With all due respect, this is much ado about nothing. Let's examine some of the claims:
* Some older vulnerabilities in Apache 2 can be exploited by malicious people to inject malicious characters into log files and cause a DoS
Who is running Apache 2? Are most OS X users running their own web server in the first place? This isn't an Apple issue. Anyone who is running Apache, which includes all flavors of Unix as well as Windows, has the same issues, but of those, the 2.x tree?? A tiny minority probably not even worth mentioning. This isn't necessarily Apple's responsibility unless they've branded Apache 2 and offered it as some core feature.
* Two vulnerabilities in the IPSec implementation can be exploited by malicious people to conduct MitM attacks (Man-in-the-Middle), establish unauthorised connections, or cause a DoS.
Again, this is an OpenSSL issue, not an Apple issue, and it has nothing specifically to do with Apple. The circumstances under which this exploit would be taken advantage of are pretty limited. That's not to say any of these issues shouldn't be addressed, and maybe Apple should more accurately call attention to these vulnerabilities but they aren't really the issues justified by the FUD being spewed.
* A vulnerability within AppleFileServer can be exploited by malicious people to compromise a vulnerable system.
Ok, this may be ONE issue so far that is attributable to Apple.
* An unspecified vulnerability exists within the CoreFoundation when handling environment variables. This may potentially be a privilege escalation vulnerability. This has not been confirmed, though.
WTF? An "unspecified vulnerability" that "has not been confirmed"? Did the lawyers from SCO write this article?
* An unspecified vulnerability exists within RAdmin when handling large requests. This may potentially be a system compromise issue. This has not been confirmed, though.
I agree with you on this. Most of my workstations are running 98SE and I see little incentive to upgrade. History has shown that with Microsoft, every new evolution of their software introduces even more problems than proposed solutions.
I really look forward to AMD getting out from under Intel's shadow. They are a great company that makes great products that IMO are superior to Intel's. We need more PC manufacturers to start offering more AMD options. And if I hear that stupid Intel jingle one more time I'm going postal.
I've actually set up a trust to deal with this. I've been slowly compiling CDs of my work and other information and building a web site. The idea is to dedicate a certain amount of my wealth to maintain a little site in cyberspace. Most people "live forever" through their children, so I was doing this in case I end up not having any, and it's nice to know that some pearl of wisdom you've learned can be shared and benefit others.
Ultimately, I guess when you die, who knows what happens. Relatives come crawling out of the woodwork like roaches and everything you work for could end up in a pedantic game of tug-of-war, but I'm hoping that won't happen.
When I originally spoke with a lawyer about doing this, the guy said it was pretty difficult to enforce detailed terms of things such as this after your death. You see in the movies about people who die and have spectacular conditions upon which gifts will be bequeathed. I'm under the impression some of this stuff isn't easily enforceable unless you really have someone managing things you trust.
Gates bought shares in trash-hauling company Republic Services in November 2001. The transaction put his holdings over a 10 percent threshold that required antitrust notification, the FTC said.
But Gates failed to notify antitrust authorities, believing he was exempt from the requirement because the acquisition was only for investment purposes.
Gates later made a corrected filing in the case, and the FTC declined to seek any penalties.
But six months later, Gates violated the rules again when he bought shares in ICOS, co-maker of the new impotence treatment Cialis, according to the FTC. Once again, Gates thought he was exempt from the regulation.
The FTC said it sought substantial penalties for the second mistake.
actually, this all sounds pretty decent to me. It's a small town, they can't be expected to hire a hundred specialists, and so someone at the department asks for help from someone who knows more about it.
It's a REAL SAD DAY when detectives don't know how to track down the source of a telephone call. They need a "specialist" for that?? Wouldn't this technique be taught in remedial detective work 0101?
Don't get me wrong. I applaud the detective for being innovative enough to query Mitnick for help, but surely this isn't some amazingly complex investigative issue.
The problem with your formula is that the bandwidth that you think you "own" is shared among many other users. It's not as unlimited a resource as you think.
The sad part of this is that the detective couldn't figure out what to ask for, or that SBC refused to cooperate fully. I think it's great that Mitnick gets some positive press and furthers the idea of white hat operations, but the more disturbing thing this story illuminates is how totally inept law enforcement is when it comes to tech issues.
The boy didn't even employ anything creative or hacker-like. He just dialed a number on his phone, and the authorities needed an ex-con hacker to help them with this?
I think stories like this call attention to the fact that there is a *desperate* need for more training of law enforcement people in tech issues.
There are better ways of addressing this issue than creating vigilante DDOS groups that create collateral damage and don't directly affect the true perpetrators.
You could try more effective methods such as:
* lobbying the governments to crack down on this
* creating a campaign to filter the sites on various levels
* creating an educational campaign to make more people aware of the scams
I disagree. I don't think these scammer web sites are getting that much fool traffic so that taking them down on a particular day matters much, and you end up wasting your own bandwidth.
I'm sorry, but DDoS'ing 419 sites seems really stupid. You might take their site down temporarily but you're also wasting just as much of your own bandwidth and affecting other more important services.
The 419'ers exploit stupid people. These efforts don't address either the stupidity of people or the illegal activities of the scammers. It seems more like a publicity stunt to call attention to the artists than a legitimate and effective effort to stop 419ers.
While I don't condone the activities of the 419'ers, they don't bother me that much. Turn on the television and it'll take you about ten minutes before you see a commercial from an American company that's basically doing the same thing, misleading people into giving them money for something that is questionable. I have trouble distinguishing the current spate of weight-loss and penis enlargement pills from the tactics of 419'ers.
I figure anyone stupid enough to fall for these schemes will do so eventually, so we might as well let them learn from their mistakes sooner rather than later. That also goes for the goofy fake cashier's check scams being perpetrated on people posting online classified ads. If you're selling something for $3000 and someone sends you a check for $6000 and wants you to wire the difference to another country, you're a fool who needs to be parted from your money.
A lot of the reason you see so many complaints about outsourcing on Slashdot tends to be the reinforced tendencies of self-selected sets.
Oh, and yours isn't?
The National Review. Shill for selected sets of political agendas propped up by the likes of Pfizer, Merck and Halliburton. There's a publication that's the bastion of objective and well thought out journalism.
Oh, and let's talk about the "distinguished" CATO Institute, a right-wing organization masquerading as libertarian to further the agenda of a select group of uber-powerful business interests. CATO was founded by a huge grant from a Chemical/Petroleum industry heir named Charles Koch.
* Cato leads the right-wing's push for privatization of government services. In 2001, the Washington Post, noting Cato's influence, said it "has spent about $3 million in the past six years to run a virtual war room to promote Social Security privatization."
* Cato supports the wholesale elimination of eight cabinet agencies - Commerce, Education, Energy, Labor, Agriculture, Interior, Transportation and Veterans Affairs - and the privatization of many government services.
* Right-wing foundations that fund Cato include: Castle Rock, Sarah Scaife, Koch Charitable, Olin, Earhart, and Bradley Foundations.
* CATO's corporate benefactors include: Philip Morris, R.J. Reynolds, Bell Atlantic Network Services, BellSouth Corporation, Digital Equipment Corporation, GTE Corporation, Microsoft Corporation, Netscape Communications Corporation, NYNEX Corporation, Sun Microsystems, Viacom International, American Express, Chase Manhattan Bank, Chemical Bank, Citicorp/Citibank, Commonwealth Fund, Prudential Securities and Salomon Brothers. Energy conglomerates include: Chevron Companies, Exxon Company, Shell Oil Company and Tenneco Gas, as well as the American Petroleum Institute, Amoco Foundation and Atlantic Richfield Foundation. Cato's pharmaceutical donors include Eli Lilly & Company, Merck & Company and Pfizer, Inc.
I wonder how many of the above companies are outsourcing? Probably every one of them.
The Washington Post characterized CATO's agenda as, "A soup-to-nuts agenda to reduce spending, kill programs, terminate whole agencies and dramatically restrict the power of the federal government." That sounds really good in theory, but the underlying agenda of CATO is to pump out polarized "research" to further this cause, which ultimately divests critical responsibilities to a small set of mega-corporations, which probably have less of a sense of responsibility and ethics than the government.
I'd be real scared of the future they're promoting.
IMO, outsourcing is merely a symptom of a much larger problem that has psychological and sociological roots.
I submit:
* There's a fundamental paradigm shift in the mindset of the American work force. This is evident in all societies that become more capitalist and consumer-centric, and America being the leader of this trend, exhibits the pathology to a more extreme degree than other societies. America also has a less-substantive cultural background from which its sense of purpose has evolved when compared with Asian or European cultures and this also contributes.
* While there are numerous exceptions, I see a substantive trend towards the output of the American worker, on average, being considered little more than a means to an end. Sense of pride in a job well done now takes a back seat to revenue generated and the collection of material possessions.
* The new, extreme consumer-centric American society revolves around selling neatly-packaged, instantaneous [seeming] solutions to solve all known problems.
We have new economies rapidly being built around business models driven by the idea that everything needs to be constantly updated, upgraded and replaced. Things aren't built to last "forever"; products are specifically engineered to be quickly obsoleted in order to maintain a constant scheme of consumption and revenue.
* So now we have a society where we have managed to easily provide ourselves with basic necessities, and are now "manufacturing desire" as a product unto itself. The process of creating this market has two really bad side-effects: First, we are conditioned to consider all products to be inadequate, even from the moment we produce or acquire them. The fact that nothing is ever good enough demoralizes our work force. So nobody really cares about the quality of their work. Second, the process of promoting this consumer-centric model manifests itself in an ever-increasing sensory bombardment of messages promoting inadequacy and simple solutions (however unrealistic) to complex problems. People become ADD and progressively less capable of addressing issues from a proactive perspective.
* So in our great, advanced society, we are overrun by those seeking simple solutions to complex problems, and those promoting simple solutions to complex problems. Our work ethic has gone to shit. We're so constantly bombarded with messages of inadequacy and the idea that "upgrading" will make everything instantly better, that we're not motivated to take the long road, understand why things fail, and actually solve problems. We just keep putting band-aids on things and passing the buck.
* In many markets, this pathology isn't as critical, but when you talk of computer systems, their ability to be qualified as capable or non-capable is obvious. So when you need a complex system developed, outsourcing the project to a different cultural state, that isn't so tainted (yet), and still maintains more of a sense of pride in a job well done, makes sense.
I've always felt that outsourcing was less about money and more about quality. And the truth is, the tech industry in America has become overly politicized, and the American worker has a dramatically diminished work ethic that is the result of his ever-changing environment, which de-emphasizes the significance of a job well done in favor of upgrading to the next perfect solution.
Is education an issue here? Yes, but it's not as much dependent upon the knowledge people possess as it is the need to educate people on more abstract concepts involving a non-materialistic search for satisfaction, pride and productivity.
In my experience, one of the most significant and under-recognized challenges in development is the selection of the right tools, operating environment and languages in which to develop/deploy an application.
These days, your typical American developer has a narrow stable of technology that he uses. He often doesn't stop to examine whether or not the application being designed is best suited for the environment in which he plans to build it.
I'm probably going to get flamed for this, but I believe we now have "vanity languages" and platforms that are driven more by marketing than fitness for a particular purpose. In the last several years I've seen lots of programs written in stuff like Java, Cold Fusion, ASP, and Perl that really should have been using something different based on the demands of the process.
I would suspect a significant share of development disasters are due to the people involved choosing the wrong tools and then making things ten times harder for themselves later on.
Here's how the government can address the issue of the patent office being overwhelmed: Pass a law requiring that patent applications be processed faster. *bingo* it's all fixed.
This seems to be the current trend. Never mind figuring out how to fund things or fixing the system, or improving existing processes. Let's just pass another law and magically expect everything to be fixed. It's worked with spam! It's worked with the war on terror and national security. Why not the USPTO?
Well, if there is "teeth" then the OSS movement should actively enforce this issue. That could generate much-needed money for their coffers. While Sun may not be the most desirable candidate to go after, they probably could serve as a suitable example so that others don't abuse the GPL.
If nothing is done about it, this reinforces the idea among corporate amerika (I prefer that spelling until we have our regime change) that the OSS movement are a bunch of pu**ies that are all talk and no action when it comes to playing in the world of big business.
My question is what remedies can be made realistically to enforce this? I assume you can revoke the license but what about compensatory damages? What is the real incentive to adhere to the terms if a company such as Sun has no fear that substantive repercussions will result?
It seems standard policy now that corporate amerika factors in numerous "slaps on the wrists" to their ongoing business plans. Where's the teeth?
You said that PHP allows the user to override variables when register_globals is set. It doesn't.
Arguing semantics with you is probably pointless, so this will be my last reply, because what you're bringing up is just argumentative and not productive (nor accurate), but I'll respond to this since you still seem not to have gotten the point.
1. register_globals allows users to override/overload (whatever you want to call it) variables.
That statement is TRUE. I didn't say "pre-initialized variables" - I said variables. PHP does not require variables to be pre-initialized and there are probably more PHP scripts on the net without pre-initialization than otherwise, not to mention there are circumstances where you might not want the variables initialized.
The only FUD here is you trying to cast a shadow of doubt over that saying that with proper variable declaration, it's a moot point. Yes, that's correct. But that's exactly why this feature is dangerous. If you do not initialize the variables but instead reference them within the script later, or you conditionally initialize them based on them not being defined, you have a SERIOUS security issue.
PHP does NOT require variables to be initialized. Therefore register_globals further emphasizes bad programming habits and dangerous programmatic behavior.
Your whiny diatribe about my point being FUD is ineffective.
I challenge you to grab 10 random PHP scripts and find even half of them with 100% declared variables. I doubt you could. Register_globals exacerbates the bad programming problem exponentially.
In a perfect world, all programmers would write perfect code, initialize and cast all variables perfectly, validate and sanitize all input, and always know exactly what to expect. But we don't have this perfect world, so your whole argument doesn't mean a thing.
The only FUD here is you trying to legitimize register_globals as something necessary. IT IS NOT.
My solution to the problem:
* turn register_globals OFF, require PHP developers to reference each variable they need specifically
Your idea of security:
* turn register_globals ON, expect every programmer on the server to write PERFECT code, and if not, examine each and every script to make sure there's no overloading... and since you like register_globals, you probably also have safe_mode disabled, so you've got a fun server there to play with. I just hope you're not handling any important data.
Saying that register_globals is a dangerous feature is about the same as saying pointers are a dangerous feature. Just because programmers can be (are) stupid most of the time, doesn't mean that it's not an extremely useful feature.
I couldn't disagree with you more. The feature is unnecessary and dangerous. It doesn't offer any additional functionality that wasn't available before. The convenience it saves is negated by the additional work you have to make to maintain the integrity of other variables you are working with.
The example you cite is just one scenario among many others where things aren't so obvious. I'm fond of repurposing snippets of code where register_globals would wreak havoc: a routine that displays the content of a set of variables where in some cases these vars might be submitted and other times internally generated within other existing code. In a case like this, I don't override the value of a variable unless I check to first make sure it isn't already defined. Register_globals screws this up.
This is very common in html/form applications where you might be re-displaying edited content previewing a form. I may have one set of code which handles filling out an empty form and editing an existing record. Keeping the variables undefined and retrieving them from GET/POST arrays allows me to reuse the code efficiently and securely.
There are always work-arounds but the bottom line is pulling the data from the standard GET/POST arrays is much more professional and secure. It enforces proper programming techniques. Register_globals is a crutch. But what do I know? I've only written a best selling book on CGI programming and my software has received Editor's Choice in PC Magazine. I'm just a n00b.
Finally, I don't think you should be lecturing anyone on server security seeing that you got such a basic tenet plain wrong.
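The hazard argued in the exchange above, as an added example that is not the commenter's code: a conditionally initialized variable at global scope is silently pre-set by the request when register_globals is On, beside a version that does not depend on the setting. The credential table, the helper names (check_password, is_admin_request, register_globals_enabled) and the request `GET /demo.php?is_admin=1` are constructed for this illustration; the script assumes a PHP build old enough to still have the directive (it was removed in PHP 5.4).

```php
<?php
// Added example, not code from the thread. Demonstrates the register_globals
// hazard argued above. Run under PHP <= 5.3 with register_globals = On
// (assumed; the directive was removed in PHP 5.4) as
//     GET /demo.php?is_admin=1
// The users table and helper names are constructed for this file only.

// Constructed sample users; real code would store password hashes.
$users = array(
    'alice' => array('pass' => 's3cret',  'admin' => true),
    'bob'   => array('pass' => 'hunter2', 'admin' => false),
);

function check_password(array $users, $user, $pass)
{
    return isset($users[$user]) && $users[$user]['pass'] === $pass;
}

// ---- Pattern A: vulnerable (conditional initialization at global scope) --
// With register_globals = On, PHP has already executed the equivalent of
//     $is_admin = '1';
// for the request above before this line runs, so the default is skipped
// and an unauthenticated request reaches the admin branch.
if (!isset($is_admin)) {
    $is_admin = false;
}
if (isset($_POST['user'], $_POST['pass'])
    && check_password($users, $_POST['user'], $_POST['pass'])) {
    $is_admin = $users[$_POST['user']]['admin'];
}
echo "pattern A: ", ($is_admin ? "admin panel" : "login form"), "\n";

// ---- Pattern B: hardened ------------------------------------------------
// Every variable gets an unconditional initial value inside a function
// (function locals are never populated by register_globals), and request
// data is read only from the superglobal that was meant to carry it.
function is_admin_request(array $users, array $post)
{
    $is_admin = false;                                   // unconditional
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';
    if ($user !== '' && check_password($users, $user, $pass)) {
        $is_admin = (bool) $users[$user]['admin'];
    }
    return $is_admin;
}
echo "pattern B: ", (is_admin_request($users, $_POST) ? "admin panel" : "login form"), "\n";

// ---- Deployment check ---------------------------------------------------
// ini_get() returns the raw directive string ("1", "On", "", ...), so
// normalize it to a bool before deciding whether the server is safe.
function register_globals_enabled()
{
    return (bool) filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}
if (register_globals_enabled()) {
    echo "WARNING: register_globals is On; pattern A above is exploitable\n";
}
```

Pattern B is safe regardless of the directive because nothing the client sends can create or overwrite its locals; that is the "pull it from $_GET/$_POST" discipline described above. Note that `extract($_GET)` or `extract($_REQUEST)` in a script reintroduces exactly the Pattern A problem even with the directive Off. On mod_php the server-side switch is `register_globals = Off` in php.ini or `php_flag register_globals off` in the virtual host or .htaccess.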
(Windows update), Spybot S&D, Startup Cop, TweakUI, Editeur (or another good notepad replacement), a set of DOS-compatible unix command line utilities (tar,gzip,etc.), Mozilla/Firefox, Eudora, 4dTime (NNTP time sync), WinZip, and an SSH client (SecureCRT).
Wrong. It's not the only way. It's the easier way. Especially if you are a clueless sysadmin. I agree with you that TDE brought it upon themselves though. Problem is that you aren't punishing only TDE. You are punishing innocent ppl too, so your analogy:
You cannot find ANY form of "justice" that doesn't have collateral damage.
I'm not doing anything to TDE's customers. That's hogwash. I'm choosing what systems I allow my network to communicate with. It's my prerogative. If there are innocent people using ISPs that are out of control with spam, I am merely one of tens of thousands of entities on the net that are likely exhibiting prejudice against these people. Whose fault is that? TDE. There are other, more serious perpetrators in the chain, but TDE is the identifiable "enabler" that can and will be addressed.
As I stated before, I don't think that banging the users is a fair way of punishing a provider. Maybe a lot of those users can't change providers. I'm sure you don't mind, like you stated, but that doesn't make it fair, sorry.
I have to believe you probably don't have much business experience. This is the way things are done. Companies are motivated by profit/loss and things tied to it: reputation, reliability, etc. Look around you.. the most effective way to effect change is to force it. TDE has no motivation to address the problem until it starts affecting their revenue.
The RBL process isn't aimed at users. It's aimed at irresponsible ISPs. The users are innocent victims, but there really hasn't proven to be a more effective method of addressing this problem given the circumstances. As an admin, I stick with what works and doesn't cost me a small fortune to implement. The spammers and lame ISPs have already wasted too much of my time. For every victim at the RBL'd ISP, there are probably a thousand victims elsewhere that are mailbombed by the IPs at TDE.
You got it backwards. It's YOUR trash. 99,9% of it is USA spam directed to USA nerds.
Perpetrated with the cooperation of your non-USA ISP.
Blocking TDE is going to stop 419ers from finding another badly configured system? No. Do you really want the spam to stop or do you prefer blaming ppl from the top of your soapbox? I don't know. You aren't addressing the real problem at all.
I'm not blaming people. As I said before, I'm using the MOST EFFECTIVE APPROACH that has yet to be offered. It works better and faster than other methods. If you can come up with a better idea, I'm all ears, but don't waste my time with server or client-side filtering unless you are going to pay for those resources and the extra bandwidth we need because we're not stopping the spam.
I do know the real problem.
I'm not saying this is all TDE's fault, but TDE is the trackable link in the chain. They have a responsibility to control the traffic from their network. If TDE would publish details of the source of the exploitive spammers, the community would be more than happy to help them address the issue, but until then, those lepers need to be cordoned off until they can cure themselves.
First, the TV is a bad example. It's a one-way device. It's probably revolutionized laziness, but certainly not society. Even disregarding that, no, I don't think it is immoral for things to have costs. I think you are trying to change the topic.
Don't get me wrong. I applaud and share your desire to try to make the real world into IdealWorld(tm). I am just more of a realist on the side.
I don't buy the notion that some invented technology constitutes a morally inalienable right. At least when the technology involves an issue of convenience and not a critical need. Denying medicine to the sick would be immoral, but not letting someone access the Internet if they didn't have the means is far from immoral or unethical.
I remember very clearly something my 6th grade teacher told me when I saw a kid swipe a soccer ball from another kid on the playground: "Life isn't always fair." Yeah, you might be right, but that doesn't mean we shouldn't do everything within our power to make it fair. IdealWorld might not exist, but we can't just throw in the towel and give up trying to reach it.
My father used to say the same thing. I completely agree that it's a worthy endeavor to pursue IdealWorld(tm). But your notion of the ideal world and others will undoubtedly be different, so if there's a middle ground, it needs to be based around working with the existing system, flaws and all.
More unconfirmed vulnerabilities? Nice FUD.
I think this graphic pretty much sums up the story despite the best efforts of a few corrupt investment brokers and lawyers.
on more duct tape!
Aha! Now things are starting to make sense!
This is probably something that's merely an oversight on behalf of his broker.
But of course. A man of limited means such as Gates probably can't afford a broker that is capable of performing legally required due diligence.
The only worthwhile thing to come out of all this are the brilliant scamming of the scammers themselves which is tremendously entertaining.
419eater does a great job profiling the scammers. Now what we need is a web site with pictures of the morons who fall for these scams.
I'm sorry, but DDoS'ing 419 sites seems really stupid. You might take their site down temporarily but you're also wasting just as much of your own bandwidth and affecting other more important services.
The 419'ers exploit stupid people. These efforts don't address either the stupidity of people or the illegal activities of the scammers. It seems more like a publicity stunt to call attention to the artists than a legitimate and effective effort to stop 419ers.
While I don't condone the activities of the 419'ers, they don't bother me that much. Turn on the television and it'll take you about ten minutes before you see a commercial from an American company that's basically doing the same thing, misleading people into giving them money for something that is questionable. I have trouble distinguishing the current spate of weight-loss and penis enlargement pills from the tactics of 419'ers.
I figure anyone stupid enough to fall for these schemes will do so eventually, so we might as well let them learn from their mistakes sooner rather than later. That also goes for the goofy fake-cashiers check scams being perpetrated on people posting online classified ads. If you're selling something for $3000 and someone sends you a check for $6000 and wants you to wire the difference to another country, you're a fool who needs to be parted from your money.
A lot of the reason you see so many complaints about outsourcing on Slashdot tends to be the reinforced tendencies of self-selected sets.
Oh, and yours isn't?
The National Review. Shill for selected sets of political agendas propped up by the likes of Pfizer, Merck and Halliburton. There's a publication that's the bastion of objective and well thought out journalism.
Oh, and let's talk about the "distinguished" CATO Institute, a right-wing organization masquerading as libertarian to further the agenda of a select group of uber-powerful business interests. CATO was founded by a huge grant from a Chemical/Petroleum industry heir named Charles Koch.
* Cato leads the right-wing's push for privatization of government services. In 2001, the Washington Post, noting Cato's influence, said it "has spent about $3 million in the past six years to run a virtual war room to promote Social Security privatization."
* Cato supports the wholesale elimination of eight cabinet agencies - Commerce, Education, Energy, Labor, Agriculture, Interior, Transportation and Veterans Affairs - and the privatization of many government services.
* Right-wing foundations that fund Cato include: Castle Rock, Sarah Scaife, Koch Charitable, Olin, Earhart, and Bradley Foundations.
* CATO's corporate benefactors include:
Philip Morris, R.J. Reynolds, Bell Atlantic Network Services, BellSouth Corporation, Digital Equipment Corporation, GTE Corporation, Microsoft Corporation, Netscape Communications Corporation, NYNEX Corporation, Sun Microsystems, Viacom International, American Express, Chase Manhattan Bank, Chemical Bank, Citicorp/Citibank, Commonwealth Fund, Prudential Securities and Salomon Brothers. Energy conglomerates include: Chevron Companies, Exxon Company, Shell Oil Company and Tenneco Gas, as well as the American Petroleum Institute, Amoco Foundation and Atlantic Richfield Foundation. Cato's pharmaceutical donors include Eli Lilly & Company, Merck & Company and Pfizer, Inc.
I wonder how many of the above companies are outsourcing? Probably every one of them.
The Washington Post characterized CATO's agenda as, "A soup-to-nuts agenda to reduce spending, kill programs, terminate whole agencies and dramatically restrict the power of the federal government." That sounds really good in theory, but the underlying agenda of CATO is to pump out polarized "research" to further this cause, which ultimately divests critical responsibilities to a small set of mega-corporations, which probably have less of a sense of responsibility and ethics than the government.
I'd be real scared of the future they're promoting.
IMO, outsourcing is merely a symptom of a much larger problem that has psychological and sociological roots.
I submit:
* There's a fundamental paradigm shift in the mindset of the American work force. This is evident in all societies that become more capitalist and consumer-centric, and America being the leader of this trend, exhibits the pathology to a more extreme degree than other societies. America also has a less-substantive cultural background from which its sense of purpose has evolved when compared with Asian or European cultures and this also contributes.
* While there are numerous exceptions, I see a substantive trend towards the output of the American worker, on average, being considered little more than a means to an end. Sense of pride in a job well done now takes a back seat to revenue generated and the collection of material possessions.
* The new, extreme consumer-centric American society revolves around selling neatly-packaged, instantaneous [seeming] solutions to solve all known problems.
We have new economies rapidly being built around business models driven by the idea that everything needs to be constantly updated, upgraded and replaced. Things aren't built to last "forever"; products are specifically engineered to be quickly obsoleted in order to maintain a constant scheme of consumption and revenue.
* So now we have a society where we have managed to easily provide ourselves with basic necessities, and are now "manufacturing desire" as a product unto itself. The process of creating this market has two really bad side-effects: First, we are conditioned to consider all products to be inadequate, even from the moment we produce or acquire them. The fact that nothing is ever good enough demoralizes our work force. So nobody really cares about the quality of their work. Second, the process of promoting this consumer-centric model manifests itself in an ever-increasing sensory bombardment of messages promoting inadequacy and simple solutions (however unrealistic) to complex problems. People become ADD and progressively less capable of addressing issues from a proactive perspective.
* So in our great, advanced society, we are overrun by those seeking simple solutions to complex problems, and those promoting simple solutions to complex problems. Our work ethic has gone to shit. We're so constantly bombarded with messages of inadequacy and the idea that "upgrading" will make everything instantly better, that we're not motivated to take the long road, understand why things fail, and actually solve problems. We just keep putting band-aids on things and passing the buck.
* In many markets, this pathology isn't as critical, but when you talk of computer systems, their ability to be qualified as capable or non-capable are obvious. So when you need a complex system developed, outsourcing the project to a different cultural state, that isn't so tainted (yet), and still maintains more of a sense of pride in a job well done, makes sense.
I've always felt that outsourcing was less about money and more about quality. And the truth is, the tech industry in America has become overly politicized, and the American worker has a dramatically diminished work ethic that is the result of his ever-changing environment, which de-emphasizes the significance of a job well done in favor of upgrading to the next perfect solution.
Is education an issue here? Yes, but it's not as much dependent upon the knowledge people possess as it is the need to educate people on more abstract concepts involving a non-materialistic search for satisfaction, pride and productivity.
In my experience, one of the most significant and under-recognized challenges in development is the selection of the right tools, operating environment and languages in which to develop/deploy an application.
I'm probably going to get flamed for this, but I believe we now have "vanity languages" and platforms that are driven more by marketing than fitness for a particular purpose. In the last several years I've seen lots of programs written in stuff like Java, Cold Fusion, .ASP, and Perl that really should have been using something different based on the demands of the process.
These days, your typical American developer has a narrow stable of technology that he uses. He often doesn't stop to examine whether or not the application being designed is best suited for the environment in which he plans to build it.
I would suspect a significant share of development disasters are due to the people involved choosing the wrong tools and then making things ten times harder for themselves later on.
Here's how the government can address the issue of the patent office being overwhelmed: Pass a law requiring that patent applications be processed faster. *bingo* it's all fixed.
This seems to be the current trend. Never mind figuring out how to fund things or fixing the system, or improving existing processes. Let's just pass another law and magically expect everything to be fixed. It's worked with spam! It's worked with the war on terror and national security. Why not the USPTO?
Well, if there is "teeth" then the OSS movement should actively enforce this issue. That could generate much-needed money for their coffers. While Sun may not be the most desirable candidate to go after, they probably could serve as a suitable example so that others don't abuse the GPL.
If nothing is done about it, this reinforces the idea among corporate amerika (I prefer that spelling until we have our regime change) that the OSS movement are a bunch of pu**ies that are all talk and no action when it comes to playing in the world of big business.
My question is what remedies can be made realistically to enforce this? I assume you can revoke the license but what about compensatory damages? What is the real incentive to adhere to the terms if a company such as Sun has no fear that substantive repercussions will result?
It seems standard policy now that corporate amerika factors in numerous "slaps on the wrists" to their ongoing business plans. Where's the teeth?
You said that PHP allows the user to override variables when register_globals is set. It doesn't.
Arguing semantics with you is probably pointless so this will be my last reply because what you're bringing up is just argumentative and not productive (nor accurate), but I'll respond to this since you still seemed to have not gotten the point.
1. register_globals allows users to override/overload (whatever you want to call it) variables.
That statement is TRUE. I didn't say "pre-initialized variables" - I said variables. PHP does not require variables to be pre-initialized and there are probably more PHP scripts on the net without pre-initialization than otherwise, not to mention there are circumstances where you might not want the variables initialized.
The only FUD here is you trying to cast a shadow of doubt over that saying that with proper variable declaration, it's a moot point. Yes, that's correct. But that's exactly why this feature is dangerous. If you do not initialize the variables but instead reference them within the script later, or you conditionally initialize them based on them not being defined, you have a SERIOUS security issue.
PHP does NOT require variables to be initialized. Therefore register_globals further emphasizes bad programming habits and dangerous programmatic behavior.
Your whiny diatribe about my point being FUD is ineffective.
I challenge you to grab 10 random PHP scripts and find even half of them with 100% declared variables. I doubt you could. Register_globals exacerbates the bad programming problem exponentially.
In a perfect world, all programmers would write perfect code, initialize and cast all variables perfectly, validate and sanitize all input, and always know exactly what to expect. But we don't have this perfect world, so your whole argument doesn't mean a thing.
The only FUD here is you trying to legitimize register_globals as something necessary. IT IS NOT.
My solution to the problem:
* turn register_globals OFF, require PHP developers to reference each variable they need specifically
Your idea of security:
* turn register_globals ON, expect every programmer on the server to write PERFECT code, and if not, examine each and every script to make sure there's no overloading... and since you like register_globals, you probably also have safe_mode disabled, so you've got a fun server there to play with. I just hope you're not handling any important data.
Saying that register_globals is a dangerous feature is about the same as saying pointers are a dangerous feature. Just because programmers can be (are) stupid most of the time, doesn't mean that it's not an extremely useful feature.
I couldn't disagree with you more. The feature is unnecessary and dangerous. It doesn't offer any additional functionality that wasn't available before. The convenience it saves is negated by the additional work you have to make to maintain the integrity of other variables you are working with.
The example you cite is just one scenario among many others where things aren't so obvious. I'm fond of repurposing snippets of code where register_globals would wreak havoc: a routine that displays the content of a set of variables where in some cases these vars might be submitted and other times internally generated within other existing code. In a case like this, I don't override the value of a variable unless I check to first make sure it isn't already defined. Register_globals screws this up.
This is very common in html/form applications where you might be re-displaying edited content when previewing a form. I may have one set of code which handles filling out an empty form and editing an existing record. Keeping the variables undefined and retrieving them from GET/POST arrays allows me to reuse the code efficiently and securely.
There are always work-arounds but the bottom line is pulling the data from the standard GET/POST arrays is much more professional and secure. It enforces proper programming techniques. Register_globals is a crutch. But what do I know? I've only written a best selling book on CGI programming and my software has received Editor's Choice in PC Magazine. I'm just a n00b.
Finally, I don't think you should be lecturing anyone on server security seeing that you got such a basic tenet plain wrong.
Which basic tenet is that? Disagreeing with you?
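The "initialize only if not already defined" pattern the thread argues over, written out as an added example (not code from either poster). register_globals was removed in PHP 5.4, so extract() of the request array is used here to reproduce its effect; the request values and the session array are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread. register_globals no longer
// exists in modern PHP; extract($get) below stands in for what it did:
// turn every request parameter into a global variable before the script runs.

// Constructed request, as the server would populate it for ?mode=edit&is_admin=1
$_GET = ['mode' => 'edit', 'is_admin' => '1'];

// Vulnerable pattern: the script assumes a variable is undefined until it sets it.
function render_vulnerable(array $get): string
{
    extract($get);                 // register_globals-style: attacker-chosen names become variables
    if (!isset($is_admin)) {       // "conditionally initialize if not yet defined"
        $is_admin = false;         // never runs: the request already defined $is_admin
    }
    if (!isset($mode)) {
        $mode = 'view';
    }
    return $is_admin ? "admin panel ($mode)" : "user form ($mode)";
}

// Hardened pattern: request data is read by name from $_GET/$_POST and validated;
// authorization state comes only from server-side session data.
function render_hardened(array $get, array $session): string
{
    $allowed_modes = ['view', 'edit'];                      // whitelist of accepted values
    $mode = (isset($get['mode']) && in_array($get['mode'], $allowed_modes, true))
        ? $get['mode']
        : 'view';
    $is_admin = !empty($session['is_admin']);               // never taken from the request
    return $is_admin ? "admin panel ($mode)" : "user form ($mode)";
}

echo render_vulnerable($_GET), "\n";     // admin panel (edit): the URL alone granted admin
echo render_hardened($_GET, []), "\n";   // user form (edit): an empty session means no admin
```

Run with `php` on the command line; the two output lines show the same request producing different privilege levels depending only on which pattern handled it.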
(Windows update), Spybot S&D, Startup Cop, TweakUI, Editeur (or another good notepad replacement), a set of DOS-compatible unix command line utilities (tar,gzip,etc.), Mozilla/Firefox, Eudora, 4dTime (NNTP time sync), WinZip, and an SSH client (SecureCRT).
Wrong. It is not the only way. It is the easier way. Especially if you are a clueless sysadmin.
I agree with you that TDE brought it upon themselves though. Problem is that you aren't punishing only TDE. You are punishing innocent ppl too, so your analogy:
You cannot find ANY form of "justice" that doesn't have collateral damage.
I'm not doing anything to TDE's customers. That's hogwash. I'm choosing what systems I allow my network to communicate with. It's my prerogative. If there are innocent people using ISPs that are out of control with spam, I am merely one of tens of thousands of entities on the net that are likely exhibiting prejudice against these people. Whose fault is that? TDE. There are other, more serious perpetrators in the chain, but TDE is the identifiable "enabler" that can and will be addressed.
As I stated before I don't think that banging the users is a fair way of punishing a provider. Maybe a lot of those users can't change providers. I'm sure you don't mind, like you stated, but that doesn't make it fair, sorry.
I have to believe you probably don't have much business experience. This is the way things are done. Companies are motivated by profit/loss and things tied to it: reputation, reliability, etc. Look around you.. the most effective way to effect change is to force it. TDE has no motivation to address the problem until it starts affecting their revenue.
The RBL process isn't aimed at users. It's aimed at irresponsible ISPs. The users are innocent victims, but there really hasn't proven to be a more effective method of addressing this problem given the circumstances. As an admin, I stick with what works and doesn't cost me a small fortune to implement. The spammers and lame ISPs have already wasted too much of my time. For every victim at the RBL'd ISP, there are probably a thousand victims elsewhere that are mailbombed by the IPs at TDE.
You got it backwards. It's YOUR trash. 99,9% of it is USA spam directed to USA nerds.
Perpetrated with the cooperation of your non-USA ISP.
Is blocking TDE going to stop 419ers from finding another badly configured system? No.
Do you really want the spam to stop or do you prefer blaming ppl from the top of your soapbox? I don't know.
You aren't addressing the real problem at all.
I'm not blaming people. As I said before, I'm using the MOST EFFECTIVE APPROACH that has yet to be offered. It works better and faster than other methods. If you can come up with a better idea, I'm all ears, but don't waste my time with server or client-side filtering unless you are going to pay for those resources and the extra bandwidth we need because we're not stopping the spam.
I do know the real problem.
I'm not saying this is all TDE's fault, but TDE is the trackable link in the chain. They have a responsibility to control the traffic from their network. If TDE would publish details of the source of the exploitive spammers, the community would be more than happy to help them address the issue, but until then, those lepers need to be cordoned off until they can cure themselves.
First, the TV is a bad example. It's a one-way device. It's probably revolutionized laziness, but certainly not society. Even disregarding that, no, I don't think it is immoral for things to have costs. I think you are trying to change the topic.
Don't get me wrong. I applaud and share your desire to try to make the real world into IdealWorld(tm). I am just more of a realist on the side.
I don't buy the notion that some invented technology constitutes a morally inalienable right. At least when the technology involves an issue of convenience and not a critical need. Denying medicine to the sick would be immoral, but not letting someone access the Internet if they didn't have the means is far from immoral or unethical.
I remember very clearly something my 6th grade teacher told me when I saw a kid swipe a soccer ball from another kid on the playground: "Life isn't always fair." Yeah, you might be right, but that doesn't mean we shouldn't do everything within our power to make it fair. IdealWorld might not exist, but we can't just throw in the towel and give up trying to reach it.
My father used to say the same thing. I completely agree that it's a worthy endeavor to pursue IdealWorld(tm). But your notion of the ideal world and others will undoubtedly be different, so if there's a middle ground, it needs to be based around working with the existing system, flaws and all.