Re:The pay-for-play concept works
on
Pay to Play
·
· Score: 2
The upgrades are only a bitch if you get them. There was (and is, and always will be) a housing shortage, but their fix was to create a mirror image of the world. There was a client patch, but no new client or purchase was required.
They also keep pumping out new clients. They released a 3D client with access to a new landmass (no housing there) and in general, it flopped. A low percentage of the playerbase uses the 3D client and the landmass for that client is empty. Now they're releasing another 3D client which mostly consists of new artwork (no new landmass). I imagine that the only reason new clients keep coming out is to ensure that some incarnation of UO is fresh on the shelves instead of wasting away in the bargain bin.
Buying the new clients has always been up to the player, though. If you want access to all the new stuff, you go buy the new client; if you're happy with the same stuff, you don't spend the extra money. The initial expansion pack (The Second Age, I think 1998?) was eventually released for free as a bigass client patch to everyone who hadn't already bought it. I assume that over time the newer features will eventually be doled out in a similar fashion, once the retail market for copies of the "latest and greatest" client dies off. I haven't bought any of the new revisions, aside from paying shipping for a beta CD of the first 3D client, and don't plan on buying any of them.
I have no doubt that people who use the current 3D client, but don't go out and buy the new one that's coming out, will eventually have access to the new stuff without having to buy it. People still using the 2D client will eventually be able to access the 3D client's landmass without paying for the privilege. It comes back to the movie theater analogy, really. If you want to watch the latest must-see flick now, you go and shell out the money. If you don't mind waiting, you can see it next year on cable without having to pay anything extra. There are (apparently) enough people who have to "get it now" to support the release of all these clients as retail, but there are also plenty of people who don't mind waiting.
Shaun
The pay-for-play concept works
on
Pay to Play
·
· Score: 5, Interesting
I've been playing Ultima Online for more than two years now. The game itself is cheap, it's in the bargain bin at most retailers, and it costs $9.95/month to keep an account to play the game. I have two accounts. UO boasts some 300K+ active accounts, and other games like Everquest are fairly popular as well. At first I too was hesitant to shell out a monthly fee - then I thought about it. I can pay 10 bucks to go to a movie and be entertained for 2 hours, or I can pay 10 bucks for unlimited entertainment in a month's time. Screw the movie theater.
May only be a niche market, but pay-for-play is definitely a viable model.
What bothered me most about the article was the mention that gift cards are selling on eBay for 75 cents on the dollar. They said they hadn't verified any of the current auctions as being fraudulent (how would they have gone about doing this, anyway?) but the article implied that every gift card on eBay is probably illegit.
Gimme a break! I can't count the number of times I've been sent gift certificates to stores that don't exist here, or to stores I have no interest in visiting. Not every retailer will let you shop on their website, and some of the ones who do won't let you redeem gift certificates online. In cases like this, you wind up with a nice (and maybe expensive) gift that you can't use. The obvious solution is to sell it - cheaper than it would cost to buy at the store, of course, or else what's the point - to someone who does have a store in their area.
Who'd have thought that there might actually be unwanted/unusable gifts for sale on eBay a few days after Christmas? Apparently not MSNBC...
You have a point here. I'll agree that AOL and Earthlink started small and built on a niche market. They were fortunate enough to be in the right place at the right time, doing the right thing.
As for Time Warner (RoadRunner), other cable companies (Comcast, Shaw, etc.) and phone companies (DSL), this argument doesn't hold water. These companies didn't start out as mom-and-pop ISPs and grow big because they gave good service. They jumped into the ISP biz with billions in pocket, with absolute control over their service areas, and with millions of eyes to deliver their ads to. This isn't survival of the fittest, it's more like getting a winning hand because you stacked the deck.
While cable and telcos may have started small in their own markets, they're now monopolies in their own right, and this was true long before they knew what the internet was. They didn't make their money selling connectivity, they made it selling TV and phone lines, often as the sole providers of those services. They can afford to undercut the other guys (in cases where there are any). And they're regulated, to boot; which makes the possibility of them disappearing about zero.
>...then why are we seeing an explosion of decidely non-corporate,
>distributed technologies like P2P networks and online gaming?
That's like saying that the interstate system isn't federalized because the government doesn't make the cars we drive. How do you run the technologies you mention? Over the cable owned by your local cable monopoly, or maybe over the copper owned by the telco. Big companies, getting bigger, and gaining more control. What happens when they decide to start fighting these new technologies? You may have bought your car from Ford, but the state troopers will still pull you over for speeding.
What do you do if your cable company blocks all inbound traffic, and only allows you to use 80, 25, and 110 out? (Keep in mind that tunneling is not an option for the average user.) Do you go to the "competition?" And what do you do if the phone company puts the same filters in place? Good luck running P2P over dialup.
