So, instead of trying to give information to its perhaps most important (potential) client group, they should just let misinformation and FUD fly?
I think you misunderstood the point I was trying to make (which is very possible, considering I don't quite get how to put it clearly). It has nothing to do with "letting lawyers run the show", but consider that when litigation is in progress, libel and slander accusations start flying pretty quickly. Say one thing against your "opponent" that ends up refuted by a court and you're open to civil lawsuits afterwards. =\
My other point was that there are "cleaner" ways to rectify facts: press releases, annoucements and other interviews, for example. By posting here, it looks like a desperate move to get the public on MySQL AB's side, besides risking igniting flamewars if the other party decided to post as well
Running a company that is not a behemoth during litigation can quickly get frustrating, and without letting lawyers run the show as you put it, you come to realize that the game is being played on their ground, and that you'd better follow their advice. Unless of course you want to end up out of business and in debt over lawyer fees and damages. =\
(Assuming you really are who you say you are. And no, I'm not trolling or asking for flames.)
While your clarifications may be welcome by readers here, I think it is not wise for you to post to this forum in the name of MySQL AB.
Why? Because it makes it look like MySQL is trying to sway public opinion in its favor, and it's generally bad form to publicly debate a conflict that is currently in legal battle. I'd be surprised if your lawyers did not advise against it.
Furthermore, by posting here, you diminish the apparence of integrity of your company, by showing it lowers itself to PR tactics to promote its view in a forum where the opposing party does not have a chance to respond. Slashdot is not a courtroom.
Even if NuSphere responded here, I don't think anything constructive would come out of it, except rehashing on issues both parties are well aware of.
From what I read in the article, this "protection" works from the fact that a computer CD drive will read the data differently than an audio-only drive, since it would treat the data as corrupt.
Does that mean that those CDs will not play on a computer CD drive at all?
I happen to not own any other cd player than my computer's CD drive, and I'm about sure I'm not the only one...
The post you responded to is correct: There ARE ways to protect network hubs from (D)DoS. One of them which Undernet uses is hiding the hub's IP, either through tunnelling (makes hubs look like they are on a local, non-routable address from the client servers) or making sure the servers do not give out IPs of connecting/splitting servers.
Of course, it assumes that you change where you host the hubs before it gets effective, and that noone leaks what the actual IP is, but it's a start. Sure, security through obscurity is no security at all, but what we're dealing with here are script kids.
It didnt solve all the problems on Undernet either, because client servers can and will still be attacked. but hubs, along with services, have always been the challenge script kiddies like to have because they cause much more trouble when they go down.
CaptJay,
former NewBrunswick.NJ.US.Undernet.Org Oper
I don't think the cards are physically destroyed. They are simply rendered unable to use DirecTV's service, which is well within what they should be (and in my opinion, are) allowed to do.
They won't get sued, because those who lost their "investment" did so for something they should not have had access to in the first place.
It would be like suing a car manufacturer for installing anti-starting devices in all their cars, and therefore in car you just stole, making it unusable. I'm sure you agree that a class action lawsuit from car thieves who could not use their stolen cars does not make much sense.
Good proposals in general, all of which are approaches we've been looking into.
However, as bad as it may seem, not hiding user's IP probably actually _saves_ DoS against servers, since script kids target the user, not the server.
Had it been a couple of years ago where one could actually have enough bandwith to hold attacks, I would have agreed with you that hiding user's IP is a good idea. Nowadays, I think it raises quite a debate, especially since it complicates channel ops' life quite a bit.
Attacks cannot be stopped altogether, since client servers will always have to be shown. Just so you know, Undernet already hides the IP adresses of its hub servers. But even this is not perfect, because it's still vulnerable to disclosure from the inside (either voluntary or accidental), and it's generally know which company hosts the hub anyway. So if the script kiddie wants a hub out, he'll probably DDoS every company netblock until the hub happens to drop. Wonderful, isn't it?
Nothing, but you will most likely be violating your cable company's terms of agreement (which they will I'm sure modify to account for this) and get your account cancelled.
