Slashdot Mirror


User: johnnick

johnnick's activity in the archive.

Stories: 0
Comments: 46
Comments · 46

  1. Re:Exactly! on HP Keeps Installing Secret Backdoors In Enterprise Storage · · Score: 1

    1 2 3 4 5 - That's the combination to my luggage!

  2. Re:Drivers on Ask Slashdot: How To React To Coworker Who Says My Code Is Bad? · · Score: 1

    AAA did a survey in the US about 20 years ago where they discovered that roughly 80% of people believed that they were above average drivers.

  3. Re:Who cares? on Coral Reefs In Grave Danger, Say Climate Simulations · · Score: 0

    And your qualifications for making this dismissive assessment are...? Or do you have peer-reviewed studies which you can cite to support your position?

  4. Re:Please, just stop... on Department of Homeland Security Wants Nerds For a New "Cyber Reserve'" · · Score: 1
  5. Re:Please, just stop... on Department of Homeland Security Wants Nerds For a New "Cyber Reserve'" · · Score: 3, Informative

    >The bacteria that enter the drinking supply poisons a good portion of an entire city and thousands (if not tens of thousands) die.

    Because no one, not even the people there at the plant, notice that the sewage is going into the water, and no one notices that the water smells funny, etc., etc. NYC is dealing with something like this right now in the wake of hurricane Sandy. See http://www.huffingtonpost.com/2012/10/30/hurricane-sandy-sewage-toxic-_n_2046963.html.

    Killing people with computers is a LOT harder than killing them with kinetic weapons because, aside from people being monitored by computers in hospitals, most people aren't directly relying on the computers to keep them alive.

    The northeastern US suffered a major, multi-day blackout a few years ago. It did not bring the country to its knees. Similarly, regional weather events may shut down transit/business/etc., but people are moving to backup systems (e.g., walking/biking to work in the case of NYC) and dealing for the time it will take to bring the systems back online.

    Any cyber attack that could actually meaningfully harm the US would cross the line into casus belli and likely receive a kinetic response.

    It's possible that some kind of cyber attack could be used as a distraction or to syphon off resources while a kinetic attack takes place, but that's still assuming some other nation believes it is in their national interests to get into a shooting match with the US.

    Sen. Lieberman had an opinion piece in the NYT (http://www.nytimes.com/roomfordebate/2012/10/17/should-industry-face-more-cybersecurity-mandates/the-cyber-threat-is-real-and-must-be-stopped-by-business-and-government) supporting your position. Numerous real security professionals would disagree, from Bruce Schneier (http://www.schneier.com/blog/archives/2012/10/stoking_cyber_f.html) to people like Scot Terban (http://www.schneier.com/blog/archives/2012/10/stoking_cyber_f.html).

  6. Give me control and earn my trust on Ask Slashdot: Best Practices For Collecting and Storing User Information? · · Score: 3, Insightful

    The short requirements:

    1) Explain what you're collecting in real-time at the moment when you give me the option whether or not to permit you to collect it. Tell me what you will use it for, when you will delete it and the consequences if I don't give it to you. People don't read privacy disclosures. Give notice and ask permission at the moment of proposed collection. Make it opt-in, not opt-out.

    2) Only request the information required to perform the service I've requested. Use the information I provide only to provide the service I've requested. Only share the information I provide with third parties to the limited extent necessary to provide the services I've requested. Obtain contractual commitments from those third parties that cause them to protect my information and delete it as soon as they've done what's required to provide the service I've requested. Keep information only as long as necessary to provide the service I've requested and delete it after you've done what's required to provide the service I've requested.

    3) Protect my information. Encrypt in transit and at rest. Delete thoroughly and don't give in to the urge to collect and keep information just because it might be useful some time in the future. You can't lose what you don't have.

    You say the collection "... is for purposes of analysis and ultimately functionality, not persistence." That seems inconsistent with the collection of name and email address. I can't think of too many use cases where you're collecting my name and email address and don't plan to keep it (and use it for marketing or otherwise share it in some way). If you need to contact me or I need to create a user-id that is my email address, you don't need my name.

    Your privacy policy is your contract with your user. It is an operational document that must be consistent with your practices. The privacy policy should be consistent with your policies and procedures. If the information you collect, or the way you handle it changes, you must change your privacy policy.

  7. Not Just Books and Music on Will Your Books and Music Die With You? · · Score: 1

    This issue has been gaining importance as our online life becomes an increasing portion of our activity and consumption. People used to keep photos in albums - now they're scattered among devices, memory cards and online services. Personal diaries are now protected with a password instead of a physical lock - and might even be stored on Blogger or LiveJournal or another online service rather than on a hard drive. Family financial information or even personal recipes might be stored in Google Docs. Most of the services we use on a regular basis have little-to-no provisions in place for a family member or an executor to transfer account information. Few companies and even fewer users are thinking about end of life issues when it comes to their online lives.

