If you don't like DRM don't use your money to buy DRM'd media. I find it amusing people whine incessantly about a feature they are free to use or not use.
Hardware manufacturers are in a much stronger position to save the world from DRM than most anyone else. I can refuse to buy DRM-infected media, but I can't necessarily get everybody else to do it, and if most people don't then DRM-free version of popular media may disappear. Whereas if a critical mass of hardware manufacturers refuse to support DRM then media companies will release media without hardware DRM in order to reach a critical mass of customers.
The challenge is that we have this erroneous belief that government determines our rights. It doesn't. It is supposed to provide *limitations* and enumerate its own rights. The Bill of Rights was a bad idea. We should have just agreed that we have the right to do ANYTHING. Flipped it on its head. Then the government should have come in and said, "Oh you can't say anything that would put the public in immediate danger like yelling fire! in a public space". Stuff like that.
I think you're missing the problem. It doesn't matter what the constitution says if they don't follow it.
It isn't that you need to set out a document that properly enumerates the limitations on government power. I mean you do, but we've more or less done that. Perhaps some of the language could be made more clear.
The real problem is that if the government is allowed to ignore what the constitution says or interpret it to mean something else because it's politically expedient then you're on the path to perdition.
The failure of the federal government to respect individual rights is in reality a failure of checks and balances. Congress is not supposed to pass laws that violate your privacy. The executive is not supposed to implement them. The courts are not supposed to uphold them. All three branches fail, and that failure is the one for which a solution must be devised.
OK done. Now how do I make an iPhone app and distribute it to all the iPhone users who want it if Apple doesn't like my app?
So how is restricting yourself to an official marketplace different from having one iOS store? You're arguing in favor of a walled garden!
I love how Slashdot bashed Windows for over a decade about its malware, but when malware happens to a Linux-based OS, it's deemed a "non-story."
One of the big reasons "real" Linux doesn't get malware is that it uses a package manager for most software installation. If you download some random binary from the internet, it doesn't have the execute bit set by default so you double click on it and it doesn't run. But if you know what you're doing you can flip the bit and run it, without breaking any laws or anything. It's like having the garden without the walls.
Now Apple comes in with this "walled garden" approach and I feel like you're conflating the two. Gardens are good. Walls are bad.
Right, so you root your iPhone and then you get iPhone malware.
People keep talking about walled garden etc. I don't know if anybody has ever heard about this method I use: It's called "don't run binaries from untrustworthy places" and it's been working pretty well for about as long as I can remember.
The point of having a non-jailbroken phone is that it won't run software that hasn't been signed. This makes it difficult for viruses or even trojan horses to slip past.
The trouble is that signing doesn't scale. You can't economically screen millions of apps sufficiently rigorously to ensure you aren't signing malware. If you make screening arduous then either everybody including grandma figures out how to run unsigned software and signing becomes irrelevant, or they don't and your platform fails because getting screened is sufficiently difficult or expensive to drive away small developers.
If you want to be really pure, buy a Nexus S, or a SheevaPlug, and install your own kernel and runtime on it.
That doesn't get me a strong and diverse ecosystem. They have to be in the hands of many people so that developers of Microsoft- and telco-unapproved software have prospective users to make it worth their while to write the software. I can't write it all myself.
It's fairly easy to get around the no open source rule though.
Every time you release closed source MyReallyAwesomeApp, immediately release an open sourced OpenMyReallyAwesomeApp.
Only if you refrain from using open source the way it was intended.
I can't write my app which is half GPL code from the FSF and half my own code and then release it under both the GPL and a closed license. I can only release it under the GPL.
Now, one could turn around and say that Microsoft is bad for having an App store that violates the GPL, but given how cooperative Microsoft has been with jailbreakers, I really don't think one would have a rhetorical leg to stand on with this argument. It would work much better against Apple.
I don't know, being "cooperative" with jailbreakers seems like trying to have it both ways. If they were really being cooperative then they wouldn't have created a device that needs a jailbreak for the owner to control it. Their obvious purpose is to get some of the benefits of an open device (because anybody can jailbreak and lots of people do) but simultaneously trying to pull the wool over the eyes of DRM supporters who spuriously think that lockdown is effective and useful, and maneuvering themselves into a position where they can use the DMCA selectively against anyone they don't like because everybody is a violator. I find it hard to support that.
It's very common for sudo to log to syslog. It's also very common for syslog to log in real time off-host. The user may break the logging trail, but they won't hide the command they ran to break the logging trail.
Only if the sudo log ends up off-host and the command the user entered to get a root shell wasn't something perfectly innocent-looking like "sudo emacs/etc/whatever" and getting root on the first machine doesn't give them root on the logging machine because e.g. somebody's ssh keys or other authentication credentials for the logging machine are stored on the first machine, or the rooted machine is running an authentication service, or it contains authentication-sensitive files, or it contains ssh keys to a machine that contains authentication-sensitive files, etc. and the attacker can't interrupt anything in the network path between the machine to be rooted and the logging server while the rooting is going on.
Which, now that I think about it, seems pretty trivial: Take down the network interface for a few seconds. At best the command taking down the interface gets logged, but nothing after it. At worst the interface goes down before the packet logging that command makes it out of the machine, and there may be various ways for the attacker to make sure the latter is what happens.
So if I am logged in as USER, are you saying sudo will use USER's $PATH
The normal behavior of sudo is to use the user's environment including $PATH. There is an option you can put in the sudoers file called env_reset that will cause it to not to do this. Some flavors now have that option on by default. There is also another option called secure_path which allows you to explicitly specify a PATH to use when running sudo. These solve part of the problem -- at least as long as you run sudo itself as/usr/bin/sudo.
