In large part I think it's the way the legal system reasons things: successive approximation to previous cases. The problem is that there's no sanity check for situations where the law says A but NOT Z, but you can build a chain of reasoning that A is true and A is equivalent to B, B is equivalent to C, C is equivalent to D and so on until you get Y is equivalent to Z therefore Z (exactly the opposite of what the law says).
The flaw is obvious when you realize that you can use that kind of successive approximation and the "if the difference between two things is suffuciently small, it can be ignored and the two things treated as equivalent" rule to prove that 1 = 2.
The French President's already demonstrated the vulnerabilities. If they want to put in 3-strikes disconnection based on accusations alone, target the people who approve of it. They've almost certainly done something that'll justify at least an accusation. Once they've got 3 of them, make a huge stink about the law they insisted be passed and demand that they be subject to it.
Old Shin'a'in proverb: "If the enemy is in range, so are you.".
Well, actually my employer does in fact generate their own power. Or rather, they can. Our data center runs off a UPS bank, which is fed by the mains feed and a generator. If mains power fails, the UPS has enough capacity to keep the data center running until the genny starts up and starts supplying power. It's more convenient to run off mains, but we don't assume mains power is totally reliable (or even completely clean, the UPS bank filters and stabilizes it).
And yes, they run monthly tests of the genny to make sure it'll start when it's needed. They also run an annual test that involves shutting off the mains feed upstream of us to make sure everything works when the mains feed goes dead for real, followed by a fail-over to our disaster-recovery data center to make sure that part of things works the way it's supposed to.
Unfortunately, that's not what the unemployment rules say. Your benefits aren't reduced if you're earning income, they end when you take a job or become self-employed. If you become unemployed again within a certain length of time, you can resume your previous claim instead of having to file a new one.
This is one reason I'd personally like to take welfare and unemployment, fold them all into one system and re-write the rules:
If you're disabled, elderly or a minor, you qualify automatically.
If you're healthy and able to work, you qualify if:
You're currently working and making less than 2x the benefit amount each week.
You're not working, are looking for work and are willing to take work if offered to you.
You've been turned down for jobs because of lack of qualifications and are taking classes that'll qualify you for jobs available in your area.
In all cases, your benefits are calculated by taking the maximum benefit amount you qualify for that week and subtracting 1/2 of your income for that week. The maximum benefit amount is just the larger of a) the current welfare benefit you'd qualify for and b) the amount of unemployment benefit you'd get by virtue of what you've paid in while working. No disruptions, no bouncing back and forth, the only real distinction is at the point where you exhaust your unemployment account and drop back to the welfare benefit amount.
Well, duh. That's how unemployment works: if you earn any money at all during a week, your benefits are reduced by at least that amount (maybe more, depending on things like how many hours you worked). Anybody who's had to deal with working short-term jobs while collecting unemployment knows this headache well. Yes, that means that it's not in your best interest to have any income at all while trying to collect unemployment, unless that income's more (after taxes and such) than your unemployment benefits. This leads to an unpleasant balancing act trying to meet the "looked for N jobs this week" requirement while not getting stuck with a job that'll only last a couple of days and won't pay enough to make up for the lost benefits.
All I can say to this lawyer is, welcome to the world most people have to deal with.
Two technical problems there. The first is that not all operating systems have or require anti-virus software. Linux, for example. By requiring anti-virus software you're putting a major roadblock in the way of using an OS that's less prone to being infected, which is probably a bad idea. But more insurmountable is the second: on a properly-configured system the ISP wouldn't be allowed to check for anti-virus. They're an outsider without a user account on the system. With proper security in place they aren't going to be allowed to connect, let alone gain the system-level access needed to determine what AV software's installed and whether it's running or not. On my network they wouldn't get past the border router, let alone into an actual PC. To enable your solution, you'd need to open exactly the kinds of security holes viruses and other malware exploit, and that's a very very bad idea indeed.
One difference: with Ethernet, duplication of MAC addresses causes a malfunction of the network itself. Prefixes are assigned to companies for a technical purpose: to insure no two companies ever manufacture cards that share an address. The USB vendor ID isn't used for addressing, so as long as the device correctly implements the capabilities it advertises itself as implementing (which aren't tied to vendor ID) there should be no hardware-level malfunctions. Apple's trying to use the vendor ID merely to block sync with devices that would otherwise be technically perfectly capable of correctly syncing with iTunes. IMO it's Apple's right to try that, but nobody else is obliged to go along with them.
I'd note that vendor impersonation has a long history. Microsoft themselves do it, Internet Explorer to this day claims to be Mozilla in it's user-agent string, and this was done with the deliberate intention of fooling Web servers into thinking it was actually Netscape.