    I did an article about this about a year ago available at http://www.virtualworldlaw.com/2011/04/you-cant-take-it-with-you---death-and-the-virtual-world.html

  8. Re:Use the remote site on Power Problems Force Seattle To Throttle City Data Center For Days · · Score: 1

    >Because while things may have been well designed originally or planned including all the fancy redundancy, after years of no major issues it becomes a target of its own success: cutbacks and people saying "see, we never needed it, and look at how much money we can save". Such is the way of things.

    Part of this is also people who are bad at math. I once had a major disagreement with a business guy trying to explain that there was a significant difference between a server that had been 100% available for a given time period and one that was _architected_ to be 100% available. He couldn't understand that the former scenario involves getting lucky, while the latter is the result of (more expensive) design.

  9.

    >It would give a mechanism to see how many people agree or disagree with a post, without the flood of useless "lol me too!11!!!1!!!!!1" AOLer posts that plague slashdot

    In other words, you've just described what Digg used to be.

  10. Re:I've had FiOS since November 2004 on The Fiber to the Premises Install Process · · Score: 1

    I've had the 15/2 service for a couple of months, and while I haven't had DNS problems, it doesn't play nicely with my alarm system. Now that I've got FiOS, if I let the landline ring more than twice the alarm system seizes the line as if it were trying to call out with an alert.

    I got Verizon in to fix the problem, since it didn't happen until they installed FiOS, and the tech generously informed me that (a) this is a common problem, (b) they were supposed to ask if I have an alarm system when I ordered and when they installed, and (c) they can't do anything about it, I have to get the alarm company out to fix it. Ugh.

    Aside from that, the service has been great and the support from Verizon has been unusually good - they're putting a lot of effort behind FiOS.

    John

  11. Re:"I do not think it means what you think it mean on The Worst Bill You've Never Heard Of · · Score: 1

    Call me an optimist, but in the absence of an explicit statement that "All those incidental copies are fair use," I think this is a good result. The point here seems to be that the license the Digital Music Provider gets covers all of those things and the copyright owner can't use those incidental copies as a revenue generating opportunity separate from the initial license.

    If copyright owners had never espoused this argument, or if DMPs weren't actually worried about it, then I could see the "wink and a nod" and the worry that this was raising something that didn't need to be raised, but I know that software licenses have created this type of incidental copy concern before.

    If the Copyright Office is treating the license from the copyright owner to the DMP this way (covering incidental copies), then I don't see a reason why the CO would treat the license received by the end user any differently.

    All this does is remove some extraneous material from the real argument over whether you buy the right to make multiple copies for your own use (CD, computer, iPod, other) when you buy a single license.

    John

  12. "I do not think it means what you think it means." on The Worst Bill You've Never Heard Of · · Score: 4, Informative

    The linked website seems to be shouting FUD from the rooftops.

    I read the Copyright Office comments and the bill as posted on the discussion draft link, and I'd appreciate some help in understanding where you're coming from.

    As I understand it, the bill deals with the relationship between Digital Music Providers and Copyright owners. It does not deal with the relationship between Digital Music Provider and end users (other than to define a DMP as an entity that provides digital music to end users).

    The basic purpose of the bill is to create a compulsory licensing scheme for digital music, so that digital music providers can buy a single license (in the way that ASCAP and BMI license their portfolios today on behalf of the content producers). The compulsory licensing scheme enables digital music providers to avoid seeking out individual copyright owners and getting a license from each of them, and prevents copyright owners from refusing to license their works.

    The bill appears to include caches and other incidental copies to prevent copyright owners from claiming that those are separate copies requiring a separate license. The bill specifically includes those incidental copies in the compulsory license granted to the DMP.

    The retroactivity provision enables DMPs that have been providing digital music without the appropriate license to pay for their use dating back to 2001 (or whatever the date was in the bill) and thereby escape any claim that they violated the copyright owner's rights. This protects the DMP from liability.

    So, if anyone has a reason to object to this bill, it's the copyright owners, not the end users.

    While this is all based on a quick skim of the bill and the Copyright Office's comments, I'm really not sure how this bill creates the slew of horrors that have been posted on this page.

    For the record, and in the interest of avoiding some of the low s/n ad hominem attacks that I've already seen launched in some of these comments, I don't work for the music industry, any entity associated with the music industry, and the comments are entirely my own. I distrust and generally despise the RIAA and MPAA, but I just don't see the harm to end users here. Perhaps that's ignorance on my part, so I'd appreciate it if someone could actually explain (preferably with references to the actual text of the bill) how this bill causes the problems y'all are fearing.

