Another thing is, you could attempt to download far more data than your connection is capable of.
For example, making a portable device participant in a BitTorrent network, where the client intentionally attempts to
download as much data as possible -- at a high loss rate, the data your phone isn't capable of receiving still gets sent by
the tower, and therefore still congests the wireless portion of their network, but your device never receives the data, because it's not capable of it.
Packet loss is an end-to-end connectivity thing; it is no specific party's responsibility.
Ultimately, the end user has to take responsibility for requesting packets that they are unable to receive.
It would probably be better if the phones warned the user about high packet loss or implemented a temporary self-shutoff or backoff.
And wireless providers offered SLA credits, for data discarded before it's even attempted sent by the provider's
radio towards the user's phone (e.g. Output discards).
Otherwise, packet loss by the phone itself, or loss of radio transmission, is a result of network congestion. There actually is very good sense in the user having to pay as if data was received when they are requesting packets that are being lost due to congestion --- the user is participating in the congestion that
should be prompting the network provider to upgrade the network in that area, so they should pay more for causing
that congestion.
The providers should just clarify that dropped packets do count, and choose appropriate pricing.
To be honest this is kind of a ridiculous standard anyway. The way I read it, it seems to me the sites I would least want to track me are the exact sites that are most likely to ignore DNT completely
The problem is DNT has no teeth. There should be some mode of identification and publication of sites that ignore DNT in a blacklist.
And when browsers encounter a site known to ignore DNT, they should refuse to allow redirecting to it, or sourcing content remotely from the site via remote script frames or images tags.
And the ability to set and store cookies readable by a blacklisted site should be blocked.
If ignoring DNT had more tangible negative repurcussions for the site operator, they would be less likely to do it
This is how Science is like a failed software project: they value their process more than their goal. I could go out and make the most amazing, society-altering discovery ever
Until you can convince peers that this is an amazing discovery, then it is just your opinion that you have
a valid discover, and also your opinion that it's amazing.
When and if you can write the article and convince peers in the field, then and only then do you have something
I could go out and make the most amazing, society-altering discovery ever, but I wouldn't be allowed to tell Wikipedia about it, because it would be "original research"
It sure would be. You misunderstood what Wikipedia is, I think.
Wikipedia is an encyclopedia, not a peer-reviewed research journal.
Your amazing discovery should be submitted to a peer-reviewed journal, and the media.
Once your discovery has been corroborated, there will be secondary sources available, and then the work on developing the articles for
Encyclopedae such as Wikipedia by the authors/editors of those encyclopedae can begin.
how about completely ignoring what a person is doing, and only punish them if they are driving recklessly, regardless of the cause.
The problem is this doesn't protect people who aren't driving recklessly, until after they're dead.
The only real way I can think of to detect if a texter is driving recklessly independent of their activity, is to have some mechanism, where random 'check obstacles' are deployed on the road, at random places, 1 stopping distance + 5 seconds away from approaching vehicles, to verify that drivers are paying attention.
E.g. a yellow cone hidden under the road, that pops up without warning.
If a driver hits the check obstacle, they are automatically cited a $200 fine.
Slap "reckless endangerment" and felony imprisonment on texting while operating a vehicle, and I bet the problem will be solved without harming anyone else.
No... the 'dangerous' people won't get that memo.
And the law will become another tool that can be leveraged to unfairly imprison people.
When you consider what techniques law enforcement will have to use to prove that crime -- things such as reviewing records from
cell phone companies, and finding a call or text sent 5, 10 minutes before the accident, and cell phone on their person
after the accident and calling for help, as proof that the person was using their cell phone.
Sure, the perp claimed they were stopped at the time, and the text message sent was unrelated to the accident,
but the record of a recent text will be circumstantial evidence strong enough to win a conviction, even if
the person wasn't texting.
If they did that, police would lose a huge revenue stream. Not going to happen.
