Slashdot Mirror


User: matthewv789

matthewv789's activity in the archive.

Stories
0
Comments
173

Comments · 173

  1. Re:Illusion of privacy on Google To Encrypt All Keyword Searches · Score: 1

    Precisely... according to the report, it's VeriSign that signed the US Government's intermediate certificates.

  2. Re:Senate confirmation what a joke on Senators Push To Preserve NSA Phone Surveillance · Score: 1

    What redeemable qualities does this ignorant oligarch possess that would explain how she has repeatedly earned your vote over the years?

    "Democrat", "Female"

    Is there something else we need to know to vote for someone?

  3. Re:Illusion of privacy on Google To Encrypt All Keyword Searches · Score: 1

    Not even that. The US Government already has the ability to sign certificates themselves (yes, as an intermediate signing certificate courtesy of VeriSign, which your browser trusts...). They don't even have to ask VeriSign, they can do it themselves.

    See http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf

    And it's worse than you state: your browser trusts not only the list of CAs it has, but also a whole chain of intermediary signing certificates ultimately signed by one of those root CAs... And there is no registry of those intermediate signing certificates or who they belong to.

  4. Re:Illusion of privacy on Google To Encrypt All Keyword Searches · Score: 2

    Yes, this.

    "We also saw a number of commercial authorities that provided a smaller number of certificates to seemingly unrelated entities. For example, VeriSign, Inc. provided intermediates for Oracle, Symantec, and the U.S. Government"

    Source: http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf

    Your browser trusts VeriSign, so your browser trusts the US Government, and not just one signing certificate, a bunch of them:

    "All but a handful of the authorities 4 or more intermediates away from a browser-trusted root belonged to agencies within the U.S. Federal Government."

    In all, their most recent survey found that 85 government agencies (from around the world, not just US, but quite probably MOSTLY US) had signed 17,865 certificates in active use. In almost all cases, any entity with signing authority is able to sign certificates for ANY domain. And of course such a survey is unlikely to notice any targeted MITMs against a particular suspect.

  5. Re:Illusion of privacy on Google To Encrypt All Keyword Searches · Score: 2

    SSL can be MITM'd so long as you can sign a certificate in a way trusted by web browsers. And it turns out quite a number of branches of the US Government are among the nearly 2000 entities with the ability to sign certificates for any domain that will be accepted by web browsers as valid and trusted (which I did not know previously). See http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf

    And RSA did recently ask developers to stop using all versions of the BSAFE toolkit (including Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, and SSL-C), which default to using Dual EC DRBG, and for all customers of RSA Data Protection Manager (DPM) server and clients to change the pseudo random number generator in use, since it also defaults to using Dual EC DRBG. See http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/

  6. Re:Illusion of privacy on Google To Encrypt All Keyword Searches · Score: 2

    Not even that. The US Government has certificate signing power already. They don't need to copy any existing certificates, they can just generate and sign a certificate for whatever domain they want to MITM, and it will be accepted by the major browsers. If they don't have the cooperation of the ISP, they can easily hack a router.

    Reference: http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf

    We really need a new system of trust. Some mechanisms are in place to be more trustworthy, but they're not being used. For instance, the US Government COULD be empowered to sign certificates only for .gov or .mil domains. But, like nearly all entities with signing authority, they can sign certificates for ANY domain.
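The restriction the comment above describes (a CA that may only sign for .gov or .mil) is what X.509 name constraints (RFC 5280 §4.2.1.10) express, and comments 3 through 7 all turn on the fact that browsers accept any domain from an unconstrained intermediate. The following is an added example, not code from the commenter or from the cited paper: a toy chain validator in Python with constructed certificate stand-ins (no real certificates are parsed and signatures are assumed to verify). It shows the same leaf name being accepted under an unconstrained intermediate and rejected under one constrained to gov and mil; all CA names, hostnames and the `Cert` class are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    is_ca: bool = False
    dns_names: List[str] = field(default_factory=list)      # leaf SAN dNSNames
    permitted_dns: Optional[List[str]] = None               # NameConstraints permittedSubtrees; None = unconstrained
    excluded_dns: List[str] = field(default_factory=list)   # NameConstraints excludedSubtrees


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName matching: the name equals the constraint or is a
    subdomain of it. A leading dot on the constraint is tolerated."""
    n = name.lower().rstrip(".")
    s = subtree.lower().rstrip(".").lstrip(".")
    return n == s or n.endswith("." + s)


def name_allowed(name: str, ca: Cert) -> bool:
    """Does `name` satisfy the NameConstraints carried by `ca`?
    Excluded subtrees win over permitted ones; no permitted list means unconstrained."""
    if any(dns_in_subtree(name, ex) for ex in ca.excluded_dns):
        return False
    if ca.permitted_dns is None:
        return True
    return any(dns_in_subtree(name, p) for p in ca.permitted_dns)


def validate_chain(chain: List[Cert], trusted_roots: List[Cert], hostname: str) -> List[str]:
    """Check a leaf-first chain against a trust store and a hostname.
    Returns an empty list when the chain is acceptable, otherwise the problems found.
    Only path building, CA flags and name constraints are modelled here."""
    problems: List[str] = []
    leaf = chain[0]
    if hostname.lower() not in [d.lower() for d in leaf.dns_names]:
        problems.append(f"leaf does not name {hostname}")
    # Walk issuer links from the leaf up to a certificate issued by a trusted root.
    path_cas: List[Cert] = []
    current = leaf
    for cert in chain[1:]:
        if cert.subject != current.issuer:
            problems.append(f"{cert.subject} did not issue {current.subject}")
            return problems
        if not cert.is_ca:
            problems.append(f"{cert.subject} is not a CA")
        path_cas.append(cert)
        current = cert
    roots = {r.subject: r for r in trusted_roots}
    if current.issuer not in roots:
        problems.append(f"issuer {current.issuer} is not a trusted root")
        return problems
    path_cas.append(roots[current.issuer])
    # Every CA on the path constrains every name the leaf claims.
    # (Toy simplification: RFC 5280 also applies constraints to intermediates' subject names.)
    for ca in path_cas:
        for name in leaf.dns_names:
            if not name_allowed(name, ca):
                problems.append(f"{name} violates name constraints of {ca.subject}")
    return problems


# Constructed trust store and intermediates (hypothetical names).
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)            # self-signed, in the browser store
UNCONSTRAINED_CA = Cert("Agency CA (unconstrained)", "Example Root CA", is_ca=True)
CONSTRAINED_CA = Cert("Agency CA (constrained)", "Example Root CA", is_ca=True,
                      permitted_dns=["gov", "mil"])


def demo() -> Dict[str, List[str]]:
    """Three constructed chains; each value is the list of validation problems."""
    roots = [ROOT]
    leaf_any = Cert("search.example.com", "Agency CA (unconstrained)", dns_names=["search.example.com"])
    leaf_other = Cert("search.example.com", "Agency CA (constrained)", dns_names=["search.example.com"])
    leaf_gov = Cert("portal.agency.gov", "Agency CA (constrained)", dns_names=["portal.agency.gov"])
    return {
        "unconstrained_intermediate_any_domain": validate_chain([leaf_any, UNCONSTRAINED_CA], roots, "search.example.com"),
        "constrained_intermediate_other_domain": validate_chain([leaf_other, CONSTRAINED_CA], roots, "search.example.com"),
        "constrained_intermediate_own_domain": validate_chain([leaf_gov, CONSTRAINED_CA], roots, "portal.agency.gov"),
    }


if __name__ == "__main__":
    for case, probs in demo().items():
        print(f"{case}: {'ACCEPTED' if not probs else 'REJECTED: ' + '; '.join(probs)}")
```

The first case is the situation the commenters describe: with no constraints on the intermediate, a certificate for an unrelated domain chains cleanly to the trusted root. The second case is what a permittedSubtrees extension on that intermediate would change, and the third shows the constrained CA still working for its own namespace. Real validators (browsers, OpenSSL) apply these checks as part of RFC 5280 path validation; the toy only models the name-constraint portion.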

  7. Re:Illusion of privacy on Google To Encrypt All Keyword Searches · Score: 1

    The US Government owns root signing keys, so they can sign certificates for any domain they want whenever they want to.

  8. Re:uhuh sure on Apple Now Relaying All FaceTime Calls Due To Lost Patent Dispute · Score: 1

    Furthermore, despite relaying through central servers, they have not used that capability AT ALL to help users of Skype.

    If both you and the person you are talking to are not online at the same time, your message will not be delivered to that user. If they're offline, your message to them will be "pending". If you then go offline, then they come online, they still won't see the message, and the next time you come online it will still be "pending". - which is what you'd expect from direct, peer-to-peer communication.

    So this routing through central servers does NOTHING to help users of the system, though it so easily could have by forwarding the stored message when one or the other user is online, not requiring both to be online at the same time to relay the messages.

    This re-architecture solely to facilitate spying on users (particularly without telling them you're doing that and why), without taking the golden and possibly rather trivial opportunity to help improve the service, instead maintaining the ILLUSION of hard-to-intercept peer-to-peer behavior, is PURE EVIL.

  9. Re:They ruined what made it successful already. on LinkedIn Now Targeting Universities, 14-Year-Olds · Score: 3, Insightful

    I totally agree, recommendations are one thing, but the endorsements are worthless, 95% of the people who have given me endorsements could not possibly know in the slightest what I'm good at in terms of those skills. What happens is LinkedIn gives them a prompt occasionally to "Endorse so-and-so for this skill" and they click "ok".

  10. Re:"Apps" are not web interfaces on Web Apps: the Future of the Internet, Or Forever a Second-Class Citizen? · Score: 1

    However, I don't believe that web interfaces will ever equal custom client code or custom apps for the simple reason that you get hesitations and delays during page and AJAX refreshes. One of the worst culprits for this is trying to implement drop down choice boxes that adapt their contents to previously selected data, such as country-state interactions. The only way I know of to do that with a web interface is to refresh the whole page, which is obscenely slow compared to the repopulation of the choice box data itself done by a custom interface.

    I'm not sure I understand the problem here, unless you're doing it wrong. Lists of data like country-state interactions are small; there is no reason not to have that data available when the page loads (most likely as part of a script or json file), and updating the list from the data should be imperceptibly quick. If you need to query the server every single time to make sure you have the most up-to-date list, that problem would be the same for an actual app as a web app.

    There is also no way to perform performance tuning and UI tricks like dynamically making widgets visible/invisible with a web app, something that is very common to high performance custom interfaces. In part, this is because web apps don't have the necessary layout management interfaces that a custom application does, which allows them to position those hidden widgets appropriately so that they overlay each other to the pixel.

    Seriously? How is it we can't position elements over other elements with pixel-perfect accuracy on the web? We've been doing it for years. Similarly with making elements visible/invisible, which can be done trivially and instantly on the web as well.

  11. Re:Please Also Note on CNET: Feds Put Heat On Web Firms For Master Encryption Keys · Score: 1

    Might it have been possible for Microsoft to fight this by clearly separating Skype-to-Skype calls from Skype-to-telephone calls? Only the latter would clearly fall under CALEA as far as I know. I don't know whether they tried or not, but instead of caving and making all of Skype transparent to the feds, they could have at least walled off the (much less-used) Skype-to-telephony bridge, and kept the rest more protected. Might not have mattered much though, considering all the access the feds compelled from the likes of Google, Facebook, and Yahoo (where telephony was not necessarily involved).

  12. Re:Self signed? on Anonymous Source Claims Feds Demand Private SSL Keys From Web Services · Score: 1

    Why wouldn't it be trivial for NSA to create their own self-signed key for your domain and use it in a man-in-the-middle attack?

    When it comes to them getting the certificate through legal means, it sounds from this as if they are doing it by going directly to each company, which could mean you'd be required to cough up your self-signed key if they had the legal force to compel it.

    Now in the case where they might go to a certificate signing authority and ask for your keys so they can silently snoop on your traffic (even stored traffic after the fact) without your knowledge, that might be where there's a vulnerability in a key signed by a CA, because someone outside your business has knowledge of it. However, using Perfect Forward Security features of SSL/TLS could prevent this from being a problem except in an actual man-in-the-middle attack.

  13. Re:Why only ask for transparency of their actions? on Tech Firms Planning Highly Irate Letter To Government Requesting Transparency · Score: 1

    Ding ding ding! We have a winner!

    Obama is well aware of what happened to JFK, RFK, and MLK, Jr. Even Clinton got Lewinskied for bad behavior.

  14. Re:The method of tapping--access the "backbone." on WA Post Publishes 4 More Slides On Data Collection From Google, Et Al · Score: 1

    True, but as all those providers gradually switched over to default https connections, the Gmail, Facebook, etc. traffic flowing over the backbones has become encrypted.

    Furthermore, if they do find something suspicious, it's damn convenient to be able to dump the user's entire email box, contacts, etc. as well as to monitor future activity no matter where they connect from, rather than having to search for such data as it passes by various backbones and past activity from a huge undifferentiated archive of internet traffic.

  15. Re:Is that really the problem? on Overconfidence: Why You Suck At Making Development Time Estimates · Score: 1

    I can't even count the number of times I've had this exact conversation with a project manager... I think it is equal to the number of projects I have worked on.

    And I have been right every time, even when they outsourced all the work.

  16. Re:There is a $500 fine for this on NASA's Own Video of Curiosity Landing Crashes Into a DMCA Takedown · Score: 1

    Except... "the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed". Well the owner of the exclusive right is NASA (US Government = we the people), NOT Scripps. So Scripps was indeed guilty of perjury by claiming to be the owner of that right, or someone authorized to act on behalf of NASA. (The "alleged infringement" would speak to whether the use is fair or not; it should not, in my opinion, speak to whether the claimant incorrectly claims to be the owner of someone else's work.)

    I do think this is, and should be, a punishable offense and the sooner these companies are punished for each instance of this kind of behavior the better, because they sure are abusing it and are hurting real people, and society, in the process.

  17. Re:They skipped IE support on their ADMIN pages on Startup Skips IE Support, Claims $100,000 Savings · Score: 1

    True, modern IE is not that hard to support. But the only "modern" IE is IE9. Supporting IE8 and 7 is still a nightmare, though they are in no respect "modern".

    - To support IE8, one assumes that you will avoid all use of CSS3, or at the least avoid CSS3 selectors and assume that it doesn't need to be pixel perfect (no gradients, shadows or rounded corners).
    - To support IE7, you furthermore need to avoid all use of CSS2.1 selectors.
    - The farther you go back, the more you also need to worry about vagaries in margins and other positioning differences.

    In other words, to gracefully support IE7+, you basically need to code for the web of 10 years ago, which is more time-consuming, inflexible, and difficult to maintain going forward, and also leads to heavier pages (lots of background images, instead of a few lines of css code).

    I am skeptical of $100,000 though.

  18. Re:Feelings are more important than science on Positive Bias Could Erode Public Trust In Science · Score: 5, Interesting

    Yup, that's the crux of the problem. While it may be true, as others say below, that publication bias against negative results occurs in all fields (such as physics) regardless of study funding, what we are seeing now is the influence of pharmaceutical industry funding in the clinical trials used for FDA approval of drugs (that is, a company funding the trial of its own drug).

    Specifically, drug studies funded by pharmaceutical companies are four times more likely to show a positive benefit than ones funded by neutral sources. This is a problem because nearly two-thirds of clinical trials used for FDA approval are now industry-funded.

  19. Re:Not so popular in the US? on 20 Years of GSM and SMS · Score: 1

    Hang on, the other person said they're free/unlimited?

    The other person was wrong. They are only free when included in some all-inclusive voice/data plan, which usually runs about $99/month. Since it's usually possible to add an adequate amount of data to voice for about $20/month less than that (without SMS), it's not at all true that most phone subscribers have an SMS plan, or that it comes for free. (Note: since I don't typically watch video for hours on end or stream music all day long, I've never used more than about 25% of my available bandwidth on one of the lower-tier data plans despite tethering my laptop, especially because my phone uses local Wi-Fi at home and work.)

    On the other hand, every SMS plan I know of offers unlimited messages.

    My friend had a package with 5,000 texts a month and regularly broke that so had to move to an unlimited package.

    In the US they don't have limited SMS plans, it's either unlimited or nothing. Those with unlimited plans may be texting thousands per month, but those without, paying per text (sent or received) typically send very few. I don't have a plan, and rarely text, but haven't blocked SMS (which I did seriously consider, and I assume many people probably do, especially older people) because it's occasionally useful. The occasional spam which costs me $0.50 annoys me, but ultimately doesn't cost me very much (it's usually not more than about one per month).

  20. Re:Not so popular in the US? on 20 Years of GSM and SMS · Score: 1

    Except that most every carrier in the US charges $20/month extra for that unlimited SMS plan (or else $0.25 - $0.50 per text - sent or received! - with no plan). Yes, the other thing is that you pay equally to RECEIVE texts as to send them, even if they're spam.

    Sometimes they bundle it in all-inclusive voice-SMS-data plans for like $99/month, but no, it's never free in the US.

  21. Re:Just whiners on Hobbit Film Underwhelms At 48 Frames Per Second · Score: 1

    It sounds just like the complaints that CDs sounded inferior to LPs...

  22. That's not Astroturfing on Ask Slashdot: My Company Wants Me To Astroturf, Should I? · Score: 2

    That's just simple promotion - asking employees to mention to friends, family and other acquaintances the products or services the company offers.

    Astroturfing would be if you were pretending to be someone who DIDN'T work at the company. So long as it's a social network where your affiliation with the company is clearly visible and/or all your friends/family already know you work there, there's no ethical problem.

    You don't have to BS or anything like writing a glowing review of a product you haven't used/don't like, but simply liking or +1ing something is just a way to spread its visibility to more users.

  23. Why not try to fix the most important problems? on X-Prize Founder Wants Ideas For Fixing Education · Score: 1

    A few years ago, I was looking through some studies on educational outcomes, crunched some of the numbers, and came to a conclusion. I don't have the source studies handy right now, but the conclusion I came to was that about 50% of student achievement was attributable to one thing: classroom management. That is, the teacher's ability to keep the students attentive and participating. And the difference between the worst 10% of teachers and the best 10% was about 2x - that is, students would learn about twice as much in a year with the best teachers as with the worst.

    The thing about classroom management is that it's largely a teachable skill, like public speaking. There are lots of "tricks" to get people to pay attention and participate that can be taught, and learned. But it doesn't seem that schools (or teachers colleges) are even evaluating teachers on this skill, let alone training them to improve in it.

    If we could achieve substantial improvement in most teachers in this area of skill, we could likely realize a great improvement in educational outcomes. Then we could move onto the next-biggest problem (whatever that is).

    I suggest that before we worry about firing "bad" teachers, let alone whether unions make it difficult to do so, or arbitrarily try to hold teachers and students to some performance standard without giving them any clue how to achieve it, we put in place some standards relating to things that have been shown to really make a difference in the educational outcomes, and provide training to help them do so.

  24. Re:Misleading to call it "non-copied" on Non-Copied Photo Is Ruled Copyright Infringement · Score: 1

    I don't agree that your example is (or at least should be) a derivative work, but it might constitute trademark infringement if the similarity is confusing enough.

    I also don't agree that the "replicated" photograph from the original article should be considered a derivative work. If a complicated process was required to reproduce a photo, the second photographer would need to be quite experienced to figure out what that process was and replicate it - and it would take some effort to do so (having the equipment, going to the location, setting up the shot, doing all the processing and manipulations, etc.). It's not like they just copied the original photo, skipping all that knowledge and effort.

    If the first photographer didn't get a patent on the process it took to make the photo, then it should be fair game for others to try to replicate it; if the original photographer publicized instructions for how it was done (allowing people to easily replicate it without figuring it out for themselves), then it should be fair game to follow those instructions; they'd still need to have the equipment and put in the effort to do so.

    Being thematically similar enough to be confused with the original should not be protected by copyright; that's a job for trademarks, and if the original photographer didn't take out a trademark on it, then it should have no protection in that area.

    Copyright is meant to prevent verbatim (in whole or in substantial part) lifting of work someone else already did. It is neither meant to prevent other works inspired by or paraphrasing the original, nor to prevent confusion between similar works (that's what trademarks are for), nor to stop someone from using a similar process in creating another work (that's what patents are for).

    Rather than being offended and trying to claim copyright infringement, the original photographer should be flattered that their work was inspiring enough to be mimicked, which in the process will probably draw more attention to it, increasing the photographer's fame and income.

  25. Re:why is it football, again? on The Sports Footage You Won't See Today On TV · Score: 1

    Because it is played on foot, as opposed to polo, which is played on horseback.

    "Soccer" gets its name from "association football" whereas American football et al are descended from "Rugby" rules football.