So Anyone have a pretty gui built around one of the open source/free hypervisors with all the same basic features as vCenter (live migration, live strage migration, performance reporting)? oh, and the GUI needs to be easy for a windows person to use.
XenServer + XenCenter.
Add-on features are easy to come by; core product robustness is not.
Good luck trying to run FreeBSD, Solaris, or one of those less-common OS VMs on those 'free' hypervisors with performance comparable to VMware.
Yeah, Macs are so secure that they were the first to fall at Pwn2Own for five years in a row.
Macs presented a challenge, and are highly desirable to own, so it's no surprise that security researchers concentrated efforts on pwn1ng them, so they could walk away with the coolest toy participating in Pwn2own
In other words... it's a contest that tends to select a predictable result every time: whichever the platform is most desirable hardware, as far as the participants are concerned.
So the contest wasn't objective. It would be objective if they had offered the same reward (e.g. $5k cash), regardless of which platform was successfully pwned by the contestant.
I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago
Invisible/deceptive malware is directly against the Apple Human Interface design Guidelines.
And developers targetting OS X are extremely respectful of Apple's application design rules.
Obviously, you have to prove that the photos. contain you to the authorities.:(
Just because the photo contains an image of you does not give you any copyright ownership.
Unless specified otherwise by a written agreement the photographer in general owns the right to the photos.
You would also need to prove you created the scene/captured the picture, so have a copyright claim, which is quite difficult if you were a subject of the picture.
This kind of thing comes up a lot when people employ the services of a professional photographer.
The photographer/studio that takes the pictures owns the pictures, is the only entity that can
legally copy, scan, or otherwise reproduce them, and in general, they'll charge a pretty penny for rights to personal use/reproduction or any digital copy of professionally taken portraits, e.g. $100+ per image.
The photographers who take family pics apparently often keep all the old ones on file,
and look for any media or anyone else daring to attempt to use their pics in publications,
or anyone scanning and posting to the internet, so they can sue for a payday.:-/
Our law disagrees. Actually, even taking a picture of someone (safe celebrities known to the law as "people of public interest") is not permitted without his or her explicit consent.
Actually... in US states it is "permitted", generally. If you are on public property, you can in general photograph anything or anyone you ordinarily observe. There is nothing to prevent that. Even if the subject doesn't want their picture to be known to the public. If they happen to walk by or through the viewfinder of your camera, you can snap photos without needing permission.
The act of publication is different.
If you choose to publish a photograph or use the image in commerce without a model release, you may incur liability.
This depends on the laws of the state where the picture's taken -- but it's generally not a crime of any sort to publish
a picture of someone without their consent, it might be a tort (dependant on state law), is all.
Of course, there are certain kinds of pictures that may be criminal to publish under any circumstances,
for example, obscene photos in violation of community or other legal standards, may be criminal
even with consent of subjects.
Especially if published means broadcast over public a TV channel, FCC regulations may be involved.
Google+ is in limited Field Trial
Right now, we're testing with a small number of people, but it won't be long before the Google+ project is ready for everyone. Leave us your email address and we'll make sure you're the first to know when we're ready to invite more people.
So unless that's just Google's way of trying to tell me, "We here at Google don't really like you" etc....
They haven't actually launched yet, and when they do, they could have many more signups.
It kind of screws up the "25 million users in one month of launch" concept though.
If you fail to conform to the norms dicacted by the Google hive mind, your account gets gGassed; which ends its entire Google life,
forcing you to stop using Google services altogether.
I don't think so. A tip can be anonymous (as long as the tipster is not interested in a reward). The accusation is BSA vs. a company, not the tipster vs. a company. Meanwhile, if the audit turns up anything
What, the audit the company refused to undergo?
Lawsuits must have a factual basis. You can't just go to a court and file a paper that says
"I'm suing you, because a little bird told me, you might be copying my software."
If the BSA can't produce some prior authentication of the information contained in the tip, including its source, they would be in trouble.
There is no copyright issue because the inventors did not reserve their copyright.
"Rights reserved" is not required for a work to be covered by copyright.
The notice used to be required, in the US, but this was changed, for any work published after 1989 in the US, a notice is not required; copyright is automatic, as soon as a novel work with the required 'creative aesthetic' is fixed in tangible form, and is owned by the person who created the work. Today only ~20 countries in the entire world require any sort of notice.
The notice is for the benefit of those countries, and it is a reminder to the owner of the copy, what rights they don't have.
Damages will increase if you remove a copyright notice, or prepare and distribute copies of a work with a copyright notice, as it will be presumed willful infringement -- you cannot claim ignorance (the notice is right there, in black and white.)
Besides the software very clearly states:
";;; Copyright (c) John Koza, All rights reserved. ;;; U.S. Patent #4,935,877. Other patents pending."
I recommend switching to free software for all the tools where you don't have to have the best possible solution.
