I'm confused - Google Wave is something you have to specifically sign up for, not opt in to. And up until today you've had to ask someone for an invitation to join.
Or are you confusing it with Google Buzz?
A few of mine tried. After a couple hundred messages, you have to type each character and wait a second or two before you can type the next one.
I finally gave up when it started taking me more than a minute to type a short sentence. I started longing for the incredible speed of BBSes and my old 300-baud modem.
If you are running systems so close that running Aero has an actual practical effect, then you are running underpowered servers.
Personally, I don't think that a server needs a video card with DirectX 3D support, a hardware pixel shader, 32 bits per pixel, etc. If you really, honestly need a GUI to administer a server, a much simpler VGA card will suffice, and will have much more stable drivers.
Once you start turning on 3D effects, you will send a lot more data over the stream for your remote desktop. Maybe not enough to affect your network, but it certainly adds complexity to the whole process.
You have to make decisions for your own servers. Given that Aero has already had published vulnerabilities that are not present in "Classic", of which this is just another one, I personally feel it's foolish in the extreme to load Aero on to a server.
It may be "nice", but it does not appear to enable an admin to do anything that non-Aero could do just as well, it just looks prettier. And adds complexity (points of possible failure and vulnerabilities).
Having a GUI is a logical tradeoff for a less-experienced admin to be able to manage a server. Fine. Making that GUI more complex doesn't add anything to that capability, it just makes it prettier. And makes the system more vulnerable to failure and attack.
This vulnerability was found in Aero, not in a video driver.
Vulnerabilities have been found in X before, and fixed. This is no different.
Not sure where the anger comes from, but you might consider a nice hot cup of tea and a short break. Cheers.
I can see that. Perhaps you are a small business and you don't want to train your network admins on CLI tools, so they use the "easier" (read: "requires less training") GUI rather than the faster CLI. Fair enough, not everyone can afford fully-trained network engineers to manage a few small in-house servers.
But, seriously, Aero? Even the least experienced network admin doesn't need to enable Aero to administer the server. It's a waste of CPU and memory resources for something that (hopefully) you spend a few minutes a week on. If you insist on using a GUI to administer your servers, fine, but at least make it the simplest GUI you can use to get your job done.
As GP said, the simpler your interface, the less likely there is to be an exploitable security flaw in it. The more complex you make your remote access capabilities, the more likely it is that someone else can find a vector in to them.
SFTP/SSH exchanges very little data and has very few possible attack vectors. "Classic" GUI has a few more attack vectors and possible failures and exchanges a lot more data, but it adds simplicity for those not comfy with the CLI, so there's a logical trade-off there.
Aero adds a lot more traffic, a lot more complexity, a lot more potential vectors for both failure AND attack, and does not make the GUI any more functional for administrative tasks.
Now, if you're using Server 2008 on your desktop as your daily machine, and you like sexy GUI, OK, I can see Aero being enabled. But there's no reason to enable Aero on an actual server.
They were specifying the years in dotBeats, or whatever in the hell they called those things.
But, hopefully, by the time we ever need it, the copyrights will be expired.
We can only hope Disney goes out of business soon so content created in the later half of last century will be freed by the middle of next century.
Agreed, it's not uncrackable. Nothing is. Physical access to the hardware means that, eventually, you can crack it. The only real goal is to make it take long enough as to be (hopefully) impractical.
The point is, though, that even if you manage to keep it from wiping itself, it's still a damned hard nut to crack once it's locked. An 8-character password with at least one numeric (which is what my company requires - I think they can get even more complex if you're truly paranoid, and the minimum password field is two digits) is still going to take some time.
I've also never seen a Blackberry opened up - I honestly don't know how hard it would be to make a bitwise copy of the memory, or what safeguards might be in place to make that more difficult. I'm sure if RIM was cooperating with the investigation they could help bypass any physical blocks that might be in place, though.
In that case, no one named "Dave" should ever buy an iPhone. Ever.
My Blackberry locks itself after 15 minutes of non-use. The key to decrypt the data on the phone is itself encrypted by the password (8 characters minimum) that I use to unlock the phone. Screw that password up ten times and the phone wipes. It also locks itself on power-up.
