Finkployd supplies the rhetorical question raised in the original story with a possibly unpopular answer
So here I am, typical /. demographic (white, male, geek) posting to a site where I can finally belong. A place to meet and interact with other white male geeks who don't necessarily fit in.
And now I'm being set up to be picked on and bullied by YOU GUYS TOO!!?? WTF? I can't get a break anywhere.
I kid, I kid.
I actually have some pretty mixed feelings about all of this. On one hand there is the crowd that seems to shout "give me my internet connection and then go away. I will do whatever I want with it including share movies, music, disparage my employer who provides the connection, my school who provides the connection, and there is nothing you can ever do about it". I don't agree with these people, that is just stupid. I can understand the desire for the school to limit the occurrence of people they give scholarships to, who represent them at major sporting events that a lot of people place importance on, advertising how much of a drunken idiot they are to the world. That probably is not good for recruitment and I would want to stop giving that person money too.
Then there is the other side that shouts "It is the school/company's connection, they can enforce any rule they want. No more political activism, no mentioning competitors/other schools in emails, websites, or IM. Any asinine rule the school or company thinks up should be valid, you have no free speech over someone else's medium". I don't agree with that either, that is just scary. There is no point in having a First Amendment if the most popular communication media are exempt from it. We ARE talking about a state school, although maybe not a state funded scholarship.
So what is a self respecting geek to think? Does a net connection from someone else come with an entitlement to do whatever you want with it? I don't think so. It does not seem unreasonable that an ISP like a school would want to curtail certain activities which would damage its reputation, or put it at legal risk. Otherwise you have every machine turning into a spam gateway, porn server, and limewire client pumping out crappy music and movies all day.
The problem from the school's perspective is that while p2p, facebook, open email relays, etc. can all be used for legal things, they often are not. And while yes the student ultimately bears the responsibility in the eyes of the law, the school still has to devote resources to complying with DMCA takedown notices, cease and desist letters, and that sort of thing. Combine that with the drain on bandwidth these activities often cause (granted not facebook but I have long since gone off topic) and I can see their desire to just cut out these annoying and troublesome activities (from a PR point of view). They built this infrastructure for research remember, and never said they would be happy dealing with constant illegal and/or problematic (from a technical standpoint) use.
Two things bother me a lot about this:
(1) the fact that it was tacked on as a condition of the scholarship after the fact. Yes I know there is probably a "this agreement may be changed at any time" clause but it still sucks. Why not just make this a new clause on new scholarships and roll it in that way? Retroactively changing agreements, legal or not is still a bad way to do business.
(2) The slippery slope. Some wise ass is going to chime in with how the slippery slope is a logical fallacy, and they are right. However it keeps happening and claiming "logical fallacy" is a bad excuse for poor pattern recognition. Like just about everything designed to limit some kind of use, more will pop up after this. Now that the school knows that anytime a troublesome service appears on the internet, regardless of legality or even liability (has a school even been sued over something that happened on facebook?), they will. Government starts demanding information on people who post on DailyKos (or
Hmmm, State school, good point, that does probably change things a bit. How much, I don't know. As much as I'm sure all the armchair lawyers on /. are claiming this is unconstitutional I am sure that the University had its lawyers look it over and give it the OK.
While I am sure they could not make this a blanket rule for all students, are the athletes with scholarships held to a different legal standard? I know that you can give money to a state school and fund a specific scholarship for a specific group (women, African Americans, etc) which the school would not be allowed to do on its own. Maybe since there is private money involved in the scholarship it works differently? There is probably a whole lot about this we do not know which enters into a legal argument.
"Makes you wonder why they even bother providing internet connections on college campuses."
Oh you know, research, email, that sort of thing. This may surprise you but the original intent of providing internet access was not to pass around mp3's, pictures of yourself drunk, and porn (well, that last one is debatable).
You would think students over the years would have gotten better about using the internet but it seems it has regressed quite a bit. I am reminded of reports of students at the university where I work getting busted selling drugs on facebook and posting pictures of themselves doing illegal things. In the papers they always seem quoted as indignantly saying "I didn't know the police could monitor that stuff, that is really scary" as though cops looking at facebook was on par with warrantless wiretapping.
Look, I'm a Fight The Power, Go EFF, Die MPAA kinda guy. However, the way I see it is if a school is giving you tens of thousands of dollars for your education and they decide they want you to either (1) not advertise that you are a drunken asshole all over the net, or (2) risk losing that free money, then that is their right. I think it is a little harsh to ban facebook altogether, I think I might have seen one or two actual mature entries in it, but that is certainly on more solid legal ground than subjectively taking it on a case by case basis.
Also, you can look at it as preparing these student athletes for the future. If they make it to the pros and become the typical corporate whore, they will have to get used to being told how to act, what to say, and what to do. College is actually preparing them for the real world ;)
Good question, in fact once it was seen that they really were not hurt the floodgates opened and it seems nearly every company that had personal data started reporting breaches. I don't see where it hurt any of them to do so, most people still think identity theft happens because of entering your credit card on a web form, not because the IT departments of most banks, credit card companies, data brokers, etc. seem to be staffed by knuckle-dragging morons.
Maybe you are right, maybe they will happily disclose anything and everything that happens knowing that the people it affects cannot do anything about it.
ChoicePoint isn't the only game in town, even in their specialized arena (they're a spinoff of Equifax). If they get a bad reputation for poor security then companies will stop doing business with them and start doing business with a competitor.
But why? How does their inability to protect data really hurt their customers one bit? What would the motivation be in dropping them because they didn't secure data very well?
And, contrary to many people, I do think these companies serve a valuable purpose. We would not have nearly the level of easily available credit in the US if it wasn't for them. And easily available credit leads to more home ownership, more small business startups, and numerous other advantages.
Without them you might have to wait a few days, or even weeks to get a line of credit. This is not a bad thing, in fact I would venture to guess there would be fewer problems if people DID have to wait for lines of credit. I just bought a house, the process is not lightning fast and you do not need instant credit to do it. And if someone is starting up a business on instant credit then they are probably not thinking things through or planning very well.
Sure, it leads to some people drowning in credit debt as well, but that's due to irresponsibility on the part of both the person and the creditor -- in fact, accurate credit data is more likely to help avoid this problem than increase it.
Choicepoint has some major accuracy issues as well, so they are probably not helping there. In one notable case (referenced elsewhere in the comments) one person spent a week in jail due to Choicepoint's inaccurate data. I would venture to guess that since they are perceived as accurate, they actually make the situation WORSE by not being accurate. Kind of like how bad security is often worse than no security.
The issue is that consumers have little to no control over the data at this point -- you're only allowed to place a credit freeze in a handful of states (and the "warning" that you can place on your report is universally ignored). There's insufficient protections against inaccurate data. And getting access to your own report is still overly difficult (although it's improved greatly in the last year, now that everyone can get a free copy every year (twice a year in Georgia)).
What sickens me is that while protections are available, you have to pay for them. Not only do you have to pay for them, but you have to pay the people who are irresponsible with your data to begin with, thus necessitating the need for the protections. If that does not sound like a mob style protection racket, I don't know what does.
What repercussions? Did they lose business? Sure they got hit with a 10 million dollar fine but look at their financial statements, that is barely a drop in the bucket for them.
Honestly, companies are losing hundreds of thousands of records containing personal data every week, THERE ARE NO REPERCUSSIONS! They say oops, a couple of blogs report it, and life goes on for them. Sure some people get royally screwed but those people cannot trace it back to the company that had the breach. Heck, the government is losing data on its employees and military people, do you really think they are in any position to punish anyone for it? They don't even try anymore.
Perhaps I am too cynical, but when I see this: Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach never happens again.
I cannot help but think they actually mean: Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach is never made public again.
Really, the ONLY consequence a company like this suffers from a breach is negative publicity and maybe a token fine. Even bad publicity is not really a problem for them since the people they hurt have no say in whether or not to do business with them.
When that is the case, I'll bet it is much easier to clamp down on leaks and not reveal breaches to the public/government than to prevent them.
Are you under the impression that the Democrats would change anything if in power? That is so cute. I'm pretty much convinced that strict single term limits are the only answer. Career politicians from both parties are equally bad, just in different ways.
If you have to be used by millions of everyday users (i.e. an e-commerce site), the answer is Verisign. Well known, trusted (by lawyers, this is more important than any technical issues if you are doing financial transactions), and way too expensive (but you have no choice, welcome to the CA oligopoly).
If you have a limited number of users, or especially if it is internal, use CACERT. Yes there is the headache of getting people to install the root but it is a one time thing and then you will never have to pay for a cert again.
Look, X.509 is a halfway decent (if over-engineered) concept that is just horribly implemented. Cryptographically it is very strong, and in theory provides very strong authentication, data integrity, and encryption. In practice it is a stupid binary trust system (you completely trust every cert signed by a CA for everything or you trust nothing signed by that CA), and the CAs have banded together to basically ensure there will never again be any competition. The requirements to get a CA into a browser are batshit insane. A gentleman's agreement exists between MS, Verisign, et al. (Netscape/Firefox just does whatever MS does) to make sure that someone would have to spend millions and have pricing similar to all of the others to get in.
Verisign has proven time and again that they are more than happy to sign a certificate for anyone capable of passing their stringent security checks, which involve writing a check, so what makes them any more secure than CACERT? Nothing. Oh they have tamper proof hardware, vaults, and all kinds of James Bond style doomsday devices hooked up to their secret underground bunker which houses the CA, but none of that matters if they perform the same authentication checks that CACERT does (can you receive email at the domain? Good, you are in).
So don't get suckered into paying way too much for a string of bits if you don't have to. If running your own CA is not your thing (and it really is not all that hard, CA.pl, which comes with openssl, and an O'Reilly book are about all you need), go with CACERT. If this is not for something internal or something with a limited number of users that you could tell to download a CA, then break out your wallet and go to Verisign.
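Since the comment above recommends running your own CA, here is an added example of the bare minimum in plain openssl commands (no CA.pl), which also makes the "binary trust" point concrete: a leaf verifies against exactly the root that signed it, and once a root is trusted it is trusted for every name it chooses to issue. This is not Finkployd's code or anything from the original thread; the CA names, hostnames and file paths are made up, and it assumes `openssl` 1.1.1 or later is on the PATH.

```sh
#!/bin/sh
# Added example, not from the original post. A throwaway private CA built with
# plain openssl commands, used to show chain and hostname verification.
# All names, hostnames and paths below are invented for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the root is a real CA (CA:TRUE, keyCertSign) regardless of
# what the system openssl.cnf says. `req` insists on a distinguished_name
# section even though every subject here is passed with -subj, so [dn] is empty.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

make_ca() {   # $1 = CA name  ->  self-signed root in $WORK/$1.crt
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_leaf() {   # $1 = CA name, $2 = file label, $3 = hostname  ->  $WORK/$2.crt
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  # Leaf extensions: not a CA, server use only, name bound through the SAN.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

verify_chain() {   # $1 = trusted root name, $2 = leaf label  ->  prints ok|fail
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

verify_host() {   # $1 = trusted root, $2 = leaf label, $3 = expected hostname  ->  ok|fail
  if openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" "$WORK/$2.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

demo() {
  make_ca campus-root          # the root you would hand to your own users
  make_ca other-root           # any CA your users do NOT trust
  issue_leaf campus-root www-campus     www.example.test
  issue_leaf other-root  www-other      www.example.test   # same name, different signer
  issue_leaf campus-root bank-by-campus www.bank.example   # a name the campus CA has no business issuing

  echo "campus leaf, campus root trusted:        $(verify_chain campus-root www-campus)"       # ok
  echo "same name, untrusted signer:             $(verify_chain campus-root www-other)"        # fail
  echo "right name via -verify_hostname:         $(verify_host campus-root www-campus www.example.test)"   # ok
  echo "wrong name, trusted signer:              $(verify_host campus-root www-campus mail.example.test)"  # fail
  echo "any name at all from a trusted root:     $(verify_host campus-root bank-by-campus www.bank.example)"  # ok
  echo "artifacts in $WORK"
}

demo
```

The last line of the demo is the whole "binary trust" complaint in one command: once campus-root is in a client's trust store, nothing in the verification logic stops it from issuing www.bank.example, which is also why the domain-control checks a public CA performs matter more than its bunker.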
Let's see, I believe that claim was made about NT, 2000, XP, XP SP2, and Server 2003, which in fairness was the first OS they even really tried to make secure. It was also made about the XBox in terms of "unhackability" (which may not be a word, but should be).
So why would even the most hard core MS fanboy believe them this time? They have clearly shown a long running pattern of being unable to understand what "secure" means, but I bet there are people out there going "good, MS says this is secure, now all those alternative OS weenies can shut up".
Reminds me of COPS where you see the woman with the black eye crying "But he loves me, he won't do it again" as the police take away her drunken, shirtless boyfriend.
Sorta. It is more like the server version of XP (like how there used to be workstation and server versions of 2000). What I liked though is that it is the first Windows server I have ever seen with sane default security options for things like IIS and the like. I think it can go down in history as the first networked Windows OS where MS put ANY effort into the security front.
Plus Active Directory is good technology. I've always been a fan of Kerberos and DCE, which is basically all AD is. Sadly MS took the usual steps to frustrate interoperability.
It takes time to rip out all the interesting features so that your coders can devote more effort to making sure the DRM is rock solid. But when you are building an entire OS around a feature nobody actually wants, you might as well take your time and do it right.
(I'm not an anti-windows fanboy, Server 2003 is quite a nice OS)
In other news, Microsoft promises not to try to cram too many new features into Vista and Neal Stephenson promises not to skimp on the detailed exposition in his next novel.
Meanwhile, they continue to delay it and the project clearly has no well-defined sense of direction. They've basically scrapped it and started over from scratch I don't know how many times
Wait a minute, are we talking about Vista?
and feature creep is not so much a problem as it is a religion for them.
At this point Vista is basically an operating system built around one feature that nobody actually wants. Even the most hard core Windows proponents in my industry are trashing it for being feature stripped, delayed, and rewritten every couple of months. It is truly a monument to how mixed (and conflicting) goals, too many managers, and marketing driven leadership can just destroy a once promising product. I'm not so much a hater or lover of Windows, but it is always sad to see so much time, effort, and money basically go wasted.
Back in the early 90s (91 I think) we had a teacher's strike. They were making all kinds of insane claims in the media (we are doing this for the kids, to give them better quality education, etc) and I had an editorial published that basically tore their argument to shreds and was also critical of the school's administration in handling the strike. There were no repercussions with the exception of a few teachers who wouldn't talk to me after that.
Now I imagine I would have been expelled for expressing my opinion outside of school. Weird.
As far as a serious hobby with real applicability? Probably not unless you are into emergency communication type stuff. I used to command a sheriff's office search and rescue team and got into ham radio then. Since I don't do that anymore (since moving, I'm probably going to get into it again some day), I do not really use ham radio for anything real other than just messing around. The Internet is a much better day to day long distance communication medium.
Having said that, what keeps me involved is building my own gear. While you can spend thousands of dollars on stuff to get on the air, it is much more fun for me to grab the old soldering iron and make my own low power transmitters and receivers. Great way to keep up with electronics, radio theory, and all that fun stuff. There is even some neat work going on with software defined radios (mixing DIY radio building with Linux and programming :)
I find your average slashdotter tends to dislike ham radio as too old school and REALLY does not like the thought that ham radio is holding back BPL (along with a lot less vocal but more influential opponents like police, coast guard, FAA, etc). But hey, they also bought hook line and sinker into the hype that BPL is actually a viable broadband contender and not a snake-oil product.
Really though, if you get into it, and avoid (1) the elitist pricks who got their license back in the day and hate everyone newer than themselves, (2) the mindless cliques that form on most local repeaters (Pittsburgh being a nice exception), and (3) the losers who live on eham and qrz and attack basically everyone, you will enjoy it. I tend to stick with the build it yourself qrp stuff and the more interesting microwave band projects out there. There is a ton of non-obvious and not all that publicized things you can get into with ham radio that do not involve just trying to work all 50 states or 100 countries for no particular reason.
Is it OK for someone to walk around the neighborhood and try turning all the doorknobs? How about pushing the doors open to see if they're bolted?
Because that is EXACTLY like finding a vulnerability on a website. Once again, real life analogies serve only to confuse the issue, having little to no relevance to the subject at hand.
There are many ways to find bugs in web applications, often just from regular use. A vulnerability is nothing more than a bug that happens to have more serious repercussions. I've seen cases where using the back button can change the user you are logged in as, refreshing a posted form can get you funky places, and accidentally entering incorrect data (like alphanumeric data into a numeric only field without proper type checking) can totally bring down a system and spit out a potentially exploitable environment dump.
Now that is for regular users of a system; if we are talking about someone who has no business using a web application (number 1, why would he have access to it in the first place, it should be protected with an apache auth module or isapi auth module, but I digress), the situation gets more complicated. This person presumably has no permission to use the website, let alone to play with urls, submit funky data, or generally hack around. However, you are pretty naive if you believe nobody else is doing this. Every server I have ever run is under attack pretty much all day, every day. If someone happens to find a vulnerability, I would much prefer them to tell me about it rather than keep quiet. Will I treat it as a breakin, distrust the good intentions of the reporter and assume I have to wipe the machine and reinstall everything from a known good backup? Yes. But again, better to know and have a chance of fixing it than never know.
I would argue that in a perfect world, someone trying to break into any system, regardless of intentions is just making things worse. However in the real world where there are tons of bots and blackhat hackers going after systems all the time with no intention of alerting their victims of vulnerabilities, someone who finds a vulnerability and alerts the webmaster is actually making things better. Regardless of whether or not he should have been there in the first place, the end result is that you can now make your environment more secure than it was before.
We have used mediawiki in my department (Emerging Technologies) at PSU and it has been a great success. There are some features to be desired that we had to modify it to handle. Specifically, using an external authentication system (we already have University wide accounts through Kerberos and our web single sign on system thanks, don't need another one) and some form of access controls would be nice, but overall it is great.
However, you really need to work with people who already are used to collaborating in general. A wiki is not going to change anything if the people you work with don't already work together on stuff. Interestingly, our "killer" use so far for it has been the yearly report, which is generally a huge document that everyone contributes little bits and pieces to. That seems to be the best use case for a wiki.
My hunch is that it is probably both mental and physical.
Technically, there is no difference. The brain is just regular body chemistry and just as physical as any other symptom. What often happens is that we (as a society) know very little about the brain and end up classifying perfectly physical things as "mental" (like mental illness) because we cannot yet explain them like we can most "physical" ailments.
Funny thing about Congress... certain members have been kept up to date on these operations since they were first created and yet several of them (most notably Nancy Pelosi) have expressed their outrage about finding out about these programs despite the fact that many knew since late 2001!
That's funny, are you under the impression that it would have been legal for Pelosi to express knowledge, let alone outrage, regarding this program before it was disclosed publicly? The congressional committees are effectively useless in this regard because it would be a violation of national security for them to exercise any actual oversight.
Let's see, if the government forced (and there are many ways to force a company to do something) them, couldn't the government also apply that same force to make sure they don't blame the government?
"Just tell them you didn't do it, we will make sure any evidence to the contrary is classified for national security reasons"
Not only that, they aren't allowed to gather intelligence on American citizens.
+1 Funny
They are allowed to do whatever the DoD (under the direction of the White House) tells them to do. Bush has shown that he has no qualms about using his wartime powers to make anything legal he needs to. Anyone disagreeing with this hates America and wants us to be attacked by terrorists.
Oh ok, yeah I did miss your point the first time.
Good question, in fact once it was seen that they really were not hurt the floodgates opened and it seems nearly everyone company that had personal data started reporting breaches. I don't see where it hurt any of them to do so, most people still think identity thefts happens because of entering your credit card on a web form, not because the IT departments of most banks, credit card companies, data brokers, etc. seem to be staffed by knuckle-dragging morons.
Maybe you are right, maybe they will happily disclose anything and everything that happens knowing that the people it affects cannot do anything about it.
Finkployd
ChoicePoint isn't the only game in town, even in their specialized arena (they're a spinoff of Equifax). If they get a bad reputation for poor security then companies will stop doing business with them and start doing business with a competitor.
But why? How does their inability to protect data really hurt their customers one bit? What would the motivation be in dropping them because they didn't secure data very well?
And, contrary to many people, I do think these companies serve a valuable purpose. We would not have nearly the level of easily available credit in the US if it wasn't for them. And easily available credit leads to more home ownership, more small business startups, and numerous other advantages.
Without them you might have to wait a few days, or even weeks to get a line of credit. This is not a bad thing, in fact I would venture to guess there would be fewer problems if people DID have to wait for lines of credit. I just bought a house, the process is not lightening fast and you do not need instant credit to do it. And if someone is starting up a business on instant credit then they are not probably not thinking things through or planning very well.
Sure, it leads to some people drowning in credit debt as well, but that's due to irresponsibility on the part of both the person and the creditor -- in fact, accurate credit data is more likely to help avoid this problem than increase it.
ChoicePoint has some major accuracy issues as well, so they are probably not helping there. In one notable case (referenced elsewhere in the comments) one person spent a week in jail due to ChoicePoint's inaccurate data. I would venture to guess that since they are perceived as accurate, they actually make the situation WORSE by not being accurate. Kind of like how bad security is often worse than no security.
The issue is that consumers have little to no control over the data at this point -- you're only allowed to place a credit freeze in a handful of states (and the "warning" that you can place on your report is universally ignored). There are insufficient protections against inaccurate data. And getting access to your own report is still overly difficult (although it's improved greatly in the last year, now that everyone can get a free copy every year (twice a year in Georgia)).
What sickens me is that while protections are available, you have to pay for them. Not only do you have to pay for them, but you have to pay the people who are irresponsible with your data to begin with, thus necessitating the need for the protections. If that does not sound like a mob style protection racket, I don't know what does.
Finkployd
What repercussions? Did they lose business? Sure they got hit with a 10 million dollar fine but look at their financial statements, that is barely a drop in the bucket for them.
Honestly, companies are losing hundreds of thousands of records containing personal data every week, THERE ARE NO REPERCUSSIONS! They say oops, a couple of blogs report it, and life goes on for them. Sure some people get royally screwed but those people cannot trace it back to the company that had the breach. Heck, the government is losing data on its employees and military people, do you really think they are in any position to punish anyone for it? They don't even try anymore.
Finkployd
Perhaps I am too cynical, but when I see this:
Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach never happens again.
I cannot help but think they actually mean:
Carol DiBattiste, ChoicePoint's chief credentialing, compliance and privacy officer, says the company has taken numerous steps in the past year to make sure such a breach is never made public again.
Really, the ONLY consequence a company like this suffers from a breach is negative publicity and maybe a token fine. Even bad publicity is not really a problem for them since the people they hurt have no say in whether or not to do business with them.
When that is the case, I'll bet it is much easier to clamp down on leaks and not reveal breaches to the public/government than to prevent them.
Finkployd
United States != Mexico
I'm not saying the concept does not have its problems, but I believe those problems would not be as bad as the horrid mess we have now.
Finkployd
Are you under the impression that the Democrats would change anything if in power? That is so cute. I'm pretty much convinced that strict single term limits are the only answer. Career politicians from both parties are equally bad, just in different ways.
Finkployd
If you have to be used by millions of everyday users (i.e., an e-commerce site), the answer is Verisign. Well known, trusted (by lawyers, this is more important than any technical issues if you are doing financial transactions), and way too expensive (but you have no choice, welcome to the CA oligopoly).
If you have a limited number of users, or especially if it is internal, use CACERT. Yes there is the headache of getting people to install the root but it is a one time thing and then you will never have to pay for a cert again.
Look, x.509 is a halfway decent (if over-engineered) concept that is just horribly implemented. Cryptographically it is very strong, and in theory provides very strong authentication, data integrity, and encryption. In practice it is a stupid binary trust system (you completely trust every cert signed by a CA for everything or you trust nothing signed by that CA), and the CAs have banded together to basically ensure there will never again be any competition. The requirements to get a CA into a browser are batshit insane. A gentlemen's agreement exists between MS, Verisign, et al (Netscape/Firefox just does whatever MS does) to make sure that someone would have to spend millions and have pricing similar to all of the others to get in.
Verisign has proven time and again that they are more than happy to sign a certificate for anyone capable of passing their stringent security checks, which involve writing a check, so what makes them any more secure than CACERT? Nothing. Oh they have tamper proof hardware, vaults, and all kinds of James Bond style doomsday devices hooked up to their secret underground bunker which houses the CA, but none of that matters if they perform the same authentication checks that CACERT does (can you receive email at the domain? Good, you are in).
So don't get suckered into paying way too much for a string of bits if you don't have to. If running your own CA is not your thing (and it really is not all that hard, CA.pl which comes with openssl and an O'Reilly book is about all you need), go with CACERT. If this is not for something internal or something with a limited number of users that you could tell to download a CA, then break out your wallet and go to Verisign.
Finkployd
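The do-it-yourself CA the comment mentions, as an added example (not the commenter's code) using the plain openssl CLI instead of CA.pl. The CA and host names are constructed, and the last two lines show the all-or-nothing trust the comment describes: a certificate verifies only against the root that actually signed it.

```shell
#!/bin/sh
# Added example (not from the original comment): a minimal private CA built
# with the openssl CLI, standing in for CA.pl. All names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Root CA: private key plus self-signed certificate. ca.crt is the one
#    file internal users would import once, as the comment says for CAcert.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca.key -out ca.crt \
    -subj "/CN=Constructed Internal Root CA" >/dev/null 2>&1

# 2. Server key and certificate signing request (hypothetical host name).
openssl req -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr \
    -subj "/CN=intranet.example.test" >/dev/null 2>&1

# 3. Sign the CSR with the root CA, producing the server certificate.
openssl x509 -req -days 365 -in server.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt >/dev/null 2>&1

# 4. An unrelated root, to demonstrate the binary trust model: a cert is
#    accepted only if its issuer is in the trust store, otherwise rejected.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout other.key -out other.crt \
    -subj "/CN=Constructed Unrelated Root CA" >/dev/null 2>&1

# verify_against TRUSTSTORE CERT: exit status 0 iff CERT chains to TRUSTSTORE.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

verify_against ca.crt server.crt && echo "server.crt: trusted via ca.crt"
verify_against other.crt server.crt || echo "server.crt: rejected via other.crt"
```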
Let's see, I believe that claim was made about NT, 2000, XP, XP SP2, and Server 2003, which in fairness was the first OS they even really tried to make secure. It was also made about the Xbox in terms of "unhackability" (which may not be a word, but should be).
So why would even the most hard core MS fanboy believe them this time? They have clearly shown a long running pattern of being unable to understand what "secure" means, but I bet there are people out there going "good, MS says this is secure, now all those alternative OS weenies can shut up".
Reminds me of COPS where you see the woman with the black eye crying "But he loves me, he won't do it again" as the police take away her drunken, shirtless boyfriend.
Finkployd
Isn't server 2003 just XP rebadged?
Sorta. It is more like the server version of XP (like how there used to be workstation and server versions of 2000). What I liked though is that it is the first Windows server I have ever seen with sane default security options for things like IIS and the like. I think it can go down in history as the first networked Windows OS where MS put ANY effort into the security front.
Plus Active Directory is good technology. I've always been a fan of Kerberos and DCE, which is basically all AD is. Sadly MS took the usual steps to frustrate interoperability.
Finkployd
It takes time to rip out all the interesting features so that your coders can devote more effort to making sure the DRM is rock solid. But when you are building an entire OS around a feature nobody actually wants, you might as well take your time and do it right.
(I'm not an anti-windows fanboy, Server 2003 is quite a nice OS)
Finkployd
...okay, that's two gratuitous references to Vista on an unrelated topic by you so far.
Sorry, I'm trying to get some software working on the latest beta and it is on my mind.
So perhaps I'm obsessing a bit, but you are the one reading my comments and looking for patterns...
Finkployd
In other news, Microsoft promises not to try to cram too many new features into Vista and Neal Stephenson promises not to skimp on the detailed exposition in his next novel.
Finkployd
Meanwhile, they continue to delay it and the project clearly has no well-defined sense of direction. They've basically scrapped it and started over from scratch I don't know how many times.
Wait a minute, are we talking about Vista?
and feature creep is not so much a problem as it is a religion for them.
Ah, I guess not.
Finkployd
DRM
At this point Vista is basically an operating system built around one feature that nobody actually wants. Even the most hard core Windows proponents in my industry are trashing it for being feature stripped, delayed, and rewritten every couple of months. It is truly a monument to how mixed (and conflicting) goals, too many managers, and marketing driven leadership can just destroy a once promising product. I'm not so much a hater or lover of Windows, but it is always sad to see so much time, effort, and money basically go wasted.
Finkployd
Times, they have changed.
Back in the early 90s (91 I think) we had a teacher's strike. They were making all kinds of insane claims in the media (we are doing this for the kids, to give them better quality education, etc) and I had an editorial published that basically tore their argument to shreds and was also critical of the school's administration in handling the strike. There were no repercussions with the exception of a few teachers who wouldn't talk to me after that.
Now I imagine I would have been expelled for expressing my opinion outside of school. Weird.
As far as a serious hobby with real applicability? Probably not unless you are into emergency communication type stuff. I used to command a sheriff's office search and rescue team and got into ham radio then. Since I don't do that anymore (since moving, I'm probably going to get into it again some day), I do not really use ham radio for anything real other than just messing around. The Internet is a much better day to day long distance communication medium.
:)
Having said that, what keeps me involved is building my own gear. While you can spend thousands of dollars on stuff to get on the air, it is much more fun for me to grab the old soldering iron and make my own low power transmitters and receivers. Great way to keep up with electronics, radio theory, and all that fun stuff. There is even some neat work going on with software defined radios (mixing DIY radio building with Linux and programming).
I find your average slashdotter tends to dislike ham radio as too old school and REALLY does not like the thought that ham radio is holding back BPL (along with a lot less vocal but more influential opponents like police, coast guard, FAA, etc). But hey, they also bought hook, line and sinker into the hype that BPL is actually a viable broadband contender and not a snake-oil product.
Really though, if you get into it, and avoid (1) the elitist pricks who got their license back in the day and hate everyone newer than themselves, (2) the mindless cliques that form on most local repeaters (Pittsburgh being a nice exception), and (3) the losers who live on eham and qrz and attack basically everyone, you will enjoy it. I tend to stick with the build it yourself QRP stuff and the more interesting microwave band projects out there. There are a ton of non-obvious and not all that publicized things you can get into with ham radio that do not involve just trying to work all 50 states or 100 countries for no particular reason.
Is it OK for someone to walk around the neighborhood and try turning all the doorknobs? How about pushing the doors open to see if they're bolted?
Because that is EXACTLY like finding a vulnerability on a website. Once again, real life analogies serve only to confuse the issue, having little to no relevance to the subject at hand.
There are many ways to find bugs in web applications, often just from regular use. A vulnerability is nothing more than a bug that happens to have more serious repercussions. I've seen cases where using the back button can change the user you are logged in as, refreshing a posted form can get you funky places, and accidentally entering incorrect data (like alphanumeric data into a numeric only field without proper type checking) can totally bring down a system and spit out a potentially exploitable environment dump.
Now that is for regular users of a system; if we are talking about someone who has no business using a web application (number 1, why would he have access to it in the first place, it should be protected with an apache auth module or isapi auth module, but I digress), the situation gets more complicated. This person presumably has no permission to use the website, let alone play with URLs, submit funky data, or generally hack around. However, you are pretty naive if you believe nobody else is doing this. Every server I have ever run is under attack pretty much all day, every day. If someone happens to find a vulnerability, I would much prefer them tell me about it rather than keep quiet. Will I treat it as a break-in, distrust the good intentions of the reporter and assume I have to wipe the machine and reinstall everything from a known good backup? Yes. But again, better to know and have a chance of fixing it than never know.
I would argue that in a perfect world, someone trying to break into any system, regardless of intentions is just making things worse. However in the real world where there are tons of bots and blackhat hackers going after systems all the time with no intention of alerting their victims of vulnerabilities, someone who finds a vulnerability and alerts the webmaster is actually making things better. Regardless of whether or not he should have been there in the first place, the end result is that you can now make your environment more secure than it was before.
Finkployd
We have used mediawiki in my department (Emerging Technologies) at PSU and it has been a great success. There are some features to be desired that we had to modify it to handle. Specifically, support for an external authentication system (we already have University wide accounts through Kerberos and our web single sign on system thanks, don't need another one) and some form of access controls would be nice, but overall it is great.
However, you really need to work with people who already are used to collaborating in general. A wiki is not going to change anything if the people you work with don't already work together on stuff. Interestingly, our "killer" use so far for it has been the yearly report, which is generally a huge document that everyone contributes little bits and pieces to. That seems to be the best use case for a wiki.
Finkployd
My hunch is that it is probably both mental and physical.
Technically, there is no difference. The brain is just regular body chemistry and just as physical as any other symptom. What often happens is that we (as a society) know very little about the brain and end up classifying perfectly physical things as "mental" (like mental illness) because we cannot yet explain them like we can most "physical" ailments.
Finkployd
Funny thing about Congress... certain members have been kept up to date on these operations since they were first created and yet several of them (most notably Nancy Pelosi) have expressed their outrage about finding out about these programs despite the fact that many knew since late 2001!
That's funny, are you under the impression that it would have been legal for Pelosi to express knowledge, let alone outrage, regarding this program before it was disclosed publicly? The congressional committees are effectively useless in this regard because it would be a violation of national security for them to exercise any actual oversight.
Let's see, if the government forced (and there are many ways to force a company to do something) them, couldn't the government also apply that same force to make sure they don't blame the government?
"Just tell them you didn't do it, we will make sure any evidence to the contrary is classified for national security reasons"
Finkployd
Not only that, they aren't allowed to gather intelligence on American citizens.
+1 Funny
They are allowed to do whatever the DoD (under the direction of the White House) tells them to do. Bush has shown that he has no qualms about using his wartime powers to make anything legal he needs to. Anyone disagreeing with this hates America and wants us to be attacked by terrorists.
Finkployd