Exactly my point. High ethics, low morals - they'd do *anything* possible *within the rules of the system* to get their client the winning side of the case. Creative use of an ambiguity in a law is fine and dandy - actually *breaking* one is a big no-no.
Think - if they were immoral *and* unethical, we'd hear a lot more about lawyers doing things like evidence tampering and the like.
(For the AD&D fans out there - ethics is the lawful/chaotic angle, morals is the good/evil angle. Most lawyers are so lawful neutral (at least as far as their profession is concerned) it's sickening - they don't care at all about good/evil as long as the rules are followed...)
Hardly likely to make a First Amendment right to distribute trade secrets, there's plenty of case law for that. There's some wiggle room if an investigative journalist uncovers stuff that's potentially a major impact on public health/safety sort of issues - I doubt a judge would see "stuff will be on sale next week" as qualifying (now, if FatWallet had found evidence that next week's sale price was a "reasonable" price and BestBuy had colluded with other outlets to fix the prices $40 higher, *then* you'd have a case).
Or to comment on another current case, the *only* reason the people who are currently mirroring the Diebold documents have any legal standing *at all* is because they're claiming a "fair use" exemption based on the fact that said documents have information regarding the security of elections, which has a public-interest angle that far outweighs Diebold's copyright claims.
(IANAL, and I don't play one on TV)
Actually, the OP is correct - facts are not copyrightable. Copyright is however held on the *compilation* and upon the *embodiment* thereof.
17 USC 102 (b) says:
In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work
So finding out Mario Kart 64 will be on sale and then publicizing it isn't a violation of copyright as long as they don't infringe the artwork/etc of the original. This dog won't hunt.
Best Buy would be *much* better served by wandering over to 18 USC 1832 and arguing it's a trade secret:
http://www4.law.cornell.edu/uscode/18/1832.html
18 USC 1832 (a)(2) seems a slam dunk:
without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
This dog probably *can* hunt, and I admit no clue why Best Buy didn't pursue this unless they know of some reason why it would fall through in court. Best guess I can make is that there's some reason they can't make 1832(a) stick:
Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly -
FatWallet could probably make the case that since Best Buy is willing to sell the gear on sale, that no injury is incurred because people wait till the sale starts to buy it. If Best Buy is injured because people buy the box at $149, they shouldn't be lowering the price from $179.
The average lawyer has a *highly* developed sense of *ethics*. It's *morals* they're lacking. The average lawyer has absolutely no trouble doing something completely slimy and nasty - but will be offended if you even *hint* that he do so in a manner that doesn't follow all the proper procedures and forms.
Think about it - if there are lawyers involved in an adversarial encounter (as opposed to, for instance, a real estate sale where everybody WANTS the deal to happen), you are almost guaranteed that somebody is going to have something sleazy done to them. On the other hand, if a lawyer at the other end of your state breaks the rules (breaks attorney-client privilege, etc), it makes the news at YOUR end of the state.
Guess I'll have to buy the White Album again.
:)
(At least these bozos can't patent their format, you can see the prior art right there in the movie..
A co-worker has a band, and they've released like 8 or 9 albums. Last I asked him, the break-even point for CD's was a press run of only 500 or so. And once you have a good master, a second press run is a lot cheaper.
I think their biggest expense for their last album was studio time, even though they did it in a small local (downtown, in the evenings, upstairs from some store that closed at 5PM) studio.
Do all the virus/worm generated mail that I get counted against my 800M since it's sent to me, or against the poor Microsoft user who didn't patch their machine in time?
And does eliminating spam/virus email make a noticeable hit in the numbers, or is it not even counted?
Hmmm.. I dunno. Last time I was out with that crew, the table racked up like 4 pitchers of Guinness and 2 Cokes (on top of a fairly large food order). Of course, we didn't have any nerds in tow, so that might explain it.
The -test8 changelog is only stuff since -test7. If you're coming from a 2.4 series kernel, the link you want is:
http://www.codemonkey.org.uk/post-halloween-2.5.txt
In particular, *NOTE THAT YOU NEED NEW 'modutils' PACKAGES*. Failure to update these will mean 'insmod' and friends *will not work*.
Sounds good for *some* scenarios. Remember that getting the latest kernel version source automatically can suck if:
1) You don't have network connectivity (either currently, or don't plan to have it - a kiosk or similar?)
2) You're trying to build a system to match the OTHER 3,284 machines already in the server farm.
Also, especially in the embedded world, the build system may not be the target system. I certainly don't want to be saying 'make oldconfig bzImage modules' on a Zaurus......
The difference is that you can pre-schedule a system bounce to install a patch - it's easier to deal with when you know it will be 2:05AM Saturday night.
You rarely get that luxury with failing processors, unless it's an IBM z-Series that will spare out a processor for you and then call home for a replacement, or you have the HAL9000 reporting that the radio antenna will undergo critical failure within 72 hours.
Foundry has a specific product called that.
'big iron' has been a generic term for large enterprise-class systems ever since the DEC-10/20 and IBM S/360 processors 20-30 years ago. These days, it refers to boxes like IBM z-Series and Sun E15K boxes.
"What day-to-day operation aside from Han Reiser's "benchmark" wanking involves the creation and deletion of lots of files? A marathon pron run with mozilla creating image cache files, then you deleting them before anybody catches you?"
How about 'cd /usr/src/XFree86; make clean; make'? That's gonna remove/create shitloads of files in /usr/src, and /tmp is going to get beat on as well, even if you *do* compile with 'gcc -pipe'.
Crap. Crappity crappity crap.
My fault.
I totally botched the issue of vendor-backported patches. It's not an OSX-only issue - RedHat 8.0 has a nicely patched version that says 0.9.6b. I couldn't come up with a good way to fit instructions for RedHat, Debian, Suse, Solaris, AIX, Irix, Tru64, Solaris, *BSD, and whatever - all into a few lines. On the flip side, reading http://www.cert.org/advisories/CA-2003-26.html it seems that the CERT crew couldn't do it either - the 'Vendor Info' in Appendix A is over half the advisory.
And yes, OSX 10.2.8 includes a backport patch..
I'll bite.. Which SANS track would help *CODERS* (as opposed to system admins, DBAs, security officers, and the like)?
"Who the hell uses sendmail as the root user anyway? Please email me if you do so, so I could laugh at you."
1) The setuid bit was removed in Sendmail 8.12.0, but there's a lot of 8.9.3 and 8.10.x and 8.11.x versions still out in the field.
2) Note that you *can* use the 'RunAsUser' option so the sendmail that's listening on port 25 and running your queue and all that stuff doesn't run as root - but then a lot of things break. The most notable breakage is that .forward processing gets hosed (because once it's running as non-root, it can't set its UID to the recipient of the mail, so any programs/etc run out of .forward don't get run as the right userid....).
"Can someone give me an example of a compromise based on a weak password?"
If I had a dollar for every time we've had User A hack into User B's computer/mailbox/whatever because User A guessed that User B used their lover's name as a password...
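As an added example (not from the original post), here is the kind of acceptance check that catches exactly the guess described above: a partner's or pet's name, possibly leet-disguised or reversed, with a few digits tacked on. The profile, the password samples and the thresholds are all constructed for the demonstration.

```python
import re
import unicodedata

# Substitutions people use to "disguise" a name (p@ssw0rd style); undone before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})


def fold(text: str) -> str:
    """Lowercase and strip accents so 'Zoé', 'ZOE' and 'zoe' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in text if not unicodedata.combining(ch)).lower()


def personal_terms(profile: dict) -> list:
    """Tokens an acquaintance could guess: the user's own name, partner, pet, birth year."""
    terms = set()
    for value in profile.values():
        for token in re.split(r"[^a-z0-9]+", fold(str(value))):
            if len(token) >= 3:
                terms.add(token)
    return sorted(terms, key=len, reverse=True)  # longest first, so 'annemarie' beats 'anne'


def check_password(password: str, profile: dict, min_length: int = 12,
                   min_free_letters: int = 6):
    """Return (accepted, reason).

    Heuristic, not a strength meter: every personal term (and its reverse) is cut
    out of the password, both as typed and after undoing leet substitutions. If
    fewer than min_free_letters letters survive, the password is essentially
    "guessable word plus padding", which is what a guesser tries next, so reject it.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    plain = fold(password)
    for core in (plain, plain.translate(LEET)):
        matched = set()
        for term in personal_terms(profile):
            for candidate in (term, term[::-1]):
                if candidate in core:
                    core = core.replace(candidate, "")
                    matched.add(term)
        if matched and sum(ch.isalpha() for ch in core) < min_free_letters:
            return False, f"built around personal terms {sorted(matched)}"
    return True, "ok"


# Constructed sample profile for the demonstration; not a real person.
SAMPLE_PROFILE = {"name": "Alice Example", "partner": "Zoé",
                  "pet": "Snowball", "birth_year": "1985"}

if __name__ == "__main__":
    for pw in ("Zoe1985!", "Zoe_1985_love", "Sn0wb@ll!2024",
               "ecilA-ecilA-1985", "correct-horse-battery-staple"):
        print(f"{pw:30} {check_password(pw, SAMPLE_PROFILE)}")
```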
OK.. Speaking as one of the culprits here.. ;)
Those of you who patch regularly and often aren't the problem, or the target audience. Yes, the last Bind exploit was quite some time ago, and patched systems fixed it long ago. On the other hand, want to guess which there are more of out there, fully patched RedHat 9.0 boxes or unpatched RedHat 7.2 boxes?
One of the inputs into the ranking and selection criteria was how heavily exploited the holes were. And you know what? There's more sites being nailed *NOW* with the Apache Chunking hole than the most recent OpenSSH hole (Hint - which has more working exploits in the wild?)
To be blunt, we weren't targeting the admins that do a good job of keeping their systems tied down and up to date (THOSE guys can wander over to www.cisecurity.org (Yes, I'm a co-conspirator there too ;) and see how they do on the benchmarks). We were targeting the sites that are running 3 years behind because they don't have a clue where to start.
It's not a checklist for perfect security. It's a checklist of "If you don't have a clue and the boss only gave you 2 hours to get the box online, do at least this much so you have a fighting chance".
Nobody who helped make this list was particularly thrilled by the need to do it - every single one of us wished it wasn't necessary, either because systems were at least that secured out of the box, or because systems were hardened by people who had both the skill and time to do the job.
And yes, we're collectively ticked by the fact that it's so damned hard to retire items. On the other hand, it's instructive to go back and re-read the original Multics penetration study:
http://www.acsac.org/2002/papers/classic-multic
and then look at the author's 30-years-later retrospective:
http://www.acsac.org/2002/papers/classic-multic
Executive Summary: It hasn't gotten much better over 30 years. In fact, it sucks worse.
It's no different than most cable TV pricing schemes. You pay $20/mo, you get like 15 channels. You shell out $40, you get 60 channels. You shell out some more, they throw in premium movie channels. You want pay-per-view, you pay per view.
I don't see anybody complaining that their rights are being abused because ESPN and Showtime aren't in the bargain package....
How is this any different?
So you're complaining that they looked in *THE OPEN SHARES* to identify stuff?
That's like leaving the blinds open and complaining about peeping toms across the street.....
an upstanding organization like the RIAA *LIE* to us? Never.. No.. Say it ain't so.....
That's what the MPAA wants you to think.
Sure, it *says* it came from the Gaza Strip. Did you actually *verify* that? Or did you read the page, look at the WHOIS, and quit there, without doing a traceroute or anything like that?
And even if it really DID come from there, it isn't like Palestine is so removed from civilization that there's no way to get laundered money there from southern California....
The poster you replied to had it right, and you took a left turn.
info:palm/model/P80900US isn't a *LINK* to anything. It's a way of encoding "this is a Palm model P809.."
If you think about it as a way to standardize the syntax of meta-keywords to make them more searchable, you'll be closer to the intent...
DDC is an acronym for the Dewey Decimal System.
www.ddc.com is apparently a hostname.
info:ddc/22/eng//004.678 is talking about a *DEWEY DECIMAL SYSTEM* number, *NOT* a URL on a host.
Consider this:
info:temp/C/23
That's talking about a *temperature*, not a website called temp.
It's only dumb if you are thinking of using it for resolving actual Internet resources. In fact, if you actually *read* (gasp, shock) the draft, it's *really* about providing a *SYNTAX* so you can represent things like a Dewey Decimal number or a product number or the VIN of your car or....
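As an added illustration (not from the original post), a small parser that handles info: identifiers by the grammar of the info URI specification (RFC 4452, the published form of the draft under discussion) and shows that a generic URL parser finds no host in them; the sample URIs are the ones from the posts above, and the function and group names are mine.

```python
import re
from urllib.parse import unquote, urlsplit

# info-URI = "info:" namespace "/" identifier [ "#" fragment ]   (RFC 4452 grammar)
# namespace = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ); the identifier may contain "/".
_INFO_RE = re.compile(
    r"^info:(?P<ns>[A-Za-z][A-Za-z0-9+.-]*)/(?P<id>[^#]*)(?:#(?P<frag>.*))?$"
)


def is_info_uri(uri: str) -> bool:
    """True only for the 'info:namespace/identifier' shape; 'info://host/...' is not one."""
    return _INFO_RE.match(uri) is not None


def parse_info_uri(uri: str) -> dict:
    """Split an info: URI into its namespace, identifier segments and fragment.

    Raises ValueError for anything else. The namespace is case-insensitive and is
    lowercased; the identifier is returned as an ordered list of path segments
    (percent-decoded) because what they mean is up to the namespace owner, not
    this parser. Nothing here is a hostname and nothing is ever resolved.
    """
    m = _INFO_RE.match(uri)
    if m is None:
        raise ValueError(f"not an info: URI: {uri!r}")
    return {
        "namespace": m["ns"].lower(),
        "segments": [unquote(seg) for seg in m["id"].split("/")],
        "fragment": m["frag"],
    }


def looks_like_host(uri: str) -> bool:
    """Would a generic URL parser hand back a network location for this string?"""
    return bool(urlsplit(uri).netloc)


if __name__ == "__main__":
    for uri in ("info:ddc/22/eng//004.678", "info:temp/C/23", "info:palm/model/P80900US"):
        print(uri, "->", parse_info_uri(uri), "host?", looks_like_host(uri))
    # The misreading: treating ddc as a host. Not an info: URI, but it does carry a netloc.
    print(is_info_uri("info://www.ddc.com/22"), looks_like_host("info://www.ddc.com/22"))
```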