The trouble is that the actual root environment is only one attack vector. Suppose the attacker creates/evil, puts it at the front of $USER's $PATH and fills it with a bunch of binaries with names like echo, ls, gzip, etc. which under most circumstances just call their counterparts in/bin and/usr/bin.
Then you come along and type something like: echo 1 |/usr/bin/sudo tee/proc/sys/net/ipv4/ip_forward
This will run the actual/usr/bin/tee as root if you've taken precautions because root has a clean $PATH. The trouble is that it runs echo as/evil/echo, and/evil/echo parses its own command line to see if it contains sudo. It does, so it runs 'sudo rootkit'. Then you get a password prompt, which you think is for 'sudo tee' but is really for 'sudo rootkit' so you type your password and your system is rooted.
Yes. This is why you disable all those backdoors and only specify particular commands that can be run in/etc/sudoers, with others either denied, or lighting up your IDS/system monitoring like a Christmas tree.
(This also serves as a handy reminder that properly securing systems is *extremely difficult*.)
The real trouble is that in many cases it just isn't going to happen. Allow someone to run apt-get install, they can install a known-vulnerable setuid binary and root the system. Allow them to edit certain sensitive files in/etc, you're toast. On and on. But the person's job involves installing software or editing system files or whatever, so you have to allow it.
Doing that helps, but it doesn't eliminate the entire class of vulnerabilities. Try running "/usr/bin/sudo echo $USER" with env_reset turned on. You get the wheel user rather than root because the user's shell expands the variable before sudo resets the environment.
Wouldn't the same be true for su and the root account? Run malicious code as the root user, it can modify the root user's environment. Then you have a compromised system.
Sure, if you run malicious code as root you're screwed. But presumably you aren't e.g. browsing the web and running the perpetually-vulnerable Flash Player as root.
Sudo everything provides an actual audit trail to the actions taken by an admin. which is essential in environments where governance and acountability are required.
Provided you don't trust it to actually do those things. If someone can run 'sudo su -' then they own the system and can make the sudo log files say whatever they want, including removing the fact that they ran 'sudo su -'. Ditto 'sudo emacs', 'sudo dd', 'sudo mv' or any other command that as root will execute subsidiary commands, write specified data to specified files or any various other routes to a root shell. And in most cases you don't even need to muck about modifying logs: Just 'sudo emacs/etc/something/innocuous' and nothing untoward appears in the sudo log but you can run unlogged commands from within emacs, etc.
sudo can be useful in situations where you have a very limited subset of commands that a user should be able to execute as root and each will run as root without allowing the user to achieve a root shell. The trouble is that most commands that aren't already setuid aren't especially designed that way, so that scenario doesn't happen very often.
I guess you could say it's useful if you want to have some kind of faith-based auditing mechanism where you assume your sudoers aren't malicious and therefore won't modify the logs or work around the logging. But if you trust your sudoers that much then why do you need to audit them? It smells like a mechanism to provide the appearance of auditing so that someone's PHB can be satisfied that auditing exists, even though you can't really trust the audit log to be complete or correct.
This guy lost me with the first thing on the list. Going directly to root is great - if you're a noob in mom's basement. Nobody who has ever run systems in a serious environment mucks around as root as an alternative to something like sudo.
Contrary to the article's stated rationale, there is a real reason not to use sudo: If you run some malicious code as the wheel user, it can modify the wheel user's environment. Then the sudo command runs in the wheel user's environment with e.g. a malicious $PATH and you go from having a compromised user account to having a compromised system.
Incidentally, this is also why you should never run "su" and always run "/bin/su -".
It has been my supposition since I first heard of this that Watson would tend to fare poorer against human competitors when the clues are very terse, because then Watson doesn't get as much extra time over the human competitors to parse the clue and search its database for possible answers.
It seems like speed in answering is the least interesting part of all this. Especially when you're talking about the difference between six seconds and ten seconds or whatever. If the difference is between six seconds and six thousand years then we might care, but if it's a matter of replacing the racks with POWER 8 processors and trying again, what does it matter?
The interesting thing is whether it can get the right answer in any reasonable period of time.
Nope, the 26.9% is inclusive of state and local taxes. Federal taxes last year were about 15% of GDP (they're usually closer to 18% or so:
26.9% seems implausible. The federal government is currently spending some 25% of GDP. If they're only taking in 15-18%, that's...worrying. Moreover, most states, particularly the populous ones that constitute the bulk of the federal GDP, are spending some 20-30% of their respective state GDPs. I suppose it's possible that between the state and federal governments they're spending some 55% of GDP and only collecting 26.9%, but if that's really the case then it doesn't say much for the prospect of making up the difference in tax increases.
Um, yes. First, as the economy recovers, tax receipts increase and social spending for the impacted citizens will drop significantly, both which will significantly improve the deficit. Increasing taxes or decreasing spending when the economy is sucking wind is a recipe for making things worse (which actually serves to make deficits worse and costs more in the long term due to the extra damage to the economy and workforce).
Yes of course, running deficits during a recession will generally cause a quicker recovery. But the OP suggested raising taxes. It seems we agree that that is ill advised in the short term. The trouble is that if you wait until a recovery is already underway, people lose the will to cut programs. Especially the programs that remain bloated and inefficient because they have powerful lobbies behind them and can therefore only be modified in times of crisis -- namely social security and the military. If you wait, you have to make up the entire shortfall with tax increases, which causes substantially more economic harm than reforming bloated programs while the political will to do so is stronger. My suggestion is that we pass spending reduction reforms that won't take effect for a couple years.
