Slashdot Mirror


User: Chester+K

Chester+K's activity in the archive.

Stories: 0 · Comments: 744

Comments · 744

  1. Who's stealing from who? on Mozilla Junkbuster-like Feature Removed · · Score: 2

    Personally, I regard these advertisements as stealing my meager 33.6KBPS bandwidth from me, and in some cases holding the rest of the webpage hostage until they load themselves.

    As a webmaster of a site that has ad banners on it to offset server costs, personally, I regard people that block my banners as stealing content from me.

    Nobody's forcing you to go to these sites with banners. The bandwidth isn't being "stolen", it's a condition of viewing the page.

  2. Verant and Drive Scanning on Verant Backs Down On Drive-Scanning · · Score: 5

    I run a fairly large EverQuest-related humor site, so I've been following this issue since it started (even if only to make fun of it).

    What's happening here is a thorny problem where individual "privacy" headbutts with everyone's best interests.

    A quick background for those not in the know: Verant Interactive produces and maintains EverQuest, a massively-multiplayer online role-playing game. Thousands of players connect to Verant-administered servers and play alongside other players in a persistent world. It's the second major-market title in the MMORPG genre started by Ultima Online.

    The way these games work is centralized servers store all the state information about the virtual world. To be general, nothing is stored client-side. This is required, because unlike games like Quake, the world is persistent. An early incarnation of this type of game was Diablo. The main difference between the newer games (UO and EQ) and Diablo is that with Diablo, all your character information was stored client-side. This became a major problem for the game, as it was only a matter of time before the file formats were reverse-engineered and people started modifying their characters to be super-powered.

    By storing the information server-side, this type of cheating is avoided. No matter what you do, there will always be people who want to cheat, and if the information is stored server-side, people will try to exploit the server to cheat, or will "enhance" their client software in order to give them an unfair advantage in the game. Ultima Online has had a long history of dealing with this type of problem. Many security weaknesses in the UO servers were discovered (and fixed), but at the same time, these weaknesses were exploited by people, most often to do devastating things to other players of the game.

    Recently, EQ has had the same things happening to it. A program known as "Show-EQ" has been around for quite some time, which simply gives a player an unfair advantage in the game. Verant has dealt with this in a subtle manner, changing their client/server data stream every so often to set back development of the utility.

    In the past couple weeks, other programs for EQ have begun to pop up, with more nefarious purposes. The EverQuest servers have been crashed on more than one occasion by these programs. This is what brought Verant to suggesting drive-scanning. It's one thing if someone is just cheating, but it's another thing completely if they're maliciously trying to crash the game.

    They took their first countermeasures not too long ago, by adding a feature to the client software that scans your Windows task list and looks for these "external utilities". If it finds one, it flips a "I'm a cheater" flag on your account and you end up with a cancelled EQ account.

    They proposed to extend their search to the hard drive, to see if any of these programs even exist on your system... and this is where people started to get upset.

    Verant has been very open and forthcoming about the proposed changes, keeping active discussions regarding the issue on the various websites dedicated to EverQuest, offering reasoning and explanations of the scanning process, and they even required all users to answer a poll question regarding the issue on login to the game (which turned up 80%+ in favor of the scanning).

    Even with the overwhelming support of the scanning by their playerbase, they responsibly decided to back down on the issue.

    Now granted, what they suggested could be a huge tool for abuse and privacy intrusion, but they did not try to "sneak" it past their users in any form. What they were proposing was nothing compared to some of the things that people thought they were planning on doing (there have been some heated arguments about it the past few days).

    In short, it's not really that they intended to intrude on people's privacy, but that they were seeking to increase the quality of their service and actually have a way to enforce their "no cheating" rules.

    Verant should be commended on their responsible handling of this entire incident, not trashed in the court of public opinion based on reports that only tell half the story, like the one posted here on Slashdot.

  3. Thoughts on possible remedies on Microsoft Loses · · Score: 5

    (disclaimer, IANAL)

    After skimming over the decision, I have some ideas as to where the eventual penalty in this case might go.

    There are a few major issues that the decision seems to rest upon: Microsoft's exclusive contracts with OEMs which it used to muscle Netscape out of the market, its corruption of Java, the fact that it tied IE in with Windows, and its high prices.

    Nowhere does it mention that they made Windows incompatible with another piece of software, or that they used hidden APIs in any of their products, which would be the biggest argument toward opening part or all of the Windows source code. Since neither of those is mentioned at all, or even alluded to, I believe that opening their APIs/source code isn't a likely penalty.