Actually I'd like to be treated like the plumber. Nobody thinks the plumber broke their pipes (well, not unless he installed them in the first place), but they do know that he's the one who can fix them. And they know that if they try and be a cheapskate and not pay him his full rate, or if they stand there haranguing him about how bad a job he's doing, he'll pack up his toolkit and wave good-bye, leaving them standing there ankle-deep in... stuff they'd rather not think about, and their only option will be to call another plumber who'll have just as little tolerance for their games as the first one. Because the plumber knows that, no matter how important you think you are, there's always somebody else with a stopped-up sink who won't be such a pain.
That and both the customer and the plumber know that if the customer takes the plumber into court and complains about how the plumber didn't tell him he shouldn't dump tons of cut hair and congealed grease and crud down the drain and the plumber should've done something to keep that from causing a clog, the judge will fall out of his chair lauging, then dismiss the case with prejudice. And probably order the customer to pay the plumber's legal bills too, just to teach them not to file frivolous complaints.
I don't know about you, but if a bank suddenly sent me 1,300 account's financial information, and then sent me an email telling me not to open it, I would be sending an email, calling, writing a letter, anything, because if something happens later to any of those accounts, I'm going to be one of the first people looked at.
If it were me, I wouldn't be doing any of those things. That's because I'd've deleted the initial e-mail without reading it. An e-mail purporting to be from a bank I've never done business with is either a) an advertisement I'm not interested in, b) a phishing attempt I don't want to even look at let alone respond to, or c) information I don't need and don't want. Regardless of which it is, I've no need and no reason to even look at it, so into the bit bucket it goes. And why not? I'm under no obligation to read random correspondence someone else wants to send me, just like I'm under no obligation to read that wad of advertising flyers that show up in my mailbox every day.
Hmm, I just realized. IIRC AT&T (like most phone companies) offers a premium-rate-call blocking service themselves. One that you have to pay for, if they're like the others I'm familiar with. Google's blocking makes it unnecessary to pay for AT&T's blocking. I suspect that's why AT&T's upset.
One major difference between what Google's doing and what AT&;T would like to do: AT&T wants to block/limit something the user wants to do and that they are doing deliberately, when the blocking benefits AT&T and negatively affects the user. Google is blocking something the user doesn't know (before they get the bill, at least) would happen and didn't ask for, and the blocking benefits the user (by keeping them from being unwittingly charged a large sum of money) and not Google. The whole reason those rural numbers are used, after all, is specifically because they can charge high rates without it being apparent from the number that the charges are going to be any higher than normal. They're used to deceive callers into thinking the call's a regular one and not one that'll be charged at a premium rate. Blocking that deception is, IMO, just ever so slightly different from keeping a user from using a service they want to use.
You wouldn't need to scan the computer. Just watch for the network traffic signature of malware (eg. open ports known to belong to malware that respond to the appropriate malware's protocol when probed, or open ports belonging to a Web server serving up malware). My ISP already scans for open ports as a regular security precaution. As for opt-out, no. The people who are the most problem are exactly the ones who'd opt out instead of fixing the problem (because in their mind the problem isn't the malware, it's the ISP complaining to them about it, and opting out fixes their idea of the problem by making the ISP stop complaining at them).
Mostly I change to proprietary apps reluctantly, because those apps support a proprietary format or system that's not available to open-source and that I have to deal with and can't just ignore. I rarely change by choice, it's usually forced on me.
My reason for being reluctant to change: yes, open-source apps are complex, sometimes awkward to configure, often not as polished as the proprietary apps. Yes, it's often painful and annoying to get them working. But I can usually get them working and doing what I need. Proprietary apps more often tend to make the easy stuff easy and painless (as long as you're doing it the app vendor's way), and make everything else simply impossible. Open-source you tend to have to deal with a hodge-podge of sources of disorganized information. Proprietary apps you have to deal with a vendor support line who have no clue how their app works and can only answer questions we already have the answers to from the manuals. And with open-source if there's a bug I can usually fix it. Vendor software, well, take Oracle for an example (please, preferably to another planet). Our open-issue list with them, counting only serious and up, is into the 4 digits and growing. Average open time for our tickets is the high side of a year. The last time I tried to get them to fix a bug, it was about a problem with their connection pooling. It simply wouldn't work, and it would lock up the database servers (not the client, not just one server, the entire cluster of servers). I managed to reduce the bug to a single-page test program in plain C that reproduced the problem 100% of the time and needed nothing but the IBM compiler, libc and Oracle's tools and libraries. It took 8 months to convince Oracle to even compile and try that simple test case, they kept asking for it to be simplified. When they finally did compile and run it, within 24 hours we got back "Oh, yeah, we know all about that one. It's in all our current versions. We're planning on fixing it in our next major release, you just have to upgrade to it. No, we're not planning on fixing any of the prior releases.". Wonderful. Thanks loads. Really. And that's it, we're done. It doesn't matter how major the problem is or how important it is to get it fixed, there are no further avenues we can pursue.
