Slashdot Mirror


User: ScuzzMonkey

ScuzzMonkey's activity in the archive.

Stories: 0
Comments: 519

Comments · 519

  1. Re:If not US or Russian law, when what laws apply? on Judge OKs FBI Hack Of Russian Computers · · Score: 2

    Well, why not? I think that Afghanistani law would probably protect various terrorists that we badly want to see tried from any sort of legal apprehension. Should we just let it go? I mean, come on, that's a little absurd... the US has countries that are essentially its enemies, and the FBI should hobble itself because they are not interested in helping defend American property?

    As far as the US justice system is concerned, events that occur outside it are essentially a black box, and rightly so. Nations exist in a realm of anarchy, governed only by agreements that are binding only as long as they feel like abiding by them. It may be that the FBI should be prevented from playing internationally, but that makes these incidents what? A military matter? I think that's an even worse idea.

  2. Go Low Tech on Managing Shared Passwords? · · Score: 2

    Get a piece of paper. Write the passwords down. Lock it in a fire safe. People who need it and some other responsible authority who is easily contacted have the combination or key.

    This sort of thing is desirable for disaster recovery, anyway--I keep a copy in the company safety deposit box, in addition to the one on-site. It's not particularly good to write passwords down, anywhere, but I'm in a similar situation and there are enough of them that there just isn't much choice. But far better to keep them off-line than use some of the techie solutions presented here. They're not susceptible to remote compromise and there's little chance of your piece of paper head-crashing or getting zapped with static electricity and losing all the information.

  3. Re:No, but they can drive it underground on P2P vs. RIAA: RIAA Wins · · Score: 3

    I think you're on to something with the penalties idea--that's really what the RIAA are good at, massaging legislators to put laws in place to protect their interests (usually at the expense of the consumer's interests).

    But I don't think you'll see any "indemnity boxes" and if you do they'll be a joke. P2P is such a huge buzzword now that people forget that it is pretty much just another way of saying 'the Internet.' You don't need a fancy application for this stuff; IRC, FTP, HTTP... Gopher, even, if you wanted to resort to that... all of these are 'file-sharing' technologies and there's no way that the RIAA or anyone can tell that the packets you're swapping are copyrighted material or not. Even if you're using a detectable client, the onus is going to be on RIAA to prove that you're swapping stuff they own, not your own files. Legislation is not likely to change that--it's too firmly embedded in common law and common perception. But the penalties... you are quite right; those are a different matter.

  4. Re:I wouldn't presume to speak for others. on Scott McNealy On Privacy · · Score: 2

    And to riff a little further on your point, and get out of the morass of technicalities that you are replying to, one has to ask oneself, if Congress was so clearly given the right in Article I, Section 8 to arm and regulate the militia exclusively as an organized body, then why were the founders so intent on passing the Second Amendment at all? Why pass an amendment to grant the same power that was already assigned in the original document?

    Such an interpretation not only defies logic but also flies in the face of what we know about our founding fathers and their views on government. They were clearly wary of the centralization of power in the hands of the few; guaranteeing ordinary citizens the right to maintain arms was a way of preventing such a thing from happening. People can argue all they want now about how effective that premise is in today's world, but I don't doubt that some of the men who constructed the Constitution and Bill of Rights would, if alive today, be holed up with the Fremen in Montana and trying to lay their hands on rocket launchers and nuclear weapons. The right and the wrong of that position lies elsewhere; but their intent was not to bottle armament up into a federally regulated force, but distribute it amongst the states.

  5. Re:One after the other.. on RIAA Trains Legal Sights On Aimster · · Score: 2

    Guns, knives, pointy sticks = contributory murder.

    Err... I like your example, but a lot of people already pretty much accept this one as stone cold fact. Probably not the best argument to try to make to the public (or even around here, considering some threads I've seen).

  6. Re:This is impossible. Or not. on NSA Tapping Underwater Fiber Optics · · Score: 2

    For someone who supposedly knows how to read, you did an awesome job of completely skipping over my entire second paragraph, which addresses your rather pathetic premise directly. It's been fun toying with you, though. Try again after you're out of junior high and then maybe we can have a real conversation.