As big ISPs keep swallowing up the smaller ones, we're getting closer and closer to having as much of a "choice" of internet providers as we have a "choice" of utility providers. If nothing changes, I imagine that 10 years from now, you'll be able to choose between using one "local" (subsidiary of a nationally owned) internet service, or using nothing.
>If every Joe-Schmoe or Maw-and-Paw-start-upcompany was as
>good as the larger companies than 60 percent of the net wouldn't
>be controlled by said companies.
With all due respect, that's bullshit. The mom-and-pop ISPs often provide far better service than the big companies. Smaller subscriber bases typically mean better customer support. Try getting support out of AOL, MSN, etc. and then try getting support from your hometown ISP. The local guys are going to provide better service every time, because they don't have to support millions of customers.
But the mom-and-pop ISPs don't happen to own a massive cable television network on which they can run an incessant stream of commercials for their online service, free of charge. Anyone else who subscribes to Time Warner Cable knows what I'm talking about. AOL and RoadRunner commercials on every channel, every 15 minutes. It's impossible for momandpop.net to compete with that.
The mom-and-pop ISPs don't have millions of telephone subscribers whose bills they can stuff their advertisements into each month. I can't remember the last time my BellSouth bill didn't include a 5-page pamphlet explaining the wonders of DSL.
The mom-and-pop ISPs aren't going under because they suck. They're going under because they can't compete in a market dominated by bloated companies with billions of dollars to spend on advertising.
Why do you need defense against "Magic Lantern" if you're not doing anything illegal?
Why do people have curtains, blinds, or shutters on their windows if they aren't doing anything illegal? Because people like privacy. Privacy isn't illegal (yet).
Maybe I enjoy surfing porno websites. Maybe I work for a Fortune 100 company and have trade secrets on my computer. Maybe I'm secretly gay and that fact could be gleaned from my online habits. Or, hell, maybe I run the world's biggest cocaine trafficking ring over the internet. (Obligatory disclaimer, all of these situations are bogus.) It doesn't matter what I'm doing; without a warrant, the government has no more of a right to come in my house or my computer than a bum off the street.
The problem I see with Magic Lantern, vis a vis conventional searches, is that the potential for abuse is far too great. When the FBI raids a house, it's rather obvious. Maybe the person is at home, or the neighbors see it going down, etc. Makes it pretty difficult for them to just bust in any old house they want, without a warrant; and makes it pretty embarassing if they happen to screw up and raid the wrong house. This is (at least in my mind) a fairly good check and balance to ensure that the FBI isn't raiding houses on a whim.
What happens, though, if they bungle and put Magic Lantern on the wrong person's computer? It's a valid threat; if fucking bomb coordinates can be transposed, so can a suspect's IP address. What if Magic Lantern winds up on your computer or mine, even though we aren't doing anything illegal? There are no neighbors to see it happening, there is no embarassing story on CNN about the snafu, but before I know it, those corporate trade secrets on my computer are now in the government's hands. (IIRC, it was objection to exactly this type of risk that got France in a mess when they banned encryption.)
It's FBI in your home, but then again, its better than terrorists in your mall.
If there are terrorists at the mall, I at least have the choice to stay home and avoid them.
The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine.
So what happens if Microsoft allows Magic Lantern to be bundled inside the next.cab you get from windowsupdate.com - which, of course, is signed by Microsoft? You raised the point that ISPs tend to bend over, so you can't rule out the possibility that Microsoft might do the same.
And there are plenty of other companies MS could suggest for this committee. Nothing special about Connectix.
Every time Connectix sells a copy of Virtual PC, Microsoft sells another copy of Windows. Despite the widespread warezing of both products, I'd still call that pretty "special."
From the article,
A Microsoft lawyer said schools would benefit from the settlement, not [Microsoft], adding that schools would be able to make their own technology choices.
In other words, instead of flooding schools with PCs running Windows, they're just going to flood them with copies of Virtual PC. Running Windows on a PC vs. running it on a Mac with a free copy of VPC doesn't strike me as much of a "technology choice."
If you're talking about the owner of paypalwarning.com, I for one believe him. The site's been around awhile (I came across it it 3 or 4 months ago), so he doesn't need to spam to get visitors. The only thing spamming would gain him is bad blood and one hell of a bandwidth bill for this month. I say it's doubtful.
>That would make it possible for anyone to put the hurt on
>a legitimate business. Don't like Bob's Hardware Emporium?
>Talk to these guys in Taiwan, who will put together
>an authentic-looking spam campaign for you....
That's usually referred to as a "joe-job," and it already happens frequently. Most of the time it's easy to tell a joe-job from a real spam campaign:
1. Spammers are too stupid to put a notice on their website saying "we didn't send you that." Joe-job victims will quickly put up such a notice once they get reports that they're being framed. (See paypalwarning.com, who were joe-jobbed over the weekend.)