Attributed to an old test pilot: "Come on. My job is to get in an airplane that's never flown before, of a design that's never flown before, usually with lots of parts that've never been used in an airplane before, and go up and find out what it's performance limits are, usually by going past them. This is not an inherently safe activity.". I think most astronauts would agree with that sentiment. They know it's a risky activity, and they're there because they want to be there doing this strongly enough to outweigh the inherent risks. They'd probably rather not take stupid and unnecessary risks, but if it's a choice between taking the risks and never seeing space, well, to quote from Leslie Fish, "And before you take my dream / I will see you in Hell.".
I always thought one neccesary exception to the wiretap statute is: if you aren't permitted to preserve evidence against legal action, then the other party isn't permitted to refer to that evidence in any way either. And I mean "any way" in the fullest sense.
How about, instead of applying penalties, we change the approach? Right now the problem is that once the anonymous poster's identity is known, the original case is dropped and there's no way to force the plaintiff to file a new one naming an actual defendant. Instead, how about we not have the John Doe case dropped and a new one filed? It's, after all, the same defendant in both cases, the only difference is that in the second we know their name. So, file the John Doe case and make the case for having grounds to identify the defendant. Once the defendant's identity is known the case is amended to include their actual name, but since it's the same defendant no new case needs to be or is filed. If the defendant's responded, it now becomes much harder for the plaintiff to drop the case without the defendant agreeing to it and the plaintiff probably having to pay the defendant's legal bills.
CCP also noted that the accounts they dumped were also responsible for a lot of credit-card fraud which CCP had to foot the bill for. So they didn't forfeit 2% of their profits, they forfeited 2% of their profits minus the costs of the credit-card fraud associated with those accounts. The penalties (both in direct costs for those transactions and in higher processing fees for all transactions) are steep, so it's entirely possible that the fraud costs exceeded the revenue from those accounts. In that case, CCP actually will turn a profit by terminating those accounts.
Much of the problem with passwords is the number of entities who want them. Everybody you deal with wants you to create an account with them, which means one more password to deal with. I've got over a hundred passwords to various accounts in my records. Combine that with "strength" requirements that make them hard to remember and "security" policies that require changing them at (non-synchronized) intervals and you have a recipe for a migraine not all the Advil in the world can help. And many of those passwords aren't needed. Yes, I need a real account and password for my bank, or for E-Trade. No, I do not need an account and password for Amazon. Amazon doesn't need my username, they need me to be able to give them the credit-card details and shipping information for that purchase. Anything beyond that is for their convenience. If places that didn't need me to have an account didn't force me to maintain one, it'd make the password problem much more tractable.
Password strength requirements and mandatory-change intervals don't help, and do hurt. Strong passwords tend to be hard to remember in large numbers, and they're also hard to come up with. By forcing them to be changed regularly, you also all but force users to come up with passwords that aren't strong because they've run out of good ideas for strong ones. It also all but forces them to record them somewhere. Yes, one password isn't that hard to remember. But what did I say in the paragraph above? It's not just one password they have to remember, it's the dozens or hundreds that you and every other administrator out there require users to create and maintain. I'd much rather come up with one really strong password and be able to use it for a long period.
But it's vulnerable to guessing, you say Oh, really? Check your logs. When was the last time your systems were subject to a sophisticated attempt to guess passwords? I'm betting it's been years. Most attempts to guess passwords these days aren't attempts to break individual accounts, they try a few of the most obvious passwords across every user on the system looking for the couple who've left themselves open. Any password that meets even minimal strength requirements will be impervious to that sort of attack indefinitely. On top of that your system should be implementing lock-outs on repeated failed password attempts, and your IDS should be noticing the attempts from unusual (for that account) sources and blocking them. Let's face it, the most common attack users are subject to these days is the social-engineering attack designed to get them to give the attacker their password. And once the user's given the attacker their password, everything you've tried to do to keep attackers from guessing it becomes completely and utterly irrelevant.
As for writing passwords down, reality check here. At work my passwords are recorded in a locked drawer in my desk. Which is inside the secure doors, you can't get into that area without a keycard. The building's got 24/7 security on it too. If you don't work there, you're not likely to get anywhere near my password slip in the first place. And anyone who does get near it has already gotten physical access to every computer in the office. They don't need to break into desks and collect password slips, they can just install hardware keyloggers on the computers. Or reboot them from CDs or USB drives (changing BIOS settings if needed to allow it) and slide their malware straight into the OS image it and all the fancy AV software are inoperative. Or attach their own device to the network cables to sniff all the traffic for interesting things. In short, anyone in a position to read my written-down passwords is already smack in the middle of a target-rich environment and has a few hundred far more tempting things to go after before getting around to jimmying my desk drawer open, and the company's got far bigger problems to worry about.
