Slashdot Mirror


User: devnullkac

devnullkac's activity in the archive.

Stories: 0
Comments: 307

Comments · 307

  1. Re:I had to check on Panasonic Combined DVD-R & PVR Device · · Score: 4, Insightful

    Interesting how Amazon jacks up the "List Price" by $300 (vs. Panasonic's MSRP) so they can claim that "You Save" that much.

  2. Self Destruct on Linux Worm Creating "Attack Network" · · Score: 5, Interesting

    Another evil plan with a big red Self Destruct button: one of the supported remote instructions for the network is "run a command" (0x24). All you have to do is find an entry point and command it to killall -9 .bugtraq and the command will propagate through the network, killing itself. Doesn't keep it from regenerating on the original https vulnerability vector, but we could perhaps slow down the DDoS attacks.

  3. Re:Wrong Answer for Red Hat Linux on Linux Worm Spreading, Many Systems Vulnerable · · Score: 3, Informative

    Well, I've been keeping my RedHat 7.3 up2date and I got hit. I didn't know it until I read this post, but last night TicketMaster Brasil (of all places) pinged my server one minute before the characteristic /tmp/.uubugtraq file appeared. The only thing that saved me was that the link phase of the worm compilation failed due to missing libraries (specifically, RC4 and MD5).

    I agree that package management is good, but it looks like RedHat is running behind on this one. I'll be closing down the SSL port on my firewall for now :-(

    Although I never saw it actually operating, you can probably clear the worm from your system via the following command (though you'll have to take measures to ensure it doesn't come right back):

    killall -9 .bugtraq

    The worm itself is nicely commented; it even has a disclaimer that the author isn't responsible for any harm:

    Peer-to-peer UDP Distributed Denial of Service (PUD)
    by contem@efnet

    <snip>

    I am not responsible for any harm caused by this program!
    I made this program to demonstrate peer-to-peer communication and
    should not be used in real life. It is an education program that
    should never even be ran at all, nor used in any way, shape or
    form. It is not the authors fault if it was used for any purposes
    other than educational.

    Doubt the disclaimer will keep him out of jail for life, though.

  4. Retrofit for Existing CF Cameras? on Sony Presents Bluetooth Digital Camera · · Score: 2

    It might be useful to develop a Bluetooth-capable device in a Compact Flash form factor that acts like a memory card, but really stores its data on a remote device (like a laptop). Such a card could be inserted into any existing CF camera and used in the same way as the Sony.

    An on-card cache could help it get past transfer time issues for the purposes of compatibility with existing cameras.

  5. Spammers can simply pay to use it on Haiku vs Spam · · Score: 2

    From the article:

    Individuals and Internet service providers can license and use the mark for free, while businesses and bulk e-mail companies will pay to use it.

    Habeas system
    Subverted by big spammers
    Who pay to use it

  6. Re:Off Base on How The Postman Almost Owned E-Mail · · Score: 2

    The 25 post office electronic/hardcopy hybrid was just the last thing that actually happened. The Postmaster General determined that "Generation III" delivery systems of the kind we're familiar with today should not be a part of the mission of the Postal Service.

    The point of the article was that he could as easily have decided to go the other way.

  7. my.mp3.com on Borrowing ROMs · · Score: 2

    It didn't work for my.mp3.com, so I don't know why it would work here. As I recall, the judge in that case effectively ruled that even though the company guaranteed that a particular copy of music was directly linked to a real CD, it was still somehow "different" from the original and so they were found to be distributing an illegal copy.

  8. Re:Value of human life on The True Story of Website Results · · Score: 2

    If asked the question, "What is my life worth to you?", can you really respond to me with a dollar amount?

    Well, if you fly in the USA, the FAA values it around $2 million. At least, that's the largest amount of money it will force the airline industry to pay to save one life in normal operations.

  9. Oblig SNL ref on Moon Rock Winds Up In Court · · Score: 2

    The Feds should keep in mind warning 31 from the SNL sketch:

    Don't taunt Lucite ball containing lunar material.

  10. Re:hexa on Are Written Computer Science Exams a Fair Measure? · · Score: 2

    I doubt "Hexa Person" actually advocates the use of hexadecimal. Judging from the posting pattern, s/he simply wandered around the site linked by the "Physics in the Movies" post, discovered the Hexadecimal pages, and constructed a new Slashdot account devoted to insulting other posters. Fortunately, it looks like s/he got tired and went to bed after an hour and a half of this nonsense. Hopefully s/he'll forget about it in the morning.

