A more important question would be: Did Limbaugh issue a correction once the report was published? If he did not, he is clearly trying to intentionally mislead his listeners. This is only slightly different from lying, and is deserving of harsh criticism.
Language changes with time. This particular word has changed meanings (or at least got a new meaning) in the English language. You don't have to like that fact, but bitching on slashdot isn't going to change that fact.
People in the industry are aware that "hack" used to mean "cleverly manipulate a device into doing something its designers did not intend." People also know that "wherefore" used to mean "why." In both cases, the original definitions no longer apply.
Language changes. You'll get over it. There are more important battles to fight.
This is not about full disclosure. This is responsible disclosure. Full disclosure would be if he went to bugtraq before contacting the vendor. Responsible disclosure is where a responsible security researcher goes to the vendor FIRST, and only goes to the public after the vendor has had a reasonable amount of time to fix the problem.
Responsible disclosure allows responsible companies to get a fix before a flaw is used maliciously, but the researchers still get credit. With responsible disclosure everyone wins except black hats.
Full disclosure benefits black hats more than it does anyone else.
I'm sorry that you were modded down as a troll, but you do have a valid point.
Yes, it seems far too many moderators don't know what "troll" means. It is truly a pity that the slashdot editors don't provide any incentive for metamoderation. Moderation was a good idea, but it is being badly executed here at slashdot.
contestants swilled free Cokes to keep themselves awake during the 24-hour, no-sleep phase of the competition
It is detestable that a contest sponsored by Microsoft would encourage such unhealthy behavior. It isn't surprising, though. I imagine Microsoft would love to train a generation of employees to sacrifice their health and youth for the company using such practices. By the time the increased incidence of heart and stress-related injuries would start hitting the company HMO budget, these jobs will have been outsourced to an even poorer part of the world.
And we were wrong to do it. Metric prefixes meant base 10 for "years and years and years" before people started trying to use them for base 2. In every industry, and part of the computer industry, metric prefixes mean base 10.
Why fight the rest of the world over this? Now that we have binary prefixes, let's use them! This idea that metric prefixes are base 10 in networking and base 2 in storage is embarrassingly inconsistent. Let binary prefixes mean binary, and let metric prefixes mean base 10! Just because we did it one way in the past doesn't mean it is the best way to do it now! This is engineering, not religion.
To see something and think "someone else may have created that" is not unique to humans. A beaver might speculate that some other beaver created a beaver dam. A person may speculate that some other person may have created the ground he's walking on. To conceive that something was created by something else, whether it is a beaver dam or the moon, is not some incredible feat of human psychology.
Keep Jesus out of science. It's just plain absurd.
I think Microsoft's main consideration with driver signing is stability, not security.
It is a lot easier and more reliable to test a driver for stability than it is to test it for security. There is so much crap hardware with flaky drivers floating around which causes stability problems that Windows has an undeservedly bad reputation for stability. Everyone blames Microsoft when they see a BSOD, but in many cases they should be blaming the manufacturer of their $10 SATA adapter.
I'm posting this from an Ubuntu box, so I'm no MS apologist. But Windows' reputation for being unstable is greatly exaggerated. Signed drivers may help correct this particular market perception.
You just claimed that people who don't believe in magic aren't really people! Do you hold the same bigoted views of people of other races and sexual orientations?
How did a half-wit like yourself learn how to use a computer?
I don't. Lots of people don't. Some have notions of multiple "creators." Where did you get this little nugget of "wisdom," some Dark Ages philosopher?
Lots of animals have abstraction. Bees can communicate complex navigational routes using sign language inside their hives. That's pretty clear abstraction.
"Humans are fundamentally different from other animals, because we can travel into space using only tools we built."
From a psychological view, this really could be nothing more than a very slight improvement in intelligence compared to other animals, not something fundamentally different.
What is with the obsession with tools? Plenty of animals use tools. Humans aren't unique in that respect.
There is a saying amongst psychologists that at some point, each must come up with a reason why humans are fundamentally different from the other animals, only for someone to eventually prove them wrong.
I covered myself with that "or existing law or case law requires it" bit.
Software contracts, like the GPL, state pretty much unambiguously that they aren't "sales" so "first sale" doesn't apply. The purchasing party agrees that it is not a sale when they sign the contract.
The legal case may not be clear-cut, but those are the rules everyone seems to play by in the industry. Sort of like MAD. It seems pretty likely that this de facto interpretation will eventually become official.
You are right that nothing is clear-cut in IP law. But if you do start selling student editions of Visio on eBay to non-students, Microsoft might give you the chance to test some of that law in court.
One communication channel which I think is interesting is Wikipedia. Even if your bug's stego is edited out, you can view it via the article's history.
If the target in question actually uses Wikipedia, this would be about as undetectable as it gets.
And yes, for retrieval, you use a power-boosted antenna to public wifi, bounce through a few countries, hit Tor and check the wiki page. Though, if your bug uses good stego on a high-traffic page, such secrecy may not be needed.