Take social security as an example. Let's say we want to eliminate the funky regressive social security tax and make up the revenue by raising the federal withholding tax. We want to raise the retirement age by a few years to account for the fact that people are living longer. We want to make payments need-based so that we stop sending large government checks to retired millionaire investment bankers. The only way we're ever going to get any of that passed is if we do it now. But if it doesn't pass then all of the bad design stays with us and we end up having to fix it during the next crisis, which happens sooner and more powerfully because we didn't clean house when we had the chance.
That being said, that only becomes a problem if we either can't pay for it, or we're so politically dysfunctional that we won't. Japan has a much higher debt to GDP ratio (more than twice ours) and their interest rates are around 1%, so it's not a given that we're near some sort of tipping point. If republicans keep pushing for us to default on some or all of our debt though, we'll see how high rates can go I suppose.
It seems to me it's a problem even if we can pay for it, because it's still a gigantic money pit. In 2010 we paid over $400,000,000,000 in interest on the debt. That's a preposterous amount of money to be mailing to China and Saudi Arabia and otherwise setting on fire every year.
Um, again, No. Social Security has dedicated funding. You and your employer pay into it as a separate line item, and that money can't be "re-purposed", and the surpluses that were deliberately built up over the past 2 decades to cover the baby boom bulge are real money, invested in real treasury bonds (they're actually in filing cabinets in West Virginia, IIRC).
It can't be re-purposed because there is a law saying so. There is nothing preventing Congress from changing that law. Moreover, treasury bonds in the hands of the federal government are worthless paper. You can fill out an IOU to yourself that says you ow
Even the president's commission realized that it makes sense to wait until the economy recovers before you start massive cuts.
I don't disagree with that. But you can pass a law today that imposes future cuts. Raise the retirement age by x many years, effective as of 2014.
The trouble is that if you want to raise future taxes to pay back something like five years of huge deficits, you can't expect the tax increase to be small. And a large tax increase is, I would think fairly indisputably, very bad for a freshly recovering economy.
And what happened after WWII? Forty years of economic boom!
Did you mean to imply that the US is currently in a similar position economically to where it was at the end of WWII?
How many people die as a result of your cuts to SS and medicare? What were their lives worth?
Is this kind of rhetoric really necessary? The overwhelming majority of social security and medicare recipients are not at the margin of life and death. Need-based programs exist for those who are.
SS doesn't contribute to the deficit, so we should leave it alone, IMHO.
True or false: If some of the money currently distributed in social security checks were instead applied against the deficit, the deficit would be lower. The idea that social security doesn't contribute to the deficit is hocus pocus misdirection. Putting it in a separate ledger doesn't change the fact that money is being paid. And if money is being paid, it contributes to the deficit.
How is cutting more now better?
Social security is a very poorly designed program. The tax is exceptionally regressive: Someone earning minimum wage pays a higher percentage of their income than a high priced lawyer and someone who earns everything from capital gains pays nothing. It imposes a disproportionate burden on small business proprietors, who have to pay both the employee and employer share and generally can't take deductions against it for business expenses. A billionaire CEO is eligible to collect more benefits than someone who made $30,000/year. And there is no way to opt out of the system if it doesn't serve your needs. As far as I'm concerned they can scrap the whole program and replace it with a collection of state-funded senior living complexes for the indigent.
The actual numbers are less than half of that: Additional income, sales, and property taxes are assessed at the state and local levels. In the most recent year, overall tax revenue as a percentage of GDP was 26.9 percent. That's from the liberal Heritage foundation ranking page for the US ( http://www.heritage.org/index/Country/UnitedStates )
There is something wrong with your link. But let's say that number is right for the federal government. Add in state spending, which obviously differs by state, but let's say New York. In 2010 New York state spending was $283 B with a state GDP of $1114 B, which means state taxes had to be about 25% to cover the spending. (New York seems to be pretty typical, e.g. Alaska 36%, Mississippi 28%, New Jersey 21%, Oklahoma 21%, Oregon 26%, etc.) For New York, 26.9% and 25% is 51.9%. Alaska would be 62.9%. Admittedly it looks like the typical state is in the neighborhood of 50% and I claimed 60%, but it's hardly "less than half of that" and there do exist states with total taxation in excess of 60% of state GDP between state and federal taxes.
Taking a 10% deficit as the baseline also massively overstates the structural problem. Yes, the past 2 years have had those ~10% deficits, but unless you're predicting that the economic slump that we're just now starting to recover from will go on in perpetuity, or get worse, it's not a reasonable baseline.
The 10% deficits are the current reality. Unless your point is to just continue to run those kind of deficits today and for the next few years and then try to pay for them with tax increases five or ten years from now?
Moreover, there are differences between today and recent history. Right now debt as a percent of GDP is higher than it has been since the end of WWII, and unless we make significant cuts today it's going to get worse before it gets better. It's already about twice what it was when Regan took office. The only reason the interest isn't a present catastrophe is that interest rates are so low, and if the economy starts to recover then interest rates go back up and servicing the debt is going to seriously cut into the tax windfall that economic growth might otherwise produce.
Add to that the baby boomers retiring and removing their productive capacity (and income tax payments) while at the same time putting severe stress on social security and medicare as they start collecting rather than paying in.
Finally, Social Security is a dedicated funding stream and it can't contribute to the deficit by law. You could cancel the program tomorrow and it'd not change the actual deficit one bit (the reported "unified budget" deficit/surplus numbers are misleading since they include SS income, but that has nothing to do with the actual accounting).
