If the law considers that "generating" or "retrieving information" via a telecom device makes it an information service, then literally everything you do with your telephone and cable line is an information service rather than a telecom service. I agree with you that that's the letter of the law, but it doesn't seem to match up with reality very well.
Here's what I want to know: the zlib maintainers know that their code is heavily used in open source products, and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib. So they know who to contact about vulnerabilities. However, if Microsoft just takes open source code and incorporates it into their products, how will the zlib folks know to contact them prior to public disclosure? It surely can't be the responsibility of the zlib team to grep through every single closed-source binary out there in order to make sure that it didn't use zlib.
It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this. This seems like what has happened to Microsoft in this case; otherwise they would have had a raft of fixes available when the original story was released, right?
The other alternative is the vendor early warning list idea that Microsoft has been pushing, but the problem with that is: the more people on the list (and you'd have to have hundreds of vendors in the case of a base library like zlib, I'd think), the more likely that one of them will leak the story to the black hats, so that the delay while vendors prepare patches becomes a liability for the unpatched public. That doesn't seem like a good scenario to me either.
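The ldd approach the post above suggests, and the gap it leaves, as an added example that is not part of the original comments: the first function lists executables whose ldd output names libz, which finds dynamically linked consumers; the second greps files for the version banner that zlib compiles into inflate.c and deflate.c (" inflate 1.2.11 Copyright 1995-2017 Mark Adler "), which is the only trace a statically linked or vendored copy leaves. The demo directory and its fake binaries are constructed here. One caveat a practitioner should know: ldd may run the dynamic loader on the file it inspects, so it should not be pointed at untrusted binaries (readelf -d or objdump -p are the safe alternatives).

```shell
#!/bin/sh
# Added example (not from the thread): find which programs on a box use zlib.
#
# Dynamic consumers show libz.so in ldd output.  Static or vendored copies do
# not, so we also look for the banner zlib embeds in every build.  The banner
# check is a heuristic: a vendor can strip or edit the string.

# Print every executable directly under DIR whose ldd output names libz.
# Returns quietly if ldd is missing (e.g. a minimal container).
zlib_dynamic_consumers() {
    dir=$1
    command -v ldd >/dev/null 2>&1 || return 0
    find "$dir" -maxdepth 1 -type f -perm -100 2>/dev/null | while read -r f; do
        # ldd fails on scripts and non-ELF files; treat failure as "no".
        if ldd "$f" 2>/dev/null | grep -q 'libz\.so'; then
            printf '%s\n' "$f"
        fi
    done
}

# Print every file directly under DIR that carries zlib's version banner,
# with the version string it reports.  Catches static and vendored copies.
zlib_embedded_consumers() {
    dir=$1
    find "$dir" -maxdepth 1 -type f 2>/dev/null | while read -r f; do
        # -a forces text mode so grep reports the match inside an ELF file.
        ver=$(grep -a -o -E '(inflate|deflate) 1\.[0-9]+(\.[0-9]+)+ Copyright' "$f" 2>/dev/null | head -n 1)
        if [ -n "$ver" ]; then
            printf '%s\t%s\n' "$f" "$ver"
        fi
    done
}

# Constructed demo so the script runs stand-alone: one fake vendored binary
# carrying the banner, one unrelated file.  Neither is executable, so the
# dynamic scan finds nothing and the banner scan finds exactly one.
demo=$(mktemp -d)
printf 'ELFjunk inflate 1.2.11 Copyright 1995-2017 Mark Adler junk' > "$demo/vendored_tool"
printf 'no zlib here' > "$demo/other_tool"
echo "dynamic consumers in $demo:"
zlib_dynamic_consumers "$demo"
echo "embedded copies in $demo:"
zlib_embedded_consumers "$demo"
rm -rf "$demo"
```

Run it against /usr/bin (or a vendor's unpacked installer) to get the two lists; any product that appears only in the second list is exactly the kind of consumer a library maintainer has no way to discover from ldd alone.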
Well, I was thinking more along the lines of web caching, firewalling, that sort of thing. It's true that there are several things that work better when your bandwidth provider (you know, the guy at the head of the pipe) is also your ISP - they can do caching for you, you don't have to worry about your email password being plaintext (or at least you don't have to worry quite as much), etc. Those things are a little more complicated if you have to go halfway around the world to get to them.
But yeah, for vanilla web browsing you don't need an ISP at all. I should've explained what I was thinking.
Y'know, I don't care about the cable regulation one way or the other as much as some people, but I think the FCC has really missed the boat on their classification of the service here. What people have demonstrated that they want, time and time again, is connectivity. We want a high-speed telecommunications service. If we want an information service too, we'll get a web browser, or something like that. We don't need the FCC to decide for us what we want; we know what we want.
It's the bundling of connectivity with services that is slowing all of these rollouts, IMHO - if we could get bandwidth from one company, and mail/news/web access from another, then the market would quickly determine the best bandwidth providers as well as the best mail/news/web access providers. This FCC action is limiting the scope of such unbundling, which seems like a step backwards to me.
I continue to be amazed that Intel is not on the side of the content industry here - they must have some scary numbers on how much work implementing DRM on their chips would be. Or maybe they understand that many consumers just won't buy a Pentium DRM+ 3000?
There are some rights that you can't waive, though - for example, you can't really sell yourself into slavery in the U.S. even if you wanted to. Such a waiver would not be upheld by the courts. So this is sort of a case like EULAs; we just need the courts to clarify that you really can't waive such a right, so any agreements based on such a waiver are void.
Individual people aren't necessarily smart about technology issues, though - most people are willing to just take whatever Silicon Valley and Redmond give them, and be happy with what they got. These are people who can't set the clock on the VCR that you're saying won't be able to tape anything, remember? I think that you do have to have the sensationalism to get their attention, just like the nightly news has story leads like "A common household item could kill you. Details in a few minutes, but first the weather!". You have to get people hooked with "Congress is trying to stop you from taping Buffy" and then break the actual technology issue into bite-sized pieces.
According to my reading of Miranda, it only guarantees that you will be informed of your rights, etc., in the interests of securing your 5th Amendment right against self-incrimination. For example, this synopsis seems to hit the important points.
There wouldn't be a need to preserve the 5th Amendment rights during situations where you are not on the witness stand, unless the 5th Amendment also applies to statements that you make while not under oath. So it appears that the courts think that the 5th Amendment does not just apply to testimony under oath, but in fact applies to many situations in which your statements may later be used against you. Which was the loophole in your original statement that I was trying to point out.
It's good that you brought up Miranda, actually, because the language of it seems to be pretty clear in terms of what you can and cannot be compelled to say:
The privilege against self-incrimination, which has had a long and expansive historical development, is the essential mainstay of our adversary system, and guarantees to the individual the "right to remain silent unless he chooses to speak in the unfettered exercise of his own will," during a period of custodial interrogation as well as in the courts or during the course of other official investigations.

In the absence of other effective measures, the following procedures to safeguard the Fifth Amendment privilege must be observed: the person in custody must, prior to interrogation, be clearly informed that he has the right to remain silent, and that anything he says will be used against him in court;...
So imagine that the police violate your Miranda rights, and you tell them where you hid the bodies before you get to talk to a lawyer. The judge will throw out that evidence in court, since the evidence was procured through a violation of the user's rights (unless the prosecution can demonstrate that they would have inevitably discovered the evidence anyway (you can see that I watch a lot of Law & Order :)). Evidence attained through a result of the violation of the suspect's rights is "tainted", and cannot be used against you in court.
So, working back closer to the original tack of this thread, it appears that the 5th Amendment applies to many things that you say, whether under oath or not. Evidence retrieved as a violation of your 5th Amendment/Miranda rights can't be used against you to incriminate you. If the only way to get the password from you is for you to say it, and the 5th Amendment applies to anything that you are compelled to say, then I don't see how this doesn't fall under the 5th Amendment protections. Just because it unlocks other existing evidence isn't sufficient - telling the officers where you hid the bodies also unlocks other existing evidence, but we have protections against that. Heck, even if you could somehow say where you hid the bodies without admitting to the murders, compelling such a statement would still violate the 5th Amendment.
Actually, no. You can screw up any one bit of /etc, and only that application stops working right. You try writing random bytes to the registry, and the whole machine stops booting.
Nothing's a risk when you have $billions in the bank. Do you realize how long Microsoft could coast at this point if they completely stopped doing any work at all?
If protection from incriminating statements only applies during testimony under oath, then what is stopping the police from beating a confession out of you during the discovery phase of the trial, and then using that confession in court?
Well, if you're not under oath when asked for the key, can't you just lie and say that you forgot? Although I suppose that's still contempt of court if they don't believe you.
If it's perjury versus confession, then it seems like you're in a "damned if you do, damned if you don't" situation, and the 5th amendment is providing you a way out of that position. If you are subpoenaed for your encryption keys, you are likely also in a "damned if you do, damned if you don't" situation, except that here the choices are confession versus contempt of court. I don't see that much difference between the two situations in terms of the immediate consequences for the subpoenaee. One is under oath, and the other isn't, but both are a situation where you can either incriminate yourself, or else go to prison if the courts think that you are not sufficiently helpful in the self-incrimination process. It seems to me that the discovery process should be limited to physical evidence - anything that I must be forced to say feels like self-incrimination.
In reality I suppose it comes down to whether the penalty for the crime is worse than the contempt of court sentence.
I keep everything too:
du -k ~/.netscape/nsmail
...
296495  /home/ethereal/.netscape/nsmail
This is for almost four years at this particular company. I'm not up to boss-like standards (of course, the fact that I can communicate without using .doc and .ppt files probably helps) but it's still a hefty archive.
Is it useful? Often it is - I have exact records of all my correspondence for the last four years, sorted by date, topic, etc. as I want it. And when all else fails, I can grep for the text in the message that I want. Of course, it helps that I religiously file mail into folders so that my inbox only contains email about tasks I haven't completed yet.
Frankly, I don't see how I could live with the example quoted in the article of deleting everything over 30 days old. I would be unable to function without reference to technical discussions, product release information, and the latest management diktats from 30 days, 3 months, or even three years ago (OK, maybe I could live without the mgmt stuff :). Do these companies with such a destruction policy just convert all their important email into other documents so that they can maintain state past 30 days? I honestly don't understand how you could just throw all that information away and hope to keep your business rolling forward. Maybe someone can enlighten me...
Re:Try using unique words (on Google Juice, Score: 1)
ROTFL - I can't believe I didn't see that coming when I read the article :)
What an attitude - not only does your boss feel entitled to free software, but he doesn't even realize that the whole point is that you can fix a bug yourself if it would help you out. Not fixing it just means that you have to live with the pain, and it doesn't even really spite the free software community at all!
Ah, I stand corrected in some cases - secure communication, for instance. A very enlightening response, thank you.
For authentication purposes, you can tell when the pad has been guessed, because you ended up logged in when you guessed right. Which was what I was thinking of at the time. But you're right in the case of decrypting a secret message given only the ciphertext.
Nope, you still missed the point. Even if I use longer, non-language passwords, it is still guessable. Even if I use a one-time-pad for my password, it is still guessable. Do you understand: if I have enough hardware or time, I can guess anything.
My point is that there are degrees of "guessability", and that we need to specify those when we are talking about security, rather than just bleating "guessable bad, one-time-pad better!" Dictionary-guessable is bad, line-noise is pretty good, one-time-pads are the best we can hope for, but all are guessable.
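The "degrees of guessability" the post above asks for, put into numbers as an added example that is not part of the original comments. A password is placed in the smallest keyspace an attacker would plausibly search that contains it; from the size of that space we get bits of entropy, the expected number of guesses, and the expected time at two rates: offline against a stolen hash, and online against a rate-limited login oracle (the earlier reply's case, where a correct guess announces itself by logging you in). The toy dictionary, the keyspace model and both rates are assumptions chosen for illustration, not measurements.

```python
"""Added example (not from the thread): rank passwords by the size of the
smallest keyspace that would have produced them, then turn that into guesses
and time at an assumed offline rate and an assumed online rate."""
import math
import string

# Constructed toy wordlist.  Real cracking lists hold millions of entries, so
# the dictionary class is far larger in practice, but still tiny next to 94**n.
DICTIONARY = frozenset({"password", "letmein", "buffy", "dragon", "qwerty", "slashdot"})

# Assumed guess rates in guesses/second (hypothetical figures).
OFFLINE_RATE = 1e10   # a GPU against a fast, unsalted hash
ONLINE_RATE = 10.0    # a login service throttled to 10 attempts/s per account

# The 94 printable ASCII characters excluding whitespace.
PRINTABLE = "".join(c for c in string.printable if not c.isspace())


def _dict_plus_digits(pw: str) -> bool:
    """A dictionary word followed by one to four digits, e.g. buffy42."""
    stem = pw.rstrip(string.digits)
    return stem != pw and stem.lower() in DICTIONARY and len(pw) - len(stem) <= 4


# Keyspaces from easiest to hardest: (label, membership test, size for length n).
# The first match is the class a smallest-space-first attacker would hit.
KEYSPACES = [
    ("dictionary word", lambda pw: pw.lower() in DICTIONARY,
     lambda n: len(DICTIONARY)),
    ("dictionary word plus digits", _dict_plus_digits,
     lambda n: len(DICTIONARY) * sum(10 ** k for k in range(1, 5))),
    ("lowercase letters", lambda pw: all(c in string.ascii_lowercase for c in pw),
     lambda n: 26 ** n),
    ("letters and digits", lambda pw: all(c in string.ascii_letters + string.digits for c in pw),
     lambda n: 62 ** n),
    ("printable ASCII", lambda pw: all(c in PRINTABLE for c in pw),
     lambda n: len(PRINTABLE) ** n),
]


def classify(password: str) -> tuple[str, int]:
    """Return (label, keyspace size) of the smallest modelled class containing password."""
    if not password:
        raise ValueError("empty password")
    for label, member, size in KEYSPACES:
        if member(password):
            return label, size(len(password))
    raise ValueError("password uses characters outside the modelled keyspaces")


def expected_guesses(password: str) -> int:
    """Average guesses to hit a uniformly chosen member of the class: half the space."""
    _, size = classify(password)
    return max(1, size // 2)


def seconds_to_crack(password: str, rate: float) -> float:
    """Expected wall-clock time at the given guess rate."""
    return expected_guesses(password) / rate


def report(password: str) -> dict:
    """One row of the guessability table for a single password."""
    label, size = classify(password)
    return {
        "class": label,
        "bits": math.log2(size),
        "expected_guesses": expected_guesses(password),
        "offline_seconds": seconds_to_crack(password, OFFLINE_RATE),
        "online_seconds": seconds_to_crack(password, ONLINE_RATE),
    }


if __name__ == "__main__":
    # Constructed sample passwords, one per class.
    for pw in ("Buffy", "buffy42", "xkjqwdpl", "J7kQ2zPv", "J7$k!q2Zp%"):
        r = report(pw)
        print(f"{pw:12s} {r['class']:28s} {r['bits']:6.1f} bits  "
              f"offline {r['offline_seconds']:.3g}s  online {r['online_seconds']:.3g}s")
```

Every row is "guessable" in the sense the post means; what separates them is the ten orders of magnitude between a dictionary word and ten characters of line noise, and the further nine orders between the offline and online rates. A uniformly random password over the full character set is the best case this model can express, which is the one-time-pad end of the scale.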
I think you're using the wrong troll post mad-libs form. Usually it's several paragraphs long, and talks about "charnel houses" a little more than that. Also some faked-up statistics.
Just trying to keep the quality of trolling at an acceptable level,
Definitely. But just because people are ignorant of their rights, shouldn't mean that they can forfeit them forever.
I have this overwhelming urge to take them up on the deal. Too bad my state attorney general is a big wuss :)
"Microsoft Beta Test? How can I lose?!"
Even worse - if you're not consuming, then the terrorists win! I know, because the President told me so.
Yes, let's think on their other big success of lumping everything into one large binary storage chunk: the registry.
Oh wait, that wasn't a success :)
Thanks.
I agree - get a new job, post haste.
At this rate, Windows XP will rate a whole volume of the RISKS Digest...
You're that guy from IT that keeps telling me that because my password is "guessable" that it's "weak", aren't you?
Think about it again - it's the same difference. Everything is guessable, given sufficient hardware.