    A large portion of the decision is dedicated to Microsoft tying products into Windows, so I'd expect strict rules as to what can and cannot be built into Windows in the future (watch, WindowsME will ship without Notepad ... after all, that's muscling vi and emacs out of the market). This one is very scary since it tends to suggest that the government might try to take a role in OS design.

    I don't know if anything in the decision really seems to point to Microsoft potentially being fined. I'd think that there probably will be a fine levied regardless, since it's such an easy thing to do. It looks like if anything is done regarding money, however, it might be that rebates will be offered to consumers, and future pricing on Microsoft products will be regulated. The "fines" will likely come in decisions in other lawsuits that will spring up now that Microsoft is officially an "evil monopoly".

    The sections of the decision about Microsoft's business practices... its exclusive contracts, and that it used its monopoly power to try to build a monopoly in a second market are very interesting indeed. There are definite shades in the decision that suggest the judge might be open to ruling that Microsoft be split in some form.

    Up until today, I thought splitting Microsoft up was such a remote possibility based on what I've heard about the case so far, but after reading the decision, it seems like it might be a distinct possibility. Based on some of the wordings in the decision, a split would likely break Microsoft into separate but equal, competing companies, rather than along product lines. A break along product lines wouldn't solve most of the problems outlined in the decision.

    Regardless, after the appeals are all through, what finally gets decided will be interesting to see.

  4. The Actual Conclusions on Microsoft Loses · · Score: 1

    You can read the actual Conclusions of Law and Final Order here.

  5. Practical Application of Cloning on Dolly meet Dotty: Pig Cloning · · Score: 1

    All we need to do now is clone Jeff Bezos and let him patent himself into obscurity.

  6. Re:RMS and Open Source on RMS writes to Tim O'Reilly about Amazon · · Score: 2

    You can be pedantic and quibble about the difference between Open Source and Free Software all you like. You can't have Free Software without it being Open Source.

    My point is that there are people that want to use all this great software and ditch the "tiresome" politics of it all, they're called users. You know, those multitudes of people who are currently running Windows98 and who don't hate Microsoft (we can't all be perfect).

    The Open Source/Free Software idea has the potential to change every user's experience, from the geeks that work in air-conditioned backrooms with clusters of servers, to the bricks that sit at their workstations and type up memos all day.... but for that to happen, it has to be approachable by users. Unfortunately, as a community, we aren't very approachable. In one corner we have people like RMS, who wants to take credit for anything and everything; and in the other corner we have the "armchair hackers" who seem to run around all day and threaten our friends like Corel with lawsuits because they went to the bathroom and didn't release the toilet paper under the GPL.

    We have to understand that there are going to be people who don't care whether the source code is available or not. We have to understand that big name companies jumping into this Free Software love-fest might make a couple mistakes. We shouldn't jump down their throats and scare them off. In order to change the world, we need these people.

    RMS is the "schoolyard bully" of Open Source/Free Software. He can't even keep all of us on his side, imagine what he's doing to the non-geeks that look at what we're doing. How many potential friends of Open Source/Free Software do you think he's scared off?

  7. RMS and Open Source on RMS writes to Tim O'Reilly about Amazon · · Score: 0

    Seriously, I think RMS is bad for the Open Source movement. He comes across to the suits as a radical who will turn on them at a moment's notice. He gets an idea in his head and never changes his mind.

    Not only that, but he seems to think he invented Linux (see the stupid GNU/Linux issue). Go figure.

  8. When in doubt, blow it up on Internet Decency Commission Is Broke · · Score: 4

    From the article:

    Similar panels in Washington enjoy budgets in excess of $1 million, roughly the cost of a single Tomahawk cruise missile.

    Well, I suppose that's one way of keeping smut off the Internet... just blow up their servers.

  9. Looks like.... on Flat Panel Linux Box for $99? · · Score: 1

    ... they just installed Linux on a hard drive and plugged it into the IDE port graciously provided on the I-Opener's main board.

    Not groundbreaking, but interesting nonetheless.

  10. Re:Legal Recourse? on The Breaking of Cyber Patrol 4 · · Score: 1

    I wasn't suggesting that a lawsuit would be done on the grounds that the censorship is unconstitutional, where in a majority of cases when this type of software is used, it's not. A parent has every right to block what kinds of sites their children can see.

    That's not the problem with censorware. There's a big push to have these censorware packages installed in public libraries and other public Internet access kiosks. Suppose I run an online business that's been incorrectly blocked by one of these packages (there are several examples listed in both the report listed in the story, and on Peacefire)... do I, as a business owner, have legal ground to sue to creators of the censorware, since their software is arbitrarily blocking my site (which has no reason to be blocked), and costing me business? I'm sure monetary damages could be determined by lowered advertising revenue, and revenue through purchases... can the creators of censorware be held liable for the lost revenue due to their packages blocking access to the sites under their misrepresented pretense that they're blocking "harmful" sites?