This is just accounting shenanigans. If there was a cut in social security or medicare then the tax money currently going to those programs could be spent in reducing the deficit. The fact that you would, as a matter of accounting, end up reducing the social security tax and raising the general income tax by an equivalent amount in order to bring it about changes nothing about the actual impact of the change: Money distributed in social security checks is money that isn't, and could be, spent covering the deficit.
Let's think about that for a minute. Right now, between federal, state and local taxes, governments in the US collect about 60% of GDP as tax revenue. For the last couple of years the federal deficit has been a little over 10% of GDP. So if you want to balance the budget by raising taxes, you have to raise the 60% to 70%.
Which reduces the after-tax spending power of the average American by 25% (from 40% to 30% of before-tax spending power).
Which, of course, harms the economy to some degree. Which reduces the tax base. Which means the tax increase from 60% to 70% didn't raise the necessary 10% of GDP to cover the deficit, because it made GDP smaller. So you need to go higher than 70% to collect the necessary money -- but as you start to approach 100%, the amount of economic harm taxes cause becomes extremely severe. If you're lucky you might be able to raise overall taxes to e.g. 75% of GDP and collect the money you need -- but at the cost of significantly harming the long-term outlook by inducing investment capital flight. If you're unlucky then you can't collect that amount of money without raising the tax rate to the point where it causes immediate economic collapse.
And that's before considering the disparate consequences of a federal tax increase. The federal government might be able to cover its own deficit by increasing federal taxes. The problem is that the economic harm caused by the federal tax increase would completely torpedo the already-bankrupt states -- especially the ones like California which are already in the worst shape and would bear the brunt of a federal tax increase.
Add in the need for ultimately paying down the debt so that the interest stops sucking up a hundred billion dollars a year and the situation becomes clear.
There is no way out of this other than reducing the budgets of social security, medicare, medicaid and the DoD. NO WAY. The sooner people accept that, the sooner it can happen and the less painful it will be.
Can't happen. Google can't delist swaths of multi-billion dollar entertainment companies responsible for generating the bulk of popular culture. They'd sink their own battleship.
Who needs to delist them? I'd be willing to bet that the only reason various torrent websites aren't the first hit for any given Hollywood film is that Google is munging the results to favor the studio's websites. I'm not aware of any law that says they have to do that.
Here's the thing about that - No one gives a shit.
No, you're wrong. Most people don't care. Some people do. The people who do can discuss the problem and try to come up with solutions.
Like searching for and purchasing a strong patent not in the MPEG-LA pool that reads on H.264 and then demanding a high license fee for that patent for any use of H.264, so that suddenly the price difference is material and people start using the free WebM instead.
Or whatever else people can come up with.
Just because most people don't care, doesn't mean you shouldn't care. Most people are lemmings and I, for one, don't intend to follow them over the cliff.
A bridge is an expensive and inherently limited resource, and a usage charge is one of the best ways to manage it.
Nonsense. If this was the goal of toll collection, tolls would only be collected during times of traffic congestion, since collecting a toll at any other time would be mismanaging the resource by discouraging use at times when there is plenty of capacity, and would encourage motorists to not distinguish between times of congestion and other times. However, congestion pricing creates significant perverse incentives for governments: If they act to relieve congestion, even where doing so is highly cost effective and beneficial, they stand to lose the congestion charge revenue when the congestion disappears.
In addition, it is highly questionable whether tolls significantly reduce congestion anyway. Certainly toll booths do not -- they contribute to it by backing up traffic and grossly mismanaging the "inherently limited resource." And while transponders may not necessarily contribute to congestion, they make the psychological effect of paying the toll highly attenuated by separating the act of crossing the bridge from the act of paying the toll. If the goal is to discourage use then working so hard to hide the cost is self-defeating.
On top of all that, although bridges are expensive, they only need to be built once. The cost of maintaining a four lane bridge is not outrageously more than the cost of maintaining a two lane bridge. So if there is more demand for bridges than there are bridges, the optimal solution would seem to be to build more or wider bridges, rather than to use tolls to artificially suppress demand.
Wow, you started off with a great point about privacy (which I agree with), then devolved into a rant about how users of bridges, roads, etc. shouldn't have to pay for use and then into something silly about corporations.
What the OP said was that tolls are generally evil. And that is true. Whether you have toll collectors or transponder equipment, you end up wasting millions of taxpayer dollars on a revenue collection method that is strictly inferior to the alternative: Raising the gas tax.
We already have a gas tax, so the cost of increasing it to offset the revenue lost by eliminating tolls would have zero government overhead. Meanwhile you eliminate the cost of transponders, readers, collection and enforcement costs against those who don't pay, etc.
And as an added bonus, the privacy concerns entirely disappear.
Blacklisting the movie arm of Sony is harder because they own so many different movies and franchises under so many different names that its impossible to know which films I need to avoid.
There is an easy solution to that: If a movie is big enough that you see an ad for it, make sure the studio behind it doesn't see any of your money. It's not like the other major studios are run by a girl scout troop that donates the money to starving orphans.
Slashdot Mirror
If you don't like DRM don't use your money to buy DRM'd media. I find it amusing people whine incessantly about a feature they are free to use or not use.
Hardware manufacturers are in a much stronger position to save the world from DRM than most anyone else. I can refuse to buy DRM-infected media, but I can't necessarily get everybody else to do it, and if most people don't then DRM-free version of popular media may disappear. Whereas if a critical mass of hardware manufacturers refuse to support DRM then media companies will release media without hardware DRM in order to reach a critical mass of customers.