2. Joe-jobs often, if not always, target sites that have been around awhile (long enough to garner some competitors) but have no history of spamming.
3. Real spammers start spamming for their site as soon as it becomes active, because they're used to the cycle of "find a new webhost, start spamming, get shutdown, find a new webhost." I resell webhosting accounts and I've seen this firsthand several times. They open an account and I wind up nuking it within a day or two due to complaints. Webmasters who have a track record of being legit rarely wake up one day and decide to start spamming.
4. Joe-jobbers often make the mistake of leaving evidence which clearly links them to a competitor or enemy of the framed site. Some of them even post the forged spam from their own company's network. Nothing says "joe-job" like spam for Bob's Hardware Emporium which originated from gw.carlshardware.com.
>Therefore, shutting down the "spammer" isn't going to do anything.
You're right - in those cases, to hell with the spammer, you have to go after the spamvertised product. Spammers spam because people are paying them to spam. People are paying spammers to spam because those people are making money off the spam. To borrow a Bush tactic, follow the money. If you're getting spam from Asia, Russia etc. advertising a website in the US (as I frequently do), forget tracking down the spammer unless you really want to spend the time doing so. Instead, forward the spam to the webhost of the target site, and the host of any email dropboxes contained within the spam.
It costs money to open webhosting accounts, so hit the real spammers (those who benefit from the advertising, not necessarily those who send the mail) in the pocketbook.
>Both pieces of code could potentially be used to steal a
>great deal of money
But only one of them was solicited by the very people who now claim they'd be hurt by it. Remember, researchers were invited to crack the copy protection, and if memory serves they were even offered a prize for doing so. I don't see Mastercard issuing any such challenges, and I don't envision the EFF defending a malicious cracker.
More likely the trojan is looking for the window classes registered by PGP... Not the executable name. Spy++ says it's PGPkeysMainWinClass. Recompiling from source, with new class names, ought to fix the problem in no time.
Arbor Networks' researchers went to the mail logs of a local ISP and compared several thousand unique mail sources with "murky" addresses spotted in their monitoring.
Am I reading this right? If so, am I alone in feeling uneasy about it? It would be interesting to know what ISP allowed "some research company" to look through their mail logs. I suspect Arbor was only interested in source IP addresses, but it still smells.
>Its kinda crazy thinking about all the stuff thats out
>there that no one will ever see. I always figured
>anything sensative for military use would be stored on
>a proprietary government network
Might already be that way and we just don't know it. Talk about "dark netspace," nobody holds more of it than the US military... A bunch of class A's - 6.*, 7.*, 11.*, 21.*, 22.* - not to mention the smaller, uglier blocks. I imagine they could be running some sort of TOP-SEC-NET (or maybe SEC-PORN-NET) on one of these, unbeknownst to the outside world.
We already have some precedents (in Felten and Sklyarov) about how "people who violate the DMCA get screwed." We don't need more of those, at least not at the expense of good people. The general public probably looks at these two cases as you'd expect them to: "Well, gee, they did break the law, so I guess they had it coming."
Alan is taking a different approach. He's not trying to show the world that breaking the law will get you in trouble. He's trying to show the world that people who obey the law are the ones being hampered. Instead of violating the law (knowingly or not) and then crying foul when he gets charged, he's making the point that complying with the DMCA interferes with legitimate business. It's a subtle difference, but IMO it's a better precedent. I think people will be more apt to see the DMCA as a bad law once they understand that it's the law-abiding citizens who are being effectively punished.
To quote a poster from the original thread on this issue, the DMCA is the only law so stupid that it must be fought through civil obedience!
Shaun
I know at least one market for .biz
on
.biz Open For Biz
·
· Score: 4, Funny
...fuckedcompany.com. fucked.biz would be so much easier to type! And so much more appropriate...
That's always an option. Problem is, who's going to download a program written by "anonymous" and posted to Tripod? Especially when you figure the target audience is folks who are either security minded or outright paranoid. I know I wouldn't go near it, there has to be some accountability or else people are going to be afraid to run the program.
I should have mentioned it's a Windows program, so it would be distributed as an EXE, you wouldn't be able to look over the source first. Then again if I was just going to "put it out there," so to speak, I guess it wouldn't hurt to bundle the source.
Apache allows you to ban a netblock, you don't have to do it on a per-IP basis. For example, if the guy's always coming from 209.14.27.*, you could create a directive for your root directory like:
(Limit GET POST)
order deny,allow
deny from 209.14.27.
(/Limit)
(Replace the parentheses with angle brackets, a la HTML.) If you can't tweak httpd.conf, put that in an.htaccess file instead.