I don't see any definition of this "cookie" in the DNS RFCs. I don't see it in the SMTP RFCs, or Telnet, or FTP, or SNMP, or SSH, or in fact any Internet protocol except for HTTP. And I hate to have to tell Bell Canada this, but the majority of the Internet does not use HTTP for name resolution. It uses DNS, and interprets DNS responses including NXDOMAIN. So if they're going to implement an opt-out solution for DNS, it needs to work with DNS clients and not just with HTTP clients. Otherwise, they need to abandon DNS redirection and begin doing transparent proxying of HTTP instead.
Oh, and before you say "But everything uses the Web now!", riddle me this: what transport protocol does World of Warcraft use to communicate between the game and Blizzard? What protocol does Everquest use? Hint: it's not HTTP. Do you want to claim that World of Warcraft and Everquest have a negligible number of players?
If you have to add the word "technically", that's probably a red flag right there. It's like the little kid arguing "But I technically didn't take a cookie out of the cookie jar. I knocked it over and the cookies fell out on their own, I just picked one up after it wasn't inside the cookie jar anymore.".
Sharing as in file-sharing would be exactly the distribution right. You're making copies of the songs and distributing those copies to others, and that's exactly the basic right copyright law reserves to the author.
And yes, they could prove distribution to the public. They did, in fact. Not to mention that the defendant admitted it. Note that what's required for that proof is evidence that the defendant shared the files with someone (who can be an agent of the copyright holder, the authority of the recipient has zero to do with the authority of the distributor) and that it's reasonable that that wasn't the only person. It's the same standard of proof applied in the case of someone selling bootleg copies of books, no more and no less. And giving them away would be "other transfer of ownership", money doesn't need to be involved.
Remember what I said about technicalities. The judge is going to look at it and say "Making copies of an MP3 file and giving them away. Making photocopies of a book and giving them away. I don't see any significant difference between the first and the second. And don't try fast-talking me, son, I've had professionals try to flim-flam me and you ain't no professional. Either give me a solid, well-grounded legal argument that doesn't depend on tortured logic, or stop wasting my time.".
Let me ask you this: for books, for tapes, for magazines, for photographs, for phono records, for any other copyrighted material, is there a single shred of precedent in any court anywhere that making your own copies, without the authorization of the copyright owner, and handing them out on the street-corner to anyone who asks for one is not dissemination to the public? No money involved, merely bulk-quantity handing-out. If you're right, then somewhere you should be able to cite the case where a judge decided that. I just don't think you can.
That's the basic problem in this case: the defendant was in fact making and distributing copies of copyrighted works without authorization, and doing so well outside the bounds of any fair use. Copying works you already own for your own use is (or should be) fair use. Giving the occasional copy to a friend, maybe. But handing out copies in wholesale quantities to anybody who stops by your booth to ask (which is what P2P file sharing involves)? Not even. The lawyers know it, the judge knows it, the defendant knows it, and the average person knows it. And frankly I agree with the law on that point. Whether it's a book or an MP3, the author for a certain period gets to be the sole source for it. I don't agree with certain of the details, but in this case none of those areas were implicated. The only defense Joel Tenenbaum might have raised is "I had a geek set it up for me for my own use, I had no idea it was sharing those files with the world.". And even that's hurt by the fact that much of his library wasn't his own, wasn't anything he'd paid for. I've noticed that judges are like DMs: they don't like players who use technicalities to get away with breaking the rules, and they tend to find ways to use those same technicalities to make it so the players don't get away with it.
If the RIAA comes knocking, ask yourself three questions: "Am I downloading copyrighted songs without paying for them?", "Am I sharing copyrighted songs with the world?", and "Do I know full well I'm doing this?". If the answers to all three are "Yes.", then suck it up and pay the settlement. You can delay the inevitable, but they are going to win.
If all the music on your computer's rips of CDs, tapes etc. you own and you've only used P2P software for legal material, have a geek check your system. Even if you didn't intend to, if you use the software it may have started sharing more than you intended. If it turns out that's the case, don't try to hide it. It just makes you look guilty. Preserve the evidence (so the RIAA can't use the appearance of hiding something against you), shut down the sharing, and prepare the "I honestly didn't know it was happening." defense. It may not save you completely, but if you're otherwise clean it's likely to get the judge leaning in your favor.
If it turns out you've no illegal material on your systems and demonstrably weren't sharing anything out, then and only then do you haul out the big guns and go for a showdown with the RIAA.
