Slashdot Mirror


User: randyflood

randyflood's activity in the archive.

Stories: 0
Comments: 151

Comments · 151

  1. Re:When robots are commonplace in society... on Japanese Develop 'Female' Android · · Score: 1

    I don't know what your problem is. I for one welcome our new female robot overlords.

  2. Professional Obligation on Researcher Resigns Over New Cisco Router Flaw · · Score: 4, Interesting

    Two words "Professional obligation".

    There used to be two general ways to handle security flaws when you discovered them. Either you could privately exploit the hell out of them. Or you could just privately report them to the company involved and wait patiently for them to release a fix.

    However, there is a big problem with this particular model. The problem is that companies like Cisco, Microsoft, etc. don't really seem to think that exploits that allow people to remotely execute administrator level code are really that big of a deal, and they figure that they can just create a patch when "we get around to it" or "next year".

    Meanwhile, do you really think that you are the only person in the entire world who is guaranteed to find the exploit? The black hats of the world have probably already found the exploit anyway in many cases. It's just the customers who are suffering because a patch is not available.

    This model of waiting around forever was a dismal failure. So, security professionals found that by publicly releasing their findings, they could force companies to take security more seriously. The responsible way to do this is to first inform the company privately of your finding, and give them a reasonable chance to fix it.

    What you think is reasonable is up to you, *not* them. They are playing by your rules. You are not playing by theirs. Remember, that you are being nice to them by not just publicly releasing the exploit the day that you found it. So, they should respect that. If they do not, that is their problem. Still, as a professional, you should rise above them and try to give them a reasonable time to fix the problem.

    Now in this case, what he did was he informed them 4 months ago of the vulnerability along with a proof of concept. They decided not to fix the problem. They claimed there was no problem. He waited patiently for *4 months*. They said that this wasn't really a vulnerability. Then, they knew well in advance of his presentation at Black Hat, and yet they still chose not to fix the problem.

    So, what is he supposed to do? As a security professional, it is his ethical obligation to publicly disclose his findings at that point.

    In conclusion, Cisco should spend more money on engineers instead of lawyers.

  3. Re:Missing the point... on EFF Requests Help to Identify "Evil" Printers · · Score: 1


    Well, I'm sure that is the intent of the feature, yes. But it has many other useful applications as well.

    For example, say you have several confidential/classified documents from a particular informant that have come from a particular office printer. Now, say for example, one of these documents gets discovered accidentally in transit by someone who works for the same people as the informant. Now, the people searching for the leak may have a way to narrow down the source of the leak somewhat since they can determine where it was printed. In some cases this could be sufficient to identify the source.

    Likewise, say you are a political party. So long as someone has at least one thing printed from each of your printers, they can positively test each document and establish whether or not it came from your printer. So, don't try to forge those memos about the competing party on your office printers. Nor on your home printers. Better use printers one time and then destroy them.

    And for that matter, don't try to write anonymous letters to the editor. And certainly don't write letters that say stuff like "Dear airport security people. Your airport security sucks... etc."

  4. Psychographics and all that on Challenging Music Downloading Myths · · Score: 1

    Well, let's think about this for a moment. You've got a lot of people out there that really don't buy a whole lot of music or really even listen to the radio all that much or whatever. Many of these people probably don't even get on the internet and read Slashdot (gasp) and some of them don't even know what it is... So that is one group of people.

    Then you've got your second group of people who are avid music fans. They are out there buying CDs like mad, or at least in comparison to the first group. And they always want the latest album when it comes out. And they listen to all the newest songs. And they get into arguments with their friends about which band is better... And they are out there downloading MP3s and all that. Well, in comparison to the first group, of course they buy a lot more music. Many people from the first group don't even *own* a stereo.

    And yeah, there are a lot of groups in between these two extremes, but you get my point...

  5. Re:You prefer the live ammo solution? IDIOT! on Riot Control Ray-Gun for Use in Iraq · · Score: 1


    Well, weapons that are less than nonlethal weapons can be a good thing in a situation where your protesters are likely to present a real security threat to the military/police. But, they are not *always* a good thing. Think about the cases where the protesters are instead protesting peacefully, but the authorities really just don't like what they are saying.

    Remember Tiananmen Square in China? The Chinese Military was very reluctant to run over its own people with Tanks, for example. Remember that guy who stepped out in front of the tank? The military person driving the tank stopped the tank rather than run over him. Some times, people are very unwilling to shoot peaceful protesters with machine guns. Because of this, the Chinese were able to have an inspiring protest that was not just broken up by trivial measures.

    Remember Gandhi? He was committed to nonviolent protest. There is a certain difficulty for a military force when faced with someone like Gandhi when armed with rifles. You only have a finite supply of bullets, and each innocent person you kill only strengthens the resolve of the protesters.

    A nonlethal weapon changes things considerably, and potentially in a concerning way. If a protester says, "We hate the Republicans", or "The troops should leave Iraq" or "The government sucks" or they burn a flag, or they say, "Monica was really not as pretty as Marilyn Monroe. WTF were you thinking?!!" the authorities might be tempted to use their ray guns to break them up.

    This could have a chilling effect on free speech, and on people's right to protest. I will stand up to any member of the military that I served with and express my political opinions and trust him or her to not put a bullet through my head. But, if I am in a crowd of protesters, and someone decides to burn a flag, I know that many of those same people would pull the trigger on the ray gun in a heartbeat.

    And that is what I am concerned about.

  6. New Denial of Service attack on Hat Colors on Security Hackers Interviewed · · Score: 1


    Enumerate all the possible colors of Hats and file trademarks on them (Purple Hat, Aqua Hat, Green Hat, Pink Hat, etc.).

    Then, write a Perl script that does daily google queries for each color of hat. Whenever someone else starts using Aqua Hat, or Gold Hat or whatever, Write them a Cease and Desist Letter. Also have your script attempt to locate new names of colors. Then automatically generate Trademark applications for those names of Hats as well.

    File a Patent application for your Perl Script. Say it is an automated method of generating new classifications of hackers based on a dynamic color model.

    Make sure your Perl script uses some trivial form of encryption. Make spurious claims that people who mention things like Aqua Hat are also clearly violating the DMCA by reverse engineering your Perl script to try to steal your valuable intellectual property. Not only that, but they are also violating your patent.

    Then, companies breaking into the security industry will come and buy your trademarked names from you.

  7. Re:no no no, it is innocent until proven guilty on Using Google Maps to Get Out of a Traffic Ticket · · Score: 1


    Well, under the FOREIGN INTELLIGENCE SURVEILLANCE Act, intelligence agencies can monitor the communications of the suspect while he is in the foreign country. Then, under the Patriot Act, "the feds" can monitor his communications when he enters the US. All of this can be approved by Secret FISA courts from what I understand. Thanks to the Patriot act, everyone is now allowed to share their information with each other. So, if they wanted to arrest and prosecute this person, wouldn't it make sense to maybe launch an investigation, and gather evidence against him? Because the hearsay evidence of one source and one picture of two friends hanging out at a bar might actually not be enough to convict someone...

    Hopefully our legal system will find a way to deal with new threats like people who learn to label their political enemies with the label of "terrorist" in order to deprive them of their civil liberties.

  8. Re:Sadly, he's right. on Bob Metcalfe on Open Source, IPv6, IETF · · Score: 1


    Yeah, but Windows doesn't count the "automatically crash after installing each patch" feature in their MTBF calculation...

    Granted, no one is going to install patches on these kind of machines using automatic updates (one would think)... But, it never ceases to amaze me how Windows will automatically crash your machine (and not even save the state of open applications like Internet Explorer) after installing patches.

    The Windows machines may measure MTBF in decades, but they probably measure uptime in days, or maybe weeks.

  9. Why won't Phishers just implement MITM attacks? on SiteKey to Prevent Phishing · · Score: 1


    Why won't Phishers just implement Man In the Middle Attacks?

    spoofed site: Enter your username and password
    Clueless user: foo, bar

    [spoofed site uses username and password to contact real site and fetch challenge question using anonymous proxy]

    spoofed site: What is your pet's name?

    clueless user: Rover

    [spoofed site uses answer to contact real site and fetch challenge question using anonymous proxy]

    spoofed site: What is your birthday?

    clueless user: 1/1/1901

    [spoofed site uses answer to contact real site and fetch challenge question using anonymous proxy]

    spoofed site: What is your pet's name?

    clueless user: Rover

    [spoofed site uses answer to contact real site and fetch "secret" image using anonymous proxy]

    Now, if a second login is required to actually access account data, the user is more than willing to enter it at this point, since the web site has correctly verified that it is authentic.
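The exchange above, as an added model that is not part of the original comment and not any vendor's code: the real site's password, question and image steps are played through a relay that only forwards prompts and replies, and then an origin-bound challenge (which goes beyond the comment) shows the one step such a relay cannot forward. The origins, the account, its answers and the device key are all constructed placeholders.

```python
import hmac
import hashlib
import secrets

REAL_ORIGIN = "https://bank.example"         # constructed placeholder origin
SPOOF_ORIGIN = "https://bank-login.example"  # constructed placeholder origin

# Constructed sample account; none of these values are real credentials.
ACCOUNTS = {
    "foo": {
        "password": "bar",
        "questions": [("What is your pet's name?", "Rover"),
                      ("What is your birthday?", "1/1/1901")],
        "image": "sailboat.png",
        "device_key": b"constructed-per-device-secret",
    }
}

class RealSite:
    """Knowledge-based login: password, then each question, then the 'secret' image."""
    def __init__(self):
        self.pending = {}

    def login(self, user, password):
        acct = ACCOUNTS.get(user)
        if acct is None or acct["password"] != password:
            return ("reject", None)
        self.pending[user] = list(acct["questions"])
        return self._next(user)

    def answer(self, user, text):
        question, expected = self.pending[user][0]
        if text != expected:
            return ("reject", None)
        self.pending[user].pop(0)
        return self._next(user)

    def _next(self, user):
        if self.pending[user]:
            return ("question", self.pending[user][0][0])
        return ("image", ACCOUNTS[user]["image"])

def user_reply(prompt, knowledge):
    """The user answers whatever prompt is put in front of them."""
    return knowledge[prompt]

def relay_knowledge_flow(user, password, knowledge):
    """Spoofed site forwards every prompt to the user and every reply to the real
    site; returns the image it ends up holding, or None if the real site rejects."""
    real = RealSite()
    kind, payload = real.login(user, password)
    while kind == "question":
        kind, payload = real.answer(user, user_reply(payload, knowledge))
    return payload if kind == "image" else None

def sign_challenge(device_key, nonce, origin_seen_by_browser):
    """Client side: sign the nonce together with the origin the browser is really
    talking to (an HMAC stands in for a FIDO-style origin-bound assertion)."""
    return hmac.new(device_key, nonce + origin_seen_by_browser.encode(),
                    hashlib.sha256).digest()

def verify_origin_bound(user, nonce, signature):
    """Server side: the real site accepts only a signature over its own origin."""
    expected = sign_challenge(ACCOUNTS[user]["device_key"], nonce, REAL_ORIGIN)
    return hmac.compare_digest(expected, signature)

def relay_origin_bound_flow(user, origin_shown_to_user):
    """Same relay, last step origin-bound: the nonce can be forwarded, but the
    browser signs over the origin it sees, so a relayed signature does not verify."""
    nonce = secrets.token_bytes(16)  # issued by the real site, forwarded by the relay
    sig = sign_challenge(ACCOUNTS[user]["device_key"], nonce, origin_shown_to_user)
    return verify_origin_bound(user, nonce, sig)

if __name__ == "__main__":
    print(relay_knowledge_flow("foo", "bar", dict(ACCOUNTS["foo"]["questions"])))
    print(relay_origin_bound_flow("foo", SPOOF_ORIGIN), relay_origin_bound_flow("foo", REAL_ORIGIN))
```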

  10. Re:obvious man question on The Internet Archive Sued Over Stored Pages · · Score: 2, Insightful


    Well, pretty much any web site that just takes a copyrighted work from one web site, rips it off and then puts it up on their own web site is, and always has been in danger.

    The only real defense I can see either Google or the Internet Archive raising is "Fair Use". But, if the court rules in favor of the Internet Archive and Google on the "fair use" issue, then how is it going to phrase it exactly? How are they going to phrase it in such a way so that I can not just mirror any copyrighted page I want to my geocities.com web site?

    Trust me, I love the Google cache. It lets me bypass content filtering. But, I think it will be a tricky issue for the court to come up with a way to apply the existing copyright law in a rational way to things like the Google cache.

    You could use the nocache directives to hint to things whether or not they should be included in things like the Internet Archive or the Google cache. But that would break the efficiency of proxies and stuff. So, maybe the way it ought to really work is that we should just have a new directive or something that says "don't archive this site" or somesuch or "Google is allowed to archive this, but no-one else" (that doesn't count proxy servers). Now, I know that anyone *could* cache the stuff to their hearts content regardless of the flags. But if they republished the stuff on the web, and you found them, you could sue them or something.

  11. Re:obvious man question on The Internet Archive Sued Over Stored Pages · · Score: 2, Insightful

    Let's put this into perspective.

    Compare this case to previous cases that courts have considered where Ticketmaster has tried to sue people who have *linked* to their web site. The courts have said that links themselves are not copyright infringement because no actual copying occurs. But in their reasoning they have really clearly implied that if these other web sites had copied content from the Ticketmaster web site, that Ticketmaster would have won the Copyright Infringement claim.

    See

    http://www.bc.edu/bc_org/avp/law/st_org/iptf/headlines/content/2000040401.html

    The DMCA stuff is much more dicey.

    But, I think that they actually have a prima facie case of copyright infringement.

    IANAL

    Randy

  12. Re:What blind/deaf users would want on Designing an OS for Blind/Deaf Users? · · Score: 1


    I think the most important thing for blind users would be the ability to filter out the trolls on Slashdot because, well, you know, it would take a long time to read through them with the braille interface and all.

  13. Re:Wrong Approach on What is the Best Firewall for Servers? · · Score: 1


    They definitely need different layers of protection. But an external firewall protecting them from the outside world and VLANs don't really protect them from their users who they are required to allow to connect to their servers, and yet, whose machines they have no configuration control over.

    The problem is that all of their servers are going to be required to allow access to the (potentially) dangerous ports, protocols, and services that the client machines would want to exploit anyway. The machines that are problematic are other machines inside their campus network that are Windows clients (for example) that are not secured and thus are going to be running malicious code.

    The servers are going to have stuff like SMTP, HTTP, HTTPS, plus all the ports necessary for Windows authentication and file sharing. If they have web servers, then they probably have to open up FTP to them, because the professors are not smart enough to use SSH. That is a pretty minimalistic list. And I am ignoring any discussion of Linux/Unix servers for now.

    Anyway, having host based firewalls on their servers in addition to their other security measures does make some amount of sense. If nothing else, they can provide a warning of what IP addresses are attempting to launch attacks against their servers, and what kind of attacks those are. This could potentially aid them in locating compromised machines and removing them from their campus network.
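One way to act on the warning the comment describes, as an added example that is not part of the original comment: blocked connections from a host-based firewall log are grouped per source address so that internal machines sweeping many servers or scanning many ports on one server stand out as candidates for a compromised client. The log layout, the campus range 10.0.0.0/8 and the thresholds are constructed assumptions, not any product's format or defaults.

```python
import ipaddress
from collections import defaultdict

CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed campus range (constructed)
SWEEP_TARGETS = 3   # distinct servers hit by one source => sweep (assumed threshold)
SCAN_PORTS = 5      # distinct blocked ports on one server => scan (assumed threshold)

# Constructed sample log in a simplified W3C-style layout, not any vendor's exact one.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2005-06-01 09:00:01 DROP TCP 10.20.3.7 10.1.0.5 1031 445
2005-06-01 09:00:01 DROP TCP 10.20.3.7 10.1.0.6 1032 445
2005-06-01 09:00:02 DROP TCP 10.20.3.7 10.1.0.7 1033 445
2005-06-01 09:00:02 DROP TCP 10.20.3.7 10.1.0.8 1034 139
2005-06-01 09:00:03 ALLOW TCP 10.20.3.7 10.1.0.5 1035 80
2005-06-01 09:01:10 DROP TCP 198.51.100.9 10.1.0.5 40001 22
2005-06-01 09:01:11 DROP TCP 198.51.100.9 10.1.0.5 40002 23
2005-06-01 09:02:00 DROP TCP 10.44.8.2 10.1.0.5 2000 1433
2005-06-01 09:02:00 DROP TCP 10.44.8.2 10.1.0.5 2001 1434
2005-06-01 09:02:01 DROP TCP 10.44.8.2 10.1.0.5 2002 3306
2005-06-01 09:02:01 DROP TCP 10.44.8.2 10.1.0.5 2003 5432
2005-06-01 09:02:02 DROP TCP 10.44.8.2 10.1.0.5 2004 3389
2005-06-01 09:05:00 DROP UDP 10.9.9.9 10.1.0.5 5000 161
"""

def parse_log(text):
    """Yield one record per data line; the #Fields header and blank lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, action, proto, src, dst, sport, dport = line.split()
        yield {"ts": f"{date} {time}", "action": action, "proto": proto,
               "src": ipaddress.ip_address(src), "dst": dst, "dport": int(dport)}

def summarize_drops(records):
    """Per source address: number of blocked attempts, distinct servers, distinct ports."""
    summary = defaultdict(lambda: {"drops": 0, "targets": set(), "ports": set()})
    for r in records:
        if r["action"] != "DROP":
            continue
        entry = summary[r["src"]]
        entry["drops"] += 1
        entry["targets"].add(r["dst"])
        entry["ports"].add(r["dport"])
    return summary

def classify(summary):
    """Split blocked sources into internal hosts worth inspecting and external addresses.
    An internal host is flagged only when its pattern looks like a sweep or a scan;
    a single blocked packet from a misconfigured client is left alone."""
    internal, external = {}, []
    for src, e in summary.items():
        if src not in CAMPUS_NET:
            external.append(str(src))
            continue
        reasons = []
        if len(e["targets"]) >= SWEEP_TARGETS:
            reasons.append(f"sweep of {len(e['targets'])} servers on ports {sorted(e['ports'])}")
        if len(e["ports"]) >= SCAN_PORTS:
            reasons.append(f"scan of {len(e['ports'])} ports on {sorted(e['targets'])}")
        if reasons:
            internal[str(src)] = reasons
    return internal, sorted(external)

def find_suspect_hosts(log_text):
    """Convenience wrapper: (internal hosts to inspect, external sources blocked)."""
    return classify(summarize_drops(parse_log(log_text)))

if __name__ == "__main__":
    suspects, outsiders = find_suspect_hosts(SAMPLE_LOG)
    for host, why in sorted(suspects.items()):
        print(host, "->", "; ".join(why))
    print("external sources blocked:", outsiders)
```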

  14. Re:Stealth? on Do Stealth Startups Suck? · · Score: 1


    I never said that I was in favor of marketing plans that don't support the reality of the product. Actually, I never said anything about marketing plans at all. But, I know what you mean anyway.

    I never said I was in favor of Segway pulling their publicity stunt, only that if a company had a good product, such a scheme could be successful. The argument was that in all cases, companies should be open when starting up. What I was saying is that there may exist some company with some product such that the publicity stunt attempted by Segway could be beneficial.

    Segway's problem was that they didn't have a product. So, it is difficult to imagine why someone would argue that in all cases that openness is the optimal strategy for *every* company in *every* case.

    That example is clearly distracting people because of the Segway thing. Let's use a different one. This one is about secrecy, but it is not with a startup company.

    Let's take for example how Apple is coming out with the new Macs on Intel. They mention that they have been compiling their OS on Intel for the last 5 years. The last 5 years??? WTF?! Now, let's say that instead of doing this with Apple itself, they had instead spun off a new company to do the Intel version of the Mac OS. If they had done that, it would be a perfectly good reason for a company to not have a lot of openness when starting up.

  15. Re:Stealth? on Do Stealth Startups Suck? · · Score: 1


    You might think that Segway sucks. But do they suck because they didn't have more openness during their product development phase? I don't think that is really the fundamental problem with the Segway. I think if they had more openness during that time period then, most people wouldn't even have paid much attention to them. As it stands, we have all heard of them at least. Most people just might not like how they have implemented their product, or their price point or whatever. Personally, having ridden the Segway, I think it was a lot of fun. I'd like to have one, but they are too expensive.

    My point isn't that the company is a great company. My point is that their publicity stunt could have worked, if only they had a product to back it up. If, for example, the Segway had been something as cool as the iPod was when it came out, then things might have been different...

  16. Re:Stealth? on Do Stealth Startups Suck? · · Score: 1


    OK. I agree that in many cases it is probably stupid to have stealth for a startup company. But, can you really go so far as to claim that it is true in *all* cases?

    What about the Segway? They made a big publicity stunt out of being secretive. In some cases, how much information, and the timing of the information that you reveal about a new product is important for marketing purposes.

    Sometimes too, when you are designing something new, you might have a nifty-cool technology, but not be entirely sure how that will fit into a product exactly. So, you might not want to come out and tell the public exactly what features your product is going to have, only to have them totally change next month, when you drastically change your design, or decide to reposition your product.

    Having a large group of beta testers and customer feedback can be beneficial for some things. For other things, customers are going to tell you that they want the status quo, and you have to teach them that what they really want to do is spend more money and get the new improved spiffo-cool thing that everyone else is getting.

  17. Re:umm on Half Of Businesses Still Use Windows 2000 · · Score: 1

    I thought he said "Windows 2K has actually been a great OS and this is coming from a Windows hacker..." But he actually said "hater". It still made sense the other way.

  18. Re:Nice marketing ploy. Too bad it's a scam on Microsoft Ends Era Of Closed File Formats · · Score: 1


    Here is the deal. In order for you to be able to distribute something under the GPL that is covered by a patent, you must provide a license for that patent that meets all of the terms and conditions of the GPL. The GPL does not say that you must provide a way for the end user to go out and get a license. On the contrary, you have no right to distribute GPL'd code that is encumbered by a patent unless you provide a license for that patent.

    As an end user, you can not require me to go out and do anything special in order to have the freedoms guaranteed to me by the GPL. I don't have to go visit some web site. I don't have to click on a registration form. I don't have to give you my name and address. And I certainly don't have to register with Microsoft. Microsoft can kiss my a$$. If you give me your GPL'd code, you have to negotiate with Microsoft for their patent rights, not me. Otherwise, you don't get to use their patents in your GPL'd application.

  19. Re:It's probably better... on Write Down Your Passwords · · Score: 1

    Using your birthdate as a password is a horrible idea because it is easily guessable by people who know you, and easy to socially engineer out of you by people who don't really know you well. Using a football team is a horrible password because it is a dictionary word, and it is commonly used by like a zillion other people that think that no one would ever guess that.

    In general, passwords should use a combination of upper and lower case letters with at least one number and one special character. Just taking dictionary words and replacing letters with numbers is not really a good idea either.

  20. Re:Driver's Lic + SSN = National ID on Real ID: You Can Still Fight It · · Score: 1


    So, at some clubs here, they ask to scan your driver's license every time you enter the club. They ask to do this so they can verify that you are 21. In my case, my social security number, birthdate, and address are not all digitally encoded in plaintext on the card. But, imagine how convenient this would be if they were. Airports would demand to scan your ID. Bars would demand to scan your ID. You want to buy beer? They would scan your ID. Soon, you will be handing your identity out like candy.

    No problem you think. I will do anything in the name of safety. Because, now all those terrorists will never be able to go anywhere because they won't have these spiffo cool identity cards like me. They will never be able to get a hold of that stuff in a million years... You know, all this "secret" identity info that we are passing around like candy.

    I am not a number. I am a free man.

  21. Re:Puh-leeze! on Phishers Using Keystroke Loggers · · Score: 1

    Also see the black stealth

    BackStealth is an innovative Security Utility which allows to bypass the outbound protection of a Personal Firewall in order to establish a remote connection.

    BackStealth is executed within the memory space allocated to your Firewall and thus does not appear to be a separate process. Such "Stealth" technique gives it full rights for access to the web, completely transparent and independent from all other applications.

    I have not personally tested either Black Stealth or Firewar yet, so I do not know how well they work. I am planning on testing them soon in a lab configuration, probably initially under VMware.

  22. Re:Puh-leeze! on Phishers Using Keystroke Loggers · · Score: 2, Informative

    Well, if you run arbitrary code as the administrator of your Windows machine, what makes you think you can trust the integrity of your firewall to stop a program from sending out an e-mail? See this.

    There are a number of well-known trojans/malicious code that have integrated code to circumvent host-based antivirus programs and firewalls. Some of them disable the firewalls. Some of them replace well-known services like crss.exe that the firewall likely has a rule preconfigured for, to allow it to allow connections on.

    Others may initiate connections via other programs like Internet Explorer, which you have likely configured your firewall to allow outbound connections on anyway.

    But honestly, if you are running one of the handful of common firewalls, and you run some arbitrary program as administrator, if it wants to be really stealthy and polite about it, it can just add a rule to your firewall software to always allow all outbound connections from it.

    Don't get me wrong, it's not that I don't think that host based firewalls are not important. It's just that I don't think that they can not be circumvented.

  23. Dear Website Owner on Taking on an Online Extortionist · · Score: 1


    Please send me $50,000 or I will post an article on Slashdot with a link to your website, and it will go down for the next week.

  24. Send Your Tin Foil Hats To Microsoft on Microsoft To Add A Black Box To Windows · · Score: 1


    The first time you find a buffer overflow that crashes Microsoft Word or Microsoft Outlook, you can have all sorts of fun with this. You just write all sorts of conspiracy theories into Word documents and then make Word crash (How hard can that be?) and then make sure that they get sent off to Microsoft. Since the feedback is anonymous and all, you can feel free to pretend that you are the President of Sun or IBM, or whatever you want. Well, Red Hat is probably out... But, you get the idea.

    Anyway, as long as this information can be used to collect corporate espionage that users inadvertently send them, I say that people use it to send Microsoft disinformation.

    Like, a good thing to send them would be rumors that random large companies are planning on suddenly switching all of their desktops to Linux in a surprise press release that is being drafted.

    Or rumors that Sun is about to suddenly abandon Windows in favor of an open source version of OS/2 which it is planning to buy in a surprise move.

  25. I'm very confused on Petition To Get OS/2 Open Source · · Score: 1


    Why does it cost $200 for ecomstation? I could see paying like maybe like $50 bucks for this just so I could install it under VMware and play around with it, though I would probably just wait for the Live CD and do it for free... I guess that their target audience is probably businesses that are not price sensitive to the difference between $50 and $200 though. That and there is the perception that if you charge more money for something that it has more value. Like at a garage sale you can have a TV for sale for 5 cents (because you just want to get rid of the stupid thing) for like 4 hours with no one buying it. But if you raise the price to like 50 bucks, someone will come along and offer you 30 bucks for it, and then you can reluctantly agree to take it.

    You know, if they did open the source code up for this, their choice of licenses would make a big difference. Imagine what would happen if they chose the BSD license, rather than the GPL and their OS really caught on. Then Microsoft could incorporate all the resulting code back into Windows, for example.

    On the other hand, if they chose the GPL, and their OS really caught on, maybe lots more Windows developers would be encouraged to also GPL their projects. However, perhaps GPL'ing the code would not even be possible due to the entanglement with other code to which they do not own the licenses. IANAL.