Now if you're like me, you only have one company serving cable in your area, so you're stuck.
How do you know that they make *all* of their modifications public?
The article says they are releasing the source code to their packages. So if you don't trust their prebuilt binaries, you can always recompile the stuff yourself.
Of course, if they wanted to make hidden modifications, they would probably stick them into the kernel or the compiler (as with the UNIX backdoor a while ago)... But then you still would not be forced to run the kernel they use (you can apply their patches to your own trusted kernel sources), or the compiler they supply.
Is it perfect security? No. Are any other distributions providing perfect security? No. Will it be more trustworthy than some other distributions? Maybe.
Like it or not, NSA is an organization that really cares about tough and efficient security in computer systems. They also have alot of experts in that domain, and the fact that they make all of their modifications public is great for the open source software.
Even without taking all their modifications directly and integrating them, they might just show developpers innovative ways to secure Linux, which can lead to better security for everyone and alot of other software in which security is critical.
So in short, I think they're contributing to open source as a whole, not only to Linux. I also think their contribution is a BIG one. This sounds great!
Running an IRC server costs thousands of dollars per month to (mostly) large companies with big legal departments. There is (to my knowledge) no such thing as a Public IRC Network: all servers are owned by companies who pay for them and rightfully reserve the right to throw out anyone doing things they don't like with their bandwith. In fact, most of these companies host an IRC server to provide service for/their/ clients, but allow others to use it.
Now, will companies that host those supposedly "public" IRC Servers that are targetted by this software just stand there and watch while some other startup just wastes their bandwith with file trading bots? Does this make sense from a buisiness point of view?
Somehow I think not. I know AT&T (disclaimer: I have no relation with AT&T besides being an IRC Operator on one of their servers) would not want its servers used to help some other software work while not getting anything in return. What will happen? as soon as these clients are identifiable, they will most likely get automatically banned, or the trading channels closed. I for one am not going to tolerate these on my server taking up connections instead of people who actually want to chat.
In either case, moves by BitHive to try to go around these bans by say, pretending to be a standard mIRC client would probably get them in some legal trouble. I don't know on what basis, I'm not a lawyer, but legal departements can be so oooo creative =)
In short, the idea is good, but forgets one tiny thing: in the end, IRC servers belong to companies who don't like someone else just jumping in and using their paid bandwith.
A very valid point. Besides most of these agreements violate the Consumer Protection Law (LPC) in several aspects, mainly:
- Agreements signed under pressure (nowadays most stores will NOT take back an open package of software, since you may have well just copied the CD). So you don't have a choice to agree if you want to use the software. This no refund policy is also illegal under the Consumer Protection Law, since the law clearly states you can have full refund within 10 days of purchase.
- They cannot be legally binding, since there is no way to prove that whoever clicked "Agree" is the same person that uses the software.
- There is also a provision that states that you own any product you buy, and that this right cannot be removed.
So we have pretty strong protections here, the only problem is, noone is acting to stop companies from using such agreements here, even though they are clearly illegal.
You own the hardware AND the software copy that was mailed to you, per laws that apply to the US Postal Service.
Besides, I have yet to see one case in the US where a judge found that click-through licenses are legally binding. Just to be on the safe side, get your 12 year-old sister to fill in the form: contracts signed by minors are invalid.
Here in Quebec, about 90% of these agreements are against consumer protection laws, unenforcable and illegal. Furthermore, a judge clearly found that since you had no way of proving you were really the one pressing the "I agree" button, there is no way it could be considered legally binding. Besides, contracts signed under pressure are also invalid, and in most cases the software you bought is not refundable (since most stores won't take back an open CD, you could have made a copy of it..), in which case, to get something for your money, you are forced to accept the terms without possible negociation.
Basic point: There are MANY legal problems with click-through agreements, which most companies would rather you not know about and they surely don't want them tested in court when they can avoid it.
I have always wondered what was the idea behind those temporary work cards. I mean, if the person is skilled in a domain that your country badly needs, why would you not want to try to keep that person for as long as possible?