Change that from will throttle the engine TO will automatically inform the local authorities, and submit evidence of speeding from the vehicle's black box and computer, so they can automatically issue a ticket.
And it will be feasible.
While they're at it, they can also install voice recognition, and issue fines to people who use swear words, while in their car.
Often kidnapers aren't too happy about you talking on your cellphone... texting can be done discreetly.
Well, you can muffle the earpiece, dial 911, open the channel, and keep the call open, discretely.
They should really make an app for that though; basically, an app with a "Help, i'm being kidnapped" button;
that starts sending texts to a list of people, SMS messages with GPS data, and dials in 911.
I would be amenable to this, but require an ownership interest in any intellectual property developed, and an equity share in any business developed,
commensurate with the importance to the development of the idea/business of having that place to use at such an early stage.
(In other words, I would be taking a big risk, that I gave free space and utilities, and receive nothing of monetary value, but if the business were successful, the amount
due to me would be orders of magnitude more $$$ than a few months rent)
Actually, it's not easy. A trojan horse can draw the same UI, write the same file to the flash drive, and a naïve user would probably dutifully follow the instructions because the user would not know any better.
Not, if the functionality was enabled only on a USB port inside the chassis, or via the Management controller virtual USB (e.g. iLO)
The average user is not going to take a screwdriver, open their computer case, and find the USB port on the motherboard, to plug into.
while still allowing unsigned updates to be installed by the user manually from within a menu in the BIOS UI prior to booting.
I would favor, providing a mechanism in the boot menu for the user to add their own signing keys public RSA key, and set what permissions each signing key has.
The the signing authentication method for BIOS, could then be re-used for "Signed MBR bootcode" verification, and optional signing of a temporary read-only disk partition for booting an integrity-protected lightweight OS whose purpose is to authenticate the user and load full disk encryption keys, then boot
the OS/kernel from encrypted media.
So how about a switch that toggles the write enable pin to your bios flash on the front panel of your box?
This sounds like a mess, as it would interfere with organizations rolling out common baseline BIOS versions, and upgrading them in batches,
or make it prohibitively expensive.
It would result in organizations adopting a standard operating procedure: Make sure the Write Enable switch is set to ON,
and Epoxy it into place, to ensure BIOS update doesn't accidentally get broken in the future, by someone flipping it
A bunch of kids get together who wish they were going off on vacation.
Each kid pretends they have a different make and model of car,
except one is appointed car god, to decide who gets what, and what the outcomes are.
They each roll dice many many times, and the outcomes for certain sets of dice rolls will decide
how powerful their car will be, such as structural strength, speed, maneuverability, luck, and reliability
against breakdowns, and how much money they will get to buy equipment enhancements for their
imaginary car, such as +1 nitro boost, fenders of +10m/h speed, or +10m/s/s of braking force.
All of this gets put on a sheet of paper called the "car sheet".
The imaginary drivers set off on their quest, adventure, err, vacation, and do their best to pretend
they are actually driving across the continent.
The car god sets up encounters with adversaries, such as random pot holes, bums
on the street who randomly decide they want to steal the car keys, as soon as the player
gets out to take a quick rest after 10 hours of driving,
and ultimately decide if someone wins, or if anyone even finishes.
Sometimes a driver might find additional items on the track to aid them, they might gain
more cash, or a sad random unexpected fate may suddenly befall them, destroying them
upon the car god's whim; without warning, a tree suddenly collapses on you, your car
that you have been improving with new equipment for 6 months is destroyed R.I.P.;
car god tears up the car sheet.
In the event any of the drivers survive the adventure, they get to keep
their surviving car sheets and use them for next time, as long as the car god for the
next adventure does not object, or if their car is considered to be too powerful,
may adjust it down. Those that were destroyed, lose everything, and have to
go through the whole car creation process again next time.
Alternatively, a player might build up multiple car sheets over time, and then have
a choice of which car they will play next adventure, and some car gods might let
a player pretend they are two different drivers driving two of their different cars,
simultaneously.