For many problem spaces, Free software tools actually provide the better solution.
Sometimes the proprietary tool is better, not always though.
I sure wouldn't hold IIS up to Apache, or Windows DNS Service up to BIND.
And if you need a Firewall appliance on commodity hardware, you use Iptables, Ipfw, or one of a dozen free software based firewall distributions,
not Forefront / ISA.
Use a serial port, and let the warden keep a USB to serial connector in his safe.
Non-standard interfaces are more expensive.
USB2.0 ports are high-speed serial interfaces.
Older interfaces are inappropriate for large transfers.
Simply not providing any user access to the interfaces would be sufficient, however.
They could use a NIC interface for performing updates, however.
The machines that run the control systems should be industrial grade equipment, kept in a locked cabinet,
never able to be touched by the controller, to dissuade connecting them to the internet.
Preferably separate from the workstations that actually provide a user interface to the control system.
Those could connect to the control system over a private control LAN, and communicate using encrypted signed datagrams that must have a TTL of 254, for the controller to process them.
The user could be dissuaded from connecting to the internet by requiring that the workstation IP address
be issued by the controller via DHCP with an active lease to establish a connection over switch port links authenticated using 802.1X wired authentication, and providing a controller IP address as default gateway, with any unexplained packets sent towards internet hosts blackholed and designed to activate a tampering alarm.
In addition workstations designed to control the controller should be in a locked cabinet.
With no general purpose software installed on them, and only approved maintenance procedures
or change controls provided by the control device manufacturer/support company permitted.
Why are the prison control systems connected to the Internet? Who thought that was a good idea?
They are designed to operate without a connection to the internet.
However, the computers used to control them run Windows on general purpose hardware.
Which means it is possible to connect them to the internet.
If you ask me, the designer of the system should utilize embedded hardware booted from flash media and basically read-only to the end user.
Any reporting/data collection/data storage should be done by a second system connected to the control system over a NIC dedicated for that purpose.
No way to protect yourself from having to pay the lawyers though it seems...
Quite right... I am afraid so. You can no more do business responsibly without lawyers than you can do without accountants and clerical workers or other consultants you require in the course of your business. And people with the level of training and expertise lawyers have tend to be expensive.
the only real question then... is the amount of protection you get worth the lawyers?
If you have a large business, probably, more of your cash is at risk if sued, if you're likely to lose, and you don't have protection.
Another strategy would be to spend all the money on your legal defense fund and hope to win.
But if you run out of money, and therefore, will probably lose the lawsuit due to lack of defense funding,
or poor case, maybe it's a good idea to have the protection in place to fall back on.
If they lose out because the claim was false, then they have no reason to destroy his info. I would be shocked if they wouldn't want to at least make threats of suing him for the loses incurred because he lied.
Unless he actually admitted he lied, I don't think so.
The publicity of that case would cost the BSA in that people would hear of the BSA suing someone who reported piracy to them.
This would be handled privately and off the record.
Because maybe the BSA destroyed their record of the identity after they discovered their claim was false/total bunk,
or their case got thrown out? That's the main reason I can think of -- you pursued the identity of the reporter too late, after the BSA's need to preserve that information was gone.
I assume the BSA would have the information available, such as a sworn or at least signed statement from someone, to prove they actually had a reasonable basis for a lawsuit, in their own defense against claims of some sort of abuse of process, but maybe they don't keep the information.
I don't think you can sue someone or force discovery/go on a fishing expedition of an org's papers because "you claim some anonymous party has told you they think you did something against the law," however.
Some EULAs do include a clause that says the maker of the software is entitled to have an audit performed at a certain frequency under certain circumstances, as a condition of the EULA you have to accept to use the software -- but it doesn't seem like that clause would be much help, unless the software is registered and the organization admits they do have at least one copy of the software licensed under the EULA with that requirement.
That is... i'm saying... if your organization doesn't admit to the BSA that you have the software, and they have no access to your records, then what evidence would they have you accepted any EULA permitting an audit of that software's licenses?
I assume if you settle with the BSA racket rather than take them to court, they include some term in the settlement to protect the person who brought them the evenue opportunity, but that might not be true -- i'm not really sure if there tend to be legal ramifications for the person making a statement to the BSA or not.
Maybe instead of preemptively shutting down the business he should actually contact an asset protection expert,
for advice.
There are ways to structure a business to protect it against dubious legal threats, like the BSA.
A common example would be.... one corporation owning the building.... another corporation
owning the computers... etc
You can't just open a new business, move the assets, close your existing one, and evade legal problems.
There are many considerations, tax issues, and otherwise.
If you intentionally undercapitalize your existing business, you might be at risk of having a court find you
had committed a fraudulent transfer, or they might pierce the corporate veil.
Therefore, you should see an attorney about all that as well
Don't agree to any BSA demands or requests.