    John

  13. Re:Great principle on Tiny Holes Advance Quantum Computing · · Score: 1

    But they might if they figure out a way to make quantum breast implants... :)

    Would those be of indeterminate size, location or both?

    And would strippers with quantum breast implants have a higher spin number?

    John

  14. Computers - Better Mistakes on $10B Annual Tab for Spreadsheet Errors? · · Score: 3, Insightful

    This one has been known for a while, but perhaps the FUD associated with a number like "10 BILLION DOLLARS" (said in appropriately Dr. Evil-ish fashion) could get some attention.

    Spreadsheet functionality enables people to bury calculations and they become legacy tools within departments. They are like some of the worst spaghetti code. Someone who may be a serious spreadsheet jock develops a neat tool and it gets implemented in his/her department. The jock leaves, but the tool stays and continues to be used, despite the fact that no one left really knows how it works. Even assuming that there are no errors in it, as circumstances change, the spreadsheet might not produce the "correct" answer, but everyone accepts the answer produced by the legacy spreadsheet because "that's the way we've always done it." And, should someone attempt to modify the spreadsheet, they could get bitten by buried or misunderstood calculations.

    Also, spreadsheets enable executives to embed assumptions and play "what ifs" with their forecasts, which is good. But then they use the scenarios they like best to get their pet projects approved using some rather suspect forecasts that "must be true because that's what Excel says the results are."

    Spreadsheets are valuable tools, but, like any tool, you can get bitten if you don't really understand what you're using.

    John

  15. Re:Hearken to the Wisdom of Dilbert! on Geeks in Management? · · Score: 1

    When my father was promoted to manage a department, I gave him advice about Dilbert, too. Walk around and look at the Dilbert cartoons posted in your people's cubes. When a new one goes up, look at it and think about whether the joke in that cartoon relates to something you did or said recently. If it does, learn from it.

    John

  16. Re:Valid Point, but.. on Website Posts Partial SSNs of Politicians in Protest · · Score: 1

    I agree with you that this is a valid way to express dissatisfaction. However, I think it also serves to anger the legislators who voted against the bill, and will make those legislators less willing to listen to or cooperate with this group in the future.

    My point is that by performing the same exercise before the vote, they might have influenced the vote to go the way they wanted. By doing this after the vote, at best, they require the process to start over again with a new bill to achieve what they want.

    John

  17. Re:SB1386 tie in on Website Posts Partial SSNs of Politicians in Protest · · Score: 5, Informative

    This actually exposes an interesting gap in SB 1386.

    Under SB 1386 (which goes into effect on July 1), any entity covered by the law has a duty to notify California residents "in the most expedient time possible and without unreasonable delay" when it is known, or reasonably believed, that "personal information" stored on the entity's computer systems has been disclosed to unauthorized persons as a result of a security breach. An entity is only exempt from the notification requirement when: (a) the "personal information" disclosed was already publicly available through the federal, state, or local governments; (b) the "personal information" was stored in an encrypted form; or (c) the unauthorized person would be unable to link the California resident's name with other sensitive data (e.g., Social Security number, credit card number, etc.). Entities that fail to comply with SB 1386 can be sued by individuals whose personal information was disclosed for damages suffered due to the disclosure (i.e., damages resulting from identity theft).

    But, SB 1386 does not cover information legitimately sold, such as the SSN information acquired by the lobbying group. (I'm assuming that they weren't receiving stolen information.)

    John

  18. Valid Point, but.. on Website Posts Partial SSNs of Politicians in Protest · · Score: 4, Insightful

    Had they done it before the vote, or gone to each Assembly-person and demonstrated the capability before the vote, that would've been legitimate lobbying. This is just petty and serves to make the Assembly-people less likely to listen to this group in the future.

    John

  19. Re:Postal Codes on Universal Alphanumeric Postal Code Proposed · · Score: 1

    I think you're number 6099727. ;-)

    Number 6: Where am I?
    Number 2: In the Village.
    Number 6: What do you want?
    Number 2: We want information.
    Number 6: Whose side are you on?
    Number 2: That would be telling, we want information, information information.
    Number 6: You won't get it.
    Number 2: By hook or by crook, we will.
    Number 6: Who are you?
    Number 2: The new Number 2.
    Number 6: Who is Number 1?
    Number 2: You are Number 6.
    Number 6: I am not a number, I am a free man!