The challenge is that we have this erroneous belief that government determines our rights. It doesn't. It is supposed to provide *limitations* and enumerate its own rights. The Bill of Rights was a bad idea. We should have just agreed that we have the right to do ANYTHING. Flipped it on its head. Then the government should have come in and said, "Oh you can't say anything that would put the public in immediate danger like yelling fire! in a public space". Stuff like that.
I think you're missing the problem. It doesn't matter what the constitution says if they don't follow it.
It isn't that you need to set out a document that properly enumerates the limitations on government power. I mean you do, but we've more or less done that. Perhaps some of the language could be made more clear.
The real problem is that if the government is allowed to ignore what the constitution says or interpret it to mean something else because it's politically expedient then you're on the path to perdition.
The failure of the federal government to respect individual rights is in reality a failure of checks and balances. Congress is not supposed to pass laws that violate your privacy. The executive is not supposed to implement them. The courts are not supposed to uphold them. All three branches fail, and that failure is the one for which a solution must be devised.
What? Yes you can. Don't buy an iPhone.
OK done. Now how do I make an iPhone app and distribute it to all the iPhone users who want it if Apple doesn't like my app?
So how is restricting yourself to an official marketplace different from having one iOS store? You're arguing in favor of a walled garden!
I love how Slashdot bashed Windows for over a decade about its malware, but when malware happens to a Linux-based OS, it's deemed a "non-story."
One of the big reasons "real" Linux doesn't get malware is that it uses a package manager for most software installation. If you download some random binary from the internet, it doesn't have the execute bit set by default so you double click on it and it doesn't run. But if you know what you're doing you can flip the bit and run it, without breaking any laws or anything. It's like having the garden without the walls.
Now Apple comes in with this "walled garden" approach and I feel like you're conflating the two. Gardens are good. Walls are bad.
"Because you can't choose not to use it."
http://cydia.saurik.com/
Right, so you root your iPhone and then you get iPhone malware.
People keep talking about walled garden etc. I don't know if anybody has ever heard about this method I use: It's called "don't run binaries from untrustworthy places" and it's been working pretty well for about as long as I can remember.
Good job using 'iOS malware' as the search query. It returns under 1.4 million hits compared to the 7 million some odd for 'android malware'.
Trouble is 'iphone malware' returns 71 million hits.
The point of having a non-jailbroken phone is that it won't run software that hasn't been signed. This makes it difficult for viruses or even trojan horses to slip past.
The trouble is that signing doesn't scale. You can't economically screen millions of apps sufficiently rigorously to ensure you aren't signing malware. If you make screening arduous then either everybody including grandma figures out how to run unsigned software and signing becomes irrelevant, or they don't and your platform fails because getting screened is sufficiently difficult or expensive to drive away small developers.
If you want to be really pure, buy a Nexus S, or a SheevaPlug, and install your own kernel and runtime on it.
That doesn't get me a strong and diverse ecosystem. They have to be in the hands of many people so that developers of Microsoft- and telco-unapproved software have prospective users to make it worth their while to write the software. I can't write it all myself.
It's fairly easy to get around the no open source rule though.
Every time you release closed source MyReallyAwesomeApp, immediately release an open sourced OpenMyReallyAwesomeApp.
Only if you refrain from using open source the way it was intended.
I can't write my app which is half GPL code from the FSF and half my own code and then release it under both the GPL and a closed license. I can only release it under the GPL.
Now, one could turn around and say that Microsoft is bad for having an App store that violates the GPL, but given how cooperative Microsoft has been with jailbreakers, I really don't think one would have a rhetorical leg to stand on with this argument. It would work much better against Apple.
I don't know, being "cooperative" with jailbreakers seems like trying to have it both ways. If they were really being cooperative then they wouldn't have created a device that needs a jailbreak for the owner to control it. Their obvious purpose is to get some of the benefits of an open device (because anybody can jailbreak and lots of people do) but simultaneously trying to pull the wool over the eyes of DRM supporters who spuriously think that lockdown is effective and useful, and maneuvering themselves into a position where they can use the DMCA selectively against anyone they don't like because everybody is a violator. I find it hard to support that.
It's very common for sudo to log to syslog. It's also very common for syslog to log in real time off-host. The user may break the logging trail, but they won't hide the command they ran to break the logging trail.
Only if the sudo log ends up off-host and the command the user entered to get a root shell wasn't something perfectly innocent-looking like "sudo emacs /etc/whatever" and getting root on the first machine doesn't give them root on the logging machine because e.g. somebody's ssh keys or other authentication credentials for the logging machine are stored on the first machine, or the rooted machine is running an authentication service, or it contains authentication-sensitive files, or it contains ssh keys to a machine that contains authentication-sensitive files, etc. and the attacker can't interrupt anything in the network path between the machine to be rooted and the logging server while the rooting is going on.
Which, now that I think about it, seems pretty trivial: Take down the network interface for a few seconds. At best the command taking down the interface gets logged, but nothing after it. At worst the interface goes down before the packet logging that command makes it out of the machine, and there may be various ways for the attacker to make sure the latter is what happens.
Is the problem that the USER's $PATH is changed to /evil/ running "/bin/sudo reboot" would execute "/evil/reboot" with the root or wheel privilege?
That is one of the possible problems, yes.
wheel's $PATH (if that is a separate user account at all)
http://en.wikipedia.org/wiki/Wheel (Unix term)
In this case it means a user that is allowed to su or sudo.