It should be the opposite: immigrants who have specific in-demand skills should have benefits to encourage them to work in your country, not disadvantages over an unskilled worker.
Oh, wait, you US dudes have this weird thing called National Security, which is probably best protected by not keeping "strangers" in your country for too long;)
I suspect some weirdo C++ programmer behind this...I thought throwing cout around was nice, but throwing ambiant gases is probably alot more interresting.
I could not agree more. In the worse case where all your applications are themable or have a different interface, you have a wonderful mess of completely confusing software for users. The time the average user loses going "Now what does this 'thing' (actually a button) do?" is unbelievable.
If theming has its place, its in the way its used in *IX/UX Window managers. Theme EVERY apps and controls, not just every application with a different look!
One of the things that actually made Windows VERY popular is that all applications look the same and behave the same (granted, Apple had this too). I'd rather not imagine what a desktop will look like when "innovation" is synonym with ruining every UI standard that's been developped over the years.
If you were to set up a complete virtual environment with say a copy of the original files on your system and let the hacker in there, you could probably fool more than a few script kiddies. However such a trap would have to be very well thought out, so that the cracker's interactions with it seem to have a real effect on the environment. For example, if the cracker kills a process, it should at least pretend to die;)
On the other hand, fooling a very experienced cracker into thinking he is really on your system is probably alot harder than keeping him out (which is a large enough problem by itself).
Microsoft has always had this kind of aggressive attitude towards competiting OS's. Back then it bragged that Windows was more stable than MacOS, that Solaris had alot less uptime than Windows NT 3.51 (!).
The main point is, alot of people TRUST Microsoft, and those kinds of lies will pass as true for many an IT manager.
Reliability is Microsoft's damocles sword. They want to position themselves better with that problem, and instead of making a better product, I guess they decided to lower other products below them in public opinion.
Here in Canada they charge you a special tax over blank media (including blank CDs) which goes back to the recording industry to "compensate for illegal copying". The sad part is, the lobby of the recording industry with governments is so intense that regulations will favor them, not customers. For example, the govt here discarded the claim that CD-R's were used for legitimate computer backups, not only to copy mp3 files and audio CDs.
See this from the perspective of the folks who built that "standard" though. They want you to pay for a song, store it somewhere, and not be able to redistribute it to others or make copies you haven't paid for.
Of course you're usually allowed to make copies for your personnal use, but apparently they forgot THAT part of the copyright law when they designed the crap...
What seems to be really stupid though is that the software allows you to move files around, which renders them unusable, and it doesn't warn you?? If that's the case, it doesnt qualify as user-friendly to me.
There are alot more things on IRC that AI can help with other than trying to chat as if it were a human.
With a sufficient database, a darkbot can be made to respond to various text, and even randomly initiate "conversation" if set up that way. This could be called a simple reflex AI. This happens, do that.
But what's more interresting is to use AI on bots that keep track of alot of information on users on the channels they help protect, and use that information "intelligently" to perform their tasks better (e.g., using this information to determine someone just evaded a channel ban, and that action A should be taken). If made properly, the bot could end up acting like a watchful human channel op, doing whois' on users, recognizing floodnets for what they are, etc.
I have a bot in progress which I intend on builing that kind of stuff into when it gets more mature. It's basically useless right now, but anyways it's available from the tiBot project homepage. Anyone interrested in giving a hand is welcome, the bot is GPL'd.
Whatever country your from, you need to get someone who understands patent laws and obviously the laws you're subject to. Of course, you'd have to show that person what you have done and give him alot of information if you want him to help.
Some countries outlaw reverse engineering, some have specific provisions for it. Depending on where you are, the issues at hand will change alot.
