Are you being obtuse or has my communication ability deserted me? I think it must be the latter.
Privacy is the feature which has been disabled in the cloud. Now you pay for a "personal cloud" and all it does is give you back the privacy that you had in the first place on a standard networked file server.
At what point do you become a criminal? By looking at the URL bar and seeing an SQL statement, which can be used for SQL injection attacks? For changing a few characters in the URL bar and seeing that they're sending you other people's credit card numbers? I agree that he should just fuck em and ignore it.
At the exact point you press enter having changed the URL. That's the point at which you intentionally attempted to exceed your authorized use of the other side's computer. That's the point where you must have written permission to do exactly what you are doing to their computer. Most importantly, that's the point at which you leave an indelible mark in their webserver's log file.
You should go a little easier on him until you have all the facts. For all you know, his "hacking" amounts to "I changed the URL from ``...?mode=show-account&userid=1'' to ``...?mode=show-account&userid=2'' "
That's the whole point. That is what almost all of us understand. This is precisely the most dangerous thing for him. If it's true:
He deliberately accessed someone else's account
He did it in a way which can't be covered as "accidental"
He left logs of doing this on the web server
If he stops exactly after doing that, he might, just might, get away with this on grounds of "was just curious" and "immediately realised I had done something wrong and set out to fix that". However, any further action on his part can point towards this being a crime and get him into deep deep problems. Most likely if he did it once, he did it again. At that point it's almost unarguable computer crime and he may be in deep trouble.
He really needs to get the company to fix the problem, agree he was careful and then he needs to shut up completely. If the company won't fix the problem he needs to minimise any possibility of extending the crime by never having anything to do with them ever again.
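The "changed userid=1 to userid=2" scenario discussed above is a textbook insecure direct object reference: the server trusts an identifier taken from the URL instead of from the authenticated session. The following is an added example, not code from any comment in this thread, showing the defender's side of the story. It puts the vulnerable handler beside a hardened one, and, since the thread points out that every such request leaves a mark in the webserver's log, it also scans a few constructed access-log lines in the usual "combined" format to flag a client that requests several different userids. All names (`ACCOUNTS`, `show_account_vulnerable`, `show_account_hardened`, `find_enumeration`) and the sample data are hypothetical.

```python
"""Insecure direct object reference (IDOR): the bug, the fix, and the log check.

Added example for the thread above; the account data and the log lines are
constructed and the function names are hypothetical.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed account records, keyed by userid (the value that appears in the URL).
ACCOUNTS = {
    1: {"owner": "alice", "card_last4": "1111"},
    2: {"owner": "bob", "card_last4": "2222"},
}


def show_account_vulnerable(session_userid, requested_userid):
    """The bug: serves whatever userid the client put in the query string.

    The session owner is never consulted, so editing userid=1 to userid=2 in
    the URL bar returns another customer's record.
    """
    return ACCOUNTS[requested_userid]


def is_authorized(session_userid, requested_userid):
    """Ownership check: a session may only read its own account record."""
    return requested_userid == session_userid


def show_account_hardened(session_userid, requested_userid):
    """The fix: the client-supplied id is only honoured when the authenticated
    session owns it. Returns None instead of the record when it does not,
    which is where a real handler would send a 403."""
    if not is_authorized(session_userid, requested_userid):
        return None
    return ACCOUNTS[requested_userid]


# Constructed access-log lines in Apache/nginx "combined" format. The first
# client walks userid 1, 2, 3 in quick succession; the second reads only its own.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2011:10:00:01 +0000] "GET /app?mode=show-account&userid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2011:10:00:09 +0000] "GET /app?mode=show-account&userid=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2011:10:00:15 +0000] "GET /app?mode=show-account&userid=3 HTTP/1.1" 200 503 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2011:10:01:00 +0000] "GET /app?mode=show-account&userid=7 HTTP/1.1" 200 510 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2011:10:01:30 +0000] "GET /static/logo.png HTTP/1.1" 200 3020 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_enumeration(log_text, threshold=3):
    """Map client IP -> sorted userids for clients that requested at least
    `threshold` distinct accounts through mode=show-account.

    One user legitimately reads one account; a client touching several is the
    log signature of the URL-editing described in the thread.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        query = parse_qs(urlparse(rec["path"]).query)
        if query.get("mode") != ["show-account"]:
            continue
        for uid in query.get("userid", []):
            seen[rec["ip"]].add(uid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable, alice asks for bob:", show_account_vulnerable(1, 2))
    print("hardened, alice asks for bob:  ", show_account_hardened(1, 2))
    print("suspicious clients:", find_enumeration(SAMPLE_LOG))
```

The stronger fix is to never read the account id from the URL at all and derive it from the session, so the parameter has nothing to tamper with; the ownership check above is the minimal change when the URL shape has to stay. The log scan is deliberately simple (distinct ids per IP); in practice you would key on the session cookie or authenticated user rather than the source address, since NAT puts many users behind one IP.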
C'mon. This is like watching a car crash in slow motion. We all know the guy is gonna end up in jail, but now we get the pleasure of being able to say "I told you so" when he ends up doing it because he ignored our wise advice (it doesn't matter what he does, he will have ignored somebody's advice). I see this as giving us not one but tens of front page stories. This is 100% news for nerds and Slashdot is creating it in front of your eyes.
Not having broken any laws is very unlikely; worse still it may be true locally, but likely he's broken US law and may be extradited or tricked into a situation where they can get him. Later, when he's had a clear statement from the company that he did the right thing, then that's the time to go to the press. Right now, when he's pretty clearly screwed up, he should be in damage limitation mode.
The fact that the company is giving "confused" and "aloof" answers may be just stupidity, but to paranoid me it suggests a trap. They are trying to get him to do something so that they can accuse him of doing something clearly illegal and have the FBI/CIA get rid of him. The fact he's sent an email suggests he's completely screwed unless he's done that through TOR + an anonymizer service.
What to do
Get lawyered up. Lawyers are expensive; not lawyers are much more expensive. Make sure you have one who has actually succeeded in protecting people in your exact situation.
See if the EFF will support you as a security researcher. Freedom of speech issues may help protect you. They may be able to recommend a lawyer. Unless you see martyrdom as your future, be careful not to become a public case until you know that that would be a benefit for you.
Try to find out for sure if you have broken any laws and the consequences. When doing this ensure you only talk to a lawyer (no internet searches!!) so that all discussions remain legally privileged and can't be used against you to show you knew what you were doing / had done.
Find a CERT that would be interested in this. Do not communicate further with the company directly, only through the CERT. The EFF might do too. Any body which has real experience in doing disclosure and will isolate you from the risk of direct communication.
Pretending you don't know about the hole would probably have been best, but assume it's too late for that. You need to now go through the notification; until this is fixed you are at risk of lawsuit or prison.
Do not accept any offer of anything; no free travel; no free developer account; no "chance to help us clean up". This is likely an attempt to set you up for an extortion charge.
Anything further you do with this case, you do on your own isolated computer.
Do not do anything which could be interpreted as destruction of evidence. Your lawyer may be able to help you with advice about any data destruction you could do to minimise risk in a lawsuit.
Without legal advice otherwise, do not use any services from the company and don't visit the web site of the company. Beware of anything which might bind you into a contract with the company.
Prepare to be raided. All of your computers will be taken from you and any disks you have on site. Your close family and computer friends may also be raided. Make backups of everything and store them in a locked box somewhere which can't be related back to you. E.g. a trusted but distant friend from school times. Alternatively a vault in a private bank (e.g. in Switzerland).
We used to have "networked hard disks" or "file servers". Then we started having cloud servers which did the same but you lost the personal control. Now the marketing people started selling a "personal cloud" which is in fact exactly what you were selling originally, but this time they are selling the "personal" bit as if it's a new feature. In exactly the same way as phones originally only provided network connectivity; then people added browsing; then U.S. operators started blocking the network connectivity, finally the marketing people could start selling you back "tethering" which is exactly what you had near the beginning, but this time you have to pay extra.
Awesome. It's like tethering. A completely invented feature created by taking something away that wasn't missing in the first place. The people who think these things up have imaginations worthy of Iain M Banks or almost even Iain Banks. .
additionally, if you are smart, you'll probably choose to find yourself a better job/salary in the industry instead of picking a govt position during time of austerity.
Almost every part of industry is going to be vulnerable when the Chinese decide it's time to go independent and finally pull the plug on the dollar. However, you do know what GCHQ does? Don't you? Its primary job is to spy on Americans (for legal reasons the NSA isn't allowed to do, so they spy on Europeans, Ozzies and the rest of the world in return for GCHQ spying on Americans). The more the US economy collapses; the more movements like Occupy start demanding money goes out of US politics, the more work there is going to be for GCHQ.
It is not a coincidence that just now, as the US crash is coming, as the UK is having its most brutal public service cuts in years, is the first time you have heard of GCHQ, which can usually recruit directly from top universities, having to have a public recruiting campaign. This may well be the only place where you will be able to have a state pension and negotiate to keep it with reasonable terms. This is certainly the place which the US will keep paying for even when they stop paying for every other part of their own army. Especially when they stop paying for every other part of their own army.
Yes; those damn Brits who insist on making their police actually investigate corporate crimes. If this was a proper civilised country the corporations would be allowed to control the media for political benefit and nobody would lift a finger. Look at how the FBI have managed to make accusations of hacking 9/11 victims completely disappear for example*. That's a proper example of a police system that knows that its job is controlling the people.
* We'll leave Australians for a while; there has been some uncivilised muttering about News International corruption, but it's quite possible that nothing will be done.
You have a definite point here; may I recommend a book, "The Corporation" by Joel Bakan, which will give you lots of material to support your case. In this case I don't think you are picking the right target in at least two senses. Firstly, this is a case where those people who wrote apologies turn out, at least in their own terms, to have been right. Google did give out the code in the end. In the case of Google, a much more productive example would be the way that the whole of Google has been designed as an end run around the GPL. The example to warn about would be their lack of clear promises to offer free licenses to FOSS projects for all their patents. If the example you had brought up had been Apple then you would find plenty of posters who were supporting them for ages (and even now) as a driver of innovation even when it was obvious that their lawyer-friendly side was coming out.
The (low level) OS was open. The GUI / User interface were not. Basically nobody succeeded in getting a full pure Debian install running as the main OS on the N900 but you could get a Debian chroot. That makes it "more open" since you could install the software you wanted including full Debian compatible software, but not sufficiently open.
A good warning against people who roll their own distributions.
Man; I have just subscribed to your newsletter. As a person who has fought to get MacOS / OS X to "just work" (don't get me wrong; the others are worse) I know your pain.
This is a simple matter of competence and trust. When Google says "we will release the source later" even those of us who are a bit outraged* mostly trust them. When Oracle says little and occasionally mutters "we are working on the community" we immediately see a bunch of executioners coming out and start to panic. I know that I immediately switched to Jenkins / LibreOffice the minute I heard that there was a fork away from Oracle. I still haven't got it together to get CyanogenMod even though it's probably more beneficial for me. I have stopped basing anything on MySQL that I can avoid for a while.
This is actually correct. Oracle's behavior is generally outrageous and should not be rewarded. It's completely reasonable to take almost anything Red Hat says on trust whilst I wouldn't accept a contract from Microsoft without Billions in cash, a series of senior management hostages, ownership of 90% of the voting shares, a safe room, free use of the US army for my own defence and a personal promise from a known trustworthy dominant alien intelligence to intervene on my behalf. Let's just say I'm not expecting things to work out well for Nokia.
* A "bit outraged" is difficult to explain. It doesn't worry me most of the time because I have come to believe that Google does what they say, but when I think about it too much I get very annoyed. I guess I don't want to trust Google, but feel forced to do so by other people who are more evil than they are.
Python has an attitude that little should be hidden. Ruby has lots of automagic and can be confusing for professional programmers, let alone beginners. At the same time most important things are available in Python. For a first language Python would seem to be obviously better.
It's not a substitute. Oil products are incredibly convenient. They concentrate energy into a small space (compare energy density for jet fuel with Li batteries one day), don't spontaneously burn (compare with hydrogen) but burn easily when you want them to (compare with coal / wood etc).
However, oil is even more valuable as the base material for things such as plastics. Burning it is a true sin and our descendants are likely going to hate us for it.
To make solar panels a direct oil substitute, fundamentally we need processes for turning electricity (+CO2 from the atmosphere and H from water) into hydrocarbons. These do exist, but most are in early research stages and/or quite inefficient. Getting them going at large scale, together with much cheaper solar panels would be great.
I'm always pretty willing to accept the possibility that a big company is screwing over a little guy. Also that what's in a news article which has likely been inspired by the big company's publicity people shouldn't be taken at face value. Looking at this story however, he sent malware by mail and got it installed on their computers. That's at least two pretty big lines crossed over. A) The line of illegality; even if someone tells you to send malware by mail, it's still very likely to be illegal and it's likely that they are ripping you off if they claim they have the right to allow you to do that. Virus samples, for example, should be extremely carefully handled. B) the line of stupidity. You never break into someone else's system without written permission from someone very senior. If this existed we would have heard.
Others have made points about people using it. However, there's another reason that Linux is important even to those that have never even heard of it. Linux provided a solid base of competition to Microsoft when nothing else could. That meant that there was a space where open protocols and ideas could develop.
Many, or even most, of the new developments which come to you as a Windows user would not have come if Microsoft had been able to sit there forever and ever imagining the development of Longhorn and never having to deliver anything of value to its users.
Just think about the way that Internet Explorer development lagged for years and years during the time when it had total market dominance. This, in itself, should be interesting enough to keep technical people experimenting with alternative systems whenever they have an appropriate chance.
Gnome has lots more stuff than just the shell. As a random example, it includes an encrypted password store that can be shared between applications. There is lots of room for valuable cooperation here. In fact the Gnome people even cooperate with the KDE people and standardise a number of things which mean that it's easier to use KDE applications in a Gnome environment and vice versa. Doing this means that you can get the benefits of working together (more rapid evolution; more applications available) together with the benefits of being separate (different interfaces; ability to experiment with different approaches to controversial features; ability to make choices which avoid bloat instead of including everybody's option).
The level at which cooperation takes place is fundamentally an internal environment developer decision. This is one of the great things about FOSS software. For now they want to use most of Gnome. Maybe later they will change their mind. Maybe later Gnome will start to be built of more components that they can share and actually become closer to them. Why worry?
My cost was per power station, not per reactor; it's very rare nowadays to build a single reactor on a site. I don't think the total average output is 2GW. As with wind power, but to a lesser extent, they have down time and outages (surprisingly much due to the requirement to shut down every time there is a nuclear incident - fossil fuel power stations can keep running even with minor problems). If I remember right this gives about 80% availability and the plant runs at about 80% of nominal capacity.
45,462 of them were by intelligence agents abusing their work position. This is an estimate based on classified information which I am unable to share with you for various reasons, but please feel free to disprove it.
I do understand that. However, that's the inevitable consequence of the nuclear industry demonstrating complete incompetence. Look on Slashdot and most other places where "technical people" meet with their religious belief in nuclear power. You will see that the Chernobyl and Fukushima disasters are presented as evidence that nuclear power is safe. "This is the worst you can get" they say. But the only reason we have to believe that is statements from the same nuclear engineers as told us that these accidents were impossible in the first place.
It's been demonstrated that nuclear engineers, who claimed that accidents were "one in a million years" with the first generation of reactors, don't know what they are talking about (this was the standard statement in the 1970s and 1980s). Treating that as experimental evidence, it strongly suggests that right now we seem to have to ignore the engineering advice about how safe or unsafe plants are. Instead we have to look at the accidents statistically. We can learn that major incidents happen yearly. Normally I'd say that it's a good guess that nuclear accidents follow something like an accident pyramid. If that's so, and if serious accidents occur approximately every 5-10 years as recently, then we can expect an ultra-serious (small country destroying?) accident some time in the next 50-100 years.
The kind of safety over-engineering we have to do to get away from this has real costs and environmental implications. If those costs make nuclear more expensive than renewable then the message is clear. Build renewable energy sources and limit nuclear reactors to one or two worldwide on which we can learn for the future. Ensure that those plants are run for research, not profit and that they are seriously monitored to ensure that they are safe. When the minor incident rate in those plants goes below one every ten years (which on a typical pyramid would suggest one catastrophe about every 5000 years; still a bit more than is really desirable), then we can start considering having multiple plants running.
He's a British tabloid journalist. He's probably already spying on his wife and child and selling it on the internet.
You fail at sequences. The R is obviously shifting to the right on every third position.
(R)eading, w(R)iting, a(R)ithmetic, Pe(R)l
;-b
mod this down; it's a response to a Goatse troll and deserves to suffer.
Are you sure you're an American?
He's from the RIAA. He speaks for the whole country whether the rest of them like it or not.