  7. Re:This is impossible. Or not. on NSA Tapping Underwater Fiber Optics · · Score: 2

    If it were so easy to do long term covert taps right at the telco, then why is the NSA actually investing billions of dollars in equipment to do undersea taps?

    You dumbass, that's my argument. Glad to see that you're not a troll, though... I get along much better with just plain idiots.

    For that matter, the Russian embassy tunnel tends to prove my point too. Thanks. They dug that because... wait for it... because they couldn't reliably insert human agents to gather the information more directly! You're arguing in circles. You can't say "Oh, they'd just put an agent in to cover for themselves during the tap," and then turn around and argue about how difficult it is to put an agent in and expect anybody to listen to you. My entire point is that it's not that easy to put a covert agent in. The US intelligence establishment has leaned away from HUMINT and toward SIGINT and high-altitude imaging for years because of that. When you are lucky enough to actually get an agent (and most of them aren't actually US citizens--too difficult to create believable cover) it's very rare to be able to target them into a more favorable position. It's pot-luck; you get what they happen to have access to, not what you would like them to have access to.

    Try doing your research by doing something other than watching old Bond flicks sometime.

  8. Re:This is impossible. Or not. on NSA Tapping Underwater Fiber Optics · · Score: 2

    Er... it seems to me if it were that easy for them to insert agents as engineers, they could avoid the whole complicated snarfing about in a cold, dark, hostile environment hundreds of meters beneath the surface of the ocean to place the tap. They'd just grab it at one of the ends. The very existence of the NSA puts a hole in your theory.

    Or you could just be trolling... wasn't it Arthur C. Clarke who once said that any sufficiently well-constructed troll would be virtually indistinguishable from routine stupidity?

  9. Re:you're missing the point on Above.net Blackholes, Unblackholes Macromedia · · Score: 3

    Gosh, you're right, that would be awesome! And then we can go after all those scum that host porn sites! And anybody with a dancing hamster! I mean, that stuff's all just a useless waste of bandwidth too, right? Not to mention the fact that right now--this very instant--I'm having to pay my ISP extra to carry packets from people just posting crap on /. The nerve!

    While I agree that there are some things egregious enough to demand relatively harsh actions, I think it's clear to most reasonable people that the RBL is overkill for what it's reacting to. Combined with the fact that it's relatively ineffective at blocking spam, which is its stated purpose (see cites in Jamie's previously posted article--third-party research indicates that MAPS is one of the worst filtering systems out there) I think that this is more of a witch hunt than a socially responsible act of network defense. Do you honestly think that spam really absorbs a significant percentage of bandwidth in these days of fat pipes and graphics-heavy websites? (actually, if anyone knows that stat, I would seriously be interested in seeing a cite for it... I've always wondered). I understand, and share, the common disgust with spammers. I'm all in favor of most anti-spam tactics, even including retaliatory spamming (especially liked some previous poster's method of harvesting salespersons' e-mail addresses and hitting them back) which are easily seen as just as evil as the original abuse. But the RBL affects too many people who cannot have any control over it, and operates in too much secrecy to have any broad educational effect. I see all kinds of posters to this story clamoring about how you should shop for another ISP if you don't like one that uses the RBL, but that's both impractical for users who can't track down backbone providers (which is what we're really talking about here) for their ISP options, and flat-out impossible if you don't realize that the RBL is causing your problems--they provide no notification to the end-user. Not everyone has the base level of technical ability that the average poster here does.

    And for those here blaring loudly that as a private company, Abovenet can do whatever it damn well pleases with the traffic it carries (quite correctly), I have two comments: one, extend that notion to other commonly provided services you patronize and see if it still sounds good; two, don't bitch about the inevitable lawsuits... that's how matters are resolved when companies do whatever they damn well please.

    Thank you.

  10. Re:Kill me now on Scaling Walls With Suction Cups · · Score: 2

    Oh, I don't know... I bet it gets pretty graphic when the person detaches from the building forty stories up.

  11. Re:"Two good targets..."? on North Slope Server Farm · · Score: 2

    Good sysadmin = paranoid

  12. Re:Waaaaaait a second. on Is Law Copyrighted? · · Score: 2

    Small point...