About the only real option would be to have someone press a button on the phone every 10 minutes (assuming it's not already locked when taken), which would be a real trick when the thing is in a Faraday cage or bag.
The very same things that make the Blackberry and newer iPhones attractive to businesses (and Government agencies, for that matter) are what make it undesirable from a forensics point of view. These things are designed so they can be configured to be extremely paranoid, and are very tough to crack.
And therein lies the problem. If you allow your citizens their own security, you can't see everything they do, and that makes it harder to catch the wrongdoers. If you want absolute information to catch wrongdoers, perhaps a democratic republic with constitutional protection of its citizens is not for you.
You've always had multitasking and background processes of stuff Apple writes into the OS. It's third-party apps that don't allow multitasking.
Plus, if the phone is being wiped, I don't think any other processes are going to be running. :)
The trouble is in aggregated data.
Let's say I run a website. If you visit my site and you don't enter any personally-identifiable data, I don't know who you are. But I do see your browser signature which I can store along with your IP address (which will at least usually identify your ISP) and if you haven't blocked it I can also use doubleclick or googleanalytics to get your unique cookie ID. I can freely sell that information to anyone I damned well please because there's no personally identifiable information in it. Data aggregators pay decent sums to collect that data.
Then, if you visit another site, they can buy the aggregate data on your visits and see what other sites you visit.
Eventually, you're going to buy something. That seller (if they are honest and have a decent privacy policy) will not sell your name. But they have it, and they have your entire browsing history. And they add the fact that "user 918470293487 purchased a XYZ-model digital camera at 8PM on the 15th for $X, after spending 4 hours on the site reviewing other models, looking at 245 reviews, focusing mostly on negative reviews, marking three of them as helpful, two of them as unhelpful, and asking the following questions on the user forums."
That is now part of your aggregate data. Do a search for "check engine light" and your car dealer knows something is wrong with your car, because they are collecting aggregate data and know who you are.
I went ahead and drank my coffee instead, which (if I do it before I cave in to the muffin man) is a sufficient appetite suppressant to get me through to my mid-morning snack of a couple of ounces of almonds, walnuts, sunflower seeds, and sesame sticks (also known as my "lunchtime workout fuel"). :)
While I agree the numbers are just averages, I would also suggest losing weight to those numbers, at least for a short time, to see if they are right for you.
I used to be extremely overweight, and lost a lot of it over a couple of years about 6 years ago. I'm still a tad over, but getting there slowly.
Every few months, I'd reach what I called a "plateau". I stopped losing weight, my appetite went up, and my energy levels dropped. The first time, I thought my body was trying to tell me that I was at a good weight, and I backed off a little, but after a while my body adjusted to the new weight and I found I could lose weight again and feel even better. Then I'd hit another plateau.
The closer I get to my healthy weight, the longer and more pronounced these plateaus get. Especially once my BMI fell below 30 (out of the "obese" range). My last plateau has been about a year long (and I actually put on about ten pounds), but I'm starting to feel that I'm ready to drop another level.
There are precious few people who would be at anything approaching a "healthy" weight if they are in the "obese" BMI range. "Overweight", yes, there will be a decent number, but they are going to be somewhat rare and probably not exactly the kind of people who watch their BMI (cyclists who can do 50-100 miles at a stretch, serious hikers, competitive 5K+ runners, etc).
But don't forget that these are averages, and much as we'd all like to think otherwise, the vast majority of us fit quite nicely into the averages. Some need a bit more weight, some need a bit less, but the ranges are already pretty wide and accommodate a very large percentage of the population.
This is not to say that a BMI chart should override advice from your doctor, only that BMI charts are a reasonably valid measurement for an extremely high percentage of the population, and very few people are exceptions to it.
Your timing is perfect. I was just pondering whether to go down to the cafeteria for a morning muffin as a snack. Although everything you say is true and I already knew it, the timing of reading your post suddenly made me not so hungry for my muffin.
Thank you.
My point was that the Wii is a shade of grey. It's another vector to get people started on the path to fitness, or at least up off their asses from time to time.