Best advice I think is to not rush anything. Get advice from a lawyer/before/ you do anything. Better safe than sorry =)
Slashdot Mirror
I think you misunderstood the point I was trying to make (which is very possible, considering I don't quite get how to put it clearly). It has nothing to do with "letting lawyers run the show", but consider that when litigation is in progress, libel and slander accusations start flying pretty quickly. Say one thing against your "opponent" that ends up refuted by a court and you're open to civil lawsuits afterwards. =\
My other point was that there are "cleaner" ways to rectify facts: press releases, annoucements and other interviews, for example. By posting here, it looks like a desperate move to get the public on MySQL AB's side, besides risking igniting flamewars if the other party decided to post as well
Running a company that is not a behemoth during litigation can quickly get frustrating, and without letting lawyers run the show as you put it, you come to realize that the game is being played on their ground, and that you'd better follow their advice. Unless of course you want to end up out of business and in debt over lawyer fees and damages. =\
(Assuming you really are who you say you are. And no, I'm not trolling or asking for flames.)
While your clarifications may be welcome by readers here, I think it is not wise for you to post to this forum in the name of MySQL AB.
Why? Because it makes it look like MySQL is trying to sway public opinion in its favor, and it's generally bad form to publicly debate a conflict that is currently in legal battle. I'd be surprised if your lawyers did not advise against it.
Furthermore, by posting here, you diminish the apparence of integrity of your company, by showing it lowers itself to PR tactics to promote its view in a forum where the opposing party does not have a chance to respond. Slashdot is not a courtroom.
Even if NuSphere responded here, I don't think anything constructive would come out of it, except rehashing on issues both parties are well aware of.
Sincerely,
Jay.
From what I read in the article, this "protection" works from the fact that a computer CD drive will read the data differently than an audio-only drive, since it would treat the data as corrupt.
Does that mean that those CDs will not play on a computer CD drive at all?
I happen to not own any other cd player than my computer's CD drive, and I'm about sure I'm not the only one...
e = 2.7 something (irrationnal number)
The post you responded to is correct: There ARE ways to protect network hubs from (D)DoS. One of them which Undernet uses is hiding the hub's IP, either through tunnelling (makes hubs look like they are on a local, non-routable address from the client servers) or making sure the servers do not give out IPs of connecting/splitting servers.
Of course, it assumes that you change where you host the hubs before it gets effective, and that noone leaks what the actual IP is, but it's a start. Sure, security through obscurity is no security at all, but what we're dealing with here are script kids.
It didnt solve all the problems on Undernet either, because client servers can and will still be attacked. but hubs, along with services, have always been the challenge script kiddies like to have because they cause much more trouble when they go down.
CaptJay,
former NewBrunswick.NJ.US.Undernet.Org Oper
Guess what is on my desktop?? Thats right, windows, 2000 pro to be exact. Ya know why?
Because you didn't have to pay for it?
I don't think the cards are physically destroyed. They are simply rendered unable to use DirecTV's service, which is well within what they should be (and in my opinion, are) allowed to do.
They won't get sued, because those who lost their "investment" did so for something they should not have had access to in the first place.
It would be like suing a car manufacturer for installing anti-starting devices in all their cars, and therefore in car you just stole, making it unusable. I'm sure you agree that a class action lawsuit from car thieves who could not use their stolen cars does not make much sense.
Good proposals in general, all of which are approaches we've been looking into.
However, as bad as it may seem, not hiding user's IP probably actually _saves_ DoS against servers, since script kids target the user, not the server.
Had it been a couple of years ago where one could actually have enough bandwith to hold attacks, I would have agreed with you that hiding user's IP is a good idea. Nowadays, I think it raises quite a debate, especially since it complicates channel ops' life quite a bit.
Attacks cannot be stopped altogether, since client servers will always have to be shown. Just so you know, Undernet already hides the IP adresses of its hub servers. But even this is not perfect, because it's still vulnerable to disclosure from the inside (either voluntary or accidental), and it's generally know which company hosts the hub anyway. So if the script kiddie wants a hub out, he'll probably DDoS every company netblock until the hub happens to drop. Wonderful, isn't it?
An O flag to see if someone whois'd an oper? I don't know where you got this idea, but you managed to get a laugh from me.
The source is open, go check it before posting ridiculous assertions like this.
Nothing, but you will most likely be violating your cable company's terms of agreement (which they will I'm sure modify to account for this) and get your account cancelled.