Someone else suggested automating the process, this is a good idea if you can do it. When Nimda first fired up, a friend of mine wrote a Perl script that took the remote IP and added it to the deny directive in.htaccess. He set that script as his 404 error handler for a few days, and anyone who did a Nimda scan was immediately blocked from further access to the site. Of course some legit users who mistyped a link probably wound up blocked, too. I imagine by now he's cleaned out the list, so it was only a temporary inconvenience to real visitors.
Your solution depends on how aggressive you want to be, and whether or not you care if a few babies get thrown out with the bathwater. Me, I'd just ban the netblock for a couple of weeks. The lusers will find another site to harass, and you can lift the ban.
You won't see many secure IM clients unless they were written outside the US. I wrote a secure peer2peer instant messaging client, i.e. you connect directly to your buddy instead of going through someone's server. The program Blowfish encrypts all IMs, supports variable bit-length keys between 32 and 448 bits, and allows the conversants to change the key at any time by setting a new password. Good luck eavesdropping!
Now, all that said, have you ever tried to get a program like this approved by the US government? I've spent hours poring over the BXA website, as well as the GPO's archive of EAR regulations, trying to figure out exactly what license exception I should apply for. After all the reading and research I've done, I've gotten nowhere. I sent an inquiry to the BXA's crypto folks and haven't heard back. I looked in Usenet and found twenty different answers. I did see it mentioned that if I release the program as open source I don't even have to get it licensed, but I couldn't verify that at BXA's site.
From what I gather, if I want to distribute the program I'd probably have to set a fixed key, or at the very least cap the key length at 160 bits. Then I'd have to apply under one of several license exception categories, though I don't know which; and if you apply for the wrong one, oops, sorry, you wasted your time documenting how your program meets the EAR requirements. Supposing I managed to apply properly, I may have to wait 30 days before making the program available; meanwhile my spec (and perhaps source code) is in someone else's hands.
$DEITY forbid I want to charge a shareware fee for the program, then I have to figure out whether it's classified as ENC Retail, ENC Non-Retail, etc. Or if I have the arms-trafficking gall to try and distribute the program with 448 bit capability - assuming that was approved, mind you - I'd have to implement some method of checking the IP address of each potential downloader to make sure they're inside the US... And then what happens if someone's using a proxy?
All in all I don't have the time to deal with this shit. And so I gave up (I get the feeling this is exactly what the whole mess is meant to encourage). I've given the program to some friends whom I can personally vouch for as US residents. Other than those few people, it'll probably never see the light of day. Unfortunate, but I wouldn't say it's the Big IM Players' fault that secure IM clients aren't taking off. They'd be everywhere if it wasn't such a hassle.
(BTW if anyone has had success getting a Blowfish program licensed for export, please reply with your secret!)
>I think it is a bit unfair that the US gets its own top level
>domain. All other countries have.co.xx or other than Australia
>who made theirs.com.au
Ah yes, Australia, who made theirs.com.au. The Brits could have made theirs.hmw.uk (Her Majesty's Web, of course). The Aussies could have made theirs.oz.au, or the Africans could have made theirs.kwan.za if they'd liked. It's up to whomever controls the TLD; namely, some branch of the country's government. Most of them went down the.co.cc,.gov.cc,.[edu|uni].cc path, probably because it made for good hierarchical organization.
If you don't like your country's ccTLD allotments, complain to your government, don't complain about mine!
>How about getting all the CRAP off of TV... it used to be
>only 1/2 shit, now it's 80% shit IMO. Commercials and content
>included.
And that's exactly why they're going after the internet (although it too is arguably 80% shit). Television in this country has become so filtered that it's difficult to find anything truly "objectionable" unless you subscribe to the Spice channel. Think fast, when was the last time you saw a radical political opinion - OK, OK, a non-Christian radical political opinion - on any TV channel?
You can flip back and forth between the major networks and the talking heads are saying the same thing. CNN slants it left, Fox slants it right, but neither side makes any real commentary. The only radical opinions on TV are the ones showing up on 700 Club, but I digress. It's okay for some nut to go on TV and blame September 11th on gays and abortion, but it's not okay for someone to go on TV and criticize the government. It's okay for the religious right to proseltyze on the public airwaves, but God forbid Howard Stern says "penis."
It's quite clear that government regulation of any media ends up favoring the government and stifling anything they see as prude. The stuff they've worked so hard to keep off of television and radio now flows freely on the internet, and you better believe it scares the hell out of them. If you can't control the medium, you can't control the speech. It seems to me like they're starting to realize that the internet cannot be FCC'd, and they're moving toward scare tactics instead ("we'll be watching you, and we won't need a warrant!").