Find a lawyer experienced with dealing with the BSA.
If you agree to an audit, it's highly probable they will find something illegal, regardless of whether you did anything illegal or not.
You need a proof of purchase for every copy of an installed software product.
If you use a Windows environment, you need proof that you had sufficient CALs for everything, on effective audit date.
If anything's not in order, or you can't find one proof of purchase for 1 license of XXX, the BSA will insist the software is pirated (even if you bought it good and legal), tack on huge fines, etc
"We've just gotten a letter from an attorney representing the Business Software Alliance stating someone (we're certain it's a disgruntled former employee)"
Be prepared to sue that former employee, for all damages and costs your business incurred as a result of their allegation, If they made a frivolous/false claim that hurt your business, and you can show who it is, take them to court.
Maybe they (and others) will think twice, before making false reports to the BSA racket people.
The BSA needs their evidence to sue you, make sure you force the BSA to divulge the identity of the person reporting.
Again, you will need legal counsel to help you with this
If you really can easily distinguish well-encoded AAC or MP3 from FLAC you should lend us at HA your golden ears!
Not necessarily. The ability to hear a difference depends partly on the type and quality of your sound system.
By the way, I prefer and use Apple Lossless 94khz/24-bit (.M4A) over FLAC.
Not that FLAC sounds any different; I just find that working with the files seems faster,
as in compressing raw audio to M4A seems to happen at a much better rate than compressing the same data to FLAC,
and the files work on more devices; whereas very few devices seem to support FLAC.
So some people will say Codec A sounds best. Some will say Codec B sounds best. Some will say that Codecs A and B suck donkey shit and Codec C sounds best. What exactly does this prove?
It can show what percentage of the population on average could be expected to favor Codec A for a certain sample.
As for generalizing how Codec A/B/C did over one sample to the overall perceptions of Codec A/B/C over all possible samples
a simple listening test cannot do that.
Making any kind of general statement about Codec A/B/C would require many representative samples of all sorts of music encoded with each codec, and many
people participating in the double blind listening test.
By this logic, I should never lock my door to my house, as a determined thief can always force entry No benefit at all in preventing the casual or opportunistic thief from getting in and plundering at will.
Well, this is true if you leave the key in the lock, or leave a key in a well-known place such as under the doormat;
locking the door really doesn't protect you against an opportunistic thief, if a key is readily available.
With a massively distributed OS/device, the place where the key gets placed is going to be very public knowledge, so it's really just the same as locking the door but leaving a key in the lock.
Anyways... no I wouldn't say that locking a door is no point. First of all, the criminal and civil charges for forced entry and damage are more severe than simple breaking and entering. This is not really true of the virtual world -- stealing a user's password from an unencrypted sqlite DB and using it to get into their bacnk account is just as severe a crime as stealing an encrypted sqlite DB with the user's password, stealing the encryption key, and using their decrypted pw in the same manner.
Second of all, homeowners' insurance policies generally don't pay for items stolen in a burglary, if there is no police report or no signs of forced entry.
With the virtual world.... well... if an ID thief raids your credit card account electronically, you're not liable beyond $50 anyways, as long as the charges are fraudulent -- there is no virtual requirement to show 'forced entry'; only that the charges were unauthorized.
Insurance won't generally cover the loss of personal/private data, so showing signs of 'virtual forced entry' just isn't of any real benefit
Third of all.... unlike the virtual world; in the physical world, you can be sure that manual physical actions are required to defeat every security measure you put up. If you put up enough good measures, it will take so long to commit the crime, OR the crime will be so visible to the public, that criminals' chances of being caught are so high, that they will move on to an easier target.
Because houses are not like consumer electronics; houses are not produced en masse to identical specs...
not all houses have identical security designs provided by the manufacturer. Pretty much, every house is unique,
and there are most likely plenty of 'easy targets'.
With phones, for the most part, all targets of the same make/model phone will be equally 'easy' targets;
'moving on to an easier target' doesn't have much an analog, BUT it facilitates highly automatable,
standardizable methods of attack.
A cat burglar cannot "download a piece of software" to automatically force the door open on every house on the block without extra work, extra time spent on their part, doing physical things, requiring them to spend more time at risk, and thus increasing their chance of being caught.
Walking in the door is not obviously "wrong"..... busting down a door is going to raise suspicion of ANY person (neighbor or otherwise) that sees this, and the police are likely to be called as soon as these signs are spotted.
There have been some claims that this is an example Google being evil but this seems more like incompetence and hamfistedness
When practiced to a sufficient extent, incompetence and hamfistedness results in evil being done.
Turning off someone's e-mail account without warning for some mostly harmless against-the-rule action on a social networking site sure sounds like doing evil to me.