So you're saying that all of the software for sale by non-vendors on eBay is illegal?
In some cases. If you own the IP rights to something, that means all rights, including redistribution rights, are exclusively yours. Unless you specifically grant other people rights, or existing law or case law requires it (as is the case with books), nobody else has any rights to your IP whatsoever.
I'm not saying it's the ideal way to "promote science and the useful arts," but it is the law. Also, I am not a lawyer. This is not legal advice. This is only the impression I was left with after studying IP law a few years ago.
you would assume that anybody marketing a product to students must have never worked for a real company
No. That's not what I said. I said "probably not." There is a big difference between the words "must" and "probably."
If I own a license to use a software package, for instance, I'm fully able to sell that software license to somebody else.
Umm... No. Not unless that is in your contract. If, after verifying that your company has good security, I sell you software which connects to servers at MY company, you CAN NOT turn around and resell this software to some other company which has very very bad security. Doing so would put my company at considerable risk... something not factored in to the initial purchasing price.
If I sell HR software with a support contract to a company with 5 employees, that company can't resell it to a company with 25,000 employees. My costs due to supporting that number of people would easily blow the budget for that account.
Have you ever worked in a real company? Probably not, since the first example on your website is for "class notes."
Obviously, to be legal, I would have to delete any copies that I may have of the mp3 after I sell it.
To be legal? Which legal system is this? Intellectual Property is governed by different laws than physical property.
Personally, I would prefer the creation of some sort of "mass media" license which allows resale, and anything not under the mass media license would have to be negotiated face-to-face between the IP rights holder and the licensee. But no such law exists TODAY, so "to be legal," as you put it, one would have to follow existing IP law.
Perhaps some companies pay for the people, tools, and training necessary to detect a custom bug. Fewer yet may even send computers generating suspicious activity off to forensics for in-depth analysis.
Most say "We have anti-virus and IDS, and we hired a few people at $60k to look over the systems. We have done our due diligence, so our ass is covered if something bad happens." Such places will also have the occasional meeting with the agenda: "How can we cut costs at our security department so senior exec bonuses will be larger?"
Such companies have about 0% chance of ever finding a custom bug.
then you've shown that you're biased against that idea
I'm also biased against Santa Claus, the Easter Bunny, Compassionate Conservatism, and leprechauns. There is nothing wrong with being biased against stupid.
We don't know all the details of the Big Bang and of biogenesis. We do know that every scientific theory in the history of the world which involved imagining some sort of magical creature has turned out to be false. That's a pretty substantial track record to justify bias against magical nonexistent creatures.
Now, you can apologize for assuming that I didn't have a plan.
I did not make such an assumption. I stated that trashing the moderator pool without having a suggestion for improving it is being a jerk. This is still the case. You have such a suggestion, therefore you are not, necessarily, a jerk. It's funny how logic works out like that, isn't it?
You make that sound like it's some cool spy movie. It isn't. It's just plain illegal. Well paid, granted, but illegal. It's neither flashy (you can't even brag about your smooth moves!) nor in any way exciting.
Imagine you have some custom malware which is only in use in a few places in the world. There will be no anti-virus signature for it because it's custom. Now imagine it looks for certain words or phrases (such as "earnings") in Word or Excel documents and encodes the surrounding text into some covert, background-noise packet, like NTP or DNS. You have also programmed your bug to only phone home while the computer is in use, so you don't trigger any off-hour activity alarms.
You now know whether these companies will beat earnings estimates or not. You can sell short or buy on margin with 100% confidence on the days these companies release their earnings reports.
So, no, you can't brag or tell chicks at bars that you are a spy doing espionage. But you CAN brag that you are a "trader" and are up 600% YTD.
Most companies barely fund and train their security departments well enough to stop mass worms--the kind that screw up large numbers of computers and suck up noticeable amounts of resources. There is NO WAY they would find a bug that does not replicate and lives on only a single PC in the finance department. Even if they did, they would likely just reformat the thing and be done with it. No reason starting in on forensics! Time is money!
Also, there is no huge chunk of money missing from any individual person, so who is going to hunt you down? You've only stolen a fraction of a penny per share from thousands of oblivious shareholders.
When the rewards are so high and the risks are so low, you can bet that there are many less-ethical people out there who are willing to do it, and would enjoy every minute of it. For some people, it wouldn't take much work convincing themselves that they are no more crooks than the people they are stealing from.
What is your proposal for selecting these mythical moderators, who are experts on all subjects from physics to history? Now, what is your proposal for motivating them to actually moderate?
Speak up, or you demonstrate that you are merely an annoying little jerk.
The chances of an asteroid destroying ALL LIFE AS WE KNOW IT are very small. The chances of energy independence destroying ALL LIFE AS WE KNOW IT are 0.
Your priorities are wrong, Ruby. I bet you aren't even a real doctor.
Yes. You lose. Thanks for playing, nitwit.
Wow. So you are telling me I could short Fergie? Quick! Buy 100 PUTs on "Big Girls Don't Cry!"