatever probably wouldn't stand a chance.
Hrm. You did go out of your way to describe something the parent poster gave no indication of having done. You invented a scenario that was quite silly and stupid, and made fun of the parent poster as if he had done this thing. What else would you call "humor" that crosses the line into unsubstantiated personal ridicule?
Some points: First, the blog post is primarily important to the poster. As long as the poster is satisfied with the blog, then its mission is accomplished. Second, people who do read posts about mundane tasks do so because they, at least, find them interesting. Third, a lot of people seem to value the communication that goes on in blogs at least as much as the content. Just because you don't care about blogs doesn't make them worthless.
Many people (my parents, for example), don't see anything interesting about Slashdot. Does that make us all misguided losers? Probably not: some of us are misguided losers whether we post here or not.
The Monkees weren't a boy band so much as a postmodern satire of the Beatles. You must be capable of holding a grudge for a very long time, if you're still bitter about their "comeback".
Mark Wahlberg, meanwhile, never really had anything worth coming back for. The moment he realized this, he changed jobs, finding work as a halfway-decent actor. If all the boy bands made Wahlberg's "comeback", music would be a much better place, and movies wouldn't be any worse than they currently are.
Also, the "let's shoot boy bands into space... without space suits!" comment is older now, but not any more tired, than when it was first made. Remember that you're posting on Slashdot, where we already know you don't like boy bands. Originality is much more important than mindlessly repeating the same inane remarks over and over again. Bandwagoning the editor's own tired "insights" puts me in the mood to space you, ahead of the pop-music chorus line of the week.
At least the boy bands are paid professionals: they can dance and sing better than you or I, they work hard, they maintain wholesome appearances, and they appear to be having a lot of fun. They're getting paid for something they do well, and it's something they enjoy doing well.
I'm not moved by the music that's written for them, and I abhor the whole music industry/marketing system that makes boy bands possible and lucrative, but the bands themselves are no more evil than they would be if they appeared under a system of independent copyright-owning artists.
Imagine a songwriter who believes his work would appeal to a certain demographic--high school girls, for example. So he amasses some capital, hires a group of clean-cut young men and a choreographer, writes some catchy tunes, teaches them the lyrics, music, and dance steps, and hits the road. They work as a team, and work hard. They get lucky, create some buzz, burn an album, collect some royalties from downloads and webcasts (in addition to the take from their touring), and generally have a good time writing and fronting the music.
That's not so bad, is it? No different from the independent rappers, emo bands, country singers, folk artists, &c. that will spring up in our hypothetical RIAA-free utopia. I think boy bands will always be with us, and I don't think they will ever be the problem.
Yes, over here on Slashdot we're much more enlightened. Instead of using the web to communicate with our friends and family, we run around acting like jerks and flaming people for no good reason. Much better than those stupid blogging ego-trips.
According to the article, the report was prepared by an independent research company. Linux Today carried the story because it contains positive statements made by a third party about Linux.
Meanwhile, here on /., people seem to be saying that the report came from Linux Today, and therefore is too biased to be trusted.
So on the one hand, you're wrong about the source of the report, just like a lot of other posters. On the other hand, you're wrong about /.'s response to the report.
But hey, at least things are somewhat better than you expected, which is always pleasant.
Depending on your opinion of the Jargon File, you may find this definition much more canonical.
The true canon, of course, would be Heinlein's novel, but I wouldn't wish that on anyone :)
That sounds pretty absolute. Are you sure your knowledge of the universe is comprehensive enough to justify your claim?
Bwahahaha! Irony
We cannot what? Would you be willing to clarify your point? I honestly don't understand the meaning of your remarks.
That's too disturbing, even for a hardened cynic like myself.
No, it's just Slashdot repeating the same tired old joke over and over again.
Bwahahaha!
Oh, wait... that was a troll, wasn't it?
Hrm.
Never mind. It's not like I was taking you seriously anyway.
So much for my message of peace and happiness.
Slashdot is the weblog of the world's premier aggregate intelligence: Slashdot.