    ... or are there no checks to prevent censorware from arbitrarily blocking sites? Why would a site like The National Organization for Women be blocked? Or an article about breast cancer? Or the texts of The Odyssey and The Iliad??

  11. Legal Recourse? on The Breaking of Cyber Patrol 4 · · Score: 1

    So with the ability to extract "proof" from one of these censorware packages that they're blocking a site, and misrepresenting why they're blocking it (the site mentions that Peacefire is blocked for Violence/Profanity, among other things), is there any type of legal action that can be taken against the creators of the censorware? It's just another form of a denial-of-service attack, isn't it?

  12. Re: Site is down on CERT Advisory On Malicious HTML Tags · · Score: 1

    CERT must have decided that because of the inherent security flaws in tags in HTML, that they'd better deny access to the HTML versions of their advisory or someone might hax0r it. :-)

  13. So how do we secure this? on CERT Advisory On Malicious HTML Tags · · Score: 1

    The cookie contains a user number and your password in cleartext. Even if the change password form requires you to type your old password... it's right there in the cookie and could easily be put into a URL to change the password.

    Require the user to enter their user name too? Maybe... is there any way to get the user name from the user number? At first glance, I can only see a way to pull up user information by user name, not by user number.

    If there's a way to correlate user name and user number? Maybe by peeking at the page via scripting? Slashdot makes it easy and puts your username on every page. A quick parse over an innerText property would retrieve it.

    So IS there a secure way to do it? Is there even a way to totally avoid users from entering URLs like this... when URL-encoding has plenty of legitimate uses?

  14. doh! on CERT Advisory On Malicious HTML Tags · · Score: 1

    Nevermind, my fault.

    My URL decoder was stripping off certain characters. I can see the user number and password clearly now.

  15. Re:Ok, Chester, I'll play your games on CERT Advisory On Malicious HTML Tags · · Score: 1

    Actually alerting the contents of document.cookie was the first thing I tried. I did get a double URL encoded string, but decoding it revealed that it was not my password.

    It does look to be a value based on my password, perhaps with certain characters removed and some added to the front. Undoubtedly they need to take your password and add a user number to the front, so that you have a unique cookie, since your password alone wouldn't be enough of a cookie to identify you.

    Now I'm itching to go get the Slash code and look at it.

    (Sorry about the post, it was just to further illustrate the point you showed... that your cookies can be used against you)

  16. Here's an Example Exploit of It on CERT Advisory On Malicious HTML Tags · · Score: 1

    And here's an example of it actually being used:

    Click here to see

    Give me a break if it doesn't work, I just whipped this up in a couple minutes.

  17. Re:well well well on CERT Advisory On Malicious HTML Tags · · Score: 1

    Many of you are still laughed at for taking that very precaution.

    This vulnerability isn't anything new. It's been around since scripting was first implemented in a browser. It isn't a security flaw in cookies, or scripting. It's a security flaw in the CGI that is running on a particular site.

    I have the strange notion that whoever suggested such draconian methods of "alleviating the problem" (which they say has never actually been reported to them as a problem) is probably some closed-minded technophobic fool who's afraid to upgrade from Linux 1.0 because they are under the mindset "if you can't do it in Linux 1.0, is it worth doing?".

  18. Case in Point on Open Source's Achilles Heel · · Score: 2

    who needs "innovative, flashy looks" when a nice text-prompt will work just fine?

    This is exactly the attitude that the author was pointing out as the reason why the acceptance of Open Source software on the user's desktop is still quite a ways off.

    The point is: end users want innovative, flashy looks, and Good Design(tm). They freeze up like a deer in the headlights when they see a $ or a #. Geeks are happy with command prompts and tend to assume everyone else is too, or they assume implementing skins will solve everyone's problem. Skins are no substitute for good UI design. Thanks for illustrating the author's point.

  19. Re:Men a minority in online gaming? on The Myth Of The Tech Slump · · Score: 3

    ....Say what? From whose ass was this number pulled? I certainly haven't experienced an equality in female gamers online. Unless BarbieQuest came out and nobody told me.

    This number does not only include what's mainly viewed as online games, such as Quake, UO, EQ, Diablo... it also counts Yahoo's online games of Hearts, and the various Jeopardy and Wheel of Fortune type games at The Station.

    Those are extremely dominated by women, who generally possess no tech skills other than knowing how to get their web browser into a game.

    That's where the high number of "women gamers" comes from.