Republicans had the Presidency, the House, and the Senate from 2003 to 2007 -- a ridiculously convenient opportunity to address the mortgage lending market problems. Democrats can't filibuster for four solid years!
Well, yes, the democrats can filibuster repeatedly. And the Senate has a heck of a lot of other important business to do as well; the republicans couldn't bring up one particular matter for four solid years.
You don't get debates from liberals because you make stuff up. Dems only had a supermajority in the senate for four months, most of which were in recess.
Obviously they cared more about having long recesses than getting things done....
I think excessively poor software should result in some form of negligence... but general “can happen to anyone” type bugs.. no.
How do you define that in a manner that does not result in a slew of lawsuits to let the courts try to sort out the matter?
How do you feel about your next copy of Windows costing $2000 per seat, instead of $200,
due to the premium required to help cover the added legal costs?
This malware demonstrates why that's poor advice by taking advantage of software's "physical" access to a machine
A keylogger on the host can still capture keystrokes sent to a guest VM.
It's sound advise, but missing an an important additional proviso:
In addition to doing banking in a banking VM, the web browser on the host, and all software other than virtualization software should be disabled and removed
A new separate Virtual machine should be created for all non-Banking activity.
Any program run on the physical computer would be a risk.
If all risky activities are done in a VM, and all secure activities are done in a different VM,
the configuration of the risky VM is edited to disable copy and paste, and enable isolation
functionality (such as disablement of folders shared with the host, and running programs on the host
via the VMware backdoor), and the virtualization software is kept up to date,
Then the secure VM will be protected from most threats,
other than possibly network-based Man in the Middle attacks.
The possibility of man in the middle attacks by an infected normal-use VM could be mitigated by bridging the different VMs to different NICs on different LANS behind different routers
I've even managed to lock up the busybox shell doing things like forcing an unused datastore to unmount, you would think doing things like this directly upon vmkernel would be a bad idea and have the potential to disrupt VM's running on the host
Well, it certainly would, if any VM were running on the datastore, and you were actually successful.
It's more likely you just broke the shell, and the management world was still running happily.
Everything on the VMkernel, including the Tech support console runs in their schedulable entities that they call Worlds, which has similarities to the Linux concept of a process.
Sure it's possible to break your shell, or get it hung up. But the world your tech support console is executed by a separate world, it's not the same as the various other worlds on the system, that the various VMs run in.
I believe you may be in error on that.... last I heard, the remaining 10 people using windows Mobile
have since been assimilated, and joined Balmer's army of Windows-using (formerly human) Zombies,
as a result, the total count is 0 of the mobile users effected are people.
ESXi boots a minimal Linux kernel, which then loads vmkernel (the Hypervisor) along with some other virtualization components.
No... there is no "Linux" kernel that ESXi contains, as the service console was completely removed, there is only the VMkernel; there are some superficial similarities between the Tech support ESXi shell and a Linux shell, much in the same way as there are some superficial similarities between a command shell interface on AIX and Linux.
However, the VMkernel contains components that are derived from Linux, such as the driver system,
and various drivers, so you could legitimately say that ESXi is a mixture of Linux code and some proprietary code
in the same package.
If the user has physical access to a machine, then they have privileged access to that machine,
and every virtual machine and local software run on that physical machine while they have
physical access to it.
The same reason malware might want to compromise a printer or other network device.
It's a place the malware can hide on the network, from AV scanners.
Another trick would be for the malware to create a VM of its own running a general purpose OS,
or create a nested VM situation to run its malware payload.
Any of those techniques can accomplish the objective of allowing remote usage of the
host's CPU and callback to the malware author to receive work
Another thing is, you could attempt to download far more data than your connection is capable of. For example, making a portable device participant in a BitTorrent network, where the client intentionally attempts to download as much data as possible -- at a high loss rate, the data your phone isn't capable of receiving still gets sent by the tower, and therefore still congests the wireless portion of their network, but your device never receives the data, because it's not capable of it.