I don't like the idea of a ratings system, but if we have to have web ratings, I'd rather they come from the industry than from the government. TV would be a much more interesting phenomenon if the FCC bailed out and left the networks to regulate themselves! Of course, if we speak loudly enough and refuse to participate, we don't have to have web ratings. A product no one uses fails to be significant.
Slashdot Mirror
The upgrades are only a bitch if you get them. There was (and is, and always will be) a housing shortage, but their fix was to create a mirror image of the world. There was a client patch, but no new client or purchase was required.
They also keep pumping out new clients. They released a 3D client with access to a new landmass (no housing there) and in general, it flopped. A low percentage of the playerbase uses the 3D client and the landmass for that client is empty. Now they're releasing another 3D client which mostly consists of new artwork (no new landmass). I imagine that the only reason new clients keep coming out is to ensure that some incarnation of UO is fresh on the shelves instead of wasting away in the bargain bin.
Buying the new clients has always been up to the player, though. If you want access to all the new stuff, you go buy the new client; if you're happy with the same stuff, you don't spend the extra money. The initial expansion pack (The Second Age, I think 1998?) was eventually released for free as a bigass client patch to everyone who hadn't already bought it. I assume that over time the newer features will eventually be doled out in a similar fashion, once the retail market for copies of the "latest and greatest" client dies off. I haven't bought any of the new revisions, aside from paying shipping for a beta CD of the first 3D client, and don't plan on buying any of them.
I have no doubt that people who use the current 3D client, but don't go out and buy the new one that's coming out, will eventually have access to the new stuff without having to buy it. People still using the 2D client will eventually be able to access the 3D client's landmass without paying for the privilege. It comes back to the movie theater analogy, really. If you want to watch the latest must-see flick now, you go and shell out the money. If you don't mind waiting, you can see it next year on cable without having to pay anything extra. There are (apparently) enough people who have to "get it now" to support the release of all these clients as retail, but there are also plenty of people who don't mind waiting.
Shaun
I've been playing Ultima Online for more than two years now. The game itself is cheap, it's in the bargain bin at most retailers, and it costs $9.95/month to keep an account to play the game. I have two accounts. UO boasts some 300K+ active accounts, and other games like Everquest are fairly popular as well. At first I too was hesitant to shell out a monthly fee - then I thought about it. I can pay 10 bucks to go to a movie and be entertained for 2 hours, or I can pay 10 bucks for unlimited entertainment in a month's time. Screw the movie theater.
May only be a niche market, but pay-for-play is definitely a viable model.
Shaun
What bothered me most about the article was the mention that gift cards are selling on eBay for 75 cents on the dollar. They said they hadn't verified any of the current auctions as being fraudulent (how would they have gone about doing this, anyway?) but the article implied that every gift card on eBay is probably illegit.
Gimme a break! I can't count the number of times I've been sent gift certificates to stores that don't exist here, or to stores I have no interest in visiting. Not every retailer will let you shop on their website, and some of the ones who do won't let you redeem gift certificates online. In cases like this, you wind up with a nice (and maybe expensive) gift that you can't use. The obvious solution is to sell it - cheaper than it would cost to buy at the store, of course, or else what's the point - to someone who does have a store in their area.
Who'd have thought that there might actually be unwanted/unusable gifts for sale on eBay a few days after Christmas? Apparently not MSNBC...
Shaun
You have a point here. I'll agree that AOL and Earthlink started small and built on a niche market. They were fortunate enough to be in the right place at the right time, doing the right thing.
As for Time Warner (RoadRunner), other cable companies (Comcast, Shaw, etc.) and phone companies (DSL), this argument doesn't hold water. These companies didn't start out as mom-and-pop ISPs and grow big because they gave good service. They jumped into the ISP biz with billions in pocket, with absolute control over their service areas, and with millions of eyes to deliver their ads to. This isn't survival of the fittest, it's more like getting a winning hand because you stacked the deck.
While cable and telcos may have started small in their own markets, they're now monopolies in their own right, and this was true long before they knew what the internet was. They didn't make their money selling connectivity, they made it selling TV and phone lines, often as the sole providers of those services. They can afford to undercut the other guys (in cases where there are any). And they're regulated, to boot; which makes the possibility of them disappearing about zero.
That's pretty stiff competition.
Shaun
>...then why are we seeing an explosion of decidely non-corporate,
>distributed technologies like P2P networks and online gaming?
That's like saying that the interstate system isn't federalized because the government doesn't make the cars we drive. How do you run the technologies you mention? Over the cable owned by your local cable monopoly, or maybe over the copper owned by the telco. Big companies, getting bigger, and gaining more control. What happens when they decide to start fighting these new technologies? You may have bought your car from Ford, but the state troopers will still pull you over for speeding.
