Slashdot Mirror


User: d_engberg

d_engberg's activity in the archive.

Stories: 0
Comments: 10

Comments · 10

  1. Re:Core features of apps == "leaks"? on Many More Android Apps Leaking User Data · Score: 2, Insightful

    Right, the paper lists some common applications used by millions of people (BBC, Evernote, Weather Channel) that appear to be using the requested APIs for exactly what you'd expect. It lumps those in with a few obscure and sketchy ones doing nefarious things with those APIs. It makes no attempt to determine which apps are actually doing anything unexpected/evil, and which are behaving in exactly the way that a user would expect.

    The unfiltered list gets posted on Slashdot, showered with the obligatory snark and tinfoil.

    A first pass sanity check on the apps would have been more responsible.
    E.g. "The Weather Channel app sends my location to their servers ... could this have a legitimate purpose for telling me the weather?"
    This would have probably pruned the list of applications down to a handful of garbage ones that no one had ever heard of.

  2. Core features of apps == "leaks"? on Many More Android Apps Leaking User Data · Score: 5, Insightful

    The headline doesn't really match the contents of the paper as far as I can tell.
    For example, "Evernote" is listed in the paper for:
    1) Taking pictures with the camera
    2) Recording audio with the microphone
    3) Determining your location
    And for transmitting this data to its servers.

    These functions are, however, exactly what the application is designed for. You take notes (including snapshot notes and voice notes) and upload them to your account. When you launch the app, there are big buttons for "take a snapshot note", "take an audio note", etc. Geo-tagging via the location APIs can be disabled from the Settings page, but this is another core advertised feature of the product.

    So this is a bit like making it into Slashdot by discovering that a mail client transmits text that you type (and your email address!) to a mysterious "SMTP" server.
    Headline: "Researchers discover nefarious 'e-mail' application leaking your data ... on the INTERNET!"

  3. CRL scalability on Verisign Certificate Expiration Causes Multiple Problems · Score: 2, Informative

    I'm guessing that this Denial of Service effect is largely due to the known scalability problems with X.509 CRLs. In a mature Public Key Infrastructure (PKI), about 1 in 6 certificates is revoked. A CRL is around 20-30 bytes in length for every revoked certificate.

    That means that if you've issued 250,000 certificates, you can expect to have a CRL of about 1MB.

    This aggregate information isn't bad for some back-end processing, but when a lot of clients try to grab the CRL, you can quickly saturate even a high-end 100Mbps hosted server farm.

    Virtually every serious large-scale PKI (including VeriSign and Microsoft) is moving to OCSP to replace CRLs since each client will retrieve ~1kB per status request rather than a full 1MB CRL.
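    The sizing argument in the comment above can be checked against the actual DER structure of a CRL entry. The following is an added example, not code from the comment or from any CA product: a minimal, standard-library-only DER encoder for the revokedCertificates element of an X.509 CRL (serial number plus UTCTime revocation date, no CRL entry extensions), used to measure bytes per revoked entry for different serial-number widths and to turn the "250,000 issued, 1 in 6 revoked" figures into a CRL size and a serving-time estimate. The revocation date, serial numbers, client count and link speed are constructed inputs for illustration.

```python
"""Size a CRL from the DER encoding of its revokedCertificates entries.

RFC 5280 shape of one entry (constructed encoder, no extensions):

    SEQUENCE {
        userCertificate  INTEGER,      -- the serial number
        revocationDate   UTCTime       -- YYMMDDHHMMSSZ for dates before 2050
    }
"""
from datetime import datetime, timezone

# Constructed revocation date used throughout the example.
REVOKED_AT = datetime(2004, 1, 7, tzinfo=timezone.utc)


def der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, else 0x80|count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value: minimal big-endian bytes, plus a
    0x00 pad when the top bit is set so the serial is not read as negative."""
    if value < 0:
        raise ValueError("certificate serial numbers are positive")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_utctime(dt: datetime) -> bytes:
    """UTCTime YYMMDDHHMMSSZ: always 13 bytes of content."""
    text = dt.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")
    return der_tlv(0x17, text.encode("ascii"))


def revoked_entry(serial: int, revoked_at: datetime) -> bytes:
    """One revokedCertificates element (a reason-code extension would add more)."""
    return der_tlv(0x30, der_integer(serial) + der_utctime(revoked_at))


def revoked_list(entries) -> bytes:
    """The whole revokedCertificates SEQUENCE OF for (serial, datetime) pairs."""
    return der_tlv(0x30, b"".join(revoked_entry(s, d) for s, d in entries))


def entry_bytes_for_serial_width(width: int) -> int:
    """Encoded size of one entry whose serial occupies `width` bytes (top bit clear)."""
    serial = 1 << (8 * width - 2)  # smallest value needing `width` bytes, no pad byte
    return len(revoked_entry(serial, REVOKED_AT))


def crl_payload_bytes(issued: int, revoked_fraction: float, entry_bytes: int) -> int:
    """revokedCertificates size only; issuer name, extensions and the signature add a few hundred bytes."""
    return int(issued * revoked_fraction) * entry_bytes


def seconds_to_serve(clients: int, size_bytes: int, link_bps: float) -> float:
    """Wire time to push `size_bytes` to each of `clients` fetchers over one link."""
    return clients * size_bytes * 8 / link_bps


if __name__ == "__main__":
    for width in (4, 8, 16, 20):
        print(f"serial width {width:2d} bytes -> {entry_bytes_for_serial_width(width)} bytes per revoked entry")
    crl = crl_payload_bytes(250_000, 1 / 6, 25)
    print(f"250,000 issued, 1 in 6 revoked, 25 B/entry -> {crl / 1e6:.2f} MB of revokedCertificates")
    fetchers = 10_000  # constructed client count
    print(f"{fetchers} CRL fetches over 100 Mbps: {seconds_to_serve(fetchers, crl, 100e6):.0f} s")
    print(f"{fetchers} ~1 kB OCSP responses over 100 Mbps: {seconds_to_serve(fetchers, 1024, 100e6):.2f} s")
```

    With short sequential serials (4 to 8 bytes) an entry is 23 to 27 bytes, which is where the "20-30 bytes" figure comes from; CAs that use 16 to 20 bytes of random serial (as later CA/Browser Forum rules require) pay 35 to 39 bytes per entry, so the same revocation rate yields a CRL roughly half again as large.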

  4. Warrants != Investor on SCO's Other Investor: Sun Microsystems · Score: 1

    A warrant to buy stock at a future date is really the opposite of an investment. It's basically like an employee stock option, where the recipient (Sun) doesn't give any money to SCO unless it chooses to exercise the warrant at a later date. Sun would only exercise the warrant if the stock price of SCO had gone up enough in the meantime, and this is ultimately a money LOSING proposition for SCO, since it is handing over stock at some point in the future for lower than market value.

    This is entirely in Sun's favor and gives no money or direct benefit to SCO. It is actually a form of compensation in the opposite direction ... SCO was basically giving Sun warrants in exchange for something else. Most likely, that "something else" was Sun's license revenue or some market/partnership deal.

  5. Re:Good. NOT! on US Immigration Implements Biometric-based Border · Score: 1

    Absolutely, but these issues are separate from the question of whether a digital biometric should be represented on passport/border/identification documents.

  6. Good. on US Immigration Implements Biometric-based Border · Score: 3, Insightful

    National borders have used identification credentials (passports) with a second-factor biometric (photographs) for decades. The difference is that the old biometric was analog, and was performed manually by a customs agent, and the new one is digital.

    The slashdot crowd should get up in arms about places where biometrics are used where governments/corporations have no right or requirement of knowing exactly who you are. Disneyland shouldn't need my fingerprint to sell me a ride on Magic Mountain.

    Border crossings are a case where the governments absolutely SHOULD know exactly who you are. That's the entire point of something like a passport, and a second or third authentication factor will only help make this identification more accurate.

    This is a completely separate issue from whether those resulting biometrics should be stored in a linked database that is accessible for law enforcement. This should be addressed through legislation, or biometrics should be chosen that would not directly help in law enforcement (e.g. iris scans, hand geometry, etc.).

  7. Re:That's another issue Extreme Programming solves on Coder or Architect? · Score: 1

    Drink the Kool-Aid ...

  8. Re:Why do some techies never learn? on Japanese I-Mode Phones Under Attack · Score: 2

    Which is why I only use an amber 80x24 VT100 terminal at home ... I'm terrified of what might happen if I could run applications on these so-called "personal computers."

    The whole idea of carrying around a fast ARM processor that I can't use for running applications is goofy.

  9. Re:Best reply to Mundie yet. on GPL FAQ · Score: 1

    Actually, it seems like a pretty bad response, with all of its talk of all non-GPL software as "tainted". Microsoft (et al.) would like nothing more than to paint an impression of free software as a haven for ideological, Birkenstock-wearing academics out to prevent anyone from creating and selling intellectual property for any purpose and any length of time.

    I don't think Stallman's philosophy reflects the majority of free software authors or users. When most of us get out of college, we realize we may like to give some of our work away and also get paid (in revenue, not just linux VC funds) for other works we create.

    A blanket statement that all non-GPL software products are "tainted" just harms programmers in relation to other professions (writers, artists, journalists) that can feed their families through controlled distribution of their original works.

  10. SAN != NFS,CIFS on Storage Area Network Solutions? · Score: 2

    Strictly speaking, Storage Area Networks are not the same as TCP/IP attached NFS or CIFS storage (which are typically referred to as Network Attached Storage - NAS).

    NAS is nice since there are a lot of simple off-the-shelf solutions that allow you to put a bunch of disks up with a server that can be accessed by many computers at the same time for both reading and writing. NFS is simple old technology with support in any $500 Linux box with a $20 ethernet card. The disadvantage is that it is slow ... as much as 100x slower than local hard drives due to all of the networking overhead.

    True SAN gets rid of the TCP/IP and NFS and just directly attaches disks to computers using something like a Fibre network (SCSI-3). This is blazingly fast (approximately local HD speeds), but requires more complex networking. Since each computer is basically mounting SCSI devices, you also don't have any easy way to have multiple computers that can read and write from the same SAN storage. Shared-SAN software is in the pipeline from Tivoli and Veritas, but you might want to take a look at Global File System, which allows you to have multiple Linux boxes on a Fibre SAN (or SCSI bus!) read and write from the same disks.