    On your first point, absolutely correct. It's more like a documentation of legislative intent than anything, and while a well-written and cogent document, it's definitely not the law.

    On your second point, while I agree completely with your analysis and mostly with your conclusions, you're dead wrong about the intent, and you're wrong because you're ascribing the intent to modern factors, not historical ones. At the time the amendment was added, it was done precisely to prevent the government from becoming too powerful. There was no large, all-powerful federal force to make armed revolution futile in those days (as it likely would be today). Even in more recent history, such a thing was close to possible. You can argue about whether or not the South ever had a real chance in the Civil War, but you can't deny that they gave the North a run of trouble over secession. Guns made that possible; Southern militias fought that war for the Confederacy.

    As I said, I tend to agree with your conclusions about the modern state of things; personally, I believe that we should just agree to conduct ourselves more civilly in these debates. But in the real world, power does ultimately rest on lethal force--while the government may hold the trump card there, it's understandable that people who consider themselves on the other side of the matter (a silly notion in a representative democracy, IMHO) don't want to give up the ace they have. Despite the perceived futility of armed action against the US government, I have little doubt that, were several of our more militant founding fathers alive today, they would be up in the hills in Montana someplace stockpiling Uzis and plastic explosives. And OTOH, I think the worst reason in the world to bow to popular pressure and melt down your arms is simply to avoid giving "...the government more ammunition to hurl at you...." Just going along with the program for its own sake leads down a dark path.

  13. Re:FBI's jurisdiction argument on FBI Does A Cracker-Jack Job · · Score: 2

    It wasn't a statement, it was a question. As for Russian authorities, personal experience. But the question stands. Having trouble answering?

  14. Re:School on How Many Hours Do You Work in a Week? · · Score: 2

    How can they "guarantee" x hours of homework? I mean, you can say that you are absolutely going to have 1 hour in class each day and make that stick (providing they worry about attendance) but for homework, doesn't it sort of depend on the individual in question? When I was in high school, there was no homework--if I couldn't get it done during school hours, I didn't do it. After school and weekends, I was at work. I had plenty in college, but then, I only showed up for class half the time. But during those same periods, covering the same coursework, there were plenty of people who spent all night buried in books or slept through class, and got pretty much the same grades. How can you have a legal limit to hours of homework when you can't put an absolute measure on such? I'm truly curious about the jurisdiction you're in--if you could point a link or something to the code in question, I'd appreciate it.

  15. Re:the source of this... on Tech Support: Sucking Even More · · Score: 4

    I'm sure that's part of it, but I think the real issue is that it's just not a priority for the companies involved. You're absolutely right, who wants to work in customer service for a living? But there are plenty of industries where they are able to staff support services with helpful, cheerful people, and there are some companies in this industry that do it--Dell comes to mind as a place I've called and never gotten a grumpy or flat-out disinterested rep. It's not just the staff--it's the people who ought to be motivating them.

    I think it's more symptomatic of the software life cycle than anything; in my experience, hardware manufacturers tend to provide better support (Dell, IBM) than software makers. My take on this would be that it is because hardware (especially big ticket items) lasts longer and is more likely to be replaced by a similar model from the same company. People tend to stick with what they like. Software, OTOH, is probably up for replacement in a year or two, and the publisher would rather sink money into marketing the new product than supporting the old.

  16. Re:One word on FBI Does A Cracker-Jack Job · · Score: 2

    I don't think your view of law and duty is actually all that different from mine. I agree with pretty much everything you've said; I just don't think (returning to the lousy mugger analogy) that it's acceptable to say "Don't walk in certain neighborhoods," instead of trying to address the root problem. Your point that such things are often symptomatic of greater social ills is well-taken--however, it crosses your point of individual responsibility being the only really relevant matter. If the muggee needs to be responsible for watching his or her back in Indian country, then the mugger also needs to be responsible for, well, being a mugger. And I don't think that justice is not a deterrent, either. I think it's a great deterrent, where it's actually applied. Deterrence, however, is not easily measured in most contexts, so I can't cite anything for you particularly... it's just an observation of human nature. If you have an expectation that you're going to get caught and punished you're less likely to commit a rational crime. Murder would be an example--it has a very high clearance rate, and it's also the least common violent crime. And I guess, in short, that I don't think that being stupid means it's okay to be victimized. I suppose I'm idealistic enough to think that our society should be such that you simply shouldn't have to worry about getting mugged/cracked.