What do you do if your cable company blocks all inbound traffic, and only allows you to use 80, 25, and 110 out? (Keep in mind that tunneling is not an option for the average user.) Do you go to the "competition?" And what do you do if the phone company puts the same filters in place? Good luck running P2P over dialup.
As big ISPs keep swallowing up the smaller ones, we're getting closer and closer to having as much of a "choice" of internet providers as we have a "choice" of utility providers. If nothing changes, I imagine that 10 years from now, you'll be able to choose between using one "local" (subsidiary of a nationally owned) internet service, or using nothing.
Shaun
>If every Joe-Schmoe or Maw-and-Paw-start-upcompany was as
>good as the larger companies than 60 percent of the net wouldn't
>be controlled by said companies.
With all due respect, that's bullshit. The mom-and-pop ISPs often provide far better service than the big companies. Smaller subscriber bases typically mean better customer support. Try getting support out of AOL, MSN, etc. and then try getting support from your hometown ISP. The local guys are going to provide better service every time, because they don't have to support millions of customers.
But the mom-and-pop ISPs don't happen to own a massive cable television network on which they can run an incessant stream of commercials for their online service, free of charge. Anyone else who subscribes to Time Warner Cable knows what I'm talking about. AOL and RoadRunner commercials on every channel, every 15 minutes. It's impossible for momandpop.net to compete with that.
The mom-and-pop ISPs don't have millions of telephone subscribers whose bills they can stuff their advertisements into each month. I can't remember the last time my BellSouth bill didn't include a 5-page pamphlet explaining the wonders of DSL.
The mom-and-pop ISPs aren't going under because they suck. They're going under because they can't compete in a market dominated by bloated companies with billions of dollars to spend on advertising.
Shaun
>The Reg® carried this story about then, too..
3 7 ("Researchers Probe Dark and Murky Net")
:)
So did Slashdot, with the same byline and the same link to the same SecurityFocus article:
http://slashdot.org/article.pl?sid=01/11/15/05172
I think tomorrow we'll be hearing that the Mir is about to plummet back to earth
Shaun
Maybe I enjoy surfing porno websites. Maybe I work for a Fortune 100 company and have trade secrets on my computer. Maybe I'm secretly gay and that fact could be gleaned from my online habits. Or, hell, maybe I run the world's biggest cocaine trafficking ring over the internet. (Obligatory disclaimer, all of these situations are bogus.) It doesn't matter what I'm doing; without a warrant, the government has no more of a right to come in my house or my computer than a bum off the street.
The problem I see with Magic Lantern, vis a vis conventional searches, is that the potential for abuse is far too great. When the FBI raids a house, it's rather obvious. Maybe the person is at home, or the neighbors see it going down, etc. Makes it pretty difficult for them to just bust in any old house they want, without a warrant; and makes it pretty embarassing if they happen to screw up and raid the wrong house. This is (at least in my mind) a fairly good check and balance to ensure that the FBI isn't raiding houses on a whim.
What happens, though, if they bungle and put Magic Lantern on the wrong person's computer? It's a valid threat; if fucking bomb coordinates can be transposed, so can a suspect's IP address. What if Magic Lantern winds up on your computer or mine, even though we aren't doing anything illegal? There are no neighbors to see it happening, there is no embarassing story on CNN about the snafu, but before I know it, those corporate trade secrets on my computer are now in the government's hands. (IIRC, it was objection to exactly this type of risk that got France in a mess when they banned encryption.)If there are terrorists at the mall, I at least have the choice to stay home and avoid them.
Shaun
Shaun
From the article,In other words, instead of flooding schools with PCs running Windows, they're just going to flood them with copies of Virtual PC. Running Windows on a PC vs. running it on a Mac with a free copy of VPC doesn't strike me as much of a "technology choice."
Shaun
>he claims he's not doing the spamming. uh huh.
If you're talking about the owner of paypalwarning.com, I for one believe him. The site's been around awhile (I came across it it 3 or 4 months ago), so he doesn't need to spam to get visitors. The only thing spamming would gain him is bad blood and one hell of a bandwidth bill for this month. I say it's doubtful.
Shaun
>That would make it possible for anyone to put the hurt on
>a legitimate business. Don't like Bob's Hardware Emporium?
>Talk to these guys in Taiwan, who will put together
>an authentic-looking spam campaign for you....
That's usually referred to as a "joe-job," and it already happens frequently. Most of the time it's easy to tell a joe-job from a real spam campaign:
1. Spammers are too stupid to put a notice on their website saying "we didn't send you that." Joe-job victims will quickly put up such a notice once they get reports that they're being framed. (See paypalwarning.com, who were joe-jobbed over the weekend.)
2. Joe-jobs often, if not always, target sites that have been around awhile (long enough to garner some competitors) but have no history of spamming.