Packet loss is an end-to-end connectivity thing; it is no specific party's responsibility. Ultimately, the end user has to take responsibility for requesting packets that they are unable to receive.
It would probably be better if the phones warned the user about high packet loss or implemented a temporary self-shutoff or backoff. And wireless providers offered SLA credits, for data discarded before it's even attempted sent by the provider's radio towards the user's phone (e.g. Output discards).
Otherwise, packet loss by the phone itself, or loss of radio transmission, is a result of network congestion. There actually is very good sense in the user having to pay as if data was received when they are requesting packets that are being lost due to congestion --- the user is participating in the congestion that should be prompting the network provider to upgrade the network in that area, so they should pay more for causing that congestion.
The providers should just clarify that dropped packets do count, and choose appropriate pricing.
Considering what you're about to do for 4+ years, maybe you should treat this as a psych problem!
It's more like a marketing problem... if you need the certificates to market yourself, and a business tradeoff regarding the cost.
Getting the certs might have a high upfront price, BUT that price might be worth it, if you get more business faster as a result of having it.
How To Prove IT Knowledge Without Expensive Certificates?
Prove it with Inexpensive certificates. Prove it with 3rd party endorsements/referrals.
To be honest this is kind of a ridiculous standard anyway. The way I read it, it seems to me the sites I would least want to track me are the exact sites that are most likely to ignore DNT completely
The problem is DNT has no teeth. There should be some mode of identification and publication of sites that ignore DNT in a blacklist.
And when browsers encounter a site known to ignore DNT, they should refuse to allow redirecting to it, or sourcing content remotely from the site via remote script frames or images tags.
And the ability to set and store cookies readable by a blacklisted site should be blocked.
If ignoring DNT had more tangible negative repurcussions for the site operator, they would be less likely to do it
This is how Science is like a failed software project: they value their process more than their goal. I could go out and make the most amazing, society-altering discovery ever
Until you can convince peers that this is an amazing discovery, then it is just your opinion that you have a valid discover, and also your opinion that it's amazing.
When and if you can write the article and convince peers in the field, then and only then do you have something
.
I could go out and make the most amazing, society-altering discovery ever, but I wouldn't be allowed to tell Wikipedia about it, because it would be "original research"
It sure would be. You misunderstood what Wikipedia is, I think. Wikipedia is an encyclopedia, not a peer-reviewed research journal.
Your amazing discovery should be submitted to a peer-reviewed journal, and the media.
Once your discovery has been corroborated, there will be secondary sources available, and then the work on developing the articles for Encyclopedae such as Wikipedia by the authors/editors of those encyclopedae can begin.
how about completely ignoring what a person is doing, and only punish them if they are driving recklessly, regardless of the cause.
The problem is this doesn't protect people who aren't driving recklessly, until after they're dead.
The only real way I can think of to detect if a texter is driving recklessly independent of their activity, is to have some mechanism, where random 'check obstacles' are deployed on the road, at random places, 1 stopping distance + 5 seconds away from approaching vehicles, to verify that drivers are paying attention.
E.g. a yellow cone hidden under the road, that pops up without warning.
If a driver hits the check obstacle, they are automatically cited a $200 fine.
Slap "reckless endangerment" and felony imprisonment on texting while operating a vehicle, and I bet the problem will be solved without harming anyone else.
No... the 'dangerous' people won't get that memo.
And the law will become another tool that can be leveraged to unfairly imprison people.
When you consider what techniques law enforcement will have to use to prove that crime -- things such as reviewing records from cell phone companies, and finding a call or text sent 5, 10 minutes before the accident, and cell phone on their person after the accident and calling for help, as proof that the person was using their cell phone.
Sure, the perp claimed they were stopped at the time, and the text message sent was unrelated to the accident, but the record of a recent text will be circumstantial evidence strong enough to win a conviction, even if the person wasn't texting.
If they did that, police would lose a huge revenue stream. Not going to happen.