Slashdot Mirror
In large part I think it's the way the legal system reasons things: successive approximation to previous cases. The problem is that there's no sanity check for situations where the law says A but NOT Z, but you can build a chain of reasoning that A is true and A is equivalent to B, B is equivalent to C, C is equivalent to D and so on until you get Y is equivalent to Z therefore Z (exactly the opposite of what the law says).
The flaw is obvious when you realize that you can use that kind of successive approximation and the "if the difference between two things is suffuciently small, it can be ignored and the two things treated as equivalent" rule to prove that 1 = 2.
The French President's already demonstrated the vulnerabilities. If they want to put in 3-strikes disconnection based on accusations alone, target the people who approve of it. They've almost certainly done something that'll justify at least an accusation. Once they've got 3 of them, make a huge stink about the law they insisted be passed and demand that they be subject to it.
Old Shin'a'in proverb: "If the enemy is in range, so are you.".
Well, actually my employer does in fact generate their own power. Or rather, they can. Our data center runs off a UPS bank, which is fed by the mains feed and a generator. If mains power fails, the UPS has enough capacity to keep the data center running until the genny starts up and starts supplying power. It's more convenient to run off mains, but we don't assume mains power is totally reliable (or even completely clean, the UPS bank filters and stabilizes it).
And yes, they run monthly tests of the genny to make sure it'll start when it's needed. They also run an annual test that involves shutting off the mains feed upstream of us to make sure everything works when the mains feed goes dead for real, followed by a fail-over to our disaster-recovery data center to make sure that part of things works the way it's supposed to.
Unfortunately, that's not what the unemployment rules say. Your benefits aren't reduced if you're earning income, they end when you take a job or become self-employed. If you become unemployed again within a certain length of time, you can resume your previous claim instead of having to file a new one.
This is one reason I'd personally like to take welfare and unemployment, fold them all into one system and re-write the rules:
If you're disabled, elderly or a minor, you qualify automatically.
If you're healthy and able to work, you qualify if:
In all cases, your benefits are calculated by taking the maximum benefit amount you qualify for that week and subtracting 1/2 of your income for that week. The maximum benefit amount is just the larger of a) the current welfare benefit you'd qualify for and b) the amount of unemployment benefit you'd get by virtue of what you've paid in while working. No disruptions, no bouncing back and forth, the only real distinction is at the point where you exhaust your unemployment account and drop back to the welfare benefit amount.
Well, duh. That's how unemployment works: if you earn any money at all during a week, your benefits are reduced by at least that amount (maybe more, depending on things like how many hours you worked). Anybody who's had to deal with working short-term jobs while collecting unemployment knows this headache well. Yes, that means that it's not in your best interest to have any income at all while trying to collect unemployment, unless that income's more (after taxes and such) than your unemployment benefits. This leads to an unpleasant balancing act trying to meet the "looked for N jobs this week" requirement while not getting stuck with a job that'll only last a couple of days and won't pay enough to make up for the lost benefits.
All I can say to this lawyer is, welcome to the world most people have to deal with.
Two technical problems there. The first is that not all operating systems have or require anti-virus software. Linux, for example. By requiring anti-virus software you're putting a major roadblock in the way of using an OS that's less prone to being infected, which is probably a bad idea. But more insurmountable is the second: on a properly-configured system the ISP wouldn't be allowed to check for anti-virus. They're an outsider without a user account on the system. With proper security in place they aren't going to be allowed to connect, let alone gain the system-level access needed to determine what AV software's installed and whether it's running or not. On my network they wouldn't get past the border router, let alone into an actual PC. To enable your solution, you'd need to open exactly the kinds of security holes viruses and other malware exploit, and that's a very very bad idea indeed.
One difference: with Ethernet, duplication of MAC addresses causes a malfunction of the network itself. Prefixes are assigned to companies for a technical purpose: to insure no two companies ever manufacture cards that share an address. The USB vendor ID isn't used for addressing, so as long as the device correctly implements the capabilities it advertises itself as implementing (which aren't tied to vendor ID) there should be no hardware-level malfunctions. Apple's trying to use the vendor ID merely to block sync with devices that would otherwise be technically perfectly capable of correctly syncing with iTunes. IMO it's Apple's right to try that, but nobody else is obliged to go along with them.
I'd note that vendor impersonation has a long history. Microsoft themselves do it, Internet Explorer to this day claims to be Mozilla in it's user-agent string, and this was done with the deliberate intention of fooling Web servers into thinking it was actually Netscape.