3. Real spammers start spamming for their site as soon as it becomes active, because they're used to the cycle of "find a new webhost, start spamming, get shutdown, find a new webhost." I resell webhosting accounts and I've seen this firsthand several times. They open an account and I wind up nuking it within a day or two due to complaints. Webmasters who have a track record of being legit rarely wake up one day and decide to start spamming.
4. Joe-jobbers often make the mistake of leaving evidence which clearly links them to a competitor or enemy of the framed site. Some of them even post the forged spam from their own company's network. Nothing says "joe-job" like spam for Bob's Hardware Emporium which originated from gw.carlshardware.com.
Shaun
>Therefore, shutting down the "spammer" isn't going to do anything.
You're right - in those cases, to hell with the spammer, you have to go after the spamvertised product. Spammers spam because people are paying them to spam. People are paying spammers to spam because those people are making money off the spam. To borrow a Bush tactic, follow the money. If you're getting spam from Asia, Russia etc. advertising a website in the US (as I frequently do), forget tracking down the spammer unless you really want to spend the time doing so. Instead, forward the spam to the webhost of the target site, and the host of any email dropboxes contained within the spam.
It costs money to open webhosting accounts, so hit the real spammers (those who benefit from the advertising, not necessarily those who send the mail) in the pocketbook.
Shaun
>Both pieces of code could potentially be used to steal a
>great deal of money
But only one of them was solicited by the very people who now claim they'd be hurt by it. Remember, researchers were invited to crack the copy protection, and if memory serves they were even offered a prize for doing so. I don't see Mastercard issuing any such challenges, and I don't envision the EFF defending a malicious cracker.
Shaun
More likely the trojan is looking for the window classes registered by PGP... Not the executable name. Spy++ says it's PGPkeysMainWinClass. Recompiling from source, with new class names, ought to fix the problem in no time.
Shaun
Shaun
>Its kinda crazy thinking about all the stuff thats out
>there that no one will ever see. I always figured
>anything sensative for military use would be stored on
>a proprietary government network
Might already be that way and we just don't know it. Talk about "dark netspace," nobody holds more of it than the US military... A bunch of class A's - 6.*, 7.*, 11.*, 21.*, 22.* - not to mention the smaller, uglier blocks. I imagine they could be running some sort of TOP-SEC-NET (or maybe SEC-PORN-NET) on one of these, unbeknownst to the outside world.
Shaun
We already have some precedents (in Felten and Sklyarov) about how "people who violate the DMCA get screwed." We don't need more of those, at least not at the expense of good people. The general public probably looks at these two cases as you'd expect them to: "Well, gee, they did break the law, so I guess they had it coming."
Alan is taking a different approach. He's not trying to show the world that breaking the law will get you in trouble. He's trying to show the world that people who obey the law are the ones being hampered. Instead of violating the law (knowingly or not) and then crying foul when he gets charged, he's making the point that complying with the DMCA interferes with legitimate business. It's a subtle difference, but IMO it's a better precedent. I think people will be more apt to see the DMCA as a bad law once they understand that it's the law-abiding citizens who are being effectively punished.
To quote a poster from the original thread on this issue, the DMCA is the only law so stupid that it must be fought through civil obedience!
Shaun
...fuckedcompany.com. fucked.biz would be so much easier to type! And so much more appropriate...
Shaun
That's always an option. Problem is, who's going to download a program written by "anonymous" and posted to Tripod? Especially when you figure the target audience is folks who are either security minded or outright paranoid. I know I wouldn't go near it, there has to be some accountability or else people are going to be afraid to run the program.
I should have mentioned it's a Windows program, so it would be distributed as an EXE, you wouldn't be able to look over the source first. Then again if I was just going to "put it out there," so to speak, I guess it wouldn't hurt to bundle the source.
Of course, all this is purely hypothetical!
Shaun
Apache allows you to ban a netblock, you don't have to do it on a per-IP basis. For example, if the guy's always coming from 209.14.27.*, you could create a directive for your root directory like:
.htaccess file instead.
.htaccess. He set that script as his 404 error handler for a few days, and anyone who did a Nimda scan was immediately blocked from further access to the site. Of course some legit users who mistyped a link probably wound up blocked, too. I imagine by now he's cleaned out the list, so it was only a temporary inconvenience to real visitors.
(Limit GET POST)
order deny,allow
deny from 209.14.27.
(/Limit)
(Replace the parentheses with angle brackets, a la HTML.) If you can't tweak httpd.conf, put that in an
Someone else suggested automating the process, this is a good idea if you can do it. When Nimda first fired up, a friend of mine wrote a Perl script that took the remote IP and added it to the deny directive in
Your solution depends on how aggressive you want to be, and whether or not you care if a few babies get thrown out with the bathwater. Me, I'd just ban the netblock for a couple of weeks. The lusers will find another site to harass, and you can lift the ban.