No. Your focus on "high probability" is misguided. That's a minimum requirement, not the end. Effective security is a trade off of cost for coverage. The huge gaping flaw in your argument here is that:
Locking out an account is practically the same as locking out a device as far as the user is concerned. You've failed to address that point twice now, despite being directly questioned on it. So I am pretty sure you understand it, but just don't want to admit it.
It's not practically the same thing. It's not even close. Their 'device' is already not working, because it has incorrect credentials. With just one of their devices blocked (such as their work iPad at home they don't have on hand to change the password on), they can still access their account from whatever device they are actually using, such as their computer at work, or the iPhone they are carrying on them.
The user might not use the blocked device that often, in which case, its tarpitting/deactivation of the broken device could go unnoticed for a very long amount of time.
The assumption, then, is once they DO discover the device is failing authentication, they simply fix that device by correcting the password, and within the hour, the 'block' will expire, allowing the device to resume,
probably long before the average user calls anyone about this.
On the other hand.... if the device's auth failures lock their account; the effect is completely surprising to the average user. They will have no idea what has happened, and they will probably call the support desk irate demanding their account be fixed.
Their account gets unlocked..... 20 minutes later, it's locked again because their iPad at home has made 3 more failed sync attempts.
So not only is it equivalent, now you have a situation where the user can't repair the situation, because they have an incorrectly configured device attempting bogus authentications, which is out of their reach to correct, until the end of the day when they go home.
Now... for the sake of argument... let's just say this user is a CEO or sales guy, and the company could lose hundreds of millions if he can't get access to his e-mail to follow up, because some defective software has caused his entire account to be locked when it's not necessary....
I'd rather my doctor not use apps with his approved devices that are unregulated. Although, I'm sure the free-market would sort it all out.
I'd rather the FDA regulate the use of the combination of the app and the attachment in the case of (b).
And require a standard of testing for the combination of app on tablet and attachment together.
The tablet or app itself shouldn't need to be regulated or certified as an individual unit.
But (I suppose) a consequence of this, would be workers would have to use specific tablet, app version, attachment version.
And the Tablet hardware itself would have to be certified for that combination, probably resulting in a much more expensive "Attachment compatible"
branded tablet being released to meet the FDA cert requirements.
With regards to (a) I'm strongly opposed to that. Should the FDA start certifying the copy paper and ink used to print medical images on for professionals to make a specific diagnosis, and require them to use "FDA certified paper" costing $100/page to print all pictures on for diagnosis?
Let's not forget, all these costs get passed onto the patient too, and sometimes cost lives, when patient/their insurance can no longer,
or will no longer pay for treatment.
Oddly FDA "regulations"/certifications are often counterproductive and likely cost lives; it is difficult to determine if the number of lives saved
by FDA regulations exceeds the number of lives lost as a result of bureaucracy increasing medical costs and delaying the availability of life-saving treatments.
No. FDA certification of has a cost, and it should be limited to materials where the certification is actually more beneficial.
FDA certification of medical devices that can kill if they malfunction = good
FDA certification of drugs that can kill if they have unintended side-effects = good
FDA certification of diagnostic equipment used in an operating room = good
FDA certification of pen and paper, computer displays, software, or other ancillary tools chosen
by professionals to review medical data = bad
If the app-server combo has a decent session protocol, the app can get a session token from the server and discard the password.
I agree that's a very good idea. Why don't we implement Kerberos on our Android phones, and insist on
GSSAPI with a Kerberos service ticket to access POP3/IMAP/etc from the phone?
Or certificate-based authentication, where we install a X509 certificate on our phone, and the server
requires we authenticate with the right X509 certificate and use TLS/SSL in order to gain access to
our account, instead of using a password.
Then each device is separate and lost device can be dealt with by revoking certs.
Both of these are good solutions, but unfortunately, in most cases, neither will be an option,
and people would not like the Android phones if it required them to introduce proper security
to their mail server authentication, without addressing inconvenience issues.
Implementing token-based auth with IMAP or POP (unfortunately) requires special
cooperation of the mail server admin, since most mail servers have no additional authentication
options by default, beyond simple password; over SSL/TLS if you're fortunate.
The unpopularity of token-based auth for IMAP/POP stems from a lack of implementation of these security options on mail servers,
partially due to the limited history of standardization of token-based auth, and the limited understanding
most users have of the security issues with password storage and plaintext authentication.
Certificate based authentication has a problem that it's inconvenient, even though SSL/TLS is of course a very mature standard.
My impression is most sysadmins know nothing about token-based auth, GSSAPI, SASL, Kerberos, etc, would
be words they never heard of, even if they actually manage Windows AD, they never heard of Kerberos.
So... as you can imagine... token-based extensions beyond the base standard for IMAP/POP mail access are not that well known or widely implemented.
So Anyone have a pretty gui built around one of the open source/free hypervisors with all the same basic features as vCenter (live migration, live strage migration, performance reporting)? oh, and the GUI needs to be easy for a windows person to use.