Hey,
- outrun your friends, you lose weight and lower the chance of getting a heart attack.
- get caught by the rottie, you die of dog-attack injuries, not of a heart attack.
About the only downside is if you die of a heart attack in panic from running from the dog, and the dog'll eat the evidence.
So no matter how you slice it, this is a win-win for the AHA.
The AHA statement sounds more like "we've tried getting people off their asses and doing exercise other ways, and people haven't done it. What the hell, it's worth a shot."
I'm sure the $1.5M will come in handy too.
You're right, and wrong.
Mr. Richardson is well and truly dead at this point, so you're absolutely right there. He died in Feb 2009, so even if the family complies immediately, he's been dead for well over a year, and decomposition of the brain tissue pretty much assures that nothing short of cloning is likely to bring him back.
However, Mr. Richardson didn't sue the family (he's dead, remember?). Alcor Life Extension did. They sued probably primarily to get a precedent on file. That way, when this happens next time, they can get a quick judgment and get control of the patient's head quickly enough to freeze it before the damage becomes as severe as Mr. Richardson's is.
Not that I think cryogenically freezing the head, or even the entire body, stands a chance in hell of bringing someone back, but with the rise in population we'll no doubt need more spare organs in the future, and I for one don't mind having people put their bodies on ice at their own expense. More spare parts to go around.
Is that in Imperial or Metric?
First, I was making a broader statement than this specific one. The chances you will have to deal with the results of some stranger doing something evil with your connection are inversely proportional to the amount of effort you put into securing it from strangers.
Note I didn't say "chance of prosecution", only "chance of being caught having someone you don't know doing evil with your connection". The actual consequences may vary from "we couldn't prove it was you, so you're free" to "we couldn't prove it was you, but we'll only take ignorance as a defense once - secure your WiFi now" to the German "we won't hold you liable for the actions, only for providing the tools - secure your WiFi or face another fine" to "we'll let you off if you help us identify the real perp" to "you are utterly responsible for anything done on your connection."
I'm not trying to judge the merits of any of the above statutes, only state that you have to worry about them less if you put more effort into prevention. The harder you make your network to crack, the harder it will be for someone to crack it, and the less likely it is that someone can use your network for evil.
If you have a WPA2/AES network encrypted with a RADIUS rotating key and implement a secondary proprietary level of encryption, filter MAC addresses and encrypt their exchange, and set up an automated rail gun that points to any other device outside of your control and shoots it, then you probably won't ever have to deal with someone doing something bad on your network. ;)
Let's not forget the important side effect - if you leave your access point completely open (even with SSID turned off, and even to a lesser extent with an inferior encryption like WAP) any passerby can capture and interpret any unencrypted data you send over that wireless LAN.
Your bank passwords are safe, those should be using SSL. But if you print your taxes on your wireless printer, surf regular web sites, or check your webmail, or even check your regular email, that information is transmitted to any receiver in range. And if it's unencrypted, anyone can intercept it and keep a copy.
Do you share folders from computer to computer? Open WLAN means that anyone can search for and find them, and take any contents they want.
So there are far more important reasons to secure your LAN than the possibility of liability from some third party's actions. Those third parties could screw with you directly.
I know, and agree. I was going for +5 funny. No one was more surprised than myself to see an "insightful" tag on there. :)
More than you can afford. I know my fairy tales, and "The Goose That Lays The Golden Eggs" shall remain unharmed. :)
OK, I see that argument. I even agree with it. But then where does that leave liability for people who actually do wrong?
Obviously this discussion has to set aside the Terms of Service of most ISPs that prohibit you from sharing your connection anyway, but that's a contractual matter and not a legal one.
If you allow anyone to use your WiFi, and someone uses it for something bad, the only name on record as controlling the connection is you. How are the authorities going to find the person who actually did it?
It does add a whole new problem of people being punished for their generosity, and that sucks, but these are some of the things we need to work out. And they aren't strictly analogous to anything we do today, so analogies to the existing law fall apart really fast.
Couldn't the pirates sue them for unauthorized use of their code?