Actually I'd like to be treated like the plumber. Nobody thinks the plumber broke their pipes (well, not unless he installed them in the first place), but they do know that he's the one who can fix them. And they know that if they try and be a cheapskate and not pay him his full rate, or if they stand there haranguing him about how bad a job he's doing, he'll pack up his toolkit and wave good-bye, leaving them standing there ankle-deep in... stuff they'd rather not think about, and their only option will be to call another plumber who'll have just as little tolerance for their games as the first one. Because the plumber knows that, no matter how important you think you are, there's always somebody else with a stopped-up sink who won't be such a pain.
That and both the customer and the plumber know that if the customer takes the plumber into court and complains about how the plumber didn't tell him he shouldn't dump tons of cut hair and congealed grease and crud down the drain and the plumber should've done something to keep that from causing a clog, the judge will fall out of his chair lauging, then dismiss the case with prejudice. And probably order the customer to pay the plumber's legal bills too, just to teach them not to file frivolous complaints.
I don't know about you, but if a bank suddenly sent me 1,300 account's financial information, and then sent me an email telling me not to open it, I would be sending an email, calling, writing a letter, anything, because if something happens later to any of those accounts, I'm going to be one of the first people looked at.
If it were me, I wouldn't be doing any of those things. That's because I'd've deleted the initial e-mail without reading it. An e-mail purporting to be from a bank I've never done business with is either a) an advertisement I'm not interested in, b) a phishing attempt I don't want to even look at let alone respond to, or c) information I don't need and don't want. Regardless of which it is, I've no need and no reason to even look at it, so into the bit bucket it goes. And why not? I'm under no obligation to read random correspondence someone else wants to send me, just like I'm under no obligation to read that wad of advertising flyers that show up in my mailbox every day.
Hmm, I just realized. IIRC AT&T (like most phone companies) offers a premium-rate-call blocking service themselves. One that you have to pay for, if they're like the others I'm familiar with. Google's blocking makes it unnecessary to pay for AT&T's blocking. I suspect that's why AT&T's upset.
No. The US only has the 800/888 numbers (called party pays), there's no special area code reserved for premium-rate numbers.
One major difference between what Google's doing and what AT&;T would like to do: AT&T wants to block/limit something the user wants to do and that they are doing deliberately, when the blocking benefits AT&T and negatively affects the user. Google is blocking something the user doesn't know (before they get the bill, at least) would happen and didn't ask for, and the blocking benefits the user (by keeping them from being unwittingly charged a large sum of money) and not Google. The whole reason those rural numbers are used, after all, is specifically because they can charge high rates without it being apparent from the number that the charges are going to be any higher than normal. They're used to deceive callers into thinking the call's a regular one and not one that'll be charged at a premium rate. Blocking that deception is, IMO, just ever so slightly different from keeping a user from using a service they want to use.
You wouldn't need to scan the computer. Just watch for the network traffic signature of malware (eg. open ports known to belong to malware that respond to the appropriate malware's protocol when probed, or open ports belonging to a Web server serving up malware). My ISP already scans for open ports as a regular security precaution. As for opt-out, no. The people who are the most problem are exactly the ones who'd opt out instead of fixing the problem (because in their mind the problem isn't the malware, it's the ISP complaining to them about it, and opting out fixes their idea of the problem by making the ISP stop complaining at them).
Mostly I change to proprietary apps reluctantly, because those apps support a proprietary format or system that's not available to open-source and that I have to deal with and can't just ignore. I rarely change by choice, it's usually forced on me.
My reason for being reluctant to change: yes, open-source apps are complex, sometimes awkward to configure, often not as polished as the proprietary apps. Yes, it's often painful and annoying to get them working. But I can usually get them working and doing what I need. Proprietary apps more often tend to make the easy stuff easy and painless (as long as you're doing it the app vendor's way), and make everything else simply impossible. Open-source you tend to have to deal with a hodge-podge of sources of disorganized information. Proprietary apps you have to deal with a vendor support line who have no clue how their app works and can only answer questions we already have the answers to from the manuals. And with open-source if there's a bug I can usually fix it. Vendor software, well, take Oracle for an example (please, preferably to another planet). Our open-issue list with them, counting only serious and up, is into the 4 digits and growing. Average open time for our tickets is the high side of a year. The last time I tried to get them to fix a bug, it was about a problem with their connection pooling. It simply wouldn't work, and it would lock up the database servers (not the client, not just one server, the entire cluster of servers). I managed to reduce the bug to a single-page test program in plain C that reproduced the problem 100% of the time and needed nothing but the IBM compiler, libc and Oracle's tools and libraries. It took 8 months to convince Oracle to even compile and try that simple test case, they kept asking for it to be simplified. When they finally did compile and run it, within 24 hours we got back "Oh, yeah, we know all about that one. It's in all our current versions. We're planning on fixing it in our next major release, you just have to upgrade to it. No, we're not planning on fixing any of the prior releases.". Wonderful. Thanks loads. Really. And that's it, we're done. It doesn't matter how major the problem is or how important it is to get it fixed, there are no further avenues we can pursue.
