Yes, a technical approach could solve this. But a full solution would involve a disruption of how things currently work, and would not settle down until Microsoft (always the last hold out on advancing to new technology) implemented it on their browser and time was provided to get the vast majority of browsers upgraded. I estimate this will take 6 to 9 years. In the mean time, a law to block abuses is handy.
Ultimately, the server side has to always double check this against the user record of polls voted. The convenience is in preventing it from making a server request in the first place. That would be the Javascript code blocking the vote, or changing the vote box. Or if the whole page is refetched, don't include it dynamically the next time. There's no need to transmit such a cookie.
Couldn't browsers be made "EU-compatible" and give users a settings checkbox that says (more or less) "I either don't care about cookies or I'm perfectly comfortable dealing with them on my own (either with plugins like CookieCuller or manually.) Bring 'em on!"? Or doesn't the new law allow that?
If done on a case by case... that is, site by site (site being a domain name or maybe a host name), then sure, I'd go along with this. Just give the user options like:
I consent to return of cookies from and to different hosts within the same domain, for any domain.
I consent to return of cookies from and to different hosts with the same domain, for this domain only.
I consent to return of cookies from and to the same host in any domain.
I consent to return of cookies from and to the same host in this domain only.
I consent to return of cookies from and to this host only.
I do not consent to return of cookies from and to this domain.
I do not consent to return of cookies from and to this host.
I don't know what a cookie is, you insensitive clod.
The browser would then present this prompt for every host for which consent has not yet been given or refused. A preferences menu should allow reviewing and changing all existing consents or refusals thereof.
If browsers did a better job of managing user information, such as cookies, consent of cookie transmission, user logins, etc, then we might not need so much of the weird stuff we get stuck with.
When browsers ask the user for the consent upon receipt of each new cookie, then I will believe you. So, should the law have addressed browser makers, to prohibit them from passing cookies to web sites without the consent of the user? Perhaps so.
2. Affiliate marketing... There are a lot of other sites with good information (a book review site comes to mind) that I enjoy. They all keep the site running by giving affiliate links to the products, say to a book on amazon. Kill that for them, and you kill their revenue.
Maybe you can explain why you think cookies is the only way to do this.
So, would you propose that the people running these sites force the customer to consent before they allow them to use their services?? No, that won't work because they can only make them accept to their cookie, not the one downstream they actually get paid on. People have been so scared from cookie FUD that they will deny %90 of the time, and STILL kill many sites because their revenue has dried up.
Maybe you can explain why the downstream site needs a cookie to accomplish affiliate marketing when other means, such as embedding a code in the URL, are available.
I think this law, if they have to make one, should be more specific and say what you CAN'T use cookies for.
Why? So you can make up new ways to abuse cookies?
AND btw, affiliate links would be fine if we could JUST identify the computer, we do not need to identify the individual.
That can actually be dangerous. The next person to come along might link to the same site, and they figure it must be the same person, and re-use their identifying info that first person voluntarily provided. I don't see how knowing that it is the same computer, but not the same individual, helps in marketing, when marketing is targeted to people. Computers don't (yet) make buying decisions.
Lack of cookies does NOT prevent ads. Lack of cookies does not prevent ads from being linked to an alternate site. Lack of cookies does not prevent your userid from being included in the URL that takes you to the other site if you click on the cookie. Lack of cookies does not prevent your userid from being included in the URL that fetches the ad image from the other site. So ads are not really hindered. What is hindered is weak minded developers that only learned one way to do things.
Maybe it's a bit harsh. But so are the abuses of cookies.
Cookies are used to keep a shopping cart. That out-law.com article spells that out. Cookies are used to track logins on forum sites. There might be an implied consent, there. But to be sure, just ask for consent when users register. Previously registered users would be directed to the consent request page once the next time they try to login. Explain that the consent is for the cookie used keep their login state. Explain that without consent, the login process cannot be completed and the user would be limited to the access level of a non-logged-in user.
Now, what else are cookies used for, that consent should not need to be given for?
That's what you get when you let some company, even one that claims to be free, safe, and secure, take over your computer. You've already been 0wn3d! Some of us have safe computers, safely configured, based on safe operating systems we compile ourselves, using safe compilers. The music and movie industries already know we won't be 0wn3d and so they've already counted us out of their target market (although they still lie to the government and pretend as though they tried to actually have us as part of their market). So we get our tunes and views elsewhere, from places that don't try to rape our computers.