XenServer + XenCenter.
Add-on features are easy to come by; core product robustness is not.
Good luck trying to run FreeBSD, Solaris, or one of those less-common OS VMs on those 'free' hypervisors with performance comparable to VMware.
Yeah, Macs are so secure that they were the first to fall at Pwn2Own for five years in a row.
Macs presented a challenge, and are highly desirable to own, so it's no surprise that security researchers concentrated efforts on pwn1ng them, so they could walk away with the coolest toy participating in Pwn2own
In other words... it's a contest that tends to select a predictable result every time: whichever the platform is most desirable hardware, as far as the participants are concerned.
So the contest wasn't objective. It would be objective if they had offered the same reward (e.g. $5k cash), regardless of which platform was successfully pwned by the contestant.
I don't buy this reasoning. Malware writers would quite happily release malware for OSX if they could make it work. Just look back 20yrs ago
Invisible/deceptive malware is directly against the Apple Human Interface design Guidelines. And developers targetting OS X are extremely respectful of Apple's application design rules.
Obviously, you have to prove that the photos. contain you to the authorities. :(
Just because the photo contains an image of you does not give you any copyright ownership.
Unless specified otherwise by a written agreement the photographer in general owns the right to the photos. You would also need to prove you created the scene/captured the picture, so have a copyright claim, which is quite difficult if you were a subject of the picture.
This kind of thing comes up a lot when people employ the services of a professional photographer. The photographer/studio that takes the pictures owns the pictures, is the only entity that can legally copy, scan, or otherwise reproduce them, and in general, they'll charge a pretty penny for rights to personal use/reproduction or any digital copy of professionally taken portraits, e.g. $100+ per image.
Remember the article about Photographer Who Took Family Portrait Of Girl Shot In Tucson Suing Media For Using The Photo ?
The photographers who take family pics apparently often keep all the old ones on file, and look for any media or anyone else daring to attempt to use their pics in publications, or anyone scanning and posting to the internet, so they can sue for a payday. :-/
Our law disagrees. Actually, even taking a picture of someone (safe celebrities known to the law as "people of public interest") is not permitted without his or her explicit consent.
Actually... in US states it is "permitted", generally. If you are on public property, you can in general photograph anything or anyone you ordinarily observe. There is nothing to prevent that. Even if the subject doesn't want their picture to be known to the public. If they happen to walk by or through the viewfinder of your camera, you can snap photos without needing permission.
The act of publication is different.
If you choose to publish a photograph or use the image in commerce without a model release, you may incur liability. This depends on the laws of the state where the picture's taken -- but it's generally not a crime of any sort to publish a picture of someone without their consent, it might be a tort (dependant on state law), is all.
Of course, there are certain kinds of pictures that may be criminal to publish under any circumstances, for example, obscene photos in violation of community or other legal standards, may be criminal even with consent of subjects.
Especially if published means broadcast over public a TV channel, FCC regulations may be involved.
A field trial is not a launch.
I try to sign up and I get a page that says:
Google+ is in limited Field Trial Right now, we're testing with a small number of people, but it won't be long before the Google+ project is ready for everyone. Leave us your email address and we'll make sure you're the first to know when we're ready to invite more people.
So unless that's just Google's way of trying to tell me, "We here at Google don't really like you" etc....
They haven't actually launched yet, and when they do, they could have many more signups. It kind of screws up the "25 million users in one month of launch" concept though.
Google+ Is neither Cathedral nor Bazaar.
Google+ is closer to a concentration camp.
If you fail to conform to the norms dicacted by the Google hive mind, your account gets gGassed; which ends its entire Google life, forcing you to stop using Google services altogether.
1989? Wasn't it in the late 1970s when the US adopted the Berne Convention?
Last I checked, the law was called the Berne Convention Implementation Act of 1988, not 1969.
I don't think so. A tip can be anonymous (as long as the tipster is not interested in a reward). The accusation is BSA vs. a company, not the tipster vs. a company. Meanwhile, if the audit turns up anything
What, the audit the company refused to undergo?
Lawsuits must have a factual basis. You can't just go to a court and file a paper that says "I'm suing you, because a little bird told me, you might be copying my software."
If the BSA can't produce some prior authentication of the information contained in the tip, including its source, they would be in trouble.
It's public domain now, so go ahead and use it.
NO.
There is no copyright issue because the inventors did not reserve their copyright.
"Rights reserved" is not required for a work to be covered by copyright. The notice used to be required, in the US, but this was changed, for any work published after 1989 in the US, a notice is not required; copyright is automatic, as soon as a novel work with the required 'creative aesthetic' is fixed in tangible form, and is owned by the person who created the work. Today only ~20 countries in the entire world require any sort of notice.