So if I am logged in as USER, are you saying sudo will use USER's $PATH
The normal behavior of sudo is to use the user's environment including $PATH. There is an option you can put in the sudoers file called env_reset that will cause it to not to do this. Some flavors now have that option on by default. There is also another option called secure_path which allows you to explicitly specify a PATH to use when running sudo. These solve part of the problem -- at least as long as you run sudo itself as /usr/bin/sudo.
The trouble is that the actual root environment is only one attack vector. Suppose the attacker creates /evil, puts it at the front of $USER's $PATH and fills it with a bunch of binaries with names like echo, ls, gzip, etc. which under most circumstances just call their counterparts in /bin and /usr/bin.
Then you come along and type something like: /usr/bin/sudo tee /proc/sys/net/ipv4/ip_forward
echo 1 |
This will run the actual /usr/bin/tee as root if you've taken precautions because root has a clean $PATH. The trouble is that it runs echo as /evil/echo, and /evil/echo parses its own command line to see if it contains sudo. It does, so it runs 'sudo rootkit'. Then you get a password prompt, which you think is for 'sudo tee' but is really for 'sudo rootkit' so you type your password and your system is rooted.
Yes. This is why you disable all those backdoors and only specify particular commands that can be run in /etc/sudoers, with others either denied, or lighting up your IDS/system monitoring like a Christmas tree.
(This also serves as a handy reminder that properly securing systems is *extremely difficult*.)
The real trouble is that in many cases it just isn't going to happen. Allow someone to run apt-get install, they can install a known-vulnerable setuid binary and root the system. Allow them to edit certain sensitive files in /etc, you're toast. On and on. But the person's job involves installing software or editing system files or whatever, so you have to allow it.
Sudo can reset the environment.
Doing that helps, but it doesn't eliminate the entire class of vulnerabilities. Try running "/usr/bin/sudo echo $USER" with env_reset turned on. You get the wheel user rather than root because the user's shell expands the variable before sudo resets the environment.
Wouldn't the same be true for su and the root account? Run malicious code as the root user, it can modify the root user's environment. Then you have a compromised system.
Sure, if you run malicious code as root you're screwed. But presumably you aren't e.g. browsing the web and running the perpetually-vulnerable Flash Player as root.
Sudo everything provides an actual audit trail to the actions taken by an admin. which is essential in environments where governance and acountability are required.
Provided you don't trust it to actually do those things. If someone can run 'sudo su -' then they own the system and can make the sudo log files say whatever they want, including removing the fact that they ran 'sudo su -'. Ditto 'sudo emacs', 'sudo dd', 'sudo mv' or any other command that as root will execute subsidiary commands, write specified data to specified files or any various other routes to a root shell. And in most cases you don't even need to muck about modifying logs: Just 'sudo emacs /etc/something/innocuous' and nothing untoward appears in the sudo log but you can run unlogged commands from within emacs, etc.
sudo can be useful in situations where you have a very limited subset of commands that a user should be able to execute as root and each will run as root without allowing the user to achieve a root shell. The trouble is that most commands that aren't already setuid aren't especially designed that way, so that scenario doesn't happen very often.
I guess you could say it's useful if you want to have some kind of faith-based auditing mechanism where you assume your sudoers aren't malicious and therefore won't modify the logs or work around the logging. But if you trust your sudoers that much then why do you need to audit them? It smells like a mechanism to provide the appearance of auditing so that someone's PHB can be satisfied that auditing exists, even though you can't really trust the audit log to be complete or correct.
This guy lost me with the first thing on the list. Going directly to root is great - if you're a noob in mom's basement. Nobody who has ever run systems in a serious environment mucks around as root as an alternative to something like sudo.
Contrary to the article's stated rationale, there is a real reason not to use sudo: If you run some malicious code as the wheel user, it can modify the wheel user's environment. Then the sudo command runs in the wheel user's environment with e.g. a malicious $PATH and you go from having a compromised user account to having a compromised system.
Incidentally, this is also why you should never run "su" and always run "/bin/su -".
It has been my supposition since I first heard of this that Watson would tend to fare poorer against human competitors when the clues are very terse, because then Watson doesn't get as much extra time over the human competitors to parse the clue and search its database for possible answers.
It seems like speed in answering is the least interesting part of all this. Especially when you're talking about the difference between six seconds and ten seconds or whatever. If the difference is between six seconds and six thousand years then we might care, but if it's a matter of replacing the racks with POWER 8 processors and trying again, what does it matter?
The interesting thing is whether it can get the right answer in any reasonable period of time.
Nope, the 26.9% is inclusive of state and local taxes. Federal taxes last year were about 15% of GDP (they're usually closer to 18% or so:
26.9% seems implausible. The federal government is currently spending some 25% of GDP. If they're only taking in 15-18%, that's...worrying. Moreover, most states, particularly the populous ones that constitute the bulk of the federal GDP, are spending some 20-30% of their respective state GDPs. I suppose it's possible that between the state and federal governments they're spending some 55% of GDP and only collecting 26.9%, but if that's really the case then it doesn't say much for the prospect of making up the difference in tax increases.
Um, yes. First, as the economy recovers, tax receipts increase and social spending for the impacted citizens will drop significantly, both which will significantly improve the deficit. Increasing taxes or decreasing spending when the economy is sucking wind is a recipe for making things worse (which actually serves to make deficits worse and costs more in the long term due to the extra damage to the economy and workforce).