Now if you're like me, you only have one company serving cable in your area, so you're stuck.
How do you know that they make *all* of their modifications public?
The article says they are releasing the source code to their packages. So if you don't trust their prebuilt binaries, you can always recompile the stuff yourself.
Of course, if they wanted to make hidden modifications, they would probably stick them into the kernel or the compiler (as with the UNIX backdoor a while ago)... But then you still would not be forced to run the kernel they use (you can apply their patches to your own trusted kernel sources), or the compiler they supply.
Is it perfect security? No. Are any other distributions providing perfect security? No. Will it be more trustworthy than some other distributions? Maybe.
It's still just a proof of concept.
Like it or not, NSA is an organization that really cares about tough and efficient security in computer systems. They also have alot of experts in that domain, and the fact that they make all of their modifications public is great for the open source software.
Even without taking all their modifications directly and integrating them, they might just show developpers innovative ways to secure Linux, which can lead to better security for everyone and alot of other software in which security is critical.
So in short, I think they're contributing to open source as a whole, not only to Linux. I also think their contribution is a BIG one. This sounds great!
Running an IRC server costs thousands of dollars per month to (mostly) large companies with big legal departments. There is (to my knowledge) no such thing as a Public IRC Network: all servers are owned by companies who pay for them and rightfully reserve the right to throw out anyone doing things they don't like with their bandwith. In fact, most of these companies host an IRC server to provide service for /their/ clients, but allow others to use it.
Now, will companies that host those supposedly "public" IRC Servers that are targetted by this software just stand there and watch while some other startup just wastes their bandwith with file trading bots? Does this make sense from a buisiness point of view?
Somehow I think not. I know AT&T (disclaimer: I have no relation with AT&T besides being an IRC Operator on one of their servers) would not want its servers used to help some other software work while not getting anything in return. What will happen? as soon as these clients are identifiable, they will most likely get automatically banned, or the trading channels closed. I for one am not going to tolerate these on my server taking up connections instead of people who actually want to chat.
In either case, moves by BitHive to try to go around these bans by say, pretending to be a standard mIRC client would probably get them in some legal trouble. I don't know on what basis, I'm not a lawyer, but legal departements can be so oooo creative =)
In short, the idea is good, but forgets one tiny thing: in the end, IRC servers belong to companies who don't like someone else just jumping in and using their paid bandwith.
A very valid point. Besides most of these agreements violate the Consumer Protection Law (LPC) in several aspects, mainly:
- Agreements signed under pressure (nowadays most stores will NOT take back an open package of software, since you may have well just copied the CD). So you don't have a choice to agree if you want to use the software. This no refund policy is also illegal under the Consumer Protection Law, since the law clearly states you can have full refund within 10 days of purchase.
- They cannot be legally binding, since there is no way to prove that whoever clicked "Agree" is the same person that uses the software.
- There is also a provision that states that you own any product you buy, and that this right cannot be removed.
So we have pretty strong protections here, the only problem is, noone is acting to stop companies from using such agreements here, even though they are clearly illegal.
Standard IANAL disclaimer.
You own the hardware AND the software copy that was mailed to you, per laws that apply to the US Postal Service.
Besides, I have yet to see one case in the US where a judge found that click-through licenses are legally binding. Just to be on the safe side, get your 12 year-old sister to fill in the form: contracts signed by minors are invalid.
Here in Quebec, about 90% of these agreements are against consumer protection laws, unenforcable and illegal. Furthermore, a judge clearly found that since you had no way of proving you were really the one pressing the "I agree" button, there is no way it could be considered legally binding. Besides, contracts signed under pressure are also invalid, and in most cases the software you bought is not refundable (since most stores won't take back an open CD, you could have made a copy of it..), in which case, to get something for your money, you are forced to accept the terms without possible negociation.
Basic point: There are MANY legal problems with click-through agreements, which most companies would rather you not know about and they surely don't want them tested in court when they can avoid it.
I have always wondered what was the idea behind those temporary work cards. I mean, if the person is skilled in a domain that your country badly needs, why would you not want to try to keep that person for as long as possible?