    The irony is that Hexa Person doesn't really understand hexadecimal, since there are comments of the form "$16.99 should be written 10h.99." 0x10.99 is only 16.59765625 decimal.

  11. Why accept *their* agreement? on ReplayTV 4500: No Hacking, or Else · · Score: 4, Funny

    Try mine:

    REPLAYTV 4500 Digital Video Recorder
    Activation and Service Agreement

    1. Use of the Service
    You may use the service for any purpose and SonicBlue can't say "boo" about it.

    2. Fees and Term of the ReplayTV Service
    SonicBlue would like for you to pay for the service, but if you figure out how to steal it, well we can certainly respect such an achievement.

    3. DISCLAIMERS AND LIMITATIONS OF LIABILITY
    If you use the ReplayTV 4500 to store emergency response procedures for a nuclear reactor and the product fails to function during a disaster due to neutron flux, SonicBlue accepts full responsibility for the resulting environmental damage.

    4. Miscellaneous
    You may modify this agreement at any time in any way without notice to SonicBlue. Failure of SonicBlue to notice or respond will constitute our agreement to the new conditions.

    BY CLICKING ON THE "I AGREE" LINK BELOW, I REPRESENT THAT I HAVE READ, AND I UNDERSTAND AND AGREE TO, THE TERMS STATED ABOVE.
    I Agree

  12. Re:There never was a problem with Firestone tires. on Sanyo Solar Ark and Giant LED Display · · Score: 1, Offtopic

    *Any* good driver would also know that you can't stop an 18 wheeler on a dime without causing a jack-knife. However, the instinct to simply slam on the brakes as you would in a passenger vehicle is too great to be ignored, so most US jurisdictions require a special license to drive vehicles of that type.

    Perhaps another special class of driver's license should be required for SUVs, since driving techniques which lead to acceptable risk in ordinary passenger cars apparently lead to death in SUVs.

  13. Consistent Password Policies? on Passwords May Be Weakest Link · · Score: 2

    In my experience, in a large corporation, there are hundreds of independently managed password domains, at least a dozen of which any one person will usually have to deal with on an ongoing basis. Differences in password change frequency, minimum lengths, differentials from prior passwords (sometimes from ANY password used by ANYONE on that system in the last year), and digit inclusion rules vary in a tower of Babel that makes it difficult to even maintain passwords, let alone ensure they are all maintained securely.

  14. Equivalent to POTS Warrants on Security, Due Process and Convenience · · Score: 2

    IMHO, ISP warrant execution should be held to the same standards as local telephone service warrants. Both service providers store similar kinds of court-demandable information and both depend heavily on computers to extract it correctly.

    IANAL, so I don't know what the POTS standard is, but I doubt police officers actually have to be present. Having a flatfoot on site won't help unless s/he's intimately familiar with the database query system.

  15. Re:Aside from sounding ghastly, it's a political g on Dictionaraoke - Fair-Use meets Karaoke · · Score: 3, Interesting

    Actually, there are two copyrighted elements which need to be considered. The original sheet music which lists the notes that make up the song will have a copyright and separate performance right, which is probably violated by making a MIDI file and distributing it without consent ("reverse engineering" them from another performance won't exempt you). The original lyrics are also copyrighted and can't be reproduced for wide distribution (even as a vocal transformation) without consent.

    www.lyrics.ch ran into this problem a few years back. They were shut down for a year or more as they sought permission from the various copyright holders and repackaged the lyrics in a "secure" format.

    I don't think the legal issues are really all that jumbled. It's just a question of whether a parody of this form qualifies as a "fair use".

  16. potential sales on First Folding-Screen e-Book Reader · · Score: 5, Funny

    Samsung sees potential sales of flat panels for electronic books at 24,973 units this year.

    Very precise estimate. Is this a conversion from some sort of metric unit count?

  17. 11 Things I Hate About Spiderman on 11 Things About Spider-Man · · Score: 2

    Maybe I've been watching too much Heath Ledger/Julia Stiles, but I misread that title the first time through...

  18. Re:Jabber is a hack on Programming Jabber · · Score: 4, Interesting

    Learn the IP address associated with a globally-unique username

    Unfortunately, the user identification problem is complicated by the fact that there may be more than one person using a given IP address. Firewalls which implement NAT and servers which have multiple simultaneous logins are quite common and give this complication real teeth.

