Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.
Partial disclosure of a new class of vulnerability can also result in new ways of thinking about problems. For example, to exploit webmail interfaces, I don't have to disclose how to write a CSS file that positions malicious links over a particular webmail app's legitimate interface links, just that such is possible. (FWIW, this was first fully disclosed to the major vendors/operators in 2000. Most of them spent weeks trying to convince themselves that it wasn't a problem that "Reply" led to an off-site re-login screen... It was fixed only after the attack was described, as above, on a public list in 2001.)
With respect to ATMs, where could an attacker provide input into the app? Via 2-3 mechanisms on the ATM card, the UI, via displayed details of individual accounts, or other means. Perhaps "I can has <BOM>" is all someone needs to find out what to attack, after which an implementation would be relatively trivial.
Might as well install a clean linux distro to start with.
Which you would have to inspect in its entirety to verify that it has no nasty features anyway.
I'm not sure how open source Google stuff changes the chain of trust situation, unless you already have a complete code audit of another OS and desktop environment and it's cost prohibitive to do another on Google's.
Par2 is an excellent technical solution to this problem since it will fix alignment as well as truncation issues, but will get killed by the bureaucracy since it isn't well supported by the safe mainstream vendors. Also, the Linux Par2 implementations appear to script better than those for Windows.
Agreed. But even before we get there, I've not seen a compelling argument for a benefit to the public from including the information about the kidnapping in Wikipedia.
... We're not exactly talking about a simple harmonic oscillator here. I don't find it conceivable that the models and the data would match much at all. This does not disprove the hypothesis that the planet is experiencing significant global warming due to human activity. So if we can't prove it or disprove it right now, should we do nothing?
If we do not understand the system sufficiently to model it beyond some degree of reliability, we should not expect that our proposed perturbations to the system will produce the desired outcome at greater reliability than our model. This is a concern if we propose to commit a significant amount of the world's resources to perturbing the system along primarily one dimension, with the expectation of a fairly immediate and proportional response in primarily one other dimension.
Even if the current model becomes refined to be completely reliable in demonstrating the link between increasing emissions and increasing temperature, the data supporting the opposite relationship in the model, where decreasing emissions will decrease temperature, is somewhat weaker since most of our measurements have been of increasing emissions.
Among the joys of attempting to simplify complex systems...
Man might be happy to see the sun God appear in the morning, since the sun God has always previously brought life and prosperity. This morning, however, the sun God might smite Man's head off. So you see, trend analysis is a poor substitute for understanding, and therefore we should all live in fear of the sun God and perform rituals to please the sun God.
The strength of the AGW argument would be demonstrated by its expression in a manner convincing to the general critical thinker, in addition to those expert in the art. Such a strong argument should be open to criticism from all sides, and should survive such convincingly if the argument advocates re-orienting the social and economic goals of most of the world's population. AGW proponents would do well to avoid a practice common to fundamentalist religions and cults where scripture is only allowed to be debated by those who already agree with the dogma.
This Article finds that the emissions reduction approach would be ineffective at solving the dangerous climate change effects of global warm- ing because it would be technically risky, inflexible, extremely expensive, and politically unrealistic, and would probably delay more effective and vastly less expensive measures using solar radiation management. This suggests the awful possibility that very large amounts of money may be spent in a fruitless attempt to reduce GHG emissions at the same time that all the possible adverse economic consequences of climate change are realized.
Let's then also consider outlawing workplaces near major highways where exposure to vehicle emissions poses the same type of threat as second hand smoke.
This isn't a vulnerability with existing encryption systems, it's a scheme for a different way to structure and encrypt the data to explicitly allow calculations on the data without exposing the original values.
IBM researcher solves longstanding cryptographic challenge (posted on 25 June 2009)
An IBM researcher has solved a thorny mathematical problem that has confounded scientists since the invention of public-key encryption several decades ago. The breakthrough, called "privacy homomorphism," or "fully homomorphic encryption," makes possible the deep and unlimited analysis of encrypted information - data that has been intentionally scrambled - without sacrificing confidentiality.
IBM's solution, formulated by IBM Researcher Craig Gentry, uses a mathematical object called an "ideal lattice," and allows people to fully interact with encrypted data in ways previously thought impossible. With the breakthrough, computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients' behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry's technique, the analysis of encrypted information can yield the same detailed results as if the original data was fully visible to all.
Using the solution could help strengthen the business model of "cloud computing," where a computer vendor is entrusted to host the confidential data of others in a ubiquitous Internet presence. It might better enable a cloud computing vendor to perform computations on clients' data at their request, such as analyzing sales patterns, without exposing the original data.
Other potential applications include enabling filters to identify spam, even in encrypted email, or protecting information contained in electronic medical records. The breakthrough might also one day enable computer users to retrieve information from a search engine with more confidentiality.
"At IBM, as we aim to help businesses and governments operate in more intelligent ways, we are also pursuing the future of privacy and security," said Charles Lickel, vice president of Software Research at IBM. "Fully homomorphic encryption is a bit like enabling a layperson to perform flawless neurosurgery while blindfolded, and without later remembering the episode. We believe this breakthrough will enable businesses to make more informed decisions, based on more studied analysis, without compromising privacy. We also think that the lattice approach holds potential for helping to solve additional cryptography challenges in the future."
Two fathers of modern encryption - Ron Rivest and Leonard Adleman - together with Michael Dertouzos, introduced and struggled with the notion of fully homomorphic encryption approximately 30 years ago. Although advances through the years offered partial solutions to this problem, a full solution that achieves all the desired properties of homomorphic encryption did not exist until now.