Change that from will throttle the engine TO will automatically inform the local authorities, and submit evidence of speeding from the vehicle's black box and computer, so they can automatically issue a ticket.
And it will be feasible.
While they're at it, they can also install voice recognition, and issue fines to people who use swear words, while in their car.
Often kidnapers aren't too happy about you talking on your cellphone... texting can be done discreetly.
Well, you can muffle the earpiece, dial 911, open the channel, and keep the call open, discretely.
They should really make an app for that though; basically, an app with a "Help, i'm being kidnapped" button; that starts sending texts to a list of people, SMS messages with GPS data, and dials in 911.
Someone tell them what the "board" in room & board means, I don't think they know.
So they're saying there is room and board, as long as the guest pays for the food..
That could mean the boarder has to buy all the food, and someone in the household prepares it for those that live there and the boarder
I would be amenable to this, but require an ownership interest in any intellectual property developed, and an equity share in any business developed, commensurate with the importance to the development of the idea/business of having that place to use at such an early stage.
(In other words, I would be taking a big risk, that I gave free space and utilities, and receive nothing of monetary value, but if the business were successful, the amount due to me would be orders of magnitude more $$$ than a few months rent)
Actually, it's not easy. A trojan horse can draw the same UI, write the same file to the flash drive, and a naïve user would probably dutifully follow the instructions because the user would not know any better.
Not, if the functionality was enabled only on a USB port inside the chassis, or via the Management controller virtual USB (e.g. iLO)
The average user is not going to take a screwdriver, open their computer case, and find the USB port on the motherboard, to plug into.
while still allowing unsigned updates to be installed by the user manually from within a menu in the BIOS UI prior to booting.
I would favor, providing a mechanism in the boot menu for the user to add their own signing keys public RSA key, and set what permissions each signing key has.
The the signing authentication method for BIOS, could then be re-used for "Signed MBR bootcode" verification, and optional signing of a temporary read-only disk partition for booting an integrity-protected lightweight OS whose purpose is to authenticate the user and load full disk encryption keys, then boot the OS/kernel from encrypted media.
So how about a switch that toggles the write enable pin to your bios flash on the front panel of your box?
This sounds like a mess, as it would interfere with organizations rolling out common baseline BIOS versions, and upgrading them in batches, or make it prohibitively expensive.
It would result in organizations adopting a standard operating procedure: Make sure the Write Enable switch is set to ON, and Epoxy it into place, to ensure BIOS update doesn't accidentally get broken in the future, by someone flipping it
A bunch of kids get together who wish they were going off on vacation.
Each kid pretends they have a different make and model of car, except one is appointed car god, to decide who gets what, and what the outcomes are.
They each roll dice many many times, and the outcomes for certain sets of dice rolls will decide how powerful their car will be, such as structural strength, speed, maneuverability, luck, and reliability against breakdowns, and how much money they will get to buy equipment enhancements for their imaginary car, such as +1 nitro boost, fenders of +10m/h speed, or +10m/s/s of braking force. All of this gets put on a sheet of paper called the "car sheet".
The imaginary drivers set off on their quest, adventure, err, vacation, and do their best to pretend they are actually driving across the continent.
The car god sets up encounters with adversaries, such as random pot holes, bums on the street who randomly decide they want to steal the car keys, as soon as the player gets out to take a quick rest after 10 hours of driving, and ultimately decide if someone wins, or if anyone even finishes.
Sometimes a driver might find additional items on the track to aid them, they might gain more cash, or a sad random unexpected fate may suddenly befall them, destroying them upon the car god's whim; without warning, a tree suddenly collapses on you, your car that you have been improving with new equipment for 6 months is destroyed R.I.P.; car god tears up the car sheet.
In the event any of the drivers survive the adventure, they get to keep their surviving car sheets and use them for next time, as long as the car god for the next adventure does not object, or if their car is considered to be too powerful, may adjust it down. Those that were destroyed, lose everything, and have to go through the whole car creation process again next time.