    Aside: The point about the stats, though, is that even though NT is higher than everything but the aggregate of all linux distros, it's not as much higher in exploits as it is in market penetration. If NT had 100% market share, they would have 100% of all exploits. In other words, you should see a correlation between how widespread an OS is and how many 'sploits are found for it, presuming all other factors are equal. But NT actually has a lower percentage of 'sploits against it than it has market penetration. So, for instance, if you took certain other operating systems and extrapolated them out to having the market share that NT currently does, you would actually see them with more exploits against them than NT has. You could argue that this is a Bad Thing and that more problems found mean more fixed; but I don't think you can argue that NT has more exploits for market share than other operating systems.

    I don't have a comment on the nature of the exploits, since I can't seem to find any relevant stats for that. Off the top of my head, I can only think of a few popular IIS/NT exploits that allow full file access or arbitrary code execution.

  17. Re:One word on FBI Does A Cracker-Jack Job · · Score: 2

    I certainly wouldn't argue that most breaches--and I would go so far as to say ALL breaches--are preventable; it's just that it's much easier to see what would have prevented them in retrospect than it is beforehand. Certainly people should follow minimal best practices, at least--I completely agree with you on that point.

    I guess I just find it disturbing that you seem to hold the victims more responsible for the problem than the attackers. Prudence is one thing, culpability another. To draw a poor analogy, if you're going to walk at night in a bad part of town, you should be prepared for muggers--but that doesn't mean you should just accept being mugged. You should still call the cops, try to find the guys who did it, and take them off the streets. That's not whining, it's civic responsibility. Vengeance is not the point--justice is. There may always be someone else, but that doesn't excuse these guys in particular--they should be pursued and removed from the scene.

    Aside: that's an interesting argument against NT/IIS--usually what people say is that it's less secure because there are fewer reported vulnerabilities weekly than other, more open platforms... implying that more open platforms are better reviewed for security. If you really believe that, though, you should take a look at the actual numbers: securityfocus stats. Considering the percentage of all webservers that are hosted on NT, it actually has fewer reported vulnerabilities for its market penetration than some Other operating systems (not naming any names here ;) And if I remember the attrition.org numbers correctly, it's actually cracked less often per share, too.

    I don't like how MS handles flaws, either, but it's really just a mirror for corporate America. I've never worked anywhere where the PHBs were more concerned with fixes than features--until after they got hit.

  18. Re:FBI's jurisdiction argument on FBI Does A Cracker-Jack Job · · Score: 2

    It seems that way because that's what the FBI have said, and it fits our prejudices.

    Well, maybe that's why it seems that way to you but it seems that way to me because I've tried to get Russian authorities to move on extortion threats received from Russian nationals, and not gotten very far. I don't have any trouble believing that the victims in these cases didn't have any better luck. Do you have any evidence to the contrary, or were you just talking out of your ass because you don't like the FBI?

  19. Re:One word on FBI Does A Cracker-Jack Job · · Score: 2

    A vanilla webserver is a little different than a full-blown e-commerce system with a back-end database to worry about, sure. Presumably you can re-format, re-configure, slap source back on it and be running again in no time.

    It's easy, and to some extent valid, to observe that different policies and procedures would prevent or minimize damage after the fact. People should always use a compromise as an excuse to review their procedures. But security is always a compromise on usability, and determining ahead of time exactly where to draw that fine line is an impossible art.

    Incidentally, if you don't feel that NT/IIS has adequate security, it seems to me that you've missed your own point--properly installed and configured, that setup can be as secure as anything else on the market. But perhaps you were trying to say that in your case, you couldn't provide the functionality that you wanted with the security you wanted. I guess that would be my point--you've got to make that tradeoff somewhere, and I'm not sure you should castigate these guys for doing so. Nobody likes a whiner, but I think it's reasonable to be pretty pissed off when you get jammed like that.