The notice is for the benefit of those countries, and it is a reminder to the owner of the copy, what rights they don't have. Damages will increase if you remove a copyright notice, or prepare and distribute copies of a work with a copyright notice, as it will be presumed willful infringement -- you cannot claim ignorance (the notice is right there, in black and white.)
Besides the software very clearly states:
I recommend switching to free software for all the tools where you don't have to have the best possible solution.
For many problem spaces, Free software tools actually provide the better solution.
Sometimes the proprietary tool is better, not always though.
I sure wouldn't hold IIS up to Apache, or Windows DNS Service up to BIND.
And if you need a Firewall appliance on commodity hardware, you use Iptables, Ipfw, or one of a dozen free software based firewall distributions, not Forefront / ISA.
Use a serial port, and let the warden keep a USB to serial connector in his safe.
Non-standard interfaces are more expensive. USB2.0 ports are high-speed serial interfaces. Older interfaces are inappropriate for large transfers.
Simply not providing any user access to the interfaces would be sufficient, however. They could use a NIC interface for performing updates, however.
The machines that run the control systems should be industrial grade equipment, kept in a locked cabinet, never able to be touched by the controller, to dissuade connecting them to the internet.
Preferably separate from the workstations that actually provide a user interface to the control system. Those could connect to the control system over a private control LAN, and communicate using encrypted signed datagrams that must have a TTL of 254, for the controller to process them.
The user could be dissuaded from connecting to the internet by requiring that the workstation IP address be issued by the controller via DHCP with an active lease to establish a connection over switch port links authenticated using 802.1X wired authentication, and providing a controller IP address as default gateway, with any unexplained packets sent towards internet hosts blackholed and designed to activate a tampering alarm.
In addition workstations designed to control the controller should be in a locked cabinet. With no general purpose software installed on them, and only approved maintenance procedures or change controls provided by the control device manufacturer/support company permitted.
Why are the prison control systems connected to the Internet? Who thought that was a good idea?
They are designed to operate without a connection to the internet. However, the computers used to control them run Windows on general purpose hardware.
Which means it is possible to connect them to the internet.
If you ask me, the designer of the system should utilize embedded hardware booted from flash media and basically read-only to the end user. Any reporting/data collection/data storage should be done by a second system connected to the control system over a NIC dedicated for that purpose.
No way to protect yourself from having to pay the lawyers though it seems ...
Quite right... I am afraid so. You can no more do business responsibly without lawyers than you can do without accountants and clerical workers or other consultants you require in the course of your business. And people with the level of training and expertise lawyers have tend to be expensive.
the only real question then... is the amount of protection you get worth the lawyers?
If you have a large business, probably, more of your cash is at risk if sued, if you're likely to lose, and you don't have protection.
Another strategy would be to spend all the money on your legal defense fund and hope to win.
But if you run out of money, and therefore, will probably lose the lawsuit due to lack of defense funding, or poor case, maybe it's a good idea to have the protection in place to fall back on.
If they lose out because the claim was false, then they have no reason to destroy his info. I would be shocked if they wouldn't want to at least make threats of suing him for the loses incurred because he lied.
Unless he actually admitted he lied, I don't think so. The publicity of that case would cost the BSA in that people would hear of the BSA suing someone who reported piracy to them. This would be handled privately and off the record.
Why wouldn't you be able to anyway?
Because maybe the BSA destroyed their record of the identity after they discovered their claim was false/total bunk, or their case got thrown out? That's the main reason I can think of -- you pursued the identity of the reporter too late, after the BSA's need to preserve that information was gone.
I assume the BSA would have the information available, such as a sworn or at least signed statement from someone, to prove they actually had a reasonable basis for a lawsuit, in their own defense against claims of some sort of abuse of process, but maybe they don't keep the information.
I don't think you can sue someone or force discovery/go on a fishing expedition of an org's papers because "you claim some anonymous party has told you they think you did something against the law," however.
Some EULAs do include a clause that says the maker of the software is entitled to have an audit performed at a certain frequency under certain circumstances, as a condition of the EULA you have to accept to use the software -- but it doesn't seem like that clause would be much help, unless the software is registered and the organization admits they do have at least one copy of the software licensed under the EULA with that requirement.
That is... i'm saying... if your organization doesn't admit to the BSA that you have the software, and they have no access to your records, then what evidence would they have you accepted any EULA permitting an audit of that software's licenses?
I assume if you settle with the BSA racket rather than take them to court, they include some term in the settlement to protect the person who brought them the evenue opportunity, but that might not be true -- i'm not really sure if there tend to be legal ramifications for the person making a statement to the BSA or not.
Maybe instead of preemptively shutting down the business he should actually contact an asset protection expert, for advice.
There are ways to structure a business to protect it against dubious legal threats, like the BSA.
A common example would be.... one corporation owning the building.... another corporation owning the computers... etc
You can't just open a new business, move the assets, close your existing one, and evade legal problems. There are many considerations, tax issues, and otherwise.