Alternatively, a player might build up multiple car sheets over time, and then have a choice of which car they will play next adventure, and some car gods might let a player pretend they are two different drivers driving two of their different cars, simultaneously.
Republicans had the Presidency, the House, and the Senate from 2003 to 2007 -- a ridiculously convenient opportunity to address the mortgage lending market problems. Democrats can't filibuster for four solid years!
Well, yes, the democrats can filibuster repeatedly. And the Senate has a heck of a lot of other important business to do as well; the republicans couldn't bring up one particular matter for four solid years.
You don't get debates from liberals because you make stuff up. Dems only had a supermajority in the senate for four months, most of which were in recess.
Obviously they cared more about having long recesses than getting things done....
I think excessively poor software should result in some form of negligence ... but general “can happen to anyone” type bugs.. no.
How do you define that in a manner that does not result in a slew of lawsuits to let the courts try to sort out the matter?
How do you feel about your next copy of Windows costing $2000 per seat, instead of $200, due to the premium required to help cover the added legal costs?
This malware demonstrates why that's poor advice by taking advantage of software's "physical" access to a machine
A keylogger on the host can still capture keystrokes sent to a guest VM.
It's sound advise, but missing an an important additional proviso:
In addition to doing banking in a banking VM, the web browser on the host, and all software other than virtualization software should be disabled and removed
A new separate Virtual machine should be created for all non-Banking activity.
Any program run on the physical computer would be a risk.
If all risky activities are done in a VM, and all secure activities are done in a different VM, the configuration of the risky VM is edited to disable copy and paste, and enable isolation functionality (such as disablement of folders shared with the host, and running programs on the host via the VMware backdoor), and the virtualization software is kept up to date,
Then the secure VM will be protected from most threats, other than possibly network-based Man in the Middle attacks.
The possibility of man in the middle attacks by an infected normal-use VM could be mitigated by bridging the different VMs to different NICs on different LANS behind different routers
The ESXi shell is not an OS, but a process
I've even managed to lock up the busybox shell doing things like forcing an unused datastore to unmount, you would think doing things like this directly upon vmkernel would be a bad idea and have the potential to disrupt VM's running on the host
Well, it certainly would, if any VM were running on the datastore, and you were actually successful. It's more likely you just broke the shell, and the management world was still running happily.
Everything on the VMkernel, including the Tech support console runs in their schedulable entities that they call Worlds, which has similarities to the Linux concept of a process.
Sure it's possible to break your shell, or get it hung up. But the world your tech support console is executed by a separate world, it's not the same as the various other worlds on the system, that the various VMs run in.
This will be disasterous for tens of people!
I believe you may be in error on that.... last I heard, the remaining 10 people using windows Mobile have since been assimilated, and joined Balmer's army of Windows-using (formerly human) Zombies, as a result, the total count is 0 of the mobile users effected are people.
ESXi boots a minimal Linux kernel, which then loads vmkernel (the Hypervisor) along with some other virtualization components.
No... there is no "Linux" kernel that ESXi contains, as the service console was completely removed, there is only the VMkernel; there are some superficial similarities between the Tech support ESXi shell and a Linux shell, much in the same way as there are some superficial similarities between a command shell interface on AIX and Linux.
However, the VMkernel contains components that are derived from Linux, such as the driver system, and various drivers, so you could legitimately say that ESXi is a mixture of Linux code and some proprietary code in the same package.
If the user has physical access to a machine, then they have privileged access to that machine, and every virtual machine and local software run on that physical machine while they have physical access to it.
Why on earth would you want to do that?
The same reason malware might want to compromise a printer or other network device. It's a place the malware can hide on the network, from AV scanners.
Another trick would be for the malware to create a VM of its own running a general purpose OS, or create a nested VM situation to run its malware payload.
Any of those techniques can accomplish the objective of allowing remote usage of the host's CPU and callback to the malware author to receive work