I'm not talking about the risk of being punished by the law. I'm talking about losing all of your friends and family because they think you are a terrorist. I'm talking about losing your job, having your name splashed all around in the media as though being charged or investigated makes you guilty (gee, does the media ever do that?). I'm talking about spending tens of thousands to defend yourself. If the government wants to charge you with one of two things (1) being a terrorist or (2) trading in child porn, then your life is effectively over. Both of those charges can be brought against you just based on something being traced to your IP address. What the courts decide is pretty much irrelevant at that point, you might consider a life in prison better than life outside under those circumstances.
I just posted this because I always see slashdotters talking big about sending out fake echelon keyword laden email, or trying to fuck with the NSA and/or homeland security and that sort of thing. I wonder if any of them stop to think about what it would be like to be on the end of an investigation. I never have, but it sure does not look fun from what I see in the media.
Remember Richard Jewell? The FBI had him (falsely) accused of being the Olympic park bomber in 1996. While it created a huge mess of his life, we at least know about it and everyone now knows he is innocent. Imagine that happening today? Do you think he would have the chance to air his grievances in the media and sue the FBI? Or would he be rotting away in gitmo, life over, wondering what he did wrong and how this happened to him?
If everyone takes this approach, Tor will fail. If most people take this approach, the few that are running endpoints are opening themselves up to the statistical likelihood that something illegal is coming out of their internet connection.
I'm sure you like, like I said, I just doubt they can both be used at the same time. All I'm saying is that Sony's excuse (at least to the MGS4 people) was the sensors.
Either way, (with the exception of the Metal Gear Solid games) I'm not going to miss the rumble function. The thought that someone is probably using the controller right now for sexual purposes is disturbing. :P
Nothing would kickstart the federal government's long term goal of outlawing encryption into action again (remember Gore and the Clipper Chip?) faster than if more people started using it.
I saw an interview with the creator of the Metal Gear Solid games talking about 4 on the PS3. They asked him about the lack of rumble (MGS being one of the few, if only games that used it for something that legitimately enhanced game-play). He said that his understanding was that the PS3 controllers are going to have motion sensors in them (I guess like the Wii controller) and that you couldn't do both motion sensors and rumbling.
That kind of makes sense, but you could certainly provide both and let the game pick which to use (using both simultaneously would probably not work for obvious reasons). I'm guessing that is Sony's official excuse rather than saying "we lost a patent lawsuit".
Given the choice, I would much rather have a controller with motion sensors (and games designed to use them intelligently) rather than rumble any day. Contra would have been more fun for me if throwing the controller around actually made the player move a little faster or jump a little higher when I needed it. Let's face it, we all did this anyway, might as well make a controller that understands it.
My guess at this point is that some physical threat was made to the owners/operators of the company. Probably surveillance photos of their houses/kids/spouses or something along those lines. They seemed so gung ho right up to this point, and I cannot imagine what changed so suddenly to reverse their position.
Spammers and organized crime have been in bed together for quite a while, would this really be a surprise?
As for the definition of covert status, look it up yourself. Oh, wait you already did that, but in true MMoore fashion, you ignore and hope nobody will bother to find out for themselves.
Oh no you do not. Take it back, that is a massive (pun intended) insult :P
Let's play this game. She was not a covert agent, there was nothing wrong with "outing" her (in fact as non covert, she can't be outed). We both can accept that so far right?
So why did the CIA throw a hissy fit when her non-covert identity was revealed? Why was Bush so upset that he (1) said that nobody in his admin leaked her non-covert identity, (2) if anyone did they would be fired and (3) appoint a special prosecutor to find the source of the leak. For that matter why was a reporter held in jail over the leak of a non-covert agent?
Can someone please explain why Bush would waste so much time, effort, and money if there was no problem with revealing her identity?
Are we just supposed to pretend he didn't say this?
"Listen, I know of nobody -- I don't know of anybody in my administration who leaked classified information. If somebody did leak classified information, I'd like to know it, and we'll take the appropriate action. And this investigation is a good thing." --10/7/03
Or this?
"If someone committed a crime, they will no longer work in my administration." --7/18/05
Both of these are responses to direct questions regarding Plame, not NSA wiretapping, not our CIA torture chambers, not any of the other things that they are pissed were revealed - Plame. So why say these things instead of just coming out and saying "It is a non-issue, she is not covert, and I can unclassify anything I damn well please. Next question". While that answer would have probably pissed off some, I would have welcomed the rare honesty.
Look, I am not a Bush basher by trade, and I consider myself pretty conservative (in the Gingrich/Reagan sense) but I am also not an idiot. I know the constitution and I can detect hair splitting, sorry excuses bullshit when I hear it. Everything lately coming out of this admin regarding NSA spying, warrantless games, and the Plame affair sounds a whole lot like total weaseling bullshit. The defenses for these actions are getting weak and pathetic to the point where I cannot imagine how anyone is delivering them with a straight face. It seems only those paralysed by fear that Osama is lurking in every shadow and blinded by the belief that the government can do no wrong are still buying it. The rallying cry is "we are at war, the president can do everything he wants. Anyone calling for oversight or accountability in government wants our children to die".
It still amuses me that those who somehow believe that Islamic terrorists are only after us because they hate our freedom consider removing those freedoms the best protection.
Yeah, the one Bush promised that nobody in his administration had anything to do with leaking the identity of, but if they did they would be fired. The one that Bush appointed an investigator to look into at the request of the CIA.
I'm sure they went to all that trouble for someone who wasn't really covert. You can make the argument that she was not really a secret agent all you want, but Bush can't. He committed himself to finding (and punishing) the one who leaked her identity, right? Why was the CIA pissed and Bush appointing investigators and promising to fire anyone in his administration involved with the leak?
If she was not covert (as many in talk radio love to claim) why didn't Bush just come out and say "Cheney did it, but it is no big deal since she was not covert and I declassified everything" and this whole episode could have been avoided?
There's a potential abuse. Now how do we prevent it without throwing the whole idea out the window?
Two words, "oversight" and "accountability"
No branch of government should be off doing things that intentionally circumvent the roles of the other two. Right now you have the Executive Branch off railing against "activist judges" (meaning: any judge who does not rule exactly as they intend) and cutting congress out of...well...everything claiming that national security trumps the constitution.
I almost wouldn't have a problem with the NSA assembling this data if it were publicly announced along with the safeguards to prevent it from being abused. The data should only be accessible with a warrant and the penalty for releasing it without one should be severe. Unfortunately the total secrecy surrounding these types of programs simply cries out "this is going to be abused". It also cries out "what else is going on that we haven't found out about".
I'm all for the government taking reasonable steps to protect the country, and I understand that secrecy is often necessary (from the general public, NEVER from congress and/or federal judges who should be issuing the warrants). However taking the approach that everyone is a potential terrorist and must be watched like a hawk is contrary to both the letter and spirit of the law in the US. Our response to threats needs to be balanced against the very freedoms and liberties that our enemies supposedly hate us for.
We (citizens) need to stop listening to the politicians who would have us believe that terrorists are all around us and (like the show 24) are always just a few seconds from killing us all if not for the ever vigilant forces of the federal government. Realistically, the terror threat is not as severe as most common dangers that have always existed and the federal government generally has no clue what its own people are doing half the time, let alone terrorists.
Be aggressively disloyal to your products and force their developers to improve or fade away.
Imagine what the state of IT could be like today if everyone took that approach. Instead each vendor pretty much knows they have a certain amount of people brainwashed/locked in and will never change because change is harder than sitting still.
This would be a great way for the government to identify whistleblowers. Then they could end the vicious cycle of getting caught when doing something illegal by frightening everyone into shutting up.
If you aren't Al Qaeda, if you aren't calling Al Qaeda, and if Al Qaeda isn't calling you then you aren't being spied upon without a warrant. Period, end of story, nothing more to see here.
Well, given that there is no oversight and no ability for any party in our so called "checks and balances" system to verify this claim, that is a mighty odd statement for you to make. On what do you base this assertion? Or we are all cool now with just blindly trusting anything the whitehouse says for the remainder of the war on terrorism (read: forever)?
If we are going to remove any checks and balances type oversight and assume nobody in power ever makes mistakes, is corrupt, or abuses power for personal/political gain, then why even fuck with a criminal justice system? Obviously any intelligence agency so capable of identifying terrorists to wiretap would also be capable of identifying all criminals? We could completely dispense with the cumbersome system of juries, lawyers, and judges and just let the infallible intelligence community finger criminals and lock em away based on their word.
When a liberal democrat gets into power are we going to just assume that they will not abuse this power just as you believe Bush would never abuse it? Or does this blind and baseless trust only apply to him?
You're right - both telnet and http protocols use TCP. The similarities end there and you know it.
I believe they are much more similar than you are giving them credit. I believe you are comparing them from a standpoint of user experience rather than actual technical implementation. But one is stateful and the other is not, so let's make it a more reasonable comparison.
FTP vs Telnet
Both are very similar, both can be configured for anonymous access, and most people would not think twice about browsing an ftp site they found if it were open for anonymous access. There is a sense that if you bothered to set up anonymous FTP, you want people to browse it and download files (otherwise what is the point?). At a technical level, what is the difference in an anonymous telnet session?
By your logic, spammers are innocent of any wrongdoing because SMTP uses TCP as well and sending millions of unsolicited commercial emails is morally equivalent to telnetting to port 25 and typing "HELO spam.com". It's not morally or legally equivalent and I fail to see why anyone would think it is.
It starts getting ugly here, doesn't it? If I put up a open relay SMTP server, is that not the equivalent of saying to the world "feel free to route mail through me, that is what I am designed to do"? Again, I can see how it would be considered reasonable that obviously this does not apply to SPAM, but what is the legal definition of SPAM? Without concrete legal definitions of things it is really impossible to deal with them at a legal level. One person's spam is another person's legit mass mailing to interested parties. The solution is to lock down the mail server.
By your logic, DDoS the hell out of anyone you want. After all, it's the same as typing PING yourhost.com. If they didn't want quadrillions of ICMP REPLY packets from broadcast addresses throughout the Internet, they shouldn't have connected to the public Internet. Again, just ludicrous.
Yes it is, but there is no legitimate reason ever to trigger hundreds of machines to send repeated pings as fast as possible at one machine other than to intentionally bring down the machine. There are legitimate reasons to telnet into a box. We are stretching what is considered (historically and reasonably) normal and expected use of internet services.
Consider you accidentally leave a small hole in your system - it can be anything, a user without a password, a buffer overflow you didn't immediately patch, whatever. Some jackass comes along and exploits the weakness in your security. Let's assume he doesn't actually delete any data, and doesn't install a rootkit, doesn't copy your data to his workstation, doesn't install keyloggers, doesn't install sniffers, etc, etc. He just goes in to your system and pokes around for a little while. The question is... Did he cause any damage?
Ah, now we are talking about two totally different things. If you are speaking about exploiting a vulnerability such as a buffer overflow, hell yeah that is causing damage and illegal trespass, breaking and entering, what have you. That is certainly a different beast than using a common internet service exactly as it was designed and configured.
In this case, I think we are talking about accessing a non protected service (if that is really what we are talking about, the actual specifics in this case are not known beyond what the UFO loon said). This would be the same if I accidentally put a database of student SSNs on a public webserver. Someone comes along and downloads the file, did they cause damage? No I did. At some point administrators need to be held accountable for what they DID do, not what they meant to do. If a misconfigured .mil ftp server is sharing out classified data, someone who stumbles upon it is not guilty of hacking into a government computer and stealing it.
It's unfortunate, but that is serious damages that wouldn't have been caused if the jerk wouldn't have taken positive, purposeful steps to
Taking this thinking to its conclusion leads you to one of two places. An internet where express permission must be given to access any resources including websites. Or (more likely) the designation of some services such as websites as exempt, but permission must be obtained to access any other services, including (or rather eliminating the possibility of) new ones down the road. And what major government/corporation wouldn't like to completely halt development of new (possibly hard to trace, easy to pirate) services like p2p, voip, etc.
As soon as we start treating certain services as special (like telnet vs http) for no technical reason in the eyes of the law, we are going down a pretty disturbing road.
Anyone with half a brain and even moderate computer skills knows that using a web browser to access unprotected content is one thing. Telnetting into a machine, password or no, is a completely different matter.
Sorry to be blunt, but bullshit.
I can telnet to port 80 and type GET / and guess what, I'm browsing the web. It's the same damn thing.
Get half a brain and realise that what a web browser does and what telnet does (sends ascii commands over a TCP/IP connection) are almost identical. Simply because one protocol has some nicer clients does not magically alter what it is actually doing.
Keep in mind by his own admission he was scouring file systems for evidence of UFOs. How many file systems do you know don't require any authentication whatsoever?
Let's see, SMB, AFS, DFS, FTP, NFS (v3 and v4), yup, pretty much all of them can be configured for anonymous (which could mean no password required) access. Is it possible he is lying? Of course, the guy is a looney toon. However the point remains that accessing publicly available, published data on the internet should not be illegal. The burden is on the publisher to protect whatever they intend to be private, not on the world to somehow discern if the data being served up to them is supposed to be there or not.
Finally, I have no idea why it's popular to defend people with no life that are amused by causing damage to systems they don't own and know they shouldn't be accessing.
I'm not defending him in this specific case because I have no idea what the facts are (not much besides his ramblings have been published). If he lied and took advantage of an exploit or broke into a password protected system, throw the book at him. But don't create case law that says that even if someone takes no steps to protect data, even publishes it via a server, someone can be charged with illegally accessing simply because the owner "intended" it to be protected. That is just stupid no matter how you slice it.
"causing damage"? This is the first I have heard of that. How did he cause damage?
"know they shouldn't be accessing". Unfortunately, the only way to know if you should not be accessing something on the internet is if it is protected in some way (usually userid and password). There is no "private" vs "public" on the internet that people are just supposed to know, there is only "protected" and "unprotected".
Pretty much, but that is not the intent of people saying "just because it was not password protected you cannot just come in, you would get arrested if you tried that on my house". The problem is that on the Internet, if it is unlocked then YES you are allowed in. That is simply how it works. There is no such thing as a "private" webserver and a "public" webserver, there is only "protected" and "unprotected". You cannot have a private, unprotected webserver on the Internet.
What if it was in a "secret" place on my webserver that should have a password, but somehow I broke it and someone finds it from some links (say from Google crawling a webalizer log that I shouldn't have publicly available), are they at fault just for pulling up a page that says, "passwords.html" ? In that case, I'd say yes, just due to the nature of the filename.
I agree with everything you said up to this point. I would hate to see case law go down the road where they say "well, it was a publicly available, published file, but he should have known from the filename that it was intended to be protected and thus he broke the law by getting it". Someone could easily have found that file looking for information on the hit 70's game show "Password".
Of course not, but if it is being shared out over some form of server process and is not protected in any way, then yes.
My mail spool is not accessible without my userid and password. However if I were to run a web server off the same machine and accidentally share out that directory....yes. That is me publishing those files on the internet.
If I turn on windows file sharing and place no ACLs on the files and allow anonymous access (or access without a password) that is publishing too.
Same with anonymous FTP. If I am dumb enough to turn on anonymous FTP sharing of my entire filesystem, that is clearly me publishing it all on the internet. Nobody should get in trouble for accessing a public FTP server right?
That is a good improvement on the analogy, I like it. I'm sure there are still issues as you take the analogy further but at a basic level that works pretty well.
It certainly beats the ignorant "a webserver is like a private house" analogy that keeps popping up.
He doesn't have to bump into it, I have legally downloaded many files that I specifically searched for and got without accidentally bumping into them.
I agree that he went through a lot of hoops, but other than your average common sense ("common sense" generally is not a valid prosecution strategy), how should he have known he was not supposed to do that? Was there any warning that the data was intended to be private? Was there any security in place to keep people out? Sure it would be a stupid argument, but what is to prevent him from thinking that it was there purposefully for him to find, he just had to go through a lot of technical crap to get to it.
This is how most of the internet looks to the average person. You and I know that there is a difference between hitting an anonymous FTP site and going into a machine via an unprotected VNC session (or however he did it, I have not seen much technical detail). However when you think about it logically, they are both basically the same thing. A client hitting an unprotected port on a server.
The problem with many of the arguments on this topic is that people are making assumptions. It's ok to hit port 80 on any machine on the net and get data back but don't go after certain other ports? Bull. If it is unprotected, then it is fair game for a human (or bot, think web crawler) to access it. This whole new mentality some people have about certain rules applying to certain sites and protocols and ports on a whim is bunk. It is that kind of thinking that lets some people think deep linking should be illegal or that accessing a public wifi AP is wrong.
I never denied there are analogies, just that they are not meaningful or all that accurate.
Requesting unprotected data from a port is not the same as going into an unlocked house, and it is pointless to pretend otherwise in a weak attempt to make a point (not necessarily you, just anyone who compares this to breaking into a house with no lock).
In fact, requesting unprotected data from a port without permission (unless you have a permission letter from commander taco, OSDN, and all contributors) is exactly what you did when reading this comment. When you posted your comment, you vandalized the inside of someone's poor, unprotected webserver :)
I'm sure you like, like I said, I just doubt they can both be used at the same time.
Incidentally, I have no idea what the hell I am saying here. This is probably a sign I need to take a break from ./ for a little bit
Finkployd
Just to play devil's advocate.....
Use Tor, why? So I can get investigated/exposed in the media/arrested when someone uses my node for something illegal? No thanks. Acted as a server node for a while, then decided it was not worth the risk with all this homeland security paranoia.
Law Enforcement (in this day and age of 0wned PCs, insecure wireless access points, Tor, RIAA tracking IPs to people who don't have computers, etc) STILL considers IP addresses to be valid and accurate identifiers of people. If something got traced to it and the ISP told them you had it at the time, guess what? You did it. The burden of proof would really be on YOU to prove that it was not you who was sending out a threatening email, communicating with a known terrorist, uploading child porn, or whatever. If they do know about Tor, they probably consider it more evidence that you are up to something illegal (just like PGP)
Perhaps you would be able to create enough reasonable doubt (assuming it was a real trial and not a secret government trial) to get off. I'm sure that would make you feel a little better after having your "crimes" written about at length in the local paper, your picture up on the local (maybe national?) news media, and possibly your money, job, family, and friends gone. Just because you won a court case does not mean everyone will not still assume you are guilty. How many people think OJ is innocent?
I'm not advocating being spineless and not taking a stand with technology, just remember what the risks are and ask yourself if you are really willing to accept them. Today the population trusts anything that law enforcement tells them, especially if it is an internet related crime and even more so if it involves terrorism. Some geek whining about something called "tor" isn't going to convince your community you are not a dirty stinking terrorist.
Finkployd
My guess at this point is that some physical threat was made to the owners/operators of the company. Probably surveillance photos of their houses/kids/spouses or something along those lines. They seemed so gung ho right up to this point, and I cannot imagine what changed so suddenly to reverse their position.
Spammers and organized crime have been in bed together for quite a while, would this really be a surprise?
Finkployd
As for the definition of covert status, look it up yourself. Oh, wait you already did that, but in true MMoore fashion, you ignore and hope nobody will bother to find out for themselves.
:P
Oh no you do not. Take it back, that is a massive (pun intended) insult
Let's play this game. She was not a covert agent, there was nothing wrong with "outing" her (in fact as non covert, she can't be outed). We both can accept that so far right?
So why did the CIA throw a hissy fit when her non-covert identity was revealed? Why was Bush so upset that he (1) said that nobody in his admin leaked her non-covert identity, (2) if anyone did they would be fired and (3) appoint a special prosecutor to find the source of the leak. For that matter why was a reporter held in jail over the leak of a non-covert agent?
Can someone please explain why Bush would waste so much time, effort, and money if there was no problem with revealing her identity?
Are we just supposed to pretend he didn't say this?
"Listen, I know of nobody -- I don't know of anybody in my administration who leaked classified information. If somebody did leak classified information, I'd like to know it, and we'll take the appropriate action. And this investigation is a good thing." --10/7/03
Or this?
"If someone committed a crime, they will no longer work in my administration." --7/18/05
Both of these are responses to direct questions regarding Plame, not NSA wiretapping, not our CIA torture chambers, not any of the other things that they are pissed were revealed - Plame. So why say these things instead of just coming out and saying "It is a non-issue, she is not covert, and I can unclassify anything I damn well please. Next question". While that answer would have probably pissed off some, I would have welcomed the rare honesty.
Look, I am not a Bush basher by trade, and I consider myself pretty conservative (in the Gingrich/Reagan sense) but I am also not an idiot. I know the constitution and I can detect hair splitting, sorry excuses bullshit when I hear it. Everything lately coming out of this admin regarding NSA spying, warrantless games, and the Plame affair sounds a whole lot like total weaseling bullshit. The defenses for these actions are getting weak and pathetic to the point where I cannot imagine how anyone is delivering them with a straight face. It seems only those paralysed by fear that Osama is lurking in every shadow and blinded by the belief that the government can do no wrong are still buying it. The rallying cry is "we are at war, the president can do everything he wants. Anyone calling for oversight or accountability in government wants our children to die".
It still amuses me that those who somehow believe that Islamic terrorists are only after us because they hate our freedom consider removing those freedoms the best protection.
Finkployd
Yeah, the one Bush promised that nobody in his administration had anything to do with leaking the identity of, but if they did they would be fired. The one that Bush appointed an investigator to look into at the request of the CIA.
I'm sure they went to all that trouble for someone who wasn't really covert. You can make the argument that she was not really a secret agent all you want, but Bush can't. He committed himself to finding (and punishing) the one who leaked her identity, right? Why was the CIA pissed and Bush appointing investigators and promising to fire anyone in his administration involved with the leak?
If she was not covert (as many in talk radio love to claim) why didn't Bush just come out and say "Cheney did it, but it is no big deal since she was not covert and I declassified everything" and this whole episode could have been avoided?
Finkployd
There's a potential abuse. Now how do we prevent it without throwing the whole idea out the window?
Two words, "oversight" and "accountability"
No branch of government should be off doing things that intentionally circumvent the roles of the other two. Right now you have the Executive Branch off railing against "activist judges" (meaning: any judge who does not rule exactly as they intend) and cutting congress out of...well...everything claiming that national security trumps the constitution.
I almost wouldn't have a problem with the NSA assembling this data if it were publicly announced along with the safeguards to prevent it from being abused. The data should only be accessible with a warrant and the penalty for releasing it without one should be severe. Unfortunately the total secrecy surrounding these types of programs simply cries out "this is going to be abused". It also cries out "what else is going on that we haven't found out about".
I'm all for the government taking reasonable steps to protect the country, and I understand that secrecy is often necessary (from the general public, NEVER from congress and/or federal judges who should be issuing the warrants). However taking the approach that everyone is a potential terrorist and must be watched like a hawk is contrary to both the letter and spirit of the law in the US. Our response to threats needs to be balanced against the very freedoms and liberties that our enemies supposedly hate us for.
We (citizens) need to stop listening to the politicians who would have us believe that terrorists are all around us and (like the show 24) are always just a few seconds from killing us all if not for the ever vigilant forces of the federal government. Realistically, the terror threat is not as severe as most common dangers that have always existed and the federal government generally has no clue what its own people are doing half the time, let alone terrorists.
Finkployd
Be aggressively disloyal to your products and force their developers to improve or fade away.
Imagine what the state of IT could be like today if everyone took that approach. Instead each vendor pretty much knows they have a certain amount of people brainwashed/locked in and will never change because change is harder than sitting still.
Finkployd
Few things in that movie crack me up as much as how he says "Und Animals could be bread und SLAUGHTERED"
Finkployd
This would be a great way for the government to identify whistleblowers. Then they could end the vicious cycle of getting caught when doing something illegal by frightening everyone into shutting up.
Finkployd
If you aren't Al Qaeda, if you aren't calling Al Qaeda, and if Al Qaeda isn't calling you then you aren't being spied upon without a warrant. Period, end of story, nothing more to see here.
Well, given that there is no oversight and no ability for any party in our so called "checks and balances" system to verify this claim, that is a mighty odd statement for you to make. On what do you base this assertion? Or are we all cool now with just blindly trusting anything the White House says for the remainder of the war on terrorism (read: forever)?
If we are going to remove any checks and balances type oversight and assume nobody in power ever makes mistakes, is corrupt, or abuses power for personal/political gain, then why even fuck with a criminal justice system? Obviously any intelligence agency so capable of identifying terrorists to wiretap would also be capable of identifying all criminals? We could completely dispense with the cumbersome system of juries, lawyers, and judges and just let the infallible intelligence community finger criminals and lock em away based on their word.
When a liberal democrat gets into power are we going to just assume that they will not abuse this power just as you believe Bush would never abuse it? Or does this blind and baseless trust only apply to him?
You're right - both telnet and http protocols use TCP. The similarities end there and you know it.
I believe they are much more similar than you are giving them credit. I believe you are comparing them from a standpoint of user experience rather than actual technical implementation. But one is stateful and the other is not, so let's make it a more reasonable comparison.
FTP vs Telnet
Both are very similar, both can be configured for anonymous access, and most people would not think twice about browsing an ftp site they found if it were open for anonymous access. There is a sense that if you bothered to set up anonymous FTP, you want people to browse it and download files (otherwise what is the point?). At a technical level, what is the difference in an anonymous telnet session?
By your logic, spammers are innocent of any wrongdoing because SMTP uses TCP as well and sending millions of unsolicited commercial emails is morally equivalent to telnetting to port 25 and typing "HELO spam.com". It's not morally or legally equivalent and I fail to see why anyone would think it is.
It starts getting ugly here, doesn't it? If I put up an open relay SMTP server, is that not the equivalent of saying to the world "feel free to route mail through me, that is what I am designed to do"? Again, I can see how it would be considered reasonable that obviously this does not apply to SPAM, but what is the legal definition of SPAM? Without concrete legal definitions of things it is really impossible to deal with them at a legal level. One person's spam is another person's legit mass mailing to interested parties. The solution is to lock down the mail server.
By your logic, DDoS the hell out of anyone you want. After all, it's the same as typing PING yourhost.com. If they didn't want quadrillions of ICMP REPLY packets from broadcast addresses throughout the Internet, they shouldn't have connected to the public Internet. Again, just ludicrous.
Yes it is, but there is no legitimate reason ever to trigger hundreds of machines to send repeated pings as fast as possible at one machine other than to intentionally bring down the machine. There are legitimate reasons to telnet into a box. We are stretching what is considered (historically and reasonably) normal and expected use of internet services.
Consider you accidentally leave a small hole in your system - it can be anything, a user without a password, a buffer overflow you didn't immediately patch, whatever. Some jackass comes along and exploits the weakness in your security. Let's assume he doesn't actually delete any data, and doesn't install a rootkit, doesn't copy your data to his workstation, doesn't install keyloggers, doesn't install sniffers, etc, etc. He just goes in to your system and pokes around for a little while. The question is... Did he cause any damage?
Ah, now we are talking about two totally different things. If you are speaking about exploiting a vulnerability such as a buffer overflow, hell yeah that is causing damage and illegal trespass, breaking and entering, what have you. That is certainly a different beast than using a common internet service exactly as it was designed and configured.
In this case, I think we are talking about accessing a non protected service (if that is really what we are talking about, the actual specifics in this case are not known beyond what the UFO loon said). This would be the same if I accidentally put a database of student SSNs on a public webserver. Someone comes along and downloads the file, did they cause damage? No I did. At some point administrators need to be held accountable for what they DID do, not what they meant to do. If a misconfigured .mil ftp server is sharing out classified data, someone who stumbles upon it is not guilty of hacking into a government computer and stealing it.
It's unfortunate, but that is serious damages that wouldn't have been caused if the jerk wouldn't have taken positive, purposeful steps to
I most likely am, but I feel it is worth it.
Taking this thinking to its conclusion leads you to one of two places. An internet where express permission must be given to access any resources including websites. Or (more likely) the designation of some services such as websites as exempt, but permission must be obtained to access any other services, including (or rather eliminating the possibility of) new ones down the road. And what major government/corporation wouldn't like to completely halt development of new (possibly hard to trace, easy to pirate) services like p2p, voip, etc.
As soon as we start treating certain services as special (like telnet vs http) for no technical reason in the eyes of the law, we are going down a pretty disturbing road.
Finkployd
Anyone with half a brain and even moderate computer skills knows that using a web browser to access unprotected content is one thing. Telnetting into a machine, password or no, is a completely different matter.
Sorry to be blunt, but bullshit.
I can telnet to port 80 and type GET / and guess what, I'm browsing the web. It's the same damn thing.
Get half a brain and realise that what a web browser does and what telnet does (sends ascii commands over a TCP/IP connection) are almost identical. Simply because one protocol has some nicer clients does not magically alter what it is actually doing.
Keep in mind by his own admission he was scouring file systems for evidence of UFOs. How many file systems do you know don't require any authentication whatsoever?
Let's see, SMB, AFS, DFS, FTP, NFS (v3 and v4), yup, pretty much all of them can be configured for anonymous (which could mean no password required) access. Is it possible he is lying? Of course, the guy is a looney toon. However the point remains that accessing publicly available, published data on the internet should not be illegal. The burden is on the publisher to protect whatever they intend to be private, not on the world to somehow discern if the data being served up to them is supposed to be there or not.
Finally, I have no idea why it's popular to defend people with no life that are amused by causing damage to systems they don't own and know they shouldn't be accessing.
I'm not defending him in this specific case because I have no idea what the facts are (not much besides his ramblings have been published). If he lied and took advantage of an exploit or broke into a password protected system, throw the book at him. But don't create case law that says that even if someone takes no steps to protect data, even publishes it via a server, someone can be charged with illegally accessing simply because the owner "intended" it to be protected. That is just stupid no matter how you slice it.
"causing damage"? This is the first I have heard of that. How did he cause damage?
"know they shouldn't be accessing". Unfortunately, the only way to know if you should not be accessing something on the internet is if it is protected in some way (usually userid and password). There is no "private" vs "public" on the internet that people are just supposed to know, there is only "protected" and "unprotected".
Finkployd
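The claim in the comment above, that typing `GET /` over a raw TCP connection is the same thing a browser does and that a server distinguishes only "protected" from "unprotected", shown as an added example that is not part of the original thread. The loopback server, the `/public` and `/private` paths and the credentials are constructed for the demonstration.

```python
import base64
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials, used only by this loopback demo.
USER, PASSWORD = "demo", "constructed-secret"
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # /public is served to anyone; every other path demands credentials.
        if self.path != "/public" and self.headers.get("Authorization") != EXPECTED:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()
            return
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def raw_get(port, path, auth=None):
    """Send the ASCII a person would type into telnet; return the status code."""
    request = f"GET {path} HTTP/1.0\r\n"
    if auth:
        request += f"Authorization: {auth}\r\n"
    request += "\r\n"
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request.encode("ascii"))
        data = b""
        while chunk := s.recv(4096):  # HTTP/1.0: server closes when done
            data += chunk
    status_line = data.split(b"\r\n", 1)[0].decode("ascii")
    return int(status_line.split()[1])


def demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {
            "public": raw_get(port, "/public"),
            "private_no_creds": raw_get(port, "/private"),
            "private_with_creds": raw_get(port, "/private", EXPECTED),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The only signal the client gets about whether content is meant to be restricted is the 401 challenge; an unprotected path answers 200 to a hand-typed request exactly as it would to a browser.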
Isn't that the point you were making?
Pretty much, but that is not the intent of people saying "just because it was not password protected you cannot just come in, you would get arrested if you tried that on my house". The problem is that on the Internet, if it is unlocked then YES you are allowed in. That is simply how it works. There is no such thing as a "private" webserver and a "public" webserver, there is only "protected" and "unprotected". You cannot have a private, unprotected webserver on the Internet.
Finkployd
What if it was in a "secret" place on my webserver that should have a password, but somehow I broke it and someone finds it from some links (say from Google crawling a webalizer log that I shouldn't have publicly available), are they at fault just for pulling up a page that says, "passwords.html" ? In that case, I'd say yes, just due to the nature of the filename.
I agree with everything you said up to this point. I would hate to see case law go down the road where they say "well, it was a publicly available, published file, but he should have known from the filename that it was intended to be protected and thus he broke the law by getting it". Someone could easily have found that file looking for information on the hit 70's game show "Password".
Finkployd
Of course not, but if it is being shared out over some form of server process and is not protected in any way, then yes.
My mail spool is not accessible without my userid and password. However if I were to run a web server off the same machine and accidentally share out that directory....yes. That is me publishing those files on the internet.
If I turn on windows file sharing and place no ACLs on the files and allow anonymous access (or access without a password) that is publishing too.
Same with anonymous FTP. If I am dumb enough to turn on anonymous FTP sharing of my entire filesystem, that is clearly me publishing it all on the internet. Nobody should get in trouble for accessing a public FTP server right?
Finkployd
That works, but I like this one better.
Finkployd
That is a good improvement on the analogy, I like it. I'm sure there are still issues as you take the analogy further but at a basic level that works pretty well.
It certainly beats the ignorant "a webserver is like a private house" analogy that keeps popping up.
Finkployd
He doesn't have to bump into it, I have legally downloaded many files that I specifically searched for and got without accidentally bumping into them.
I agree that he went through a lot of hoops, but other than your average common sense ("common sense" generally is not a valid prosecution strategy), how should he have known he was not supposed to do that? Was there any warning that the data was intended to be private? Was there any security in place to keep people out? Sure it would be a stupid argument, but what is to prevent him from thinking that it was there purposefully for him to find, he just had to go through a lot of technical crap to get to it.
This is how most of the internet looks to the average person. You and I know that there is a difference between hitting an anonymous FTP site and going into a machine via an unprotected VNC session (or however he did it, I have not seen much technical detail). However when you think about it logically, they are both basically the same thing. A client hitting an unprotected port on a server.
The problem with many of the arguments on this topic is that people are making assumptions. It's ok to hit port 80 on any machine on the net and get data back but don't go after certain other ports? Bull. If it is unprotected, then it is fair game for a human (or bot, think web crawler) to access it. This whole new mentality some people have about certain rules applying to certain sites and protocols and ports on a whim is bunk. It is that kind of thinking that lets some people think deep linking should be illegal or that accessing a public wifi AP is wrong.
Finkployd
I never denied there are analogies, just that they are not meaningful or all that accurate.
:)
Requesting unprotected data from a port is not the same as going into an unlocked house, and it is pointless to pretend otherwise in a weak attempt to make a point (not necessarily you, just anyone who compares this to breaking into a house with no lock).
In fact, requesting unprotected data from a port without permission (unless you have a permission letter from commander taco, OSDN, and all contributors) is exactly what you did when reading this comment. When you posted your comment, you vandalized the inside of someone's poor, unprotected webserver
Finkployd