Slashdot Mirror


User: achurch

achurch's activity in the archive.

Comments · 987

  1. Re:Challenging this on PlayFair Pulled Due to DMCA Request · · Score: 2, Insightful

    This is about the most clear-cut case of the DMCA's anti-circumvention provisions applying you could get. [...] if you're trying to find an optimal case on which to challenge the DMCA, this certainly isn't it.

    On the contrary, I think that would make it an excellent case to challenge the DMCA with. If you try using a case where the DMCA shouldn't have been applied in the first place, the judge will just say "sorry, the DMCA doesn't apply" and toss it. With a case like this, you'd force the issue of whether the DMCA itself is appropriate.

    Of course, forcing the issue entails risks, and I'd agree that using PlayFair as the subject would be questionable in the current political climate. But, IMHO, we ought to be looking for things that clearly violate the DMCA because they can demonstrate best why it's a bad law.

  2. The extent of copyright on Microsoft Clips Longhorn · · Score: 1

    some people are under the impression that since they borrowed a CD from a friend, and copied that CD to their computer, it is now THEIR data.

    And in at least some countries, they'd be right. In Japan, copyright law includes an explicit exception (section 30) that allows copies to be made for "personal, family, or similarly limited scope" use. Canada reportedly has a similar exception, though I'm not familiar with Canadian laws.

  3. Re:Lo Tech Version on Running for Geeks · · Score: 1

    Run, during run observe surroundings

    I tried this once, and got depression from all the grey skyscrapers around me . . .

  4. Re:japan and crime on Japanese Government Raids Intel Tokyo Offices · · Score: 1

    Normal people just accept that the police and politicians are corrupt and sold out. As long as politicians can deliver the pork most people are apathetic.

    This is soooo true, and soooo frustrating, at least to one who's been raised to believe that one has a duty to make one's voice heard. There doesn't seem to be quite as much of it in the younger (10s/20s) generation, but that means it'll be 20-30 years before there are significant enough numbers of them to make any difference--if there's a difference to be made. People do get riled up about things that touch them--police misbehavior, accidents and the like--but they've pretty much given up on the big-scale issues. Granted, the media is focusing more on scandals these days, but who's to say that's not just a ploy to garner support? About the best I can say for Japan is that it's not actively trying to extinguish people's rights.

    Pessimist? Me? Nah, it's not pessimism when everything really is going wrong.

  5. Wrong statistic on Japanese Government Raids Intel Tokyo Offices · · Score: 3, Informative

    I hear some figure about how criminals in Japan have an 80-90% chance of being caught, whereas in the US, it's more like 20-30%.

    No, Japan's about on par with the US there--in fact there've been news reports lamenting how the Japanese rate of catching criminals is "down" to 20% lately. The 80-90% figure is your chance of getting convicted if they take you to trial, and that's mostly because the police don't bring charges unless they're more or less certain they can convict you. (Even if you show up at the police station and confess to a crime, the standard procedure goes something like: confession --> interrogation --> confirm details --> okay, now we arrest you.)

  6. Re:I don't mean to flame, but... on What Network Sniffing Tools Do You Use? · · Score: 3, Interesting

    Are you THAT fucking stupid? How long have you been a "network administrator"? Which part of Google and basic documentation do you not understand?

    I don't mean to flame, but...

    Are you THAT fucking stupid? How long have you been a "member of society"? Which part of consulting your peers do you not understand?

    Just so that this isn't a total flame:

    The fact that the submitter said nothing about Ethereal and the like doesn't mean he's unaware of them; he may just be wondering what other options are available. Or even if he is unaware, maybe he got drafted into the job by a PHB, and he's honestly trying to get more information. Yes, he could use Google, but asking people with experience is undeniably a more direct route to getting answers. Many people will answer such questions willingly. If you don't want to be bothered by them, then for crying out loud, just ignore them. There's no call for insults.

    Also try reading this comment, and be enlightened. "He who knows not and knows that he knows not; he is ignorant, teach him."

    For the record, I use tcpdump.

  7. Interesting tidbits on Happy 35th birthday, RFC 1! · · Score: 1

    RFC 25, 1969/10/30 says: ("links" are in essence TCP ports/connections)

    NO HIGH LINK NUMBERS

    Because it may be desirable to reserve one or more link numbers for instrumentation purposes, and because 256 link numbers are many more than are needed, we suggest that no link number over 63 be used. At UCLA, we will implement our tables to take advantage of this limitation. We also note that 32 may be even more realistic, but 64 is certainly sufficient.

