I'm also curious as to why only one sequel was done to Terminator, and "Alien" never really got much of a followup either.
Oh, well, at least they didn't turn Lord of the Rings into a movie series.
Joss Whedon...
So you're saying that the Jedi will now consist largely of beautiful women who dress like wild west characters and are able to change personalities at will?
What would this new series be called?
Dollfly Wars? Firewars House? Firedoll Wars? Flying Stardoll Firewars?
RIAA has lawyers on retainer. J. Thomas has to pay for them.
RIAA is attempting to financially destroy Ms. Thomas permanently and irretrievably.
It's stopped being about RIAA trying to extract any money from this case, and switched to them trying to make an example by bludgeoning Thomas with lawyers until she either declares bankruptcy or commits suicide. Faced with the overwhelming legal force that RIAA represents, they are probably hoping that other pirates will just cough up the few thousand dollars they usually ask for rather than face the complete and utter destruction of their personal and financial existence for sharing a couple of songs.
The type of manager who answers "Everything!" is going to take you to task for "wasting" so much time working up a timeline and prioritizing stuff. "That's time you could have spent PROGRAMMING!"
The first contract was a voluntary agreement. One which I did not have the opportunity to review before I broke the shrinkwrap and rendered the product unreturnable, but still one that I feel I entered into reasonably freely.
The remainder were conditional to receiving a benefit I had already bought and paid for, and the consequences of not agreeing to the new contracts were that my product would not receive updates and therefore become increasingly insecure.
I can understand the "fine, then don't update it", and I can understand the argument that updates are "added value". But I see them as part of what I purchased in the first place. Maybe I'm wrong in that point of view, but I slowly grew more and more uncomfortable with the additional conditions foisted upon me in return for those updates. With WGA, it reached the point where I had had enough.
And, by the way, I have complied with every one of Microsoft's agreements I have "agreed" to. It's just reached the point where I'm tired of "agreeing" to changes to the EULA.
I'm not going to pirate their product, and I'm not espousing that others do so. I don't even want a refund of my purchase price for XP. I feel I've gotten fair value out of it.
I just don't want to spend any more money on software sold by a company that has changed the conditions under which I can use previous purchases with them. If I go out and buy Windows 7, what's the guarantee that Microsoft won't change the EULA again to their favor?
Maybe you don't care, and that's certainly your right.
While I feel for your friend, I must point out that "sold it at a HUGE discount from other retailers" is a clear warning sign.
"HUGE" discounts almost always mean that the retailer has purchased a Microsoft site license and is reselling the activation code for fun and profit. When you buy one of these volume licenses, you have to sign a contract saying that you won't resell or sublet them and that they are strictly for the use of your own company. The retailer is now out of business probably because they got caught and shut down, or shut themselves down after milking the site license for all it was worth and are now doing business under a new name with a new license.
Alternatively, they found one of the site license activation codes on the Internet that some disgruntled employees post from time to time. Microsoft eventually detects those and disables them.
Your friend was robbed, but not by Microsoft. Microsoft is no more liable for that than Chevy would be if your friend ended up buying a "previously stolen" Camaro, or Rolex would be if your friend bought hers from a guy in a trench coat at a street corner. Just because the packaging LOOKS genuine doesn't mean it is.
I sincerely hope this was not a terribly expensive lesson for her.
I agree, to a point. However, I don't believe all of the "we can change everything we want to" was in the original Windows XP EULA. It got added in with the various service packs, etc., that were included in the purchase price of the original software. So the only EULA I feel I "chose to accept" is the original one on my XP CD. I was coerced into agreeing to the others in order to get updates that I was told I already had the right to. I'd agree with you fully if I had had the opportunity to accept or deny the new EULA in return for something new.
Oblig. car analogy: "Now that you've had your car for 5 years and it's paid for, we've decided to reduce your 10-year warranty to a 5-year warranty, which has now just expired. If you want your 10-year warranty back, you have to allow us to install this box that monitors to make sure the car hasn't been loaned to anyone else without our consent, and if we think it has we can deny you warranty service, and the "Check Engine" light will light up every time you start the car and warn you that your car is no longer genuine."
But, you're right - Microsoft does business the way they do business, and it's pretty clear that they are unapologetic about these sorts of one-sided contract changes. They've got you by the short-and-curlies, and that's just the sort of behavior they are known for now.
I also agree with your solution. I switched to Linux Mint, largely in response to the underhanded tactics that crammed WGA on my computer without my knowledge or consent. It took a while to migrate everything I do over to Linux, but it's done now, and I can happily say that my household is now 100% Microsoft-free.
"RIP one Microsoft Customer, starting with MS-DOS 3.0, ending with Windows XP+WGA".
I'm also only one customer, and I fully realize that Microsoft doesn't give a flying shit about my stance. It's OK, the feeling is now happily mutual.
So if you and a bunch of other travelers want to take spare batteries, get a REALLY large suitcase and stuff it with batteries. You just might reach the mass necessary to get an exemption. You may have to buy batteries specifically to meet this minimum weight. :)
http://www.microsoft.com/technet/security/advisory/980088.mspx
When in doubt, go to the source. Microsoft has a pretty decent write-up on this one. I don't know who taranfx.com is, but the only accurate bits of information in their article are what they cut-and-pasted from the Microsoft site. The rest is, umm, "fanciful". Sorry, I gotta call 'em like I see 'em.
Oh, one other useful bit from their site... that everyone should stop using IE. Now.
I'd also add to only run a browser that has something like NoScript available. Javascript is just chock full of vulnerabilities of its own. Any time you allow strangers to run code on your computer, you are just asking for trouble.
But by now that goes without saying, and I've already said it until I'm blue in the face, and I've given up. Don Quixote is cut out for that sort of thing, I'm not.
If you use IE in Vista or Seven, turn protected mode on. If you use IE on XP, load the file:// protocol fix outlined at Microsoft's site. Hopefully Microsoft will come out with a fix soon. Load it. Immediately.
This may not be a serious vulnerability, but the vector will surely be used for more serious ones real soon as the black-hatted assholes figure out how to read your file index and get a list of files to choose from.
With Google Latitude, you'd be able to tag your hippies and keep better track of them. :)
If you're running AdBlock, click on the blacklist for that site. In my case, it's literally the first time I've seen that AdBlock has a mechanism for handling more blocked scripts than my screen can display.
If you're not running AdBlock, and you value your privacy at all, don't read the article.
6 Doubleclick cookies, a Quantserve pixel, cookies AND a pixel image from 2o7, more scripts from more companies than I care to count.
"My God! It's full of crap!"
#1 - Store loyalty cards? GET RID OF THEM.
A few friends and I used to rotate our Kroger cards randomly about once a week. We were all from different walks of life, so I can imagine what Kroger thought after a while. "One week: 5 packs of Ramen and a 24-banger of Bud. Next week: Filet, salmon, fresh vegetables, and a couple $30 bottle of wine. Next week: Weight Watchers Meals and 'Vitamin Water'. WTF?"
No, the security advisory should have put "read-only" access as one of the mitigators. I'm frankly surprised it isn't, since that's a pretty severe mitigating factor. Most of the files you'd really want a copy of (Quicken, Money, etc) are located in the harder-to-predict user folders, and the files you can find easily would only be useful if you could alter them.
They strongly imply that the attacker has the same level of access to the files that the local user does, which when you read the actual attack methodology just ain't so.
The attacker only has access to files that the local user has access to (this is not an access escalation attack), but the actual method used to get the file looks like it couldn't be used to put anything back.
Still and all, there is a workaround for XP users that I'd strongly suggest looking at, and Vista and Seven users should be running in Protected Mode.
Right, but they are all running Windows 7.
My company runs XP, and provides IE6 by default. So did my last two companies. Not that I use IE for anything but the Intranet, but most people still use it for all their browsing needs.
Actually, in Windows XP, it's C:\Documents and Settings\(username)\My Documents. That's true whether you are on a domain or not. So that is certainly a mitigating factor even back in XP, because a remote attacker is unlikely to know (username).
However, that's not the case on some machines. The default install from most manufacturers is one preinstalled user, who is Admin, with a default username set by the manufacturer. Dell uses "Default" for this, last I knew. So a lot of people are still vulnerable to this. And the most vulnerable to it are going to be the ones who know the least about how to prevent it.
They get their Dell, never see a login, are never aware that their username on the machine is "Default", are never aware that Internet Explorer is not the only web browser or why they should take the trouble to switch, and they use the preinstalled Quicken or MS Money to do their checkbooks. C:\Documents and Settings\Default\My Documents\Quicken\Quicken.qw (or whatever the default filename and extension is for saved Quicken files) would probably get a readable result from around 1% of machines out there, at a guess.
Actually, the security advisory describes the attack, and while the remote attacker would have access to any file the local user does, it does not appear the file could be altered, just copied or examined. The security bulletin never lays this out in uncertain terms, but the description of the actual process looks like a read-only one.
Given that Windows usually stores important stuff in c:\Documents and Settings\(username)\blahblah, the remote attacker would have to know (username) before they could get to the juicy stuff. And that's just not all that practical in a remote attack scenario. Most of the truly known paths just don't contain a lot of common filenames that are unique and contain important data.
Still, Protected mode in Vista and above protects you, and the bulletin shows a workaround for Windows XP (set the file:// protocol so it can't run ActiveX even locally).
And there's always a better browser, which would be defined pretty much as anything without ActiveX. But that's a given.
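A defender-side audit of the mitigating factors the two comments above weigh (a predictable profile name such as "Default", an always-admin user, and IE Protected Mode on Vista and later), written as an added PowerShell example that is not from this thread or from Microsoft's advisory. The zone registry path, the meaning of value "2500" (0 = Protected Mode on, 3 = off) and the NT 6.0-or-later check are assumptions, not facts the page states.

```powershell
# Added example, not code from the thread or from Microsoft's advisory.
# Assumptions (not taken from the page): IE per-zone settings live under
# HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>,
# value name "2500" is "Turn on Protected Mode" (0 = on, 3 = off), and
# Protected Mode only exists on Windows Vista (NT 6.0) and later.

$zoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Vendor-preinstalled account names a remote page could guess; "Default" is the
# only one the thread names, so it is the only one listed here.
$predictableNames = @('Default')

function Test-PredictableProfile {
    $name = $env:USERNAME
    [pscustomobject]@{
        Check  = 'Predictable profile name'
        Value  = "C:\Documents and Settings\$name\..."   # XP profile layout the comments describe
        AtRisk = ($predictableNames -contains $name)
    }
}

function Test-AdminUser {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{ Check = 'Logged-on user is Administrator'; Value = $identity.Name; AtRisk = $isAdmin }
}

function Test-ProtectedMode {
    $os = [Environment]::OSVersion.Version
    if ($os.Major -lt 6) {
        # XP: no Protected Mode at all. The remaining options are the advisory's
        # file:// workaround or a browser without ActiveX, as the comments say.
        return [pscustomobject]@{ Check = 'IE Protected Mode'; Value = "Not available on NT $os"; AtRisk = $true }
    }
    foreach ($z in 1..4) {
        $key = Join-Path $zoneRoot $z
        $v   = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        $state = if ($null -eq $v) { 'not set' } elseif ($v -eq 0) { 'on' } elseif ($v -eq 3) { 'off' } else { "unknown ($v)" }
        # Untrusted pages land in the Internet and Restricted zones; flag those if Protected Mode is not on.
        [pscustomobject]@{
            Check  = "IE Protected Mode, $($zoneNames[$z]) zone"
            Value  = $state
            AtRisk = ($z -ge 3 -and $state -ne 'on')
        }
    }
}

$results = @(Test-PredictableProfile; Test-AdminUser; Test-ProtectedMode)
$results | Format-Table -AutoSize
if ($results | Where-Object AtRisk) {
    Write-Warning 'At least one of the mitigating factors discussed above is missing on this machine.'
}
```

Run it in the account that actually browses the web, since the zone settings are per-user (HKCU) and the profile-name check reads that account's name.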
Update: There is now a discussion on the article that covers this very topic. Someone theorized that the USPTO received blank pages (meaning that "upside down" meant "back to front").
The author's reply:
According to the people involved, that is not the case. The page was simply put in bottom side first. Otherwise, the response would have been that the received fax was blank.
Not in this case. Someone theorized that to the author of the original article in the discussion section there, and the author said:
According to the people involved, that is not the case. The page was simply put in bottom side first. Otherwise, the response would have been that the received fax was blank.
+(X) good idea.
(X) is as close as I can get to rendering the infinity symbol in a normal character set.
How would they differentiate that from just receiving a blank page (or a transmission error, or their own machine running out of toner or ink if it's a paper FAX machine)?
Wouldn't the correct reply simply be "we got a blank page, so there's nothing to file, please resend"?
I don't think I've ever seen a signature that is so perfectly apropos to the subject of the post before. :)
Then wouldn't the reason be "we received a blank page"?
I'm supposed to feel outrage because a government office wants to save our tax money by requiring people (lawyers) too stupid to use a fax machine to correct their own mistakes?
How is this saving our tax money?
Option 1:
- Find the form letter that says the original FAX was sent upside down (call that 30 seconds if it happens a lot).
- Fill out the details of the recipient and get the recipient's FAX number (1-2 minutes).
- FAX out a copy to the recipient (1 minute).
- Fill out the rejection paperwork (assuming a few minutes).
- Eventually receive the replacement document.
- File paperwork.
Option 2:
- Hit fucking "page rotate". Twice if it's only capable of 90 degrees at a time. On a DOS-based 286SX with 4MB RAM and FAXManager, that used to take me about 5 seconds per keypress, so I expect whatever the USPTO is running might be a tad faster. If not, they are looking at ten seconds, tops.
- File paperwork.
If this is true (and I hope to [insert deity here] that this is just a joke), the government office is not saving tax money, they are wasting it. They are wasting several minutes of their time, and phone charges to send the replacement FAX out. Assuming it's all electronic, they are also wasting storage space to store the image of the rejected application and the audit trail including the image of their return FAX. Assuming it's paper, they are wasting paper and filing space.
While you're there, flush all the toilets at the same time. It'll put the entire patent office in a state of higgldy-piggldy (*).
(*) "higgldy-piggldy" means "a big mess"
- Milo
That explains it. I had submitted a process patent describing "the use of the 'rotate image' key as it relates to images that are the result of translation from a Facsimile transmission". I thought it was unique and innovative since no one uses FAX any more, but it was rejected. Similarly, my "application of human digits to vertically reorient sheets of paper that come out of a Facsimile machine in an undesired orientation" was also rejected.
My transmission must have been routed via Australia.