"The nature of our business is both IT and media related and we are developing software solutions based on the Microsoft platform. "
"The nature of our business is to ignore all the users that use BSD, Linux, or Solaris, because we don't want their money. We only care about Windows users (and maybe some day, Mac users)."
There, fixed it for... them. And yea, I took that "solutions" buzzword out to help them not look so much like a bunch of clueless pinheads.
I have no interest in pirating. I am willing to pay for movies. I do know it takes money to make them.
However, if the movie industry has already counted me out of their market, then how is it that downloading the movie from a pirate location results in any loss of money on their part for my one download? Sure, I do know that there are people that are actually in the movie industry's target market who are trying to cheat the system and not pay, by using such piracy places. But do NOT assume that everyone is in the movie industry's target market (e.g. Windows users, and maybe Mac users). The rest of us (BSD users, Linux users, Solaris users, etc.) are not and the movie industry has made it very clear they don't want our money.
The same applies to people in other countries. If a service is NOT available in a given country, even if by another company or under another name, then this is AGAIN a case of the industry making it clear they do not want the money from a given market. if the content industry wants to make contracts specific by country, then THEY need to get those services running and functional in each and every country they want the market money from, and not act like cry babies about lost revenues from countries they didn't try to get those revenues from.
And this goes for the music industry, too. And that includes Spotify.
It requires their own client? Wow, that was brave of you. Does the Linux version come in both 32 bit and 64 bit versions? If I would have to run THEIR client, I'd want to do so ONLY on a SAFE computer (that rules out all of Windows and I don't have a Mac).
It's also a run-time environment. Let me know when you port (write) a {BSD,Linux} kernel FOR that environment. Then I will believe it to be serious enough for the kinds of applications the Go language may be targeted for.
What if I skipped over C++ for my stuff that needed OO? Actually, I am looking for a light-OO scripting language with a small footprint (not larger than bash itself, usable even in init code on embedded devices). Something like Javascript might do. But it needs to be a light weight implementation (speed isn't critical), and using reference counting instead of garbage collecting. I need it for standalone, but something that is intended for use embedded into applications can probably be used by making a simplistic host app that does nothing more than just run it.
According to the official site, "Go has... garbage collection". Is it mandatory? Or can its usage be avoided? One of the issues I have with GC is the wider footprint (and subsequent swapping activity) it imposes. There are situations where I want to avoid GC, but want something more than Plain Old C.
Just because more programming is done at a higher level, that does not rule out the benefits of adding certain useful advantages to lower level programming. There are many cases where avoiding the bloat (and that's what it comes across as in many of these cases) of higher level language systems. I program in both higher level and lower level, and make language choices based on the specific needs. I've yet to evaluate the language Go, so I can't say if it really adds the benefits I could use at the lower level. But for programming at the higher level, I find the choices are plenty (even though more come along all the time), and I often focus on what NOT to bother using at that level. Anyway, the point is, just because you might need something at a high level, don't expect everything new coming along to specifically be trying to address your high level needs.
... that too many developers and integrators will just use an SQL database by default without considering whether or not it is appropriate for the task. I see so many databases where there is little or no hint of any relationships even being involved. Some forums, for example, store postings in a database where the message content is a blob and it is indexed by a number. To get a post, look by number. While an SQL database can do this, so can many other database types. There's no complex relational searching with this; it's just basic indexing (with maybe a tree of index relationships). I'd sooner do this with a B-tree based filesystem.
No, six cents does not prove a damned thing. There might be code in there to flag "high transactions" for further checks. They KNOW their system is insecure and could put that in there to deal with the less common riskier cases. THIS is a test to see if people can steal more than a few cents. That's what counts. If a system would allow people to steal six cents every now and then, but had means to prevent theft beyond that, I would feel safe with it as a merchant. I want to know if it is possible to steal a major amount. This is a test to determine whether or not they have added that additional security for less common transaction.
Oh, I'm sure they will pounce on him like crazy. But that's part of why our legal system is broken. As long as he stops at the point where he proves it is possible to steal a significant amount of money, then it is Microsoft that has committed the crime, and the entire chain of executives that were involved in this should be hauled off to prison for several years for fraud (except those who were already known to be informing the government of this crime taking place).
Actually, it's a legitimate test. They may or may not have sanity checks and other security measures that are based on dollar amount. Testing at a few cents doesn't mean much (unless you do it at a high volume). Merchants won't care if they have been ripped off by a few cents a year (well, they might, but won't want to increase costs by a few dollars to address it). The test is to see if a large amount can work. Apparently it does if it finishes going through. If he gets a check for the amount and CAN cash it, the exploit works and the system is vulnerable. OTOH, if they catch this, even at a later date, and prevent the cash from being released, then maybe it is secure. The only way to PROVE that their system is vulnerable at an important level is to actually test it at that level. He should, of course, immediately surrender the cash back to whoever it came from to prove that his intentions are not to steal but to prove it is easy to steal.
If someone claims no one can get into their warehouse, and you just try the door and find it unlocked, who's fault is that? That's legally "breaking" (even if the door is not locked... entering would be next). But the claim is fraud if used in connection with telling people no one can get into the warehouse when it is clearly false. But the crime has to be done, at least in part, to prove the fraud. I just don't see opening the door as a moral crime (or even entering and taking things out as long as you don't keep them and just do this to prove the fraud). The fraud, however, is definitely a moral crime. We need to put (a lot) more CEOs in prison in this country (probably at least half of the Fortune 500 ones).
Make your report in dollars. Seriously, that's all that these people understand. Since you are a cost center, there's no profit to report. You report costs in dollars (computers purchased, maintenance performed, electricity used, etc), effectiveness in dollars (how this all affects the ability to provide the product or service to your customers or clients), and liability in dollars (the risks of failure due to insufficient spending on certain resources, such as better security, reliability, performance, etc). Lots of pretty, shaded, colorful, pie graphs will help.
What's REALLY sick is that this kind of activity, and many others that can result in infections, were well known YEARS BEFORE Fiola was persecuted. Yet on that basis, instead of the state being required to prove their case (they apparently got to assume he was the perp just because the computer he was using had the porn on it), he was required to prove that he was innocent. WE already knew this kind of thing is not just possible, but significant. But THEY didn't want to bother having to separate the real pedophiles from the innocent victims... or were just computer idiots (like the department he worked for that forced him to use an insecure computer).
We're supposed to have "presumed innocent until proven guilty" here in the USA. That would mean things like not being fired from your job. But Mr. Fiola was fired. He should at least get his job back. But since he was fired inappropriately, he should also get all the back pay. And that's in addition to being "made whole" by covering all his legal and health costs.
And the department he works for... should be required to switch everything to Linux.
Slashdot Mirror
Yes, a technical approach could solve this. But a full solution would involve a disruption of how things currently work, and would not settle down until Microsoft (always the last hold out on advancing to new technology) implemented it on their browser and time was provided to get the vast majority of browsers upgraded. I estimate this will take 6 to 9 years. In the mean time, a law to block abuses is handy.
Ultimately, the server side has to always double check this against the user record of polls voted. The convenience is in preventing it from making a server request in the first place. That would be the Javascript code blocking the vote, or changing the vote box. Or if the whole page is refetched, don't include it dynamically the next time. There's no need to transmit such a cookie.
Couldn't browsers be made "EU-compatible" and give users a settings checkbox that says (more or less) "I either don't care about cookies or I'm perfectly comfortable dealing with them on my own (either with plugins like CookieCuller or manually.) Bring 'em on!"? Or doesn't the new law allow that?
If done on a case by case ... that is, site by site (site being a domain name or maybe a host name), then sure, I'd go along with this. Just give the user options like:
The browser would then present this prompt for every host for which consent has not yet been given or refused. A preferences menu should allow reviewing and changing all existing consents or refusals thereof.
If browsers did a better job of managing user information, such as cookies, consent of cookie transmission, user logins, etc, then we might not need so much of the weird stuff we get stuck with.
When browsers ask the user for the consent upon receipt of each new cookie, then I will believe you. So, should the law have addressed browser makers, to prohibit them from passing cookies to web sites without the consent of the user? Perhaps so.
2. Affiliate marketing... There are a lot of other sites with good information (a book review site comes to mind) that I enjoy. They all keep the site running by giving affiliate links to the products, say to a book on amazon. Kill that for them, and you kill their revenue.
Maybe you can explain why you think cookies is the only way to do this.
So, would you propose that the people running these sites force the customer to consent before they allow them to use their services?? No, that won't work because they can only make them accept to their cookie, not the one downstream they actually get paid on. People have been so scared from cookie FUD that they will deny %90 of the time, and STILL kill many sites because their revenue has dried up.
Maybe you can explain why the downstream site needs a cookie to accomplish affiliate marketing when other means, such as embedding a code in the URL, are available.
I think this law, if they have to make one, should be more specific and say what you CAN'T use cookies for.
Why? So you can make up new ways to abuse cookies?
AND btw, affiliate links would be fine if we could JUST identify the computer, we do not need to identify the individual.
That can actually be dangerous. The next person to come along might link to the same site, and they figure it must be the same person, and re-use their identifying info that first person voluntarily provided. I don't see how knowing that it is the same computer, but not the same individual, helps in marketing, when marketing is targeted to people. Computers don't (yet) make buying decisions.
Lack of cookies does NOT prevent ads. Lack of cookies does not prevent ads from being linked to an alternate site. Lack of cookies does not prevent your userid from being included in the URL that takes you to the other site if you click on the cookie. Lack of cookies does not prevent your userid from being included in the URL that fetches the ad image from the other site. So ads are not really hindered. What is hindered is weak minded developers that only learned one way to do things.
Maybe it's a bit harsh. But so are the abuses of cookies.
Cookies are used to keep a shopping cart. That out-law.com article spells that out. Cookies are used to track logins on forum sites. There might be an implied consent, there. But to be sure, just ask for consent when users register. Previously registered users would be directed to the consent request page once the next time they try to login. Explain that the consent is for the cookie used keep their login state. Explain that without consent, the login process cannot be completed and the user would be limited to the access level of a non-logged-in user.
Now, what else are cookies used for, that consent should not need to be given for?
... shut down all movie theatres.
That works fine several days after the movie first comes out. Before then, you have to be early to get a better seat.
That's what you get when you let some company, even one that claims to be free, safe, and secure, take over your computer. You've already been 0wn3d! Some of us have safe computers, safely configured, based on safe operating systems we compile ourselves, using safe compilers. The music and movie industries already know we won't be 0wn3d and so they've already counted us out of their target market (although they still lie to the government and pretend as though they tried to actually have us as part of their market). So we get our tunes and views elsewhere, from places that don't try to rape our computers.
"The nature of our business is both IT and media related and we are developing software solutions based on the Microsoft platform. "
"The nature of our business is to ignore all the users that use BSD, Linux, or Solaris, because we don't want their money. We only care about Windows users (and maybe some day, Mac users)."
There, fixed it for ... them. And yea, I took that "solutions" buzzword out to help them not look so much like a bunch of clueless pinheads.
I have no interest in pirating. I am willing to pay for movies. I do know it takes money to make them.
However, if the movie industry has already counted me out of their market, then how is it that downloading the movie from a pirate location results in any loss of money on their part for my one download? Sure, I do know that there are people that are actually in the movie industry's target market who are trying to cheat the system and not pay, by using such piracy places. But do NOT assume that everyone is in the movie industry's target market (e.g. Windows users, and maybe Mac users). The rest of us (BSD users, Linux users, Solaris users, etc.) are not and the movie industry has made it very clear they don't want our money.
The same applies to people in other countries. If a service is NOT available in a given country, even if by another company or under another name, then this is AGAIN a case of the industry making it clear they do not want the money from a given market. if the content industry wants to make contracts specific by country, then THEY need to get those services running and functional in each and every country they want the market money from, and not act like cry babies about lost revenues from countries they didn't try to get those revenues from.
And this goes for the music industry, too. And that includes Spotify.
It requires their own client? Wow, that was brave of you. Does the Linux version come in both 32 bit and 64 bit versions? If I would have to run THEIR client, I'd want to do so ONLY on a SAFE computer (that rules out all of Windows and I don't have a Mac).
It's also a run-time environment. Let me know when you port (write) a {BSD,Linux} kernel FOR that environment. Then I will believe it to be serious enough for the kinds of applications the Go language may be targeted for.
What if I skipped over C++ for my stuff that needed OO? Actually, I am looking for a light-OO scripting language with a small footprint (not larger than bash itself, usable even in init code on embedded devices). Something like Javascript might do. But it needs to be a light weight implementation (speed isn't critical), and using reference counting instead of garbage collecting. I need it for standalone, but something that is intended for use embedded into applications can probably be used by making a simplistic host app that does nothing more than just run it.
Let me know when the BSD and Linux kernels are entirely written in that. Then I will start to consider thinking about it.
According to the official site, "Go has ... garbage collection". Is it mandatory? Or can its usage be avoided? One of the issues I have with GC is the wider footprint (and subsequent swapping activity) it imposes. There are situations where I want to avoid GC, but want something more than Plain Old C.
Just because more programming is done at a higher level, that does not rule out the benefits of adding certain useful advantages to lower level programming. There are many cases where avoiding the bloat (and that's what it comes across as in many of these cases) of higher level language systems. I program in both higher level and lower level, and make language choices based on the specific needs. I've yet to evaluate the language Go, so I can't say if it really adds the benefits I could use at the lower level. But for programming at the higher level, I find the choices are plenty (even though more come along all the time), and I often focus on what NOT to bother using at that level. Anyway, the point is, just because you might need something at a high level, don't expect everything new coming along to specifically be trying to address your high level needs.
... that too many developers and integrators will just use an SQL database by default without considering whether or not it is appropriate for the task. I see so many databases where there is little or no hint of any relationships even being involved. Some forums, for example, store postings in a database where the message content is a blob and it is indexed by a number. To get a post, look by number. While an SQL database can do this, so can many other database types. There's no complex relational searching with this; it's just basic indexing (with maybe a tree of index relationships). I'd sooner do this with a B-tree based filesystem.
... he would just hurry up and get it done so I don't have to see any more of that Fox News crap in the Google News searches any more.
No, six cents does not prove a damned thing. There might be code in there to flag "high transactions" for further checks. They KNOW their system is insecure and could put that in there to deal with the less common riskier cases. THIS is a test to see if people can steal more than a few cents. That's what counts. If a system would allow people to steal six cents every now and then, but had means to prevent theft beyond that, I would feel safe with it as a merchant. I want to know if it is possible to steal a major amount. This is a test to determine whether or not they have added that additional security for less common transaction.
Oh, I'm sure they will pounce on him like crazy. But that's part of why our legal system is broken. As long as he stops at the point where he proves it is possible to steal a significant amount of money, then it is Microsoft that has committed the crime, and the entire chain of executives that were involved in this should be hauled off to prison for several years for fraud (except those who were already known to be informing the government of this crime taking place).
Actually, it's a legitimate test. They may or may not have sanity checks and other security measures that are based on dollar amount. Testing at a few cents doesn't mean much (unless you do it at a high volume). Merchants won't care if they have been ripped off by a few cents a year (well, they might, but won't want to increase costs by a few dollars to address it). The test is to see if a large amount can work. Apparently it does if it finishes going through. If he gets a check for the amount and CAN cash it, the exploit works and the system is vulnerable. OTOH, if they catch this, even at a later date, and prevent the cash from being released, then maybe it is secure. The only way to PROVE that their system is vulnerable at an important level is to actually test it at that level. He should, of course, immediately surrender the cash back to whoever it came from to prove that his intentions are not to steal but to prove it is easy to steal.
If someone claims no one can get into their warehouse, and you just try the door and find it unlocked, who's fault is that? That's legally "breaking" (even if the door is not locked ... entering would be next). But the claim is fraud if used in connection with telling people no one can get into the warehouse when it is clearly false. But the crime has to be done, at least in part, to prove the fraud. I just don't see opening the door as a moral crime (or even entering and taking things out as long as you don't keep them and just do this to prove the fraud). The fraud, however, is definitely a moral crime. We need to put (a lot) more CEOs in prison in this country (probably at least half of the Fortune 500 ones).
Make your report in dollars. Seriously, that's all that these people understand. Since you are a cost center, there's no profit to report. You report costs in dollars (computers purchased, maintenance performed, electricity used, etc), effectiveness in dollars (how this all affects the ability to provide the product or service to your customers or clients), and liability in dollars (the risks of failure due to insufficient spending on certain resources, such as better security, reliability, performance, etc). Lots of pretty, shaded, colorful, pie graphs will help.
What's REALLY sick is that this kind of activity, and many others that can result in infections, were well known YEARS BEFORE Fiola was persecuted. Yet on that basis, instead of the state being required to prove their case (they apparently got to assume he was the perp just because the computer he was using had the porn on it), he was required to prove that he was innocent. WE already knew this kind of thing is not just possible, but significant. But THEY didn't want to bother having to separate the real pedophiles from the innocent victims ... or were just computer idiots (like the department he worked for that forced him to use an insecure computer).
We're supposed to have "presumed innocent until proven guilty" here in the USA. That would mean things like not being fired from your job. But Mr. Fiola was fired. He should at least get his job back. But since he was fired inappropriately, he should also get all the back pay. And that's in addition to being "made whole" by covering all his legal and health costs.
And the department he works for ... should be required to switch everything to Linux.