    How things have changed...

  8. Re:You never know who is listening... on Passive E-Mail Monitoring Leads To Arrest · · Score: 1

    If you were scanning all e-mails, would you put your resources on mails that [...] look like junk mail?

    Yes, if they kept getting sent back and forth among the same small group of people.

  9. Re:'Can we trust the darned things?' on Are Computers Ready to Create Mathematical Proofs? · · Score: 1

    I work for Intel. My company paid 1/2 billion dollars replacing Pentium chips with that bug that nobody would ever notice except maybe six people. Software vendors get away with murder. They don't even have to replace their product even if it is not fit for its stated purpose.

    Maybe you could help by introducing your methodology to the programming community? No, really--if you can make things as complex as CPUs with as few bugs as they have, then I think software developers could learn a lot from the processes you use. Granted, there's a whole bunch of momentum saying "it's okay for software to suck" that needs to be turned around, but every little bit helps. (And I don't know how applicable hardware development processes are to software--I plead ignorance--but chips that just work have to count for something...)

  10. Re:Nice , but on Inventor of Low Tech Fridge Wins Award · · Score: 1

    Ammonia bonded to salt crystals in a closed system is driven off by the heat from a solar reflector

    Ammonia (B) sheds tears of loneliness (C), which rain on cat (D) lying on rug (E). Cat despises getting wet, and shakes itself; motion generates static electricity, and as dried-out cat walks by A/C control (F), spark (G) leaps out and sets it on "Ultra". Cat dashes away in surprise, knocking over table (H) holding vase (I). Vase withstands impact with floor (J), and cold air blowing from vent (K) freezes water (L). Expansion of water ruptures vase, and ball of ice (M) rolls out. Flowers (N) may be thawed or used as Christmas ornaments.

    (With apologies to Rube Goldberg.)

  11. More cooling != less heat on Moore's Law Limits Pushed Back Again · · Score: 1

    You're spot-on with the heat issue, and thanks to some clever blokes at Purdue University, here's your new direction [...] rather more still more integration with a very clever, very scaleable, amazingly efficient, built-in cooling system.

    That's all very nice (no, really), but increased cooling power doesn't magically decrease the amount of heat produced by the CPU. If it generates 500W of heat, then it will generate 500W of heat no matter what super ultra cooling system you attach to it. Even if there's no danger of overheating, I don't see why we should have to use power equivalent to a microwave just to read /.

    At the same time, all that heat has to go somewhere. If you don't have a similarly efficient heating system in the case, you'll just end up cooking your hard drives--or your house, if you're unlucky.

  12. Re:You really want maglev in the USA. on How Will We Get Around Near-Future Earth? · · Score: 1

    Maglevs may not be necessary in Europe and Japan given the relatively short distances between major population centers

    Actually, Japan is working on a maglev system; last I heard they were up to 581 km/h. Yes, steel-wheel does the job for short-to-medium distances, but 3 hours to Osaka or 5 to Fukuoka is a bit long to a Japanese sense of time.

    On the other hand, this is the same sense of time that goes ballistic if a train is 30 seconds late, so go figure.

  13. Re:Take your time on Nuclear Fusion Real Soon Now · · Score: 1

    In 4 billion years when that sucker goes red-giant we'll see what it can't meltdown ;).

    Build me a 1.4-billion-meter-wide fusion reactor, and we'll talk. ;)

  14. Re:I'm torn on this issue... on Kahle vs Ashcroft: Copyright Battle Continues · · Score: 1

    Suppose these poems this guy wrote described in intimate detail what it's like to have sex with his wife. And she's still alive, and he's still alive. Doesn't he have a right to not want people to see them? Can't he write them down simply for his own enjoyment, or publish them for the select audience of his choosing, without being forced to give them up to these so-called "public commons" everyone's yammering about?

    And if he does this, what would get it into public view? If he doesn't publish it, then for all practical purposes, it won't be in the public domain regardless of copyright law for the simple reason that the public doesn't know about it. Likewise if he publishes to a select group and nobody in the group "leaks" it. On the other hand, publishing it with copyright is no guarantee that nobody will take it and post it all over the Internet.

  15. Bad comparison on The Arrival of Very Small Memory · · Score: 2, Funny

    And one final point: even Drexler's assemblers are only machines. THEY ARE NOT ALIVE!!!! Damn it! They will not eat your brain any more than your feature-filled VCR will.