Yes of course, running deficits during a recession will generally cause a quicker recovery. But the OP suggested raising taxes. It seems we agree that that is ill advised in the short term. The trouble is that if you wait until a recovery is already underway, people lose the will to cut programs. Especially the programs that remain bloated and inefficient because they have powerful lobbies behind them and can therefore only be modified in times of crisis -- namely social security and the military. If you wait, you have to make up the entire shortfall with tax increases, which causes substantially more economic harm than reforming bloated programs while the political will to do so is stronger. My suggestion is that we pass spending reduction reforms that won't take effect for a couple years.
Take social security as an example. Let's say we want to eliminate the funky regressive social security tax and make up the revenue by raising the federal withholding tax. We want to raise the retirement age by a few years to account for the fact that people are living longer. We want to make payments need-based so that we stop sending large government checks to retired millionaire investment bankers. The only way we're ever going to get any of that passed is if we do it now. But if it doesn't pass then all of the bad design stays with us and we end up having to fix it during the next crisis, which happens sooner and more powerfully because we didn't clean house when we had the chance.
That being said, that only becomes a problem if we either can't pay for it, or we're so politically dysfunctional that we won't. Japan has a much higher debt to GDP ratio (more than twice ours) and their interest rates are around 1%, so it's not a given that we're near some sort of tipping point. If republicans keep pushing for us to default on some or all of our debt though, we'll see how high rates can go I suppose.
It seems to me it's a problem even if we can pay for it, because it's still a gigantic money pit. In 2010 we paid over $400,000,000,000 in interest on the debt. That's a preposterous amount of money to be mailing to China and Saudi Arabia and otherwise setting on fire every year.
Um, again, No. Social Security has dedicated funding. You and your employer pay into it as a separate line item, and that money can't be "re-purposed", and the surpluses that were deliberately built up over the past 2 decades to cover the baby boom bulge are real money, invested in real treasury bonds (they're actually in filing cabinets in West Virginia, IIRC).
It can't be re-purposed because there is a law saying so. There is nothing preventing Congress from changing that law. Moreover, treasury bonds in the hands of the federal government are worthless paper. You can fill out an IOU to yourself that says you ow
Even the president's commission realized that it makes sense to wait until the economy recovers before you start massive cuts.
I don't disagree with that. But you can pass a law today that imposes future cuts. Raise the retirement age by x many years, effective as of 2014.
The trouble is that if you want to raise future taxes to pay back something like five years of huge deficits, you can't expect the tax increase to be small. And a large tax increase is, I would think fairly indisputably, very bad for a freshly recovering economy.
And what happened after WWII? Forty years of economic boom!
Did you mean to imply that the US is currently in a similar position economically to where it was at the end of WWII?
How many people die as a result of your cuts to SS and medicare? What were their lives worth?
Is this kind of rhetoric really necessary? The overwhelming majority of social security and medicare recipients are not at the margin of life and death. Need-based programs exist for those who are.
SS doesn't contribute to the deficit, so we should leave it alone, IMHO.
True or false: If some of the money currently distributed in social security checks were instead applied against the deficit, the deficit would be lower.
The idea that social security doesn't contribute to the deficit is hocus pocus misdirection. Putting it in a separate ledger doesn't change the fact that money is being paid. And if money is being paid, it contributes to the deficit.
How is cutting more now better?
Social security is a very poorly designed program. The tax is exceptionally regressive: Someone earning minimum wage pays a higher percentage of their income than a high priced lawyer and someone who earns everything from capital gains pays nothing. It imposes a disproportionate burden on small business proprietors, who have to pay both the employee and employer share and generally can't take deductions against it for business expenses. A billionaire CEO is eligible to collect more benefits than someone who made $30,000/year. And there is no way to opt out of the system if it doesn't serve your needs. As far as I'm concerned they can scrap the whole program and replace it with a collection of state-funded senior living complexes for the indigent.
The actual numbers are less than half of that: Additional income, sales, and property taxes are assessed at the state and local levels. In the most recent year, overall tax revenue as a percentage of GDP was 26.9 percent. That's from the liberal Heritage foundation ranking page for the US ( http://www.heritage.org/index/Country/UnitedStates )
There is something wrong with your link. But let's say that number is right for the federal government. Add in state spending, which obviously differs by state, but let's say New York. In 2010 New York state spending was $283 B with a state GDP of $1114 B, which means state taxes had to be about 25% to cover the spending. (New York seems to be pretty typical, e.g. Alaska 36%, Mississippi 28%, New Jersey 21%, Oklahoma 21%, Oregon 26%, etc.) For New York, 26.9% and 25% is 51.9%. Alaska would be 62.9%. Admittedly it looks like the typical state is in the neighborhood of 50% and I claimed 60%, but it's hardly "less than half of that" and there do exist states with total taxation in excess of 60% of state GDP between state and federal taxes.
Taking a 10% deficit as the baseline also massively overstates the structural problem. Yes, the past 2 years have had those ~10% deficits, but unless you're predicting that the economic slump that we're just now starting to recover from will go on in perpetuity, or get worse, it's not a reasonable baseline.
The 10% deficits are the current reality. Unless your point is to just continue to run those kind of deficits today and for the next few years and then try to pay for them with tax increases five or ten years from now?
Moreover, there are differences between today and recent history. Right now debt as a percent of GDP is higher than it has been since the end of WWII, and unless we make significant cuts today it's going to get worse before it gets better. It's already about twice what it was when Regan took office. The only reason the interest isn't a present catastrophe is that interest rates are so low, and if the economy starts to recover then interest rates go back up and servicing the debt is going to seriously cut into the tax windfall that economic growth might otherwise produce.