  20. Re:FBI's jurisdiction argument on FBI Does A Cracker-Jack Job · · Score: 2

    Which argument? The first sentence is pretty well established case law; if it weren't, you wouldn't be able to keep logs and no one would ever get busted for cracking. The second, I dunno. Jurisdiction regarding information is not, in my mind, the same as jurisdiction regarding physical apprehension. I mean, they can collect information about the movement of suspects outside the US without any by-your-leave from anyone, or read a foreign newspaper, or whatever. I think jurisdiction is probably the wrong word. Russian law may have been violated, but OTOH, it doesn't seem like the Russian authorities were too keen on following up on the original case against the crackers, so I doubt they're too concerned about the FBI doing it. Personally, I don't have an issue with it--there are places in the world which are pretty much beyond the pale of ordinary international cooperation for law enforcement. Just because there are not any agreements for enforcement in those areas does not mean that criminals operating there should just get a bye. If local law can't constrain them, why should it constrain the Feds?

  21. Re:One word on FBI Does A Cracker-Jack Job · · Score: 2

    You've either never been cracked or you are a freakin' genius or you didn't recover right. Just because you find a compromise on day X, it does not mean that it happened on day X... could have been yesterday, last week, a month ago. It takes time to go back and validate all of your data even if you were doing regular backups through that time. You have to find the last trusted backup, not just the last one you happened to make. It can take weeks to properly do forensics and work your way back to a trusted backup set.

  22. Re:Honeynets: I just don't get it on Know Your Enemy: Honeynets · · Score: 2

    Really only addressing your first point, but:

    If you're running a real production network, you probably already do monitor attacks as they happen (provided you have a clue). The difference is, if you register an attack on your production boxes, you want, and need, to shut it down immediately--block the attack, patch the hole, get control again. Almost by definition, you are only going to catch initial compromise attacks that way--until, of course, that one time you don't.

    The idea with a honeynet is that you don't have to worry about immediately responding and securing the system against the compromise--you can let the intruder wander around a bit and get a feel for what he's going to do once he's inside. What's the second step? How can you secure yourself against that? Because at some point, you're going to get someone who you can't catch at the first step. So in my mind, that's the attraction. How can you build a defense in depth if you don't ever see what a hacker can do once they get inside? If you've got a honeynet running, you can leave the front door unlocked and see what the guy does after he's in the house--and then you know what to lock up inside the house. The next guy might not come in through the front door, but you'll still be in good shape.

  23. Re:Towards an Open Source Society. on How Corporate Lobbyists Colonized the Net · · Score: 2

    Well, 1) votes, and they vote for 2), in much greater numbers than the 3) Grassroots activists do. If 3) voted in numbers greater than 1) then you'd see 2) taking some notice, even though it might hurt their bottom line a little bit short term. Otherwise, they wouldn't have any long-term to take advantage of.

    Grass roots activism is a great catch-phrase that no one actually seems to understand. You can't simply equate it with the popular will on a given matter--there are grass roots movements fighting for and against abortion, for example. Just because a particular grass-roots campaign fails doesn't mean that the will of the people has somehow been quashed by the mighty. And the attitude that most people hold toward Social Security is pretty laid back; it's not that much of your check, and hey, someone should support those geezers so they don't clutter up the streets anyway, right? I think that people are concerned about it, but not so concerned that it is a huge priority for them in the voting booth. OTOH, if you started telling them that John Ashcroft was watching them do the wild thing on closed circuit TV, they'd get testy enough to do something about it.

  24. Re:Towards an Open Source Society. on How Corporate Lobbyists Colonized the Net · · Score: 2

    Brin.

    But what makes you think it has to be a 'permit' thing? Can't speak for the rest of the world, but even though politicians and the press tend to shape debates here in the US, public willpower is still an awesome force to contend with. If ever such a meme picked up enough steam in the general public (and how could it not? If it were so obvious that the politicians could see everything about Joe Average's life, what are the odds that Joe Average wouldn't want, and demand, the same sort of access to politicians' lives?) you'd see it happening pretty quick. Not necessarily for the "right" reasons but just because the average American gets wicked pissed off when they see someone else who's allowed to do something they're not.

  25. Re:This pussyfooting business is making me sick on Hyperreality: The U.S-China Standoff · · Score: 2

    Not even economists are so cold-hearted as to base a decision to go to war solely on whether or not it will be profitable.