    We'd have a much more intelligent populace if it wasn't for the brain-eating features on modern TVs and VCRs . . .

  16. The wave of the future? on Audio Format Shifting To Be OK'd In New Zealand · · Score: 1

    These laws reflect the people's view, not some corporation's greed.

    You guys could do a great business exporting your government--you've got 6 billion potential customers waiting with bated breath.

  17. Re:Destruction of records... on Congress to Test Air Screening Program · · Score: 1

    Wouldn't logic dictate that anyone *might* be a terrorist, hence the agency will hold on to anyone's records indefinitely?

    Well then, I'm sure glad my name isn't Anyone.

  18. Only 1 megapixel? on Nokia Shows Off Megapixel Camera Phone · · Score: 3, Interesting

    I guess now would not be the time to mention that Japan is already up to two megapixel phones . . .

  19. WRONG on Windows XP SP2 Could Break Some Applications · · Score: 1

    I'd ignore this troll if it hadn't been incomprehensibly modded Informative . . .

    1. A program can call "exec" on any file, whether or not it has the execute bit set. The system does not check

    As others have said, bull.

    2. Any program with permission to write the file can turn on the execute bit.

    Also bull:

    user1@mybox:/home/user1> touch foo
    user1@mybox:/home/user1> chmod a+w foo
    user1@mybox:/home/user1> su user2
    Password:
    user2@mybox:/home/user1> chmod a+x foo
    chmod: changing permissions of `foo': Operation not permitted

    Now, I would agree that the execute bit doesn't make for a great security feature, and maybe your description of the origin of the execute bit really is correct, but next time try arguing that without the FUD.

  20. Re:Risk assessment on Local Root Vulnerability in passwd(1) on Solaris 8, 9 · · Score: 4, Informative

    That's why I said "or your favorite buffer overflow exploit"; I just picked HTTP for an example because it's one of the better-known cases. My point is that "local" vulnerabilities become remote ones when paired with buffer overflows in programs accepting remote input.

    Besides, you can break out of a chroot jail.

  21. Re:Risk assessment on Local Root Vulnerability in passwd(1) on Solaris 8, 9 · · Score: 1, Insightful

    I can't think of a case in which one can run /bin/passwd without having already logged in.

    GET /...shellcode.../bin/passwd HTTP/1.0

    or your favorite buffer overflow exploit.

  22. Re:Risk assessment on Local Root Vulnerability in passwd(1) on Solaris 8, 9 · · Score: 1

    You've conveniently removed what I wrote: This is true on any *NIX system, there are tons of vulnerabilities which allow attackers who can execute code under a non-root UID to obtain root access.

    I'm sorry, I misinterpreted your earlier post. I'll agree that the "root" concept has many problems, but nonetheless root privilege does allow an attacker to do anything (modulo securelevel--does Solaris have that?) to the system. Also keep in mind that for many people, it's not worth the expense to use a stronger security system, and for such people this is (and other root-elevation issues are also) high-risk.

  23. Re:Risk assessment on Local Root Vulnerability in passwd(1) on Solaris 8, 9 · · Score: 3, Interesting

    Agreed; the advisory is feather-light on details so I can't tell how easy it is to exploit. My main concern (as I've mentioned in other replies) is that many "local" exploits can become remote exploits as well via otherwise-harmless buffer overflows in other programs. If the bug actually requires you to use a terminal to exploit it, it's not so bad as if it could be triggered by a simple execve(...), in which case any daemon not chroot'd becomes a potential avenue of attack.

  24. Re:Risk assessment on Local Root Vulnerability in passwd(1) on Solaris 8, 9 · · Score: 1, Redundant

    if you would consider a remote exploit to be HIGH, that leaves a local exploit at medium, no?

    I dunno, personally I'd consider both of them high--many local exploits can be exploited remotely as well via buffer overflows and the like. I'd put non-root privilege elevation at medium, and things like denial of service that don't actually damage the system at low to medium, but it all depends on the particular circumstances.

  25. Re:Risk assessment on Local Root Vulnerability in passwd(1) on Solaris 8, 9 · · Score: 4, Interesting

    Yes, because prior authentication is required.

    Where is this stated? All I see is that /usr/bin/passwd has a local root vulnerability; to me, that says that if I can exploit a buffer overflow in any arbitrary program, even an unprivileged one, I can get root on the box.