You're assuming a) that any given receiver (including a GPS receiver) uses the same intermediate frequencies to generate the one you're attempting to receive; and b) that the signal generated by such a receiver is sufficiently powerful to affect the reception on other frequencies (even harmonics).
The "harmonics" you're describing are less than a 10th of the wavelength of the GPS frequency you're naming, and the fact that they're only a few MHz apart tells me that they are not any appreciable fraction of the main frequency (+/- the intermediate(s)). Harmonics typically sit at nice friendly fractions of intermediate frequencies +/- the primary frequency. Things like 1/2, 1/4, 5/8, not 6/101.
The power output is another thing. I have never seen a receiver that was capable of broadcasting intermediate frequencies more than a few feet. To encompass a city block, you'd need to be transmitting with a walkie-talkie amount of power -on frequency-. If you're thinking harmonics and intermediate frequencies here, the power output has to go up exponentially. I can't imagine any receiver transmitting that kind of RF energy and passing FCC inspection.
That leaves me with nothing to bargain with, so the lobbyists win by default.
If this is a major factor with your congressmen, it sounds like you voted the wrong guy into office. Your congressmen are put there to represent your (the constituent's) interests. Sure, that includes corporations, but it should never be exclusive. You should not need any bargaining chips. If he/she is not consistently representing your interests, he does not need to be in that office.
... because they provide the (genuine) expertise that politicians lack, at the expense of objectivity. In other words, legislators let the lobbyists think for them simply because it's easier than thinking for themselves.
This is exactly why we should be writing them. Clue them in, educate them about why such-and-such is bad or why this-or-that is better. Why do the lobbyists have to be subject matter experts?
Expanding upon the other reply to this post, in order to do any real CLI interaction with it, I imagine you'd have to connect a real input device. The screen/wheel or whatever other buttons the watch would possess are probably meant to interact with applications designed for the watch. They don't expect you to be interacting with a shell prompt during normal usage, they expect you to have a "watch" app running and handling input via the standard interface.
Besides, how geeky would it look to have a big bulky keyboard (even laptop-sized or smaller) connected via a thin ribbon cable to a tiny screen strapped to your wrist. Imagine how annoying it would be to type and watch the screen at the same time. Heh.
Ignoring the fact that we don't have the technology yet to put a viable GPS receiver into something that would fit into a wristwatch, wouldn't a watch that automatically changes time zones be nifty? Automatically keeps in synch whenever it's around a network providing NTP services?
What about an alert device, a messaging end-point for critical monitoring services on your network. Forget sending a message to your pager (20 seconds to 5 minutes or more delivery time), just send a UDP packet to a process on your watch, and get an instant alert or textual page right then and there. Respond with equal ease.
Granted, these things could be done with specialized software specifically designed from scratch to be put into a watch, but why re-invent when you can re-use? Linux provides the perfect framework for all sorts of experimentation like this. That's what makes it cool.
People are quick to poke fun at logging into your watch, the fact that you'd have to lug around a keyboard to interact with it, etc., but consider that you can build your own interface, make your "watch" do whatever it is you wanted to do. Start up the scripts while it's plugged into your base station, and use its 4 buttons (or whatever) to interact with your software.
The advantage to putting Linux on this is that you can suddenly use any of your existing development tools and languages to build the wristwatch of your dreams. You want multiple time-zone support? Piece of cake. A count-down timer that has a 13-minute starting point instead of just 10 or 15? 50 different alarms? A custom alarm tune? Hack it in!
Sure, it's only a watch, but with something like this on your wrist, it's a watch you can do whatever you want with.
This has little to do with inherent "bugs" or vulnerabilities in the operating system and everything to do with a lack of knowledge and proper system configuration.
It's also far easier to utilize a newly hacked Linux system for evil than it is to do the same with NT, so Linux tends to be more of a target. And if you stupidly set up an insecure system and advertise its presence to the world, it will be a much more tantalizing target.
I'm not talking about logs (and even so, the percentage of hax0rd boxes that are truly without logs or other evidence of intrusion are probably smaller than you think).
I'm talking about real-time monitoring of network traffic and system usage. If someone's able to track the source of the attack back to a hax0rd system, all the competent admin has to do is fire up a packet sniffer, protected netstat-type utility, whatever, and figure out where YOU are connecting to this compromised machine. Since this connection is unlikely to be spoofed, the source address is guaranteed, and he can proceed to contact *that* ISP. Repeat if necessary.
Most decent dialup hardware is 100% digital anyway, so you have equipment sitting on ISDN lines capable of answering ISDN calls but serving up analog connectivity as well, so ALL calling numbers are available and can be logged or used in the fashion you mention. This level of logging is a common practice among most responsible ISP's.
You would be surprised how much information is logged by ISP's.
The one ISP I have intimate knowledge about logged everything from date/time, connection speed, disconnection reason to the NUMBER YOU WERE CALLING FROM.
All of this information is kept strictly confidential, but is IMMENSELY useful when serious abuse incidents arise. If some Joe Hax0r is using the ISP as a throw-away dialup with some fake credit card number, and the Feds came knocking on the ISP's door, they wouldn't walk away empty handed: with the calling ID, they know exactly who the offender is.
I suspect most ISP's have logging of this nature.
I mean hell, for metered access, you've GOT to keep track of dialup usage. Additional information like that is trivial to add to a database, and the benefits are significant.
Instead of contacting the provider of the compromised system and having them shut down the offender, have them TRACK HIM DOWN. With simple network tools they can figure out where the intruder is connecting from and FIND the dickhead instead of just killing the connection, patching up the system and forgetting him.
Without IP spoofing, attacks like smurf become impossible. The only way you can DoS a site when your IP can't be spoofed is via a direct flood of traffic. Sure, you can coordinate the attack between several compromised systems, but without amplifiers such as with smurf, it's considerably less effective, and you announce the IP of every one of your intermediaries in the process, which means it'll probably be unusable as soon as the complaint gets back to the owners.
The guy quoted in this story seems to advocate against full disclosure. Malda seems to think this implies the absence of any disclosure.
Can't there be a middle ground? Can't we disclose enough information to accurately describe the problem, workarounds and/or fixes (preferably from the vendor itself, in the case of vulnerabilities not yet "in the wild") without publishing script-kiddie-compatible exploits that run right out of the box?
If a sysadmin scans bugtraq even weekly, he can often have a patch or workaround for a vulnerability in his systems long before the vendor releases anything.
A good advisory should include workaround information. If the person reporting the vulnerability can't do this, then perhaps he needs to pass his information on to a qualified security firm who can.
Anyone capable of writing a script-kiddie-compatible exploit should be quite capable of providing detailed information and a workaround/fix without necessarily releasing an out-of-the-box root exploit to every kid on the Internet.
As you are probably aware, poorly written "advisories" on BugTraq are typically followed up in short order with something with significantly more information (in quality and/or quantity).
If nothing else, if the author of the advisory feels a code example is required to accurately describe the nature of the bug, at least make the reader work to get a working exploit out of it. You can publish example code without publishing a functioning exploit.
Please explain to me how running any local/remote exploit-of-the-week and getting yourself a root prompt on the exploited system helps you discover flaws in your code or otherwise allows you to fix the problem.
A clear, concise description of the flaw and what should be done to work around it or fix it should be given, but in many cases we do not need root exploits released like this.
If it's ever necessary to distribute a tool to determine if you are vulnerable to some bug (in case for whatever reason it's not immediately obvious), the only thing that should be written is a tool that says "yes" or "no". Sure, somebody will be able to look at the code and figure out the nature of the bug, but the point is that the "exploit" itself cannot be instantly used by thousands of script kiddies. If it's necessary to distribute detailed information/code about a vulnerability, at least do so without providing an out-of-the-box exploit to any kid on the 'Net.
Yah, I guess this is a good point. First priority is getting stuff working again, but if you're a company that's adequately staffed, you should have enough people to put on the task of tracking him down.
I see that they've noticed a number of cracked boxes used in the attacks, but if *I* were the victim of something like this I would be on the phone in a second to the people running the networks of these cracked boxes. An on-going attack like this is typically very easy to spot from a network point of view, and with some competent admins, you can go from there straight back to the source.
I mean it may take a few times (if the box is vulnerable, sure there's an increased likelihood of a lack of clueful administration) before you'll find someone that can help you, and if they're bouncing between multiple hops, it'll mean coordinating or conferencing phone calls, but it CAN be done.
The reason script kiddies get away with shit like this is because nobody ever takes the time and effort to track them down and prosecute. Since nobody does it, the l33t0 hax0r kiddies figure they're invincible and keep right on doing it.
The tools DO exist to track them down. There's always a trail if you can just find admins willing to help you every hop of the way. Given the nature of the attack, he's probably using the cracked machines solely for their unique network addresses, not as a means of hiding his identity. Given the number of such hosts, it should have been trivially easy to find SOMEONE willing to track this asshole back to his ISP.
Does "censorware" ever take PICS ratings (provided by the web site or within the HTML page itself) into consideration here? Does The List override any PICS information, or does the site's PICS ratings override the software?
It seems to me that it's in the sites' best interests to provide PICS rating information on their own, instead of letting "AI" algorithms try to determine whether or not the site is good or bad.
Of course, there will always be sites out there that are either ignorant of, refuse to take advantage of, or simply haven't used PICS. In these cases, I understand the need for a 3rd party to provide some type of "rating" for unrated content. There's also the case where some misguided web author wants his child porn or violence-oriented web site visible to everyone, so he might be inclined to give his page G-rated PICS ratings. In cases like this, I also understand the need for 3rd party ratings.
What is wrong with having censorware software only worry about unrated or misrated sites? The 3rd party offering the list could specify two classes of sites on the list. The first class would be for sites that don't appear to have PICS ratings. If the censorware client discovers ratings on its own, it can consider the listing to be out of date and honor the PICS ratings. The second class would be for misrated sites, where the software would deliberately ignore PICS ratings and use its own information about the site to render judgement.
Only then, if you REALLY feel it's necessary, should we resort to clumsy and inaccurate "AI" to try and guess at the content of the web page being served up.
Further, why do these lists have to be provided by the makers of the software? Why can't we have 3rd parties make up their own lists, with their own ratings for content? A censorware application could periodically update its list from any of these 3rd parties, depending on who they trust. Is there an "open" censorlist standard?
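The precedence order proposed in the comment above (a "misrated" listing overrides the site, the site's own PICS rating overrides a stale "unrated" listing, and content guessing comes last), written out as added example code that is not part of the original comment or of any real filtering product. Ratings are simplified to plain strings rather than real PICS label syntax, and `resolve_rating`, the list names and the host names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class ListClass(Enum):
    UNRATED = "unrated"    # site had no PICS rating when the list maintainer checked
    MISRATED = "misrated"  # list maintainer judged the site's own rating to be false


@dataclass(frozen=True)
class ListEntry:
    list_class: ListClass
    rating: str            # the third party's own rating for the site


@dataclass(frozen=True)
class Decision:
    rating: Optional[str]  # None means nothing could rate the site
    source: str            # which rule produced the rating


# A trusted list is a (name, {host: ListEntry}) pair; order expresses trust.
TrustedList = Tuple[str, Dict[str, ListEntry]]


def resolve_rating(
    host: str,
    site_pics: Optional[str],
    trusted_lists: List[TrustedList],
    guess: Optional[Callable[[str], str]] = None,
) -> Decision:
    """Decide which rating a filtering client should apply to `host`.

    site_pics is the rating the site declares about itself (None if absent).
    """
    # 1. A "misrated" entry on any trusted list deliberately ignores the
    #    site's own rating, because that rating is the thing in dispute.
    for name, entries in trusted_lists:
        entry = entries.get(host)
        if entry is not None and entry.list_class is ListClass.MISRATED:
            return Decision(entry.rating, f"list:{name}:misrated")

    # 2. The site rates itself: honor it. Any "unrated" listing for this
    #    host is out of date, since the client has now found a rating.
    if site_pics is not None:
        return Decision(site_pics, "site-pics")

    # 3. No self-rating: fall back to the first trusted list that rated it.
    for name, entries in trusted_lists:
        entry = entries.get(host)
        if entry is not None and entry.list_class is ListClass.UNRATED:
            return Decision(entry.rating, f"list:{name}:unrated")

    # 4. Last resort only: guess from content, if the operator enabled it.
    if guess is not None:
        return Decision(guess(host), "content-guess")
    return Decision(None, "no-rating")


# Constructed sample data: two third-party lists the operator chose to trust.
SAMPLE_LISTS: List[TrustedList] = [
    ("list-a", {
        "liar.example": ListEntry(ListClass.MISRATED, "adult"),
        "silent.example": ListEntry(ListClass.UNRATED, "adult"),
        "newly-rated.example": ListEntry(ListClass.UNRATED, "adult"),
    }),
    ("list-b", {
        "silent.example": ListEntry(ListClass.UNRATED, "teen"),
    }),
]

if __name__ == "__main__":
    cases = [
        ("liar.example", "general"),      # self-rating disputed by list-a
        ("newly-rated.example", "teen"),  # listing is stale, site now rates itself
        ("silent.example", None),         # no self-rating, list-a is consulted first
        ("unknown.example", None),        # nobody has rated it
    ]
    for host, pics in cases:
        print(host, resolve_rating(host, pics, SAMPLE_LISTS))
```
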
Take the Deja content, serve it up, but add YOUR OWN ads all over the place, linking text from articles, from their own content, but DON'T change any of their content itself, just re-package it.
Then when their lawyers come knocking, tell them they're free to start using this new tag you've come up with or some new HTTP header on each of their pages, which will cause your system to happily ignore that content.
Some might say the difference lies in the fact that by posting to USENET, you're giving implied consent to redistribute and archive. I don't believe web pages are awarded that, except insofar as pages may be cached and proxied.
The point is still the same. I don't want people taking stuff I've written and marking up the content with advertisements. It's one thing to offer up a free archive paid for by on-page advertisements. I can accept that, but don't muck up the content of my message with links I don't want there.
And that X-No-Adverts header or whatever it is sounds an awful lot like, "If you don't want to be on our spam list anymore, just click Reply and say 'Remove!'". Why should I have to opt-out of a service I never opted-in to?
Redistribution and archiving is implied on USENET posts. Modifying content for the purpose of inserting advertisements and then redistributing that modified content is not.
For a more pervasive example of observation, take a look at the grocery 'Club Cards' that are becoming popular. These cards allow the stores to attach names to the lists of purchases made. There is nothing to prevent them from selling this information to insurance companies and marketing companies.
Great, just what we need: more conspiracy theories.
There is nothing stopping them from doing this now with your credit card number, your account number scanned from your check or if you're so paranoid you always pay with cash, even from the security cameras snapping your picture and comparing it with some sinister database with the intents you describe.
The tools already exist for them to do this, let's not freak out when something new comes along with just as much potential for evil big brother spying.
If your local supermarket is really doing this kind of thing to you, shop elsewhere. I think it's a pretty silly thought, myself.
If a copyrighted work is illegally redistributed, perhaps even with a "new" license (one that could make it public domain, for example), that license is null and void since the work was obtained/distributed illegally in the first place. You can't just slap a new license on something unless you *own* that something. Anyone downloading your copy, legally, has zero rights to it. If they honestly didn't know it was ripped off, and thought the "new" license/copyright terms were the real ones, they would be fine (they'd just lose subsequent rights to the work in total).
Of course, I'm just looking at this from a simple copyright perspective. People are using terms like trade secret and patent and trademark, etc., but simple copyright law is all that you need.
They wrote the document; they can determine exactly who is allowed to get it via how it can be redistributed.
Why don't we just borrow some books from the library and transcribe the contents on web pages? People would never have to buy books again! What about movies? CD's? It's the same concept.
They actually orbit quite a bit higher than LEO (in the area between LEO and geosynchronous). NASA has a great visualization tool at http://liftoff.msfc.nasa.gov/RealTime/Jtrack/3d/JTrack3d.html. I mainly use this for amateur radio satellites, but GPS satellites are in the catalog, and you can see where they are relative to most others.
At a given location, there are realistically 4-6 GPS satellites providing a solid signal. If you move one or two hundred miles away, 1 or 2 of those satellites will be different. If you limited your intentional errors to those initial satellites, you now have like a 20% accuracy increase. Move a few hundred miles away from that and you're further out of the error zone. A smart receiver could possibly figure out which satellites were giving the better signals and ignore the ones that were giving errors. You're right that error can't really be introduced with pinpoint accuracy, but the area where signal quality is 100% affected by intentional area can be made relatively small. Of course at least 1/4 - 1/2 of the world will be affected in some way, no matter how selective you try and get your satellites.
I imagine this ability (to switch off or introduce tremendous error) has been in the satellites since the beginning. The process of switching it on and off in real-time, as satellites pass over black-out areas, may be almost entirely automated. Just feed a set of coordinates to all of the GPS satellites, and have them figure out for themselves when to activate selective availability. *shrug*..
GPS satellites orbit in the area between low earth orbit and geosynchronous orbit. This means they move across the sky relatively slowly (geosynchronous satellites have no apparent motion, while low earth orbiting satellites are only usable in the sky for 10-15 minutes). This altitude means receivers can pick up the signals easier (geosynchronous satellites require heftier antennas or a parabolic reflector) and their slower relative velocities make them easier to lock on to and position over longer periods of time.
As far as the actual question, the other comments pretty much said it best. A satellite can be temporarily disabled or introduce error into the signal only as it's within range of the region in question. Even if you're 1/8th of the way around the world and end up locking on to this satellite as it starts introducing error into the signal, there are still several other satellites in range of your position that your receiver could lock on to instead, compensating for the error. This means the actual affected area can be isolated as much as they need to.
Get him recalled.
Don't vote for him in the next election.
Write him a letter and express these concerns.
Next election, write the candidates and express your distaste for these tactics. Ask them directly what their thoughts are on these same issues.
Additionally, just because a representative indicates he is for or against something does not mean that's the stance he will continue to take throughout his term. If his constituents voted him into office, that doesn't mean that the constituents, as a whole, agree with 100% of what the representative supports. A good congressman also listens to what his constituents want. Sometimes that may mean he has to go against his own desires.
To add to my post:
Of course, if an exploit already exists "in the wild", you're not hurting anybody much more by posting it to an appropriate forum like BugTraq. At this point worrying about full disclosure is rather moot.
And regardless, every possible bit of code, example and exploit should always be sent to the vendor first (even if it's just a few hours, if it's urgent that the information be publicized as quickly as possible). It's damn inconsiderate to post something publicly without giving the vendor any time at all to prepare a response, fix or workaround (and this goes back to my point about sending information to a qualified security firm before blindly posting incomplete/inaccurate information.. The vendor could easily be considered "qualified" in this respect, IMO).
If a sysadmin scans bugtraq even weekly, he can often have a patch or workaround for a vulnerability in his systems long before the vendor releases anything.
A good advisory should include workaround information. If the person reporting the vulnerability can't do this, then perhaps he needs to pass his information on to a qualified security firm who can.
Anyone capable of writing a script-kiddie-compatible exploit should be quite capable of providing detailed information and a workaround/fix without necessarily releasing an out-of-the-box root exploit to every kid on the Internet.
As you are probably aware, poorly written "advisories" on BugTraq are typically followed up in short order with something with significantly more information (in quality and/or quantity).
If nothing else, if the author of the advisory feels a code example is required to accurately describe the nature of the bug, at least make the reader work to get a working exploit out of it. You can publish example code without publishing a functioning exploit.
Please explain to me how running any local/remote exploit-of-the week and getting yourself a root prompt on the exploited system helps you discover flaws in your code or otherwise allows you to fix the problem.
A clear, concise description of the flaw and what should be done to work around it or fix it should be given, but in many cases we do not need root exploits released like this.
If it's ever necessary to distribute a tool to determine if you are vulnerable to some bug (in case for whatever reason it's not immediately obvious), the only thing that should be written is a tool that says "yes" or "no". Sure, somebody will be able to look at the code and figure out the nature of the bug, but the point is that the "exploit" itself cannot be instantly used by thousands of script kiddies. If it's necessary to distribute detailed information/code about a vulnerability, at least do so without providing an out-of-the-box exploit to any kid on the 'Net.
Yah, I guess this is a good point. First priority is getting stuff working again, but if you're a company that's adequately staffed, you should have enough people to put on the task of tracking him down.
I see that they've noticed a number of cracked boxes used in the attacks, but if *I* were the victim of something like this I would be on the phone in a second to the people running the networks of these cracked boxes. An on-going attack like this is typically very easy to spot from a network point of view, and with some competent admins, you can go from there straight back to the source.
I mean it may take a few times (if the box is vulnerable, sure there's an increased likelihood of a lack of clueful administration) before you'll find someone that can help you, and if they're bouncing between multiple hops, it'll mean coordinating or conferencing phone calls, but it CAN be done.
The reason script kiddies get away with shit like this is because nobody ever takes the time and effort to track them down and prosecute. Since nobody does it, the l33t0 hax0r kiddies figure they're invincible and keep right on doing it.
The tools DO exist to track them down. There's always a trail if you can just find admins willing to help you every hop of the way. Given the nature of the attack, he's probably using the cracked machines solely for their unique network addresses, not as a means of hiding his identity. Given the number of such hosts, it should have been trivially easy to find SOMEONE willing to track this asshole back to his ISP.
Does "censorware" ever take PICS ratings (provided by the web site or within the HTML page itself) into consideration here? Does The List override any PICS information, or does the site's PICS ratings override the software?
It seems to me that it's in the sites' best interests to provide PICS rating information on their own, instead of letting "AI" algorithms try to determine whether or not the site is good or bad.
Of course, there will always be sites out there that are either ignorant of, refuse to take advantage of, or simply haven't used PICS. In these cases, I understand the need for a 3rd party to provide some type of "rating" for unrated content. There's also the case where some misguided web author wants his child porn or violence-oriented web site visible to everyone, so he might be inclined to give his page G-rated PICS ratings. In cases like this, I also understand the need for 3rd party ratings.
What is wrong with having censorware software only worry about unrated or misrated sites? The 3rd party offering the list could specify two classes of sites on the list. The first class would be for sites that don't appear to have PICS ratings. If the censorware client discovers ratings on its own, it can consider the listing to be out of date and honor the PICS ratings. The second class would be for misrated sites, where the software would deliberately ignore PICS ratings and use its own information about the site to render judgement.
Only then, if you REALLY feel it's necessary, should we resort to clumsy and inaccurate "AI" to try and guess at the content of the web page being served up.
Further, why do these lists have to be provided by the makers of the software? Why can't we have 3rd parties make up their own lists, with their own ratings for content? A censorware application could periodically update its list from any of these 3rd parties, depending on who they trust. Is there an "open" censorlist standard?
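The precedence proposed in the comment above (a "misrated" list entry overrides the site's own PICS labels, self-supplied labels override a stale "unrated" entry, and guessing is the last resort), sketched as an added example that is not part of the original post. The list format, host names and limits are assumptions, and the RSACi-style label is constructed.

```python
import re
from html.parser import HTMLParser

class _PicsMeta(HTMLParser):
    """Collects the content of <meta http-equiv="PICS-Label"> tags."""
    def __init__(self):
        super().__init__()
        self.labels = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "pics-label":
            self.labels.append(a.get("content") or "")

def page_ratings(html):
    """Return {category: level} from the page's first usable PICS-1.1 label, else None."""
    parser = _PicsMeta()
    parser.feed(html)
    for label in parser.labels:
        m = re.search(r"\(PICS-1\.1\b.*?\br(?:atings)?\s*\(([^)]*)\)", label, re.S)
        toks = m.group(1).split() if m else []
        if toks and len(toks) % 2 == 0 and all(t.isdigit() for t in toks[1::2]):
            return {cat: int(lvl) for cat, lvl in zip(toks[::2], toks[1::2])}
    return None

def decide(host, html, rating_list, limits):
    """Return (source, allowed); allowed is None when nothing rates the page."""
    entry = rating_list.get(host)
    own = page_ratings(html)
    if entry and entry["class"] == "misrated":
        source, ratings = "list-override", entry["ratings"]  # distrust site's labels
    elif own is not None:
        source, ratings = "pics", own  # an "unrated" entry is out of date
    elif entry:
        source, ratings = "list", entry["ratings"]
    else:
        return ("unrated", None)  # last resort (block, allow, guess) is the caller's
    # A category the user set no limit for is held to level 0.
    allowed = all(lvl <= limits.get(cat, 0) for cat, lvl in ratings.items())
    return (source, allowed)

# Constructed sample data (hypothetical hosts, RSACi-style categories n/s/v/l).
G_PAGE = ("<meta http-equiv=\"PICS-Label\" content='(PICS-1.1 "
          "\"http://www.rsac.org/ratingsv01.html\" l gen true r (n 0 s 0 v 0 l 0))'>")
RATING_LIST = {
    "late-labeller.example": {"class": "unrated", "ratings": {"v": 4}},
    "mislabelled.example": {"class": "misrated", "ratings": {"s": 4}},
    "no-labels.example": {"class": "unrated", "ratings": {"v": 3}},
}
LIMITS = {"n": 0, "s": 0, "v": 1, "l": 1}
```

The same G-rated page is allowed on one host and blocked on the other purely because of the list class, which is the trust decision the two-class proposal hands to whoever maintains the list.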
Take the Deja content, serve it up, but add YOUR OWN ads all over the place, linking text from articles, from their own content, but DON'T change any of their content itself, just re-package it.
Then when their lawyers come knocking, tell them they're free to start using this new tag you've come up with or some new HTTP header on each of their pages, which will cause your system to happily ignore that content.
Some might say the difference lies in the fact that by posting to USENET, you're giving implied consent to redistribute and archive. I don't believe web pages are awarded that, except insofar as pages may be cached and proxied.
The point is still the same. I don't want people taking stuff I've written and marking up the content with advertisements. It's one thing to offer up a free archive paid for by on-page advertisements. I can accept that, but don't muck up the content of my message with links I don't want there.
And that X-No-Adverts header or whatever it is sounds an awful lot like, "If you don't want to be on our spam list anymore, just click Reply and say 'Remove!'". Why should I have to opt-out of a service I never opted-in to?
Redistribution and archiving is implied on USENET posts. Modifying content for the purpose of inserting advertisements and then redistributing that modified content is not.
For a more pervasive example of observation, take a look at the grocery 'Club Cards' that are becoming popular. These cards allow the stores to attach names to the lists of purchases made. There is nothing to prevent them from selling this information to insurance companies and marketing companies.
Great, just what we need: more conspiracy theories.
There is nothing stopping them from doing this now with your credit card number, your account number scanned from your check or if you're so paranoid you always pay with cash, even from the security cameras snapping your picture and comparing it with some sinister database with the intents you describe.
The tools already exist for them to do this, let's not freak out when something new comes along with just as much potential for evil big brother spying.
If your local supermarket is really doing this kind of thing to you, shop elsewhere. I think it's a pretty silly thought, myself.
Generally companies do not force nifty new features upon people that a sizable portion doesn't like, simply because people will not buy them.
These will almost certainly be optional features/settings on your phone. I mean, think about it.
If a copyrighted work is illegally redistributed, perhaps even with a "new" license (one that could make it public domain, for example), that license is null and void since the work was obtained/distributed illegally in the first place. You can't just slap a new license on something unless you *own* that something. Anyone downloading your copy, legally, has zero rights to it. If they honestly didn't know it was ripped off, and thought the "new" license/copyright terms were the real ones, they would be fine (they'd just lose subsequent rights to the work in total).
Of course, I'm just looking at this from a simple copyright perspective. People are using terms like trade secret and patent and trademark, etc., but simple copyright law is all that you need.
They wrote the document; they can determine exactly who is allowed to get it via how it can be redistributed.
Why don't we just borrow some books from the library and transcribe the contents on web pages? People would never have to buy books again! What about movies? CD's? It's the same concept.
They actually orbit quite a bit higher than LEO (in the area between LEO and geosynchronous). NASA has a great visualization tool at http://liftoff.msfc.nasa.gov/RealTime/Jtrack/3d/JTrack3d.html. I mainly use this for amateur radio satellites, but GPS satellites are in the catalog, and you can see where they are relative to most others.
At a given location, there are realistically 4-6 GPS satellites providing a solid signal. If you move one or two hundred miles away, 1 or 2 of those satellites will be different. If you limited your intentional errors to those initial satellites, you now have like a 20% accuracy increase. Move a few hundred miles away from that and you're further out of the error zone. A smart receiver could possibly figure out which satellites were giving the better signals and ignore the ones that were giving errors. You're right that error can't really be introduced with pinpoint accuracy, but the area where signal quality is 100% affected by intentional area can be made relatively small. Of course at least 1/4 - 1/2 of the world will be affected in some way, no matter how selective you try and get your satellites.
I imagine this ability (to switch off or introduce tremendous error) has been in the satellites since the beginning. The process of switching it on and off in real-time, as satellites pass over black-out areas, may be almost entirely automated. Just feed a set of coordinates to all of the GPS satellites, and have them figure out for themselves when to activate selective availability. *shrug*..
GPS satellites orbit in the area between low earth orbit and geosynchronous orbit. This means they move across the sky relatively slowly (geosynchronous satellites have no apparent motion, while low earth orbiting satellites are only usable in the sky for 10-15 minutes). This altitude means receivers can pick up the signals easier (geosynchronous satellites require heftier antennas or a parabolic reflector) and their slower relative velocities make them easier to lock on to and position over longer periods of time.
As far as the actual question, the other comments pretty much said it best. A satellite can be temporarily disabled or introduce error into the signal only as it's within range of the region in question. Even if you're 1/8th of the way around the world and end up locking on to this satellite as it starts introducing error into the signal, there are still several other satellites in range of your position that your receiver could lock on to instead, compensating for the error. This means the actual affected area can be isolated as much as they need to.