If you intentionally undercapitalize your existing business, you might be at risk of having a court find you had committed a fraudulent transfer, or they might pierce the corporate veil. Therefore, you should see an attorney about all that as well
Don't agree to any BSA demands or requests. Find a lawyer experienced with dealing with the BSA.
If you agree to an audit, it's highly probable they will find something illegal, regardless of whether you did anything illegal or not. You need a proof of purchase for every copy of an installed software product. If you use a Windows environment, you need proof that you had sufficient CALs for everything, on effective audit date.
If anything's not in order, or you can't find one proof of purchase for 1 license of XXX, the BSA will insist the software is pirated (even if you bought it good and legal), tack on huge fines, etc
"We've just gotten a letter from an attorney representing the Business Software Alliance stating someone (we're certain it's a disgruntled former employee)"
Be prepared to sue that former employee, for all damages and costs your business incurred as a result of their allegation, If they made a frivolous/false claim that hurt your business, and you can show who it is, take them to court. Maybe they (and others) will think twice, before making false reports to the BSA racket people.
The BSA needs their evidence to sue you, make sure you force the BSA to divulge the identity of the person reporting. Again, you will need legal counsel to help you with this
If you really can easily distinguish well-encoded AAC or MP3 from FLAC you should lend us at HA your golden ears!
Not necessarily. The ability to hear a difference depends partly on the type and quality of your sound system.
By the way, I prefer and use Apple Lossless 94khz/24-bit (.M4A) over FLAC. Not that FLAC sounds any different; I just find that working with the files seems faster, as in compressing raw audio to M4A seems to happen at a much better rate than compressing the same data to FLAC, and the files work on more devices; whereas very few devices seem to support FLAC.
So some people will say Codec A sounds best. Some will say Codec B sounds best. Some will say that Codecs A and B suck donkey shit and Codec C sounds best. What exactly does this prove?
It can show what percentage of the population on average could be expected to favor Codec A for a certain sample.
As for generalizing how Codec A/B/C did over one sample to the overall perceptions of Codec A/B/C over all possible samples a simple listening test cannot do that.
Making any kind of general statement about Codec A/B/C would require many representative samples of all sorts of music encoded with each codec, and many people participating in the double blind listening test.
By this logic, I should never lock my door to my house, as a determined thief can always force entry No benefit at all in preventing the casual or opportunistic thief from getting in and plundering at will.
Well, this is true if you leave the key in the lock, or leave a key in a well-known place such as under the doormat; locking the door really doesn't protect you against an opportunistic thief, if a key is readily available.
With a massively distributed OS/device, the place where the key gets placed is going to be very public knowledge, so it's really just the same as locking the door but leaving a key in the lock.
Anyways... no I wouldn't say that locking a door is no point. First of all, the criminal and civil charges for forced entry and damage are more severe than simple breaking and entering. This is not really true of the virtual world -- stealing a user's password from an unencrypted sqlite DB and using it to get into their bacnk account is just as severe a crime as stealing an encrypted sqlite DB with the user's password, stealing the encryption key, and using their decrypted pw in the same manner.
Second of all, homeowners' insurance policies generally don't pay for items stolen in a burglary, if there is no police report or no signs of forced entry.
With the virtual world.... well... if an ID thief raids your credit card account electronically, you're not liable beyond $50 anyways, as long as the charges are fraudulent -- there is no virtual requirement to show 'forced entry'; only that the charges were unauthorized. Insurance won't generally cover the loss of personal/private data, so showing signs of 'virtual forced entry' just isn't of any real benefit
Third of all.... unlike the virtual world; in the physical world, you can be sure that manual physical actions are required to defeat every security measure you put up. If you put up enough good measures, it will take so long to commit the crime, OR the crime will be so visible to the public, that criminals' chances of being caught are so high, that they will move on to an easier target.
Because houses are not like consumer electronics; houses are not produced en masse to identical specs... not all houses have identical security designs provided by the manufacturer. Pretty much, every house is unique, and there are most likely plenty of 'easy targets'.
With phones, for the most part, all targets of the same make/model phone will be equally 'easy' targets; 'moving on to an easier target' doesn't have much an analog, BUT it facilitates highly automatable, standardizable methods of attack.
A cat burglar cannot "download a piece of software" to automatically force the door open on every house on the block without extra work, extra time spent on their part, doing physical things, requiring them to spend more time at risk, and thus increasing their chance of being caught.
Walking in the door is not obviously "wrong"..... busting down a door is going to raise suspicion of ANY person (neighbor or otherwise) that sees this, and the police are likely to be called as soon as these signs are spotted.
There have been some claims that this is an example Google being evil but this seems more like incompetence and hamfistedness
When practiced to a sufficient extent, incompetence and hamfistedness results in evil being done.
Turning off someone's e-mail account without warning for some mostly harmless against-the-rule action on a social networking site sure sounds like doing evil to me.
No. Your focus on "high probability" is misguided. That's a minimum requirement, not the end. Effective security is a trade off of cost for coverage. The huge gaping flaw in your argument here is that: Locking out an account is practically the same as locking out a device as far as the user is concerned. You've failed to address that point twice now, despite being directly questioned on it. So I am pretty sure you understand it, but just don't want to admit it.
It's not practically the same thing. It's not even close. Their 'device' is already not working, because it has incorrect credentials. With just one of their devices blocked (such as their work iPad at home they don't have on hand to change the password on), they can still access their account from whatever device they are actually using, such as their computer at work, or the iPhone they are carrying on them.
The user might not use the blocked device that often, in which case, its tarpitting/deactivation of the broken device could go unnoticed for a very long amount of time.
The assumption, then, is once they DO discover the device is failing authentication, they simply fix that device by correcting the password, and within the hour, the 'block' will expire, allowing the device to resume, probably long before the average user calls anyone about this.
On the other hand.... if the device's auth failures lock their account; the effect is completely surprising to the average user. They will have no idea what has happened, and they will probably call the support desk irate demanding their account be fixed.
Their account gets unlocked..... 20 minutes later, it's locked again because their iPad at home has made 3 more failed sync attempts.
So not only is it equivalent, now you have a situation where the user can't repair the situation, because they have an incorrectly configured device attempting bogus authentications, which is out of their reach to correct, until the end of the day when they go home.
Now... for the sake of argument... let's just say this user is a CEO or sales guy, and the company could lose hundreds of millions if he can't get access to his e-mail to follow up, because some defective software has caused his entire account to be locked when it's not necessary....
I'd rather my doctor not use apps with his approved devices that are unregulated. Although, I'm sure the free-market would sort it all out.
I'd rather the FDA regulate the use of the combination of the app and the attachment in the case of (b). And require a standard of testing for the combination of app on tablet and attachment together. The tablet or app itself shouldn't need to be regulated or certified as an individual unit.
But (I suppose) a consequence of this, would be workers would have to use specific tablet, app version, attachment version. And the Tablet hardware itself would have to be certified for that combination, probably resulting in a much more expensive "Attachment compatible" branded tablet being released to meet the FDA cert requirements.
With regards to (a) I'm strongly opposed to that. Should the FDA start certifying the copy paper and ink used to print medical images on for professionals to make a specific diagnosis, and require them to use "FDA certified paper" costing $100/page to print all pictures on for diagnosis? Let's not forget, all these costs get passed onto the patient too, and sometimes cost lives, when patient/their insurance can no longer, or will no longer pay for treatment.
Oddly FDA "regulations"/certifications are often counterproductive and likely cost lives; it is difficult to determine if the number of lives saved by FDA regulations exceeds the number of lives lost as a result of bureaucracy increasing medical costs and delaying the availability of life-saving treatments.
No. FDA certification of has a cost, and it should be limited to materials where the certification is actually more beneficial.
FDA certification of medical devices that can kill if they malfunction = good
FDA certification of drugs that can kill if they have unintended side-effects = good
FDA certification of diagnostic equipment used in an operating room = good
FDA certification of pen and paper, computer displays, software, or other ancillary tools chosen by professionals to review medical data = bad
If the app-server combo has a decent session protocol, the app can get a session token from the server and discard the password.
I agree that's a very good idea. Why don't we implement Kerberos on our Android phones, and insist on GSSAPI with a Kerberos service ticket to access POP3/IMAP/etc from the phone?
Or certificate-based authentication, where we install a X509 certificate on our phone, and the server requires we authenticate with the right X509 certificate and use TLS/SSL in order to gain access to our account, instead of using a password.
Then each device is separate and lost device can be dealt with by revoking certs. Both of these are good solutions, but unfortunately, in most cases, neither will be an option, and people would not like the Android phones if it required them to introduce proper security to their mail server authentication, without addressing inconvenience issues.
Implementing token-based auth with IMAP or POP (unfortunately) requires special cooperation of the mail server admin, since most mail servers have no additional authentication options by default, beyond simple password; over SSL/TLS if you're fortunate.
The unpopularity of token-based auth for IMAP/POP stems from a lack of implementation of these security options on mail servers, partially due to the limited history of standardization of token-based auth, and the limited understanding most users have of the security issues with password storage and plaintext authentication.
Certificate based authentication has a problem that it's inconvenient, even though SSL/TLS is of course a very mature standard.
My impression is most sysadmins know nothing about token-based auth, GSSAPI, SASL, Kerberos, etc, would be words they never heard of, even if they actually manage Windows AD, they never heard of Kerberos.
So... as you can imagine... token-based extensions beyond the base standard for IMAP/POP mail access are not that well known or widely implemented.