There is nothing new about allowing a company to repossess something it has sold if the buyer fails to pay for it, May added. Electric companies and other utilities end service to people who do not pay their bills, and banks repossess cars if the buyer does not make loan payments, he noted.
A bank cannot repossess your car because you told your friends how high the interest rate was. If I'm not mistaken--and I may very well be, ask your lawyers (ka-ching!)--the moment I breach my contract with the software supplier, they can shut off my software.
If I inform my superiors that the database performs only at 50% of the standard rate, in violation of anti-benchmarking clauses in the contract, I can come to work the next day and find my database performing at 0%.
Think the story ends here? Oh my, our database is broken and our data is trapped. Tsk, tsk, no reverse engineering, says so right there in the click wrap. So no wading through the proprietary database file system to recover your data, and nobody else gets to sell you a tool either--they're just as bound by the No Reverse Engineering clauses as you are.
Forget Don't Copy That Floppy. We're down to Don't Whirl That Perl.
How sad. All the poor schmucks were tryin' to do was be c00l with the e-crowd...
Will somebody please track down the four major candidates and find out what they think about corporations being able to censor the reactions of their customers, or remotely disable their wholly owned property?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Lemme get this straight. I'm sorry, this verges on the unprecedented:
A highly controversial bill with extremely disturbing implications against every single consumer, small business, and corporation in the country doesn't manage to get a single dissenter in the Virginia House?
Not one?
I don't buy it. I can't buy it. A resolution commemorating the life and work of Charles Schulz wouldn't pass unanimously, yet something that makes Virginia the battleground for hundreds of millions--if not billions--of dollars worth of lawsuits...
Oh. You've gotta be kidding me. You've seriously, truly, really gotta be fucking kidding me. Not even the worst trial lawyer would sink to *that*.
People, grass roots are great, but we need trees right now. Does your school use Samba? Does your company? Guess how long Samba gets to stay legal if UCITA passes?
Managers, do you want to be liable for asking your employees which database would serve your company better? Do you like reading unbiased reports? Maybe you don't. Maybe you're masochistic. Maybe you prefer the lose-lose scