I read an article commenting that the length of time that fertilized eggs can exist in vitro before they're inserted into the uterus is lengthening. The same article mentioned that the amount a child can be prematurely born and still saved is lengthening. It then asked the question: What happens when these two things meet?
Would it be ethical to have children (made) and not undergo pregnancy?
One idea was that if this were common, egg/sperm freezing and sterilization might be a typical approach to contraception.
Would this approach be acceptable to the religions that bar current contraceptive practices (i.e. Catholicism)?
Actually, whether you profit from it or not doesn't have any bearing on the legal implications. It may have a goodwill impact on the willingness of the infringed to sue, but from a legal standpoint, it doesn't matter. Making copies and giving them away is just as illegal as making copies and selling them.
The question, I think, is how fair use applies in this joint-ownership scenario. Can something in joint ownership be copied in order to be distributed to all its owners? As far as I know, this is legally untested. All the cases I've seen quoted on /. have been about either customers (quite irrelevant) or agents of the company (employees), not about shareholders themselves.
For example, Mp3.com beam-it doesn't apply, because the people involved aren't shareholders. The Xerox or whatever landmark case doesn't apply because the people involved were employees (scientists), and did not own the documents. In this case, the people involved own the licenses in question. This isn't like MS software licenses, because (assuming for a moment the EULA is enforceable) the license specifically states that it is only able to be used on a single computer. There are no such stipulations on music CDs.
Mp3.com failed in court not because they were trying to make money from copies (though you could argue that that's the real motivation behind the RIAA lawsuit), they lost in court because they created an illegal public database of music. Which is bunk, in my opinion, but they didn't ask me.
As I understand it, it is the company charter that determines what shareholders have access to, and what information is strictly reserved for members of the board and their designators. There are restrictions by the SEC on public companies of course as pertains to financials, but otherwise it's up to your charter.
So, if your charter is "everything is available to all shareholders" or somesuch, then it works. I think you can bet that this isn't how the charter for RIAA members reads.
Isn't the difference in your example that the scientists were employed by the company, rather than owners of the company?
I don't think there have been cases where the 'sharers' of the work in question have been solely shareholders. If the company pays for a journal article, and determines that it will allow all shareholders to access it, is that fair use, since they are all part owners of the document?
Two points, the first is that I think implying that no subterfuge would exist in the world with as-ubiquitous-as-we-can-make-it surveillance you describe is being a little too optimistic. Are the monitoring systems able to tell the difference between hiking in the woods and visiting your meth lab in the woods?
Setting that aside for a moment, consider that our current laws should not be enforced in every situation. Every person breaks laws daily, be it accidentally speeding, jaywalking because it's 2am and nobody's coming for miles, or not reporting the $20 you sold your couch for.
This is all currently handled with selective enforcement. Which sounds like a bad thing, and to some degree, it is. Selective enforcement opens the door to harassment. IDs checked more often for the racial group not in power. Jaywalking tickets for people dressed like a political group, this sort of thing. And as I said before, this behavior is magnified a thousand times with unhindered surveillance.
The alternative to selective enforcement is to adapt the legal code. This is a tempting approach as a programmer, I want to just fix the bugs that are in the system, and have done with it. Obviously, though, the problem is that this creates a legal code that is a nightmare to understand and maintain. Laws are already complex enough to allow multiple interpretations by a reasonable person. More laws don't fix that problem.
In the end, you may have less subterfuge (can't hide in your basement). However, that subterfuge will be replaced with corruption. It all starts with this kind of conversation: "Jaywalking's not a big problem, hey I can overlook that. Thanks for the donut last week, by the way..."
The system you describe still rewards the better liar, "It was just a donut, just an unrelated favor from a friend...", and the clandestine criminal. The amount of crime won't change, but the amount of protection that enemies of the state receive is reduced nearly to zero. Unless, of course, they lie as well. Which makes them seem like criminals, of course.
Assume that the police can do so without damaging anything of yours, disrupting your evening, or broadcasting your secrets to the neighborhood--essentially, doing so without having any impact on your life whatsoever, save for being caught if you're committing crimes.
The problem I have with it is the exclusivity of the last part, "save for being caught if you're committing crimes". I don't think that can ever be the only outcome of this surveillance.
Knowledge of 'questionable' activities can lead to harassing follow-up searches and actions. Owning a hookah, for example. Is that a novelty tobacco device, or drug paraphernalia? Or, to hit a little closer to you and I, attending a religious seminar that turned out to be further right than expected.
Once the humans interpreting this data have formed an opinion about the people in question, their attitudes and behaviors in the future will be changed. You still haven't broken (and may well never break) the law, but the way that you're treated is significantly different.
Add to that the old adage that if you look hard enough, you're guaranteed to find something illegal, and you have a gigantic possibility for harassment.
The danger I'm talking about so far is just from the human nature of the investigators. If you imagine a situation where the powers in question have another reason to dislike you (you favor the legalization of a currently illegal act, or the reinterpretation of some law*) and you're in harassment city.
This could certainly be considered a 'chilling effect' in many discussions. Say, for example, the discussion of the competence or even corruption of the chief of police.
I think so long as people are running it, it all leads to too much power, too much danger.
-Zipwow
* for the record, I'm *not* talking about marijuana (or not just marijuana, anyway). Most of us /.ers have pretty liberal views on intellectual property, etc to fall into that category.
Wow, that's a heck of a good point about the mountains. My first response was that making the base there would be a pain, but then I thought..
A platform hanging in the air by BALLOONS?
Yeah. Building on a mountaintop shouldn't be so rough. You'd want to be sure you didn't pick an active volcano though. Boom!
Actually, that's a bizarre thought. Can we maybe harness volcanic pressure to launch things into space? Sounds nuts, but it's gotta be right up there with a launching platform suspended by balloons.
I keep thinking of this comic by Phil Foglio called "Girl Genius", it's kind of a steampunk sort of thing. Science is kind of like magic, and some people have a sort of magic that lets them make all sorts of strange things. This generally results in them losing their grip on reality.
Amongst myself and my friends, "Event Horizon" is the yardstick by which we measure bad movies. We went in expecting a sci-fi film, but too soon realized it was a horror/ unwitting comedy.
"We need something to latch onto.."
"Hey! There's the communications module!" *kerunch*
I can understand filling the detaching 'tunnel' with exploding bolts. But actual explosives? And who was the idiot who said, "And hey, wouldn't it be handy if they were portable, and had their own timers?"
*shudders*
Mission to Mars is right up there too, but I like to think a lot of that plot is cleared up if you imagine NASA people sitting in a board room saying,
"Hey, the last ones we sent all died. I don't want to lose another good crew in that big tomb"
"Yeah. What if we sent Jimbo's team?"
"Who? Oh them. Yeah, we can lose them, let's do it."
Kind of like "Astronauts Like Us" who never met up with the real crew.
The article mentions that NASA was investigating it, but the inventor wouldn't allow them to pursue it when they refused to sign an NDA.
I'm guessing the actual temperature on the material would differ slightly based on friction (or its coefficient of friction? I'm not a physicist), so it's possible that the plastic still wasn't feasible for some reason. Then again, I'm told most of the heat is from ram pressure, so friction may not make a lot of difference.
Another explanation could be that the starlite plastic doesn't handle the extreme cold of space.
Or, NASA refused to sign the NDA because they thought he was a crackpot. Their view is somewhat supported by the site's claim that Maurice Ward is no longer interested in his revolutionary material, having given it up for harness horse-racing.
Okay, I was mostly responding to the "I'm not doing anything wrong, search all you like" sentiment. However, the whole "flying is optional, so the government can restrict it as much as they'd like" argument (which I'm generalizing your statements to) is an interesting, and as you point out, a more on-topic, one.
Flying, like driving, is pretty far from being a right, and there are certainly cases where people should be restricted from doing both. However, I wouldn't go so far as to say that it's a completely optional service. Neither is driving, for that matter. Try living in rural Montana without a car and having anything resembling a modern lifestyle.
Still, the government shouldn't be allowed to come into just any activity, even if it's optional, and demand that you relinquish great swaths of your rights in order to perform it. To take it to ridiculous extremes, you don't *have* to buy groceries, you're "free" to grow them yourself, but that sure impinges on your lifestyle (and 'pursuit of happiness', maybe?) And with flying, you're effectively saying that if you pursue a certain set of jobs, you must give up these rights while flying.
We tolerate it to some degree with flying already because of safety concerns. One point many people make is that most of these rights violations (illegal search and seizure) don't actually get you an increased level of safety.
To be clear, there's a difference between a privately hired person scanning your stuff (which I think is fine, btw) and the government entity generating a giant database of your traveling habits.
I guess your latest post did only mention x-ray devices. If that's all the further this stuff went, I'd probably agree that it's fine.
To be completely on-topic, I don't have a fundamental problem with this device, provided it's used in some way that doesn't show me naked. That's not so much a 'rights' issue as it is a "I don't want to be naked to anybody" issue.
Well, this is all just rambling without a direct point, I think I'll end it here.
If it's so dangerous to fly now, maybe it's time to invest in infrastructure and establish a real high-speed rail system, and not something built on a gravel berm that's insufficient for 40mph freight trains either. For an industrial nation, we have a crap rail system. Don't believe me? Get up from your computer and go take a look at it. It sucks.
A-freakin'-men.
Rail systems wouldn't even be that much slower, if you consider how much easier it is to load and unload trains. (think: parallel in many cars rather than serial through the front door hatch). I think trains can even be automated as well. That takes a little more blasé attitude, but when you're doing 120 in a 5000 ton machine, you measure braking distance in miles.
And, they can be much less polluting than the jet-powered monstrosities we have now.
Granted, it won't get you over the ocean, but it should do real well between San Fran, LA, and Vegas.
Are you kidding? You want them to schedule times for searches for criminal activities that don't "conflict with your schedule"?
Searching interferes. Your list of things that starts with "push, confiscate, pick my locks, " and ends with "be a dick" points that out pretty well. This kind of surveillance leads pretty directly to harassment. If the police perceive you as a lawbreaker (which is likely if they're watching your house), then finding reasons to arrest or fine you are easy enough when they have access to every action you make.
Did you sign your wife's check to deposit it so rent won't bounce? That's fraud. Got in a fight and threw something? Could be spousal abuse. Talked about driving home in a hurry? Oops, that's reckless endangerment. Got mad and said the president should keel over and die? Ah-ha! The highest of thoughtcrime. Nevermind the privacy invasion of your more intimate moments. If having that violated, having committed no crime, please let me know your address, I could use the extra money a webcam could bring in.
At the end of the day, the best recommendation is: Don't give up your rights.
"Do I want airline security to make damn sure no one is bringing a bomb or gun on board? Hell Yes!"
If that's what they accomplished, that'd be great. The problem with all this "airline security" junk is that it doesn't make you any safer. Glass is still allowed on the flight, which can be easily made pointy enough to hold flight attendants hostage and demand cockpit access. Another poster has images of things easily smuggled through.
The one thing that might make airline safer today is the attitude of the passengers. Before the trade center attacks, I think most people felt that they should sit back, stay calm, and let the negotiators take care of it. Now the feeling I get from people is that if you're being hijacked, it is worth attempting to resist.
"I'm sure many Slashdotters can think of many hazardous materials that wouldn't show up in an X-ray machine."
And can you not also think of ways to hide them? C-4 doesn't have to be stamped into bricks with the letters "C-4" on the side.
I think there's also the perception that looking for a library to do what you need isn't work, while writing a solution is.
If you've solved it by finding a library that does it, but it took you a while to find the right library and figure it out, you may find yourself in the hole. Your dept manager may ask "Why aren't you finished? You didn't have to write that component..." and be unhappy with the (accurate) reply of "Well, no, but it took me a while to evaluate the libraries available..."
I'm blessed to be avoiding these at my current position though, so I'm thankful.
Aside from the fact that ad hominem is the first tactic of the defeated, I'll respond to your questions...
You said that they "broke into the client" which is just stupid.
I can see where you're confused. Reverse engineering the client is legal (EULA notwithstanding). Using that information (and I'm guessing, some other information as well) to wreak havoc on the server, disrupting the service for thousands, is quite illegal.
If you honestly think that hiding the protocols to access admin features means UbiSoft has fulfilled their responsibility for security then, quite frankly, you are an idiot.
First, you're making some assumptions that aren't warranted by the situation. Namely, that accessing the admin feature required one only to use the right protocols. While this may be the case, I suspect that the attackers also used some novel approach to circumvent the authentication scheme.
Even if this suspicion proves to be false, UBISoft has, in a legal sense, fulfilled their security obligation. As I've said before, entering an unlocked door can still be trespassing. For reference, see 'unlocked door' mentions on these sites:
Now, I'll grant that security through obscurity is stupid from a "protect your goods and data" point of view, but that's not what we're talking about. We're talking about the law, and the law says that it only has to be obvious that the area is private. They don't have to build three foot thick barriers to keep you out.
Newsflash: If someone emails you and says, "By the way, your admin ports are hanging out and anybody can connect in if they figure it out" shit hits the fan.
But the fan doesn't stop spinning. Which is my point. Every time you get a message that someone's found a new vulnerability in apache, you don't shut down the box while the fix is being coded. Heck, the security community in general doesn't even disclose the vulnerability until a fix is available, unless the company in question has just ignored it.
Had it been an email notification, the same process would have likely taken place.
You keep saying this, but haven't responded to my assertions that:
* the rollbacks would not be needed
* the update can be written without taking the servers down
* the patch can be applied during the normal update cycle, which is not during prime time
* support personnel are not inundated with requests
I think these points adequately prove that there is a large difference between the attack and a friendly email.
You also think that these people have value.
Now you've made the point that I've been alluding to in earlier questions about why you think the things you do. I absolutely think these people have value. I think all people have value. You seem to have some grudge against either this particular activity or against the notion of entertainment in general. Perhaps you are one of the sort of people who view any server connected to the internet as just another obstacle and personal playground, rather than someone else's property providing a service to a community of people. Something seems to prevent you from seeing these people as important, and the servers as private.
They are paying for entertainment, so why do they bitch if they get to live the same experience again? If it was so much fun the first time, they'll do it better the second time.
Enjoying doing something is not the same as doing it over. See software development and home improvement projects.
They only mucked around on one server.
How do you know this? How would UBISoft know this? They only caused mass devastation on one server, who knows what they did on the rest? Or were about to do? When someone breaks one system on your c
Show me where it's illegal to reverse engineer software. Only technological copyright protection devices have this protection.
I've never said it's illegal to reverse engineer software. It's not illegal to own lockpicks, either. Breaking into buildings, though. That's illegal. With or without lockpicks. In fact, you don't even have to lock the doors. All you have to do is make it clear that it is private property, and that the general public is not invited. I think by hiding the protocols to access these features, and calling them 'admin features', UBISoft has fulfilled this requirement.
Why would this be different if someone had sent them an email detailing how to do the attack and saying that it is possible other people know about it?
The fix for this problem can be written with the servers still running. Access to these functions can be monitored, possibly controlled at a firewall level. The installation of the patch can occur during normal weekly maintenance cycles, which take place during periods of low usage.
FAR less disruptive than a loss of eight hours of primetime, and the cost of support overtime.
You don't wait when you know there is a gaping security hole, you fix it then.
Somewhat true. Your first fix won't be the only fix, nor will it be the ultimate fix. Typically you'll disable the feature that has the problem (specifically in this case, remote access to the admin features), and then begin working on the fix, which may take weeks.
That said, your first response to finding a gaping security hole isn't to bring down the system, either. You say to yourself, "Ah, okay. I'll watch for that then, while I work on fixing it."
If someone steals my car,...
This analogy has nothing to do with this situation, because I'm not talking about damage to UBISoft for the most part, and we're talking about a service interruption, not a material theft.
No court will ever find that this attacker is directly responsible for more than the actual damage he caused directly. You are trying to blame him for indirect damage, and life doesn't work that way.
You keep saying this, but it doesn't get any more true. Explain how interruption of a service I pay for isn't clearly damage?
I've refuted every argument you've made:
The actions by the attackers were illegal (possibly we agreed on this from the beginning). There was damage done (interruption of a paid service).
The damage was a direct result of the attacker's actions (rollbacks necessary, monitoring not a viable approach, etc).
The damage was avoidable (if not by the attackers simply refusing to break the law, then by other approaches to the problem)
The time taken to fix the result of the attacks is independent of the time to fix the original bug. (reverting servers, answering support calls, etc).
A significant amount of people were harmed (more than 10,000).
You have never answered the question of why these people should not be punished (or deserve only extremely light punishment) for disrupting the service of thousands of people. Even by your own convoluted logic, the people on the attacked servers (at least a thousand of them) had their service disrupted for several hours. You have never explained why the time of these people is valueless, or why it is acceptable for the attackers to waste their time and disrupt their activities.
While I admit, that I'd be upset if I spent time building a character only to have it destroyed by another player. However, if this is "outlawed", there will be no bad guys, and no fun. Who wants to play against the computer all the time -- that defeats the purpose of online gaming.
These laws aren't meant to restrict the way the game works itself, but rather the consequences from out-of-game actions.
For example, if I killed your character and stole your stuff according to the rules of the game, I'd be fine. If, however, I used some exploit or hacked into the game server, or committed some fraud to destroy that character and your items, then you'd be talking about a crime.
At least, that's how I read the originating articles.
Providing that functionality to begin with is the problem. The fact that any client, not just those provided by UbiSoft (Think of employee, vs someone walking in off the street) could do this given the proper knowledge (where the door is located.)
Are you, again, arguing that the attackers didn't have to break the code to do this? Whether the code "should" or "should not" contain this ability is pretty irrelevant.
Give each person the thirty cents, big fucking deal. Only give those people who were affected by the malicious client refunds, because that is the only damage caused by the perpetrator.
15,000 people could not play the game for eight hours. That interruption was a direct result of the attack. That interruption time does *not* include time to fix the original vulnerability, but only to clean up the problems caused by the attackers.
Again with the math, but 15,000 people times even 30 cents is $4500, a felony offense worth of damages.
My statement is that because this service is provided without uptime guarantee, nor do people pay per hour/minute but by month, there is no valid way to calculate actual damages.
Just because services are provided without uptime guarantees (no refunds on rainout games, for example) doesn't mean that disrupting them for other reasons isn't damage.
Furthermore, the EULA probably states that downtime will happen for reasons like software, hardware, and network maintenance. I doubt it lists malicious attackers.
You cannot include any damages done by UbiSoft having to patch their servers and services. Because had someone notified them via email it would still have the same outcome.
Ubisoft didn't spend that eight hours coding up a fix, testing it, and installing it. They spent that eight hours rolling back servers, changing firewall settings, banning users, and dealing with support calls. None of those things would have had to have been done had the attackers taken the 'friendly email' approach. Hence, all that time, that expense and effort is a direct result of the attack.
The work to actually fix the problem probably still needs to be done. This is akin to wedging closed a door with a broken latch. The latch still needs to be fixed.
Here's a nice little point-by-point rebuttal for you:
* The only people directly affected were those on the server when the perpetrator exploited the system.
This is false. All services were interrupted. All users were affected. Interruption to all services was a direct result of the attack. All servers needed to be reset, as the extent of the attack was not verifiable.
* UbiSoft is liable for their services, including patches. Therefore, any patches or rollbacks are on the shoulders of UbiSoft. There is nothing directly correlating responsibility for UbiSoft patching its services and servers and the exploitation. Just because they became aware of it at that time, doesn't matter.
This is false. UBISoft is not 'liable' for anything. They are responsible for their services. Had this attack not happened, no rollbacks would have been needed, no additional downtime would have occurred. The fix would have been installed during their next maintenance cycle.
The attack caused additional downtime. Additional downtime is damage to the players.
* There is minimal damage, less than $500. For the actual amount of damage caused, it would cost more to use the court space to persecute. Excluding costs of law enforcement officials.
This is false. There is significant damage, more than $4000. The crime committed affected thousands of people. The perpetrators deserve punishment.
You read these points, and read them carefully. If you actually understand them, you'll understand that the attackers committed a serious crime, affecting thousands of people worldwide. This is certainly a punishable offense.
No, it's completely in sync with property. If a business doesn't have any locks on its doors, and someone breaks in (by merely opening the door and walking in) and spreads toilet paper all over the place, the doors would then have locks installed. That's all I'm saying.
If a business doesn't have any locks on its doors, and someone breaks in (by merely opening the door and walking in) and spreads toilet paper all over the place, the doors would then have locks installed.
Your analogy breaks down immediately. UBISoft clearly had locks on the doors. Not including the functionality in the client to begin with constitutes locks on the doors.
So, in your example, the building has a rather wimpy security system, say cheap locks. This is probably a stupid choice on their part, but that doesn't really affect the legality or morality of the situation. Then, someone breaks in and trashes the place. I can't think of an analogy for 15,000 people not being able to play a game that they subscribe to, but I think you can see the point from here.
Maybe the business should've invested in a night guard, but that doesn't make it legal to break the cheap locks.
This is wrong, and this is why I listed my point twice. 15,000 people were affected by a bug in UbiSoft's system. 1,200 people (or 3,000 as registered on that server, whatever) were affected by what the attacker did.
You understand the difference?
No, because there isn't one.
Are you arguing that UBISoft, upon noticing this exploit, shouldn't have restarted and rolled back all their servers? If this security problem hadn't been violated in this way, the rollback (and effects on all the players) could have been avoided. Also, the outage for the servers could have been much shorter, and at a time where it would have less impact on the general player base.
The outage was a direct result of the attacker's actions. Just because the locks on the doors weren't as strong as they needed to be (in your analogy), doesn't mean that the attackers aren't responsible for having to check and clean the whole building for vandalism after they broke in.
There is no damage, as I've said before. Damage doesn't mean pissed off geeks. Damage means money that is actually lost that they would have otherwise. You can't list UbiSoft having to patch their servers and services, because that would be the case even if they were notified in a friendly email. You can only list the actual damages: None.
Again, there is clearly damage done.
The only reason that the people involved aren't getting refunds is because they haven't demanded it. And who would they demand it from? They would demand it from the attackers, as UBISoft's user agreement covers UBISoft from outages. When you're talking about damage here, you're talking about damage to anyone involved, not damage to only UBISoft.
I still don't understand why you think that disrupting several hours of the prime time of a service that serves thousands of people worldwide isn't worthy of serious punishment. It seems that you fundamentally don't believe that these people deserve to play their game unharassed.
How about replacing your ringtone with morse code of the caller?
-Zipwow
Entering morse code sounds like it would be worse than trying to type on my cellphone.
I guess that's why it's not my hobby.
-Zipwow
This is cute, but I think ultimately uninformed.
As I understand it, it is the company charter that determines what shareholders have access to, and what information is strictly reserved for members of the board and their designators. There are restrictions by the SEC on public companies of course as pertains to financials, but otherwise it's up to your charter.
So, if your charter is "everything is available to all shareholders" or somesuch, then it works. I think you can bet that this isn't how the charter for RIAA members reads.
-Zipwow
Isn't the difference in your example that the scientists were employed by the company, rather than owners of the company?
I don't think there have been cases where the 'sharers' of the work in question have been solely shareholders. If the company pays for a journal article, and determines that it will allow all shareholders to access it, is that fair use, since they are all part owners of the document?
-Zipwow
Two points, the first is that I think implying that no subterfuge would exist in the world with as-ubiquitous-as-we-can-make-it surveillance you describe is being a little too optimistic. Are the monitoring systems able to tell the difference between hiking in the woods and visiting your meth lab in the woods?
Setting that aside for a moment, consider that our current laws should not be enforced in every situation. Every person breaks laws daily, be it accidentally speeding, jaywalking because it's 2am and nobody's coming for miles, or not reporting the $20 you sold your couch for.
This is all currently handled with selective enforcement. Which sounds like a bad thing, and to some degree, it is. Selective enforcement opens the door to harassment. IDs checked more often for the racial group not in power. Jaywalking tickets for people dressed like a political group, this sort of thing. And as I said before, this behavior is magnified a thousand times with unhindered surveillance.
The alternative to selective enforcement is to adapt the legal code. This is a tempting approach as a programmer, I want to just fix the bugs that are in the system, and have done with it. Obviously, though, the problem is that this creates a legal code that is a nightmare to understand and maintain. Laws are already complex enough to allow multiple interpretations by a reasonable person. More laws doesn't fix that problem.
In the end, you may have less subterfuge (can't hide in your basement). However, that subterfuge will be replaced with corruption. It all starts with this kind of conversation: "Jaywalking's not a big problem, hey I can overlook that. Thanks for the donut last week, by the way..."
The system you describe still rewards the better liar, "It was just a donut, just an unrelated favor from a friend...", and the clandestine criminal. The amount of crime won't change, but the amount of protection that enemies of the state receive is reduced nearly to zero. Unless, of course, they lie as well. Which makes them seem like criminals, of course.
You said:
The problem I have with it is the exclusivity of the last part, "save for being caught if you're committing crimes". I don't think that can ever be the only outcome of this surveillance.
Knowledge of 'questionable' activities can lead to harassing follow-up searches and actions. Owning a hookah, for example. Is that a novelty tobacco device, or drug paraphernalia? Or, to hit a little closer to you and I, attending a religious seminar that turned out to be further right than expected.
Once the humans interpreting this data have formed an opinion about the people in question, their attitudes and behaviors in the future will be changed. You still haven't broken (and may well never break) the law, but the way that you're treated is significantly different.
Add to that the old adage that if you look hard enough, you're guaranteed to find something illegal, and you have a gigantic possibility for harassment.
The danger I'm talking about so far is just from the human nature of the investigators. If you imagine a situation where the powers in question have another reason to dislike you (you favor the legalization of a currently illegal act, or the reinterpretation of some law*) and you're in harassment city.
This could certainly be considered a 'chilling effect' in many discussions. Say, for example, the discussion of the competence or even corruption of the chief of police.
I think so long as people are running it, it all leads to too much power, too much danger.
-Zipwow
* for the record, I'm *not* talking about marijuana (or not just marijuana, anyway). Most of us
Wow, that's a heck of a good point about the mountains. My first response was that making the base there would be a pain, but then I thought..
A platform hanging in the air by BALLOONS?
Yeah. Building on a mountaintop shouldn't be so rough. You'd want to be sure you didn't pick an active volcano though. Boom!
Actually, that's a bizarre thought. Can we maybe harness volcanic pressure to launch things into space? Sounds nuts, but it's gotta be right up there with a launching platform suspended by balloons.
I keep thinking of this comic by Phil Foglio called "Girl Genius", it's kind of a steampunk sort of thing. Science is kind of like magic, and some people have a sort of magic that lets them make all sorts of strange things. This generally results in them losing their grip on reality.
http://www.studiofoglio.com/girlgenius.html
-Zipwow
What would a cell phone do around helium? Are you thinking of hydrogen (the unstable, non-noble gas), or am I uninformed?
-Zipwow
Amongst myself and my friends, "Event Horizon" is the yardstick by which we measure bad movies. We went in expecting a sci-fi film, but too soon realized it was a horror/ unwitting comedy.
"We need something to latch onto.."
"Hey! There's the communications module!"
*kerunch*
I can understand filling the detaching 'tunnel' with exploding bolts. But actual explosives? And who was the idiot who said, "And hey, wouldn't it be handy if they were portable, and had their own timers?"
*shudders*
Mission to Mars is right up there too, but I like to think a lot of that plot is cleared up if you imagine NASA people sitting in a board room saying,
"Hey, the last ones we sent all died. I don't want to lose another good crew in that big tomb"
"Yeah. What if we sent Jimbo's team?"
"Who? Oh them. Yeah, we can lose them, let's do it."
Kind of like "Astronauts Like Us" who never met up with the real crew.
-Zipwow
I found on this site a mention of 1650 C for reentry temperatures, which seems low enough to make the material feasible.
r m.net/~dmg/mysteries/mystery1.html
I did my own google search on ward and starlite, and found this:
http://web.archive.org/web/20010407012348/www.cha
The article mentions that NASA was investigating it, but the inventor wouldn't allow them to pursue it when they refused to sign an NDA.
I'm guessing the actual temperature on the material would differ slightly based on friction (or its coefficient of friction? I'm not a physicist), so it's possible that the plastic still wasn't feasible for some reason. Then again, I'm told most of the heat is from ram pressure, so friction may not make a lot of difference.
Another explanation could be that the starlite plastic doesn't handle the extreme cold of space.
Or, NASA refused to sign the NDA because they thought he was a crackpot. Their view is somewhat supported by the site's claim that Maurice Ward is no longer interested in his revolutionary material, having given it up for harness horse-racing.
-Zipwow
Okay, I was mostly responding to the "I'm not doing anything wrong, search all you like" sentiment. However, the whole "flying is optional, so the government can restrict it as much as they'd like" argument (which I'm generalizing your statements to) is an interesting, and as you point out, a more on-topic, one.
Flying, like driving, is pretty far from being a right, and there are certainly cases where people should be restricted from doing both. However, I wouldn't go so far as to say that it's a completely optional service. Neither is driving, for that matter. Try living in rural Montana without a car and having anything resembling a modern lifestyle.
Still, the government shouldn't be allowed to come into just any activity, even if it's optional, and demand that you relinquish great swaths of your rights in order to perform it. To take it to ridiculous extremes, you don't *have* to buy groceries, you're "free" to grow them yourself, but that sure impinges on your lifestyle (and 'pursuit of happiness', maybe?) And with flying, you're effectively saying that if you pursue a certain set of jobs, you must give up these rights while flying.
We tolerate it to some degree with flying already because of safety concerns. One point many people make is that most of these rights violations (illegal search and seizure) don't actually get you an increased level of safety.
To be clear, there's a difference between a privately hired person scanning your stuff (which I think is fine, btw) and the government entity generating a giant database of your traveling habits.
I guess your latest post did only mention x-ray devices. If that's all the further this stuff went, I'd probably agree that it's fine.
To be completely on-topic, I don't have a fundamental problem with this device, provided it's used in some way that doesn't show me naked. That's not so much a 'rights' issue as it is a "I don't want to be naked to anybody" issue.
Well, this is all just rambling without a direct point, I think I'll end it here.
-Zipwow
If it's so dangerous to fly now, maybe it's time to invest in infrastructure and establish a real high-speed rail system, and not something built on a gravel berm that's insufficient for 40mph freight trains either. For an industrial nation, we have a crap rail system. Don't believe me? Get up from your computer and go take a look at it. It sucks.
A-freakin'-men.
Rail systems wouldn't even be that much slower, if you consider how much easier it is to load and unload trains. (think: parallel in many cars rather than serial through the front door hatch). I think trains can even be automated as well. That takes a little more blasé attitude, but when you're doing 120 in a 5000 ton machine, you measure braking distance in miles.
And, they can be much less polluting than the jet-powered monstrosities we have now.
Granted, it won't get you over the ocean, but it should do real well between San Fran, LA, and Vegas.
-Zipwow
Are you kidding? You want them to schedule times for searches for criminal activities that don't "conflict with your schedule"?
Searching interferes. Your list of things that starts with "push, confiscate, pick my locks, " and ends with "be a dick" points that out pretty well. This kind of surveillance leads pretty directly to harassment. If the police perceive you as a lawbreaker (which is likely if they're watching your house), then finding reasons to arrest or fine you are easy enough when they have access to every action you make.
Did you sign your wife's check to deposit it so rent won't bounce? That's fraud. Got in a fight and threw something? Could be spousal abuse. Talked about driving home in a hurry? Oops, that's reckless endangerment. Got mad and said the president should keel over and die? Ah-ha! The highest of thoughtcrime. Nevermind the privacy invasion of your more intimate moments. If having that violated, having committed no crime, please let me know your address, I could use the extra money a webcam could bring in.
At the end of the day, the best recommendation is: Don't give up your rights.
-Zipwow
"Do I want airline security to make damn sure no one is bringing a bomb or gun on board? Hell Yes!"
If that's what they accomplished, that'd be great. The problem with all this "airline security" junk is that it doesn't make you any safer. Glass is still allowed on the flight, which can be easily made pointy enough to hold flight attendants hostage and demand cockpit access. Another poster has images of things easily smuggled through.
The one thing that might make airline safer today is the attitude of the passengers. Before the trade center attacks, I think most people felt that they should sit back, stay calm, and let the negotiators take care of it. Now the feeling I get from people is that if you're being hijacked, it is worth attempting to resist.
"I'm sure many Slashdotters can think of many hazardous materials that wouldn't show up in an X-ray machine."
And can you not also think of ways to hide them? C-4 doesn't have to be stamped into bricks with the letters "C-4" on the side.
-Zipwow
The best thing about standards is... there's so MANY of them!
-Zipwow
detail
overview
A href is for you!
-Zipwow
I think there's also the perception that looking for a library to do what you need isn't work, while writing a solution is.
If you've solved it by finding a library that does it, but it took you a while to find the right library and figure it out, you may find yourself in the hole. Your dept manager may ask "Why aren't you finished? You didn't have to write that component..." and be unhappy with the (accurate) reply of "Well, no, but it took me a while to evaluate the libraries available..."
I'm blessed to be avoiding these at my current position though, so I'm thankful.
-Zipwow
Must...resist...obvious...comment.
That would make you the only one, I think...
-Zipwow
Aside from the fact that ad hominem is the first tactic of the defeated, I'll respond to your questions...
://www.kenttrust.com/portscanning.htm
You said that they "broke into the client" which is just stupid.
I can see where you're confused. Reverse engineering the client is legal (EULA notwithstanding). Using that information (and I'm guessing, some other information as well) to wreak havoc on the server, disrupting the service for thousands, is quite illegal.
If you honestly think that hiding the protocols to access admin features means UbiSoft has fulfilled their responsibility for security then, quite frankly, you are an idiot.
First, you're making some assumptions that aren't warranted by the situation. Namely, that accessing the admin feature required one only to use the right protocols. While this may be the case, I suspect that the attackers also used some novel approach to circumvent the authentication scheme.
Even if this suspicion proves to be false, UBISoft has, in a legal sense, fulfilled their security obligation. As I've said before, entering an unlocked door can still be trespassing. For reference, see 'unlocked door' mentions on these sites:
http://www.cipherwar.com/news/99/crime.htm
http
http://www.poprocks.com/journ/TA.html
Now, I'll grant that security through obscurity is stupid from a "protect your goods and data" point of view, but that's not what we're talking about. We're talking about the law, and the law says that it only has to be obvious that the area is private. They don't have to build three foot thick barriers to keep you out.
Newsflash: If someone emails you and says, "By the way, your admin ports are hanging out and anybody can connect in if they figure it out" shit hits the fan.
But the fan doesn't stop spinning. Which is my point. Every time you get a message that someone's found a new vulnerability in apache, you don't shut down the box while the fix is being coded. Heck, the security community in general doesn't even disclose the vulnerability until a fix is available, unless the company in question has just ignored it.
Had it been an email notification, the same process would have likely taken place.
You keep saying this, but haven't responded to my assertions that:
* the rollbacks would not be needed
* the update can be written without taking the servers down
* the patch can be applied during the normal update cycle, which is not during prime time
* support personnel are not inundated with requests
I think these points adequately prove that there is a large difference between the attack and a friendly email.
You also think that these people have value.
Now you've made the point that I've been alluding to in earlier questions about why you think the things you do. I absolutely think these people have value. I think all people have value. You seem to have some grudge against either this particular activity or against the notion of entertainment in general. Perhaps you are one of the sort of people who view any server connected to the internet as just another obstacle and personal playground, rather than someone else's property providing a service to a community of people. Something seems to prevent you from seeing these people as important, and the servers as private.
They are paying for entertainment, so why do they bitch if they get to live the same experience again? If it was so much fun the first time, they'll do it better the second time.
Enjoying doing something is not the same as doing it over. See software development and home improvement projects.
They only mucked around on one server.
How do you know this? How would UBISoft know this? They only caused mass devastation on one server, who knows what they did on the rest? Or were about to do? When someone breaks one system on your c
Show me where it's illegal to reverse engineer software. Only technological copyright protection devices have this protection.
...
I've never said it's illegal to reverse engineer software. It's not illegal to own lockpicks, either. Breaking into buildings, though. That's illegal. With or without lockpicks. In fact, you don't even have to lock the doors. All you have to do is make it clear that it is private property, and that the general public is not invited. I think by hiding the protocols to access these features, and calling them 'admin features', UBISoft has fulfilled this requirement.
Why would this be different if someone had sent them an email detailing how to do the attack and saying that it is possible other people know about it?
The fix for this problem can be written with the servers still running. Access to these functions can be monitored, possibly controlled at a firewall level. The installation of the patch can occur during normal weekly maintenance cycles, which take place during periods of low usage.
FAR less disruptive than a loss of eight hours of primetime, and the cost of support overtime.
You don't wait when you know there is a gaping security hole, you fix it then.
Somewhat true. Your first fix won't be the only fix, nor will it be the ultimate fix. Typically you'll disable the feature that has the problem (specifically in this case, remote access to the admin features), and then begin working on the fix, which may take weeks.
That said, your first response to finding a gaping security hole isn't to bring down the system, either. You say to yourself, "Ah, okay. I'll watch for that then, while I work on fixing it."
If someone steals my car,
This analogy has nothing to do with this situation, because I'm not talking about damage to UBISoft for the most part, and we're talking about a service interruption, not a material theft.
No court will ever find that this attacker is directly responsible for more than the actual damage he caused directly. You are trying to blame him for indirect damage, and life doesn't work that way.
You keep saying this, but it doesn't get any more true. Explain how interruption of a service I pay for isn't clearly damage?
I've refuted every argument you've made:
The actions by the attackers were illegal (possibly we agreed on this from the beginning). There was damage done (interruption of a paid service).
The damage was a direct result of the attacker's actions (rollbacks necessary, monitoring not a viable approach, etc).
The damage was avoidable (if not by the attackers simply refusing to break the law, then by other approaches to the problem)
The time taken to fix the result of the attacks is independent of the time to fix the original bug. (reverting servers, answering support calls, etc).
A significant amount of people were harmed (more than 10,000).
You have never answered the question of why these people should not be punished (or deserve only extremely light punishment) for disrupting the service of thousands of people. Even by your own convoluted logic, the people on the attacked servers (at least a thousand of them) had their service disrupted for several hours. You have never explained why the time of these people is valueless, or why it is acceptable for the attackers to waste their time and disrupt their activities.
-Zipwow
While I admit, that I'd be upset if I spent time building a character only to have it destroyed by another player. However, if this is "outlawed", there will be no bad guys, and no fun. Who wants to play against the computer all the time -- that defeats the purpose of online gaming.
These laws aren't meant to restrict the way the game works itself, but rather the consequences from out-of-game actions.
For example, if I killed your character and stole your stuff according to the rules of the game, I'd be fine. If, however, I used some exploit or hacked into the game server, or committed some fraud to destroy that character and your items, then you'd be talking about a crime.
At least, that's how I read the originating articles.
-Zipwow
Providing that functionality to begin with is the problem. The fact that any client, not just those provided by UbiSoft (Think of employee, vs someone walking in off the street) could do this given the proper knowledge (where the door is located.)
Are you, again, arguing that the attackers didn't have to break the code to do this? Whether the code "should" or "should not" contain this ability is pretty irrelevant.
Give each person the thirty cents, big fucking deal. Only give those people who were affected by the malicious client refunds, because that is the only damage caused by the perpetrator.
15,000 people could not play the game for eight hours. That interruption was a direct result of the attack. That interruption time does *not* include time to fix the original vulnerability, but only to clean up the problems caused by the attackers.
Again with the math, but 15,000 people times even 30 cents is $4500, a felony offense worth of damages.
My statement is that because this service is provided without uptime guarantee, nor do people pay per hour/minute but by month, there is no valid way to calculate actual damages.
Just because services are provided without uptime guarantees (no refunds on rainout games, for example) doesn't mean that disrupting them for other reasons isn't damage.
Furthermore, the EULA probably states that downtime will happen for reasons like software, hardware, and network maintenance. I doubt it lists malicious attackers.
You cannot include any damages done by UbiSoft having to patch their servers and services. Because had someone notified them via email it would still have the same outcome.
Ubisoft didn't spend that eight hours coding up a fix, testing it, and installing it. They spent that eight hours rolling back servers, changing firewall settings, banning users, and dealing with support calls. None of those things would have had to have been done had the attackers taken the 'friendly email' approach. Hence, all that time, that expense and effort is a direct result of the attack.
The work to actually fix the problem probably still needs to be done. This is akin to wedging closed a door with a broken latch. The latch still needs to be fixed.
Here's a nice little point-by-point rebuttal for you:
* The only people directly affected were those on the server when the perpetrator exploited the system.
This is false. All services were interrupted. All users were affected. Interruption to all services was a direct result of the attack. All servers needed to be reset, as the extent of the attack was not verifiable.
* UbiSoft is liable for their services, including patches. Therefore, any patches or rollbacks are on the shoulders of UbiSoft. There is nothing directly correlating responsibility for UbiSoft patching its services and servers and the exploitation. Just because they became aware of it at that time, doesn't matter.
This is false. UBISoft is not 'liable' for anything. They are responsible for their services. Had this attack not happened, no rollbacks would have been needed, no additional downtime would have occurred. The fix would have been installed during their next maintenance cycle.
The attack caused additional downtime. Additional downtime is damage to the players.
* There is minimal damage, less than $500. For the actual amount of damage caused, it would cost more to use the court space to persecute. Excluding costs of law enforcement officials.
This is false. There is significant damage, more than $4000. The crime committed affected thousands of people. The perpetrators deserve punishment.
You read these points, and read them carefully. If you actually understand them, you'll understand that the attackers committed a serious crime, affecting thousands of people worldwide. This is certainly a punishable offense.
You seem to imply th
No, it's completely in sync with property. If a business doesn't have any locks on its doors, and someone breaks in (by merely opening the door and walking in) and spreads toilet paper all over the place, the doors would then have locks installed. That's all I'm saying.
If a business doesn't have any locks on its doors, and someone breaks in (by merely opening the door and walking in) and spreads toilet paper all over the place, the doors would then have locks installed.
Your analogy breaks down immediately. UBISoft clearly had locks on the doors. Not including the functionality in the client to begin with constitutes locks on the doors.
So, in your example, the building has a rather wimpy security system, say cheap locks. This is probably a stupid choice on their part, but that doesn't really affect the legality or morality of the situation. Then, someone breaks in and trashes the place. I can't think of an analogy for 15,000 people not being able to play a game that they subscribe to, but I think you can see the point from here.
Maybe the business should've invested in a night guard, but that doesn't make it legal to break the cheap locks.
This is wrong, and this is why I listed my point twice. 15,000 people were affected by a bug in UbiSoft's system. 1,200 people (or 3,000 as registered on that server, whatever) were affected by what the attacker did.
You understand the difference?
No, because there isn't one.
Are you arguing that UBISoft, upon noticing this exploit, shouldn't have restarted and rolled back all their servers? If this security problem hadn't been violated in this way, the rollback (and effects on all the players) could have been avoided. Also, the outage for the servers could have been much shorter, and at a time where it would have less impact on the general player base.
The outage was a direct result of the attacker's actions. Just because the locks on the doors weren't as strong as they needed to be (in your analogy), doesn't mean that the attackers aren't responsible for having to check and clean the whole building for vandalism after they broke in.
There is no damage, as I've said before. Damage doesn't mean pissed off geeks. Damage means money that is actually lost that they would have otherwise. You can't list UbiSoft having to patch their servers and services, because that would be the case even if they were notified in a friendly email. You can only list the actual damages: None.
Again, there is clearly damage done.
The only reason that the people involved aren't getting refunds is because they haven't demanded it. And who would they demand it from? They would demand it from the attackers, as UBISoft's user agreement covers UBISoft from outages. When you're talking about damage here, you're talking about damage to anyone involved, not damage to only UBISoft.
I still don't understand why you think that disrupting several hours of the prime time of a service that serves thousands of people worldwide isn't worthy of serious punishment. It seems that you fundamentally don't believe that these people deserve to play their game unharassed.
-Zipwow