  20. Re:And if this bothers you... on TiVo To Sell Customer Data · · Score: 1

    Just because the tv (and TiVo) is on, doesn't mean I'm watching. :-)

    John

  21. Somehow... on Universal Alphanumeric Postal Code Proposed · · Score: 3, Insightful

    Having Microsoft power an address system that would let the BSA, RIAA, MPAA (or others) pinpoint the computer with the "unauthorized" copies of software, MP3s or DVDs on it does not make me feel comfortable.

    Can you imagine the chip that has a GPS receiver and that can translate into this addressing system?

    CHIP: "Dear BSA - Computer Serial Number 123456789 has the following software ...., and is located at coordinates 7XCD5 3RE66."

    "Dear Ms. Rosen - Computer Serial Number 123456789 has the following MP3s ...., and is located at coordinates 7XCD5 3RE66."

    Etc.

    John

  22. And if this bothers you... on TiVo To Sell Customer Data · · Score: 2, Funny

    Just set your box to record lots of stuff that you want "THEM" to think you watch during the night or when you're not at home and there's nothing else that you care about. That way, your pr0n habits will seem like more of a statistical aberration.

    John

  23. Re:IWLAL on Use a Honeypot, Go to Prison? · · Score: 1

    >I would like a lawyer or at least somebody to explain...

    Read the previous post. One just did.

    John

  24. A Honeypot is Not Entrapment on Use a Honeypot, Go to Prison? · · Score: 4, Interesting

    To address the issues raised in the article:

    >Federal wiretap laws prohibit interception of electronic communications, including traffic monitoring across a network. There are exceptions for network protection, but Salgado said that is an "uneasy fit" for honeypots, because they are set up with the expectation of being attacked.

    This isn't entirely correct. If you are the owner of the network, you can monitor what happens on it. You can doubly protect yourself by putting a banner on your login page that says that any use of the network is subject to monitoring, but the key thing that courts have looked at with regard to such monitoring is whether the person had a legitimate expectation of privacy in the communication. I think a judge would have a tough time accepting an argument that someone attacking your network had a legitimate expectation of privacy in his/her attack.

    Even if you were only allowed to monitor your network for defensive purposes, I think the honeypot could arguably qualify as a defensive tool. For example, I have limited budget for physical security at my home. I recognize that there are a number of ways that someone could break in, and I take steps to secure or prevent those. However, if someone is determined to break in, I must recognize that they will find a way. To deal with that possibility, I try to recognize where an intruder might be able to break in, and I have cameras in those areas. If I could only afford a certain number of cameras, I might make one path a little easier or attractive than the others so that the intruder would take that path and thereby pass in front of the camera allowing me to gather evidence of the crime. The intruder has already committed the crime by being inside the house, the camera simply collects the evidence. By placing a honeypot and monitoring it, you are simply putting an intrusion detector on a place where unauthorized individuals are likely to go, if they are already committing the crime of being inside your network without authorization.

    >An operator might be held liable for damages if a compromised honeypot is used to launch an attack against a third party. "We don't know" if such liability would hold up in court, Salgado said.

    This is theoretically possible, and I actually wrote another article for USENIX's magazine ";login:" on this subject called, "You've Been Cracked...And Now You're Sued."[1] But, if you're setting up a honeypot, you ought to be sophisticated enough to isolate it and prevent outbound attacks on other networks (or at least either notify those networks that they are being attacked or shut down the attack as soon as it starts). There's really no excuse for setting up a honeypot and then allowing it to be used as a zombie.

    >A hacker charged with illegal activities involving a honeypot could argue entrapment, which Salgado said is a difficult defense. He said it might not apply to so-called passive honeypots.

    Salgado is correct that entrapment is a very difficult defense. The article doesn't point out, however, that the defense of entrapment is also only available to someone who is being prosecuted as the result of activity by a government agent (like the DOJ, FBI or some state or local law enforcement agency). If your company (or client), as a non-governmental entity, sets up a honeypot and a cracker gets prosecuted because of it, the defense of entrapment is not available. See the legal definition of entrapment at http://dictionary.lp.findlaw.com/

    Furthermore, as Salgado also notes, because a honeypot is a purely passive thing, even if you were a government agent, you are not really inducing or encouraging a potential cracker to go attack it. If you were a government agent and set up a honeypot and then anonymously went to hacker sites and talked about this fantastic server with all kinds of really cool stuff on it and how easy it was to own, etc., etc., then you might be setting yourself up for the defense of entrapment.

    John

    [1] ;login: The Magazine of USENIX & Sage, vol. 26, no. 2 (Berkeley, CA : USENIX Association, 2001): pp. 73-76.

  25. Re:why water? on Life on Mars? Why Not? · · Score: 1

    There's always the Horta - the silicon-based life form that Spock mind-melded with.