    You could perhaps claim that the task is really to associate an IP address and TCP/UDP port with a person, but you can only realistically use one service per port (port 80 overloading notwithstanding), so you'd have to say that the identification is solely for IM, and so the solution of the problem isn't really useful outside IM applications.

    Or you could instead say that the task is to associate an IP address and TCP/UDP port with a person and a service, but now you've got the problem of identifying all services and handling the dynamic nature of port assignment as users become available/unavailable and declare themselves as participating/not participating in the various services. Not impossible, but hard enough that nobody seems to have solved it yet.

  19. Ah... DMCA Good? on Vivendi Universal vs. News Corporation · · Score: 2

    The DMCA is so valuable that companies are now moving their lawsuits into US jurisdictions so it can be applied. Now we just have to set up enough concession stands around the court houses so we can actually profit from all the lawyers that flock to our judicial system to escape the injustices of individual rights found overseas.

    Not that I condone this sort of activity. As my cable provider regularly reminds me: Theft of Cable Service is a Crime.

  20. Stealing Without Wires on iWarez · · Score: 2

    The article talks about how the iPod can stay in your pocket as you steal the software, but you still have to plug the cable in.

    When high speed wireless protocols become standard (Bluetooth is probably still too slow), this kind of stealing can be done without ever revealing that you have any device at all. It'll just show up in the Wireless Neighborhood when you walk up to the machine, you drag-copy the files, and walk away.

  21. Re:No State Injury? on Microsoft Seeks Dismissal with 9 Dissenting States · · Score: 3, Informative

    The issue of "state-specific injury" refers to grievances which exist only within one or more of the 10 remaining jurisdictions. For example, if California has a problem with OS/IE tying, Microsoft is claiming that the state cannot bring suit unless OS/IE tying is only being done on products marketed within its borders. If the same problem exists elsewhere, it can only be addressed at the federal level.

    Not that I agree with the argument, mind you, but I think that's their point.

  22. Re:first, do no harm... on The Skeptical Environmentalist · · Score: 2

    The same logic underlies Pascal's assertion that one should believe in God in the absence of direct evidence to the contrary because the cost of disbelieving is so high if you're wrong. I didn't buy that argument and I don't buy this one either.

    The reasons for curbing environmental impacts must be based on believable evidence. The only question is where to set the "believable" threshold. I would put myself in the still-waiting-but-worried-enough-to-buy-a-Prius camp.

    Unfortunately, the book's author seems to believe not only that the evidence to date fails to support the conclusion that the impacts are real, but that they in fact already support the opposite conclusion.

  23. Re:It's worse than that on Is Evolution Over In Humans? · · Score: 2

    We should note that medicine does permit evolutionary paths which would not otherwise be open to our species. Consider the case of the human appendix: it is an "unnecessary" organ, but genetic mutation mechanisms are unlikely to eliminate it. This is because genetic mutation will normally cause gradual changes in anatomy, making potentially unnecessary organs smaller and smaller in succeeding generations until they are completely absent.

    In the human appendix, however, mutations which are smaller than the current size actually make early death more likely, since smaller appendices are more susceptible to infection. The only natural mutation which can eliminate the organ is one which does so in one generation.

    Medicine permits these more "frail" intermediate mutations to survive until a version is produced which can stand on its own.

    Of course, this effect is mostly eliminated by the strong genetic mixing mentioned in the article, but then so is the "frailty" :-)

  24. Re:Stylin' on Artwork from Ancient Atari History · · Score: 2

    Even the game displayed in the avocado picture shows some kind of strange naivete. "Airport"? Who'd pay 25 cents to simulate being stuck in ground traffic? Oh wait, people pay hundreds of dollars for that every day.

  25. Evasion Tool on Judge Upholds FBI Keyboard Sniffing · · Score: 2

    Won't be long before the makers of privacy tools will change their GUI front ends so that a keyboard is no longer used to authenticate. The simplest method would be to display a virtual keyboard and have the user mouse over to each character. It would be difficult, though not impossible, to construct a "mouse sniffer" that gathers enough data to reconstruct the password based on movement history. Defeating that would simply require randomly moving the virtual keyboard between each click. A bit of a pain, but if you really want to avoid the rubber hoses, you may have to do it.

    The only problem after that is evading the "looking over your shoulder" that no-echo keyboard password prompts are so good at avoiding. Maybe a very low contrast virtual keyboard and cursor...