;)
It should be the opposite: immigrants who have specific in-demand skills should have benefits to encourage them to work in your country, not disadvantages over an unskilled worker.
Oh, wait, you US dudes have this weird thing called National Security, which is probably best protected by not keeping "strangers" in your country for too long
All good in theory, but there are already laws to make sure you don't try to pull that off.
You'd get additionnal charges for interfering with an investigation if you refuse to give them the password to unencrypt the hard drive.
Tough luck...
I suspect some weirdo C++ programmer behind this...I thought throwing cout around was nice, but throwing ambiant gases is probably alot more interresting.
I could not agree more. In the worse case where all your applications are themable or have a different interface, you have a wonderful mess of completely confusing software for users. The time the average user loses going "Now what does this 'thing' (actually a button) do?" is unbelievable.
If theming has its place, its in the way its used in *IX/UX Window managers. Theme EVERY apps and controls, not just every application with a different look!
One of the things that actually made Windows VERY popular is that all applications look the same and behave the same (granted, Apple had this too). I'd rather not imagine what a desktop will look like when "innovation" is synonym with ruining every UI standard that's been developped over the years.
If you were to set up a complete virtual environment with say a copy of the original files on your system and let the hacker in there, you could probably fool more than a few script kiddies. However such a trap would have to be very well thought out, so that the cracker's interactions with it seem to have a real effect on the environment. For example, if the cracker kills a process, it should at least pretend to die ;)
On the other hand, fooling a very experienced cracker into thinking he is really on your system is probably alot harder than keeping him out (which is a large enough problem by itself).
Au contraire.
Microsoft has always had this kind of aggressive attitude towards competiting OS's. Back then it bragged that Windows was more stable than MacOS, that Solaris had alot less uptime than Windows NT 3.51 (!).
The main point is, alot of people TRUST Microsoft, and those kinds of lies will pass as true for many an IT manager.
Reliability is Microsoft's damocles sword. They want to position themselves better with that problem, and instead of making a better product, I guess they decided to lower other products below them in public opinion.
Here in Canada they charge you a special tax over blank media (including blank CDs) which goes back to the recording industry to "compensate for illegal copying". The sad part is, the lobby of the recording industry with governments is so intense that regulations will favor them, not customers. For example, the govt here discarded the claim that CD-R's were used for legitimate computer backups, not only to copy mp3 files and audio CDs.
Security gone bad? maybe...
See this from the perspective of the folks who built that "standard" though. They want you to pay for a song, store it somewhere, and not be able to redistribute it to others or make copies you haven't paid for.
Of course you're usually allowed to make copies for your personnal use, but apparently they forgot THAT part of the copyright law when they designed the crap...
What seems to be really stupid though is that the software allows you to move files around, which renders them unusable, and it doesn't warn you?? If that's the case, it doesnt qualify as user-friendly to me.
There are alot more things on IRC that AI can help with other than trying to chat as if it were a human.
With a sufficient database, a darkbot can be made to respond to various text, and even randomly initiate "conversation" if set up that way. This could be called a simple reflex AI. This happens, do that.
But what's more interresting is to use AI on bots that keep track of alot of information on users on the channels they help protect, and use that information "intelligently" to perform their tasks better (e.g., using this information to determine someone just evaded a channel ban, and that action A should be taken). If made properly, the bot could end up acting like a watchful human channel op, doing whois' on users, recognizing floodnets for what they are, etc.
I have a bot in progress which I intend on builing that kind of stuff into when it gets more mature. It's basically useless right now, but anyways it's available from the tiBot project homepage. Anyone interrested in giving a hand is welcome, the bot is GPL'd.
Whatever country your from, you need to get someone who understands patent laws and obviously the laws you're subject to. Of course, you'd have to show that person what you have done and give him alot of information if you want him to help.
/before/ you do anything. Better safe than sorry =)
Some countries outlaw reverse engineering, some have specific provisions for it. Depending on where you are, the issues at hand will change alot.
Best advice I think is to not rush anything. Get advice from a lawyer