Attributed to an old test pilot: "Come on. My job is to get in an airplane that's never flown before, of a design that's never flown before, usually with lots of parts that've never been used in an airplane before, and go up and find out what it's performance limits are, usually by going past them. This is not an inherently safe activity.". I think most astronauts would agree with that sentiment. They know it's a risky activity, and they're there because they want to be there doing this strongly enough to outweigh the inherent risks. They'd probably rather not take stupid and unnecessary risks, but if it's a choice between taking the risks and never seeing space, well, to quote from Leslie Fish, "And before you take my dream / I will see you in Hell.".
I always thought one neccesary exception to the wiretap statute is: if you aren't permitted to preserve evidence against legal action, then the other party isn't permitted to refer to that evidence in any way either. And I mean "any way" in the fullest sense.
How about, instead of applying penalties, we change the approach? Right now the problem is that once the anonymous poster's identity is known, the original case is dropped and there's no way to force the plaintiff to file a new one naming an actual defendant. Instead, how about we not have the John Doe case dropped and a new one filed? It's, after all, the same defendant in both cases, the only difference is that in the second we know their name. So, file the John Doe case and make the case for having grounds to identify the defendant. Once the defendant's identity is known the case is amended to include their actual name, but since it's the same defendant no new case needs to be or is filed. If the defendant's responded, it now becomes much harder for the plaintiff to drop the case without the defendant agreeing to it and the plaintiff probably having to pay the defendant's legal bills.
CCP also noted that the accounts they dumped were also responsible for a lot of credit-card fraud which CCP had to foot the bill for. So they didn't forfeit 2% of their profits, they forfeited 2% of their profits minus the costs of the credit-card fraud associated with those accounts. The penalties (both in direct costs for those transactions and in higher processing fees for all transactions) are steep, so it's entirely possible that the fraud costs exceeded the revenue from those accounts. In that case, CCP actually will turn a profit by terminating those accounts.
AT&T/Cingular already tried these terms with their cel-phone service. They failed.
Much of the problem with passwords is the number of entities who want them. Everybody you deal with wants you to create an account with them, which means one more password to deal with. I've got over a hundred passwords to various accounts in my records. Combine that with "strength" requirements that make them hard to remember and "security" policies that require changing them at (non-synchronized) intervals and you have a recipe for a migraine not all the Advil in the world can help. And many of those passwords aren't needed. Yes, I need a real account and password for my bank, or for E-Trade. No, I do not need an account and password for Amazon. Amazon doesn't need my username, they need me to be able to give them the credit-card details and shipping information for that purchase. Anything beyond that is for their convenience. If places that didn't need me to have an account didn't force me to maintain one, it'd make the password problem much more tractable.
Password strength requirements and mandatory-change intervals don't help, and do hurt. Strong passwords tend to be hard to remember in large numbers, and they're also hard to come up with. By forcing them to be changed regularly, you also all but force users to come up with passwords that aren't strong because they've run out of good ideas for strong ones. It also all but forces them to record them somewhere. Yes, one password isn't that hard to remember. But what did I say in the paragraph above? It's not just one password they have to remember, it's the dozens or hundreds that you and every other administrator out there require users to create and maintain. I'd much rather come up with one really strong password and be able to use it for a long period.
But it's vulnerable to guessing, you say Oh, really? Check your logs. When was the last time your systems were subject to a sophisticated attempt to guess passwords? I'm betting it's been years. Most attempts to guess passwords these days aren't attempts to break individual accounts, they try a few of the most obvious passwords across every user on the system looking for the couple who've left themselves open. Any password that meets even minimal strength requirements will be impervious to that sort of attack indefinitely. On top of that your system should be implementing lock-outs on repeated failed password attempts, and your IDS should be noticing the attempts from unusual (for that account) sources and blocking them. Let's face it, the most common attack users are subject to these days is the social-engineering attack designed to get them to give the attacker their password. And once the user's given the attacker their password, everything you've tried to do to keep attackers from guessing it becomes completely and utterly irrelevant.
As for writing passwords down, reality check here. At work my passwords are recorded in a locked drawer in my desk. Which is inside the secure doors, you can't get into that area without a keycard. The building's got 24/7 security on it too. If you don't work there, you're not likely to get anywhere near my password slip in the first place. And anyone who does get near it has already gotten physical access to every computer in the office. They don't need to break into desks and collect password slips, they can just install hardware keyloggers on the computers. Or reboot them from CDs or USB drives (changing BIOS settings if needed to allow it) and slide their malware straight into the OS image it and all the fancy AV software are inoperative. Or attach their own device to the network cables to sniff all the traffic for interesting things. In short, anyone in a position to read my written-down passwords is already smack in the middle of a target-rich environment and has a few hundred far more tempting things to go after before getting around to jimmying my desk drawer open, and the company's got far bigger problems to worry about.