IBM enjoys a tradition of making major cryptography breakthroughs, such as the design of the Data Encryption Standard (DES); Hash Message Authentication Code (HMAC); the first lattice-based encryption with a rigorous proof-of-security; and numerous other solutions that have helped advance Internet security.
Craig Gentry conducted research on privacy homomorphism while he was a summer student at IBM Research and while working on his PhD at Stanford University.
Yes, and therefore "difficult to implement" or "sections x, y and z are unclear" would be valid criticisms of the standard, not "A bribed B and was hypocritical" (which may be a valid criticism of the standard-making process, but not of the standard itself).
If the claim is that the standard has many objective technical deficiencies, those deficiencies should be able to stand on their own without resorting to attacks on the standard's supporters. Otherwise, the argument risks assuming the same liabilities as "Skinheads support a high standard of clean highways, therefore highway cleanup is bad".
Why is it remarkable to you that a list of criticisms about the objective technical merits of a proposed standard does not include items about the political actions of parties to the standardization process?
Did ReiserFS gain or lose functionality for the sole reason that the author committed a crime? Did any of Alan Turing's theories gain or lose logical validity due to his sexual orientation becoming revealed? Did the arguments of the civil rights movement become wrong when they engaged in some quid pro quo actions to gain exposure?
I have no idea what a functional market is supposed to be
Then may I presuppose that you are a quant?
Before you raged into the keyboard, did you bother to read the rest of the post where I explain what you complain about without the jargon, and explain that a number of other variables with undetermined behaviours would come into play?
Plain language goes a long way in discussions among the regular folk who just want to discuss in broad strokes things like the parts of the economy which their hard work powers, and which most matter to them.
You're welcome to come down from your high economics pedestal at any time. We won't hold you against it (for long).
In a functional market, "they would sell more games" counteracts "gamestop would lose half its revenue per game". If the demand for games is directly related only to their price, the gross revenue wouldn't change, but the handling cost for changing the number of units transacted to achieve that revenue would increase or decrease. Halving the price while doubling the volume would effectively increase gamestop's transaction cost per game, while not increasing the publisher's revenue. That would just be an assholish move with no winners.
If prices were halved, I suspect that volume would more than double since, as other posters have pointed out, there's less risk to try each game. If the cost/profit ratio does not change (for either the publishers or gamestop) by virtue of halving the price and more than doubling the volume, the effect would result in more revenue to both gamestop and publishers. Who profits more depends on how much the transaction cost proportionately increases per sale for gamestop, versus how much of the publishers' sunk costs per title are distributed to each unit produced.
Halving the wholesale and retail prices would also generate side effects relating to barriers to entry. If it costs x/2 to stock a video game store, more video game stores would be establishable with current capital reserves. If the market price for a game becomes x/2, smaller market segments may become unprofitable because the total population wouldn't double to make up the volume. If expectations of game quality become halved by virtue of price becoming x/2, new markets could emerge on each side of the quality of games which currently sell for x.
The good people at Tor, Freenet, etc. and all their users seem to consider sound the premise that transferring or storing chunks of encrypted data is not the same as transferring or storing the original data, and they have had access to better legal minds than either you or me. A similar assumption about storing data is popular but generally unrefuted in that other story: http://yro.slashdot.org/story/09/06/03/1951209/UK-Police-Want-Plug-In-Computer-Crime-Detectors
But I've missed your argument about the soundness of the premise. If this argument were sound, did you mean to imply, by calling it a "stunt" and "word games", that you would agree with a magistrate whose personal affinity for this argument outweighed its objective merits in their decision? Please elaborate, if you could.
Interesting, and thank you. The tax in the article is explicitly a state sales tax, while my understanding of the IRS is that it deals with national income tax. The tax in the article would appear to stack on top of, but not otherwise affect, the existing income tax on stolen goods. How else might those two interact?
Also, did the Capone case concern sales tax, income tax, or both, and at which levels of government?
Per your suggestion, I'd like to learn more about what you have to say, specifically case law where it is established that:
a) product==money
b) product==earnings
if those were the specific findings in the Capone case. Specific paragraph numbers from the ruling would be nice, but I'll take a case number.
Taxation on an activity has the effect of legitimizing it. Paying 15% of the value of an MP3 to the government still has advantages to paying 100% of the value to RIAA et al...
No, have an unpatched and fully malwared Windows install that does nothing meaningful, which would have allowed others to use the computer without knowledge or permission...
But you didn't download the song. You downloaded several chunks of random (encrypted) data which could be assembled into a song. The chunks didn't even all come from the same place.
Also, if these downloads are illegal or part of illegal activity, there's a conceptual issue of being able to tax them in the first place, and secondly, an issue with the state using funds derived from the proceeds of crime.
World of Paperwork on PlenaryNet?
...The fact remains that the author of the "quashed" report has never published a single paper relating to climatology and climate science, and has only worked as an economist for his entire career.
http://carlineconomics.googlepages.com/CarlinWhy.pdf
"Why a Different Approach Is Required if Global Climate Change Is to Be Controlled Efficiently or Even at All" WM. & MARY ENVTL. L. & POL'Y REV. Vol. 32:685, 2008
A dozen more examples of his articles relating to climate are here:
http://carlineconomics.googlepages.com/
It's another debate as to whether or not his published papers are heretical to whomever asserts authority over the climate science canon.
Take off every 'partisan' !! For great justice.
You've mistaken the mob for democracy.
Waterboarding FTW!