Shaun
You won't see many secure IM clients unless they were written outside the US. I wrote a secure peer2peer instant messaging client, i.e. you connect directly to your buddy instead of going through someone's server. The program Blowfish encrypts all IMs, supports variable bit-length keys between 32 and 448 bits, and allows the conversants to change the key at any time by setting a new password. Good luck eavesdropping!
Now, all that said, have you ever tried to get a program like this approved by the US government? I've spent hours poring over the BXA website, as well as the GPO's archive of EAR regulations, trying to figure out exactly what license exception I should apply for. After all the reading and research I've done, I've gotten nowhere. I sent an inquiry to the BXA's crypto folks and haven't heard back. I looked in Usenet and found twenty different answers. I did see it mentioned that if I release the program as open source I don't even have to get it licensed, but I couldn't verify that at BXA's site.
From what I gather, if I want to distribute the program I'd probably have to set a fixed key, or at the very least cap the key length at 160 bits. Then I'd have to apply under one of several license exception categories, though I don't know which; and if you apply for the wrong one, oops, sorry, you wasted your time documenting how your program meets the EAR requirements. Supposing I managed to apply properly, I may have to wait 30 days before making the program available; meanwhile my spec (and perhaps source code) is in someone else's hands.
$DEITY forbid I want to charge a shareware fee for the program, then I have to figure out whether it's classified as ENC Retail, ENC Non-Retail, etc. Or if I have the arms-trafficking gall to try and distribute the program with 448 bit capability - assuming that was approved, mind you - I'd have to implement some method of checking the IP address of each potential downloader to make sure they're inside the US... And then what happens if someone's using a proxy?
All in all I don't have the time to deal with this shit. And so I gave up (I get the feeling this is exactly what the whole mess is meant to encourage). I've given the program to some friends whom I can personally vouch for as US residents. Other than those few people, it'll probably never see the light of day. Unfortunate, but I wouldn't say it's the Big IM Players' fault that secure IM clients aren't taking off. They'd be everywhere if it wasn't such a hassle.
(BTW if anyone has had success getting a Blowfish program licensed for export, please reply with your secret!)
Shaun
>$income = $bandwidth + $other_guy - $ad_revenue;
;)
No wonder he shows a "profit" from his site, if he's subtracting his revenue from his expenses instead of the other way around...
Typical sneaky dot-com accounting
Shaun
>I think it is a bit unfair that the US gets its own top level .co.xx or other than Australia
.com.au
.com.au. The Brits could have made theirs .hmw.uk (Her Majesty's Web, of course). The Aussies could have made theirs .oz.au, or the Africans could have made theirs .kwan.za if they'd liked. It's up to whomever controls the TLD; namely, some branch of the country's government. Most of them went down the .co.cc, .gov.cc, .[edu|uni].cc path, probably because it made for good hierarchical organization.
>domain. All other countries have
>who made theirs
Ah yes, Australia, who made theirs
If you don't like your country's ccTLD allotments, complain to your government, don't complain about mine!
Shaun
>How about getting all the CRAP off of TV... it used to be
>only 1/2 shit, now it's 80% shit IMO. Commercials and content
>included.
And that's exactly why they're going after the internet (although it too is arguably 80% shit). Television in this country has become so filtered that it's difficult to find anything truly "objectionable" unless you subscribe to the Spice channel. Think fast, when was the last time you saw a radical political opinion - OK, OK, a non-Christian radical political opinion - on any TV channel?
You can flip back and forth between the major networks and the talking heads are saying the same thing. CNN slants it left, Fox slants it right, but neither side makes any real commentary. The only radical opinions on TV are the ones showing up on 700 Club, but I digress. It's okay for some nut to go on TV and blame September 11th on gays and abortion, but it's not okay for someone to go on TV and criticize the government. It's okay for the religious right to proseltyze on the public airwaves, but God forbid Howard Stern says "penis."
It's quite clear that government regulation of any media ends up favoring the government and stifling anything they see as prude. The stuff they've worked so hard to keep off of television and radio now flows freely on the internet, and you better believe it scares the hell out of them. If you can't control the medium, you can't control the speech. It seems to me like they're starting to realize that the internet cannot be FCC'd, and they're moving toward scare tactics instead ("we'll be watching you, and we won't need a warrant!").
I don't like the idea of a ratings system, but if we have to have web ratings, I'd rather they come from the industry than from the government. TV would be a much more interesting phenomenon if the FCC bailed out and left the networks to regulate themselves! Of course, if we speak loudly enough and refuse to participate, we don't have to have web ratings. A product no one uses fails to be significant.
Shaun