Actually I think the problem would be the Google people who have authorized access to your data.
I don't see any definition of this "cookie" in the DNS RFCs. I don't see it in the SMTP RFCs, or Telnet, or FTP, or SNMP, or SSH, or in fact any Internet protocol except for HTTP. And I hate to have to tell Bell Canada this, but the majority of the Internet does not use HTTP for name resolution. It uses DNS, and interprets DNS responses including NXDOMAIN. So if they're going to implement an opt-out solution for DNS, it needs to work with DNS clients and not just with HTTP clients. Otherwise, they need to abandon DNS redirection and begin doing transparent proxying of HTTP instead.
Oh, and before you say "But everything uses the Web now!", riddle me this: what transport protocol does World of Warcraft use to communicate between the game and Blizzard? What protocol does Everquest use? Hint: it's not HTTP. Do you want to claim that World of Warcraft and Everquest have a negligible number of players?
If you have to add the word "technically", that's probably a red flag right there. It's like the little kid arguing "But I technically didn't take a cookie out of the cookie jar. I knocked it over and the cookies fell out on their own, I just picked one up after it wasn't inside the cookie jar anymore.".
Sharing as in file-sharing would be exactly the distribution right. You're making copies of the songs and distributing those copies to others, and that's exactly the basic right copyright law reserves to the author.
And yes, they could prove distribution to the public. They did, in fact. Not to mention that the defendant admitted it. Note that what's required for that proof is evidence that the defendant shared the files with someone (who can be an agent of the copyright holder, the authority of the recipient has zero to do with the authority of the distributor) and that it's reasonable that that wasn't the only person. It's the same standard of proof applied in the case of someone selling bootleg copies of books, no more and no less. And giving them away would be "other transfer of ownership", money doesn't need to be involved.
Remember what I said about technicalities. The judge is going to look at it and say "Making copies of an MP3 file and giving them away. Making photocopies of a book and giving them away. I don't see any significant difference between the first and the second. And don't try fast-talking me, son, I've had professionals try to flim-flam me and you ain't no professional. Either give me a solid, well-grounded legal argument that doesn't depend on tortured logic, or stop wasting my time.".
Let me ask you this: for books, for tapes, for magazines, for photographs, for phono records, for any other copyrighted material, is there a single shred of precedent in any court anywhere that making your own copies, without the authorization of the copyright owner, and handing them out on the street-corner to anyone who asks for one is not dissemination to the public? No money involved, merely bulk-quantity handing-out. If you're right, then somewhere you should be able to cite the case where a judge decided that. I just don't think you can.
That's the basic problem in this case: the defendant was in fact making and distributing copies of copyrighted works without authorization, and doing so well outside the bounds of any fair use. Copying works you already own for your own use is (or should be) fair use. Giving the occasional copy to a friend, maybe. But handing out copies in wholesale quantities to anybody who stops by your booth to ask (which is what P2P file sharing involves)? Not even. The lawyers know it, the judge knows it, the defendant knows it, and the average person knows it. And frankly I agree with the law on that point. Whether it's a book or an MP3, the author for a certain period gets to be the sole source for it. I don't agree with certain of the details, but in this case none of those areas were implicated. The only defense Joel Tenenbaum might have raised is "I had a geek set it up for me for my own use, I had no idea it was sharing those files with the world.". And even that's hurt by the fact that much of his library wasn't his own, wasn't anything he'd paid for. I've noticed that judges are like DMs: they don't like players who use technicalities to get away with breaking the rules, and they tend to find ways to use those same technicalities to make it so the players don't get away with it.
If the RIAA comes knocking, ask yourself three questions: "Am I downloading copyrighted songs without paying for them?", "Am I sharing copyrighted songs with the world?", and "Do I know full well I'm doing this?". If the answers to all three are "Yes.", then suck it up and pay the settlement. You can delay the inevitable, but they are going to win.
If all the music on your computer's rips of CDs, tapes etc. you own and you've only used P2P software for legal material, have a geek check your system. Even if you didn't intend to, if you use the software it may have started sharing more than you intended. If it turns out that's the case, don't try to hide it. It just makes you look guilty. Preserve the evidence (so the RIAA can't use the appearance of hiding something against you), shut down the sharing, and prepare the "I honestly didn't know it was happening." defense. It may not save you completely, but if you're otherwise clean it's likely to get the judge leaning in your favor.
If it turns out you've no illegal material on your systems and demonstrably weren't sharing anything out, then and only then do you haul out the big guns and go for a showdown with the RIAA.