Add to that the baby boomers retiring and removing their productive capacity (and income tax payments) while at the same time putting severe stress on social security and medicare as they start collecting rather than paying in.
Finally, Social Security is a dedicated funding stream and it can't contribute to the deficit by law. You could cancel the program tomorrow and it'd not change the actual deficit one bit (the reported "unified budget" deficit/surplus numbers are misleading since they include SS income, but that has nothing to do with the actual accounting).
This is just accounting shenanigans. If there was a cut in social security or medicare then the tax money currently going to those programs could be spent in reducing the deficit. The fact that you would, as a matter of accounting, end up reducing the social security tax and raising the general income tax by an equivalent amount in order to bring it about changes nothing about the actual impact of the change: Money distributed in social security checks is money that isn't, and could be, spent covering the deficit.
You could increase taxes.
Let's think about that for a minute. Right now, between federal, state and local taxes, governments in the US collect about 60% of GDP as tax revenue. For the last couple of years the federal deficit has been a little over 10% of GDP. So if you want to balance the budget by raising taxes, you have to raise the 60% to 70%.
Which reduces the after-tax spending power of the average American by 25% (from 40% to 30% of before-tax spending power).
Which, of course, harms the economy to some degree. Which reduces the tax base. Which means the tax increase from 60% to 70% didn't raise the necessary 10% of GDP to cover the deficit, because it made GDP smaller. So you need to go higher than 70% to collect the necessary money -- but as you start to approach 100%, the amount of economic harm taxes cause becomes extremely severe. If you're lucky you might be able to raise overall taxes to e.g. 75% of GDP and collect the money you need -- but at the cost of significantly harming the long-term outlook by inducing investment capital flight. If you're unlucky then you can't collect that amount of money without raising the tax rate to the point where it causes immediate economic collapse.
And that's before considering the disparate consequences of a federal tax increase. The federal government might be able to cover its own deficit by increasing federal taxes. The problem is that the economic harm caused by the federal tax increase would completely torpedo the already-bankrupt states -- especially the ones like California which are already in the worst shape and would bear the brunt of a federal tax increase.
Add in the need for ultimately paying down the debt so that the interest stops sucking up a hundred billion dollars a year and the situation becomes clear.
There is no way out of this other than reducing the budgets of social security, medicare, medicaid and the DoD. NO WAY. The sooner people accept that, the sooner it can happen and the less painful it will be.
Can't happen. Google can't delist swaths of multi-billion dollar entertainment companies responsible for generating the bulk of popular culture. They'd sink their own battleship.
Who needs to delist them? I'd be willing to bet that the only reason various torrent websites aren't the first hit for any given Hollywood film is that Google is munging the results to favor the studio's websites. I'm not aware of any law that says they have to do that.
Here's the thing about that - No one gives a shit.
No, you're wrong. Most people don't care. Some people do. The people who do can discuss the problem and try to come up with solutions.
Like searching for and purchasing a strong patent not in the MPEG-LA pool that reads on H.264 and then demanding a high license fee for that patent for any use of H.264, so that suddenly the price difference is material and people start using the free WebM instead.
Or whatever else people can come up with.
Just because most people don't care, doesn't mean you shouldn't care. Most people are lemmings and I, for one, don't intend to follow them over the cliff.
A bridge is an expensive and inherently limited resource, and a usage charge is one of the best ways to manage it.
Nonsense. If this was the goal of toll collection, tolls would only be collected during times of traffic congestion, since collecting a toll at any other time would be mismanaging the resource by discouraging use at times when there is plenty of capacity, and would encourage motorists to not distinguish between times of congestion and other times. However, congestion pricing creates significant perverse incentives for governments: If they act to relieve congestion, even where doing so is highly cost effective and beneficial, they stand to lose the congestion charge revenue when the congestion disappears.
In addition, it is highly questionable whether tolls significantly reduce congestion anyway. Certainly toll booths do not -- they contribute to it by backing up traffic and grossly mismanaging the "inherently limited resource." And while transponders may not necessarily contribute to congestion, they make the psychological effect of paying the toll highly attenuated by separating the act of crossing the bridge from the act of paying the toll. If the goal is to discourage use then working so hard to hide the cost is self-defeating.
On top of all that, although bridges are expensive, they only need to be built once. The cost of maintaining a four lane bridge is not outrageously more than the cost of maintaining a two lane bridge. So if there is more demand for bridges than there are bridges, the optimal solution would seem to be to build more or wider bridges, rather than to use tolls to artificially suppress demand.
Wow, you started off with a great point about privacy (which I agree with), then devolved into a rant about how users of bridges, roads, etc. shouldn't have to pay for use and then into something silly about corporations.
What the OP said was that tolls are generally evil. And that is true. Whether you have toll collectors or transponder equipment, you end up wasting millions of taxpayer dollars on a revenue collection method that is strictly inferior to the alternative: Raising the gas tax.
We already have a gas tax, so the cost of increasing it to offset the revenue lost by eliminating tolls would have zero government overhead. Meanwhile you eliminate the cost of transponders, readers, collection and enforcement costs against those who don't pay, etc.
And as an added bonus, the privacy concerns entirely disappear.
Blacklisting the movie arm of Sony is harder because they own so many different movies and franchises under so many different names that its impossible to know which films I need to avoid.
There is an easy solution to that: If a movie is big enough that you see an ad for it, make sure the studio behind it doesn't see any of your money. It's not like the other major studios are run by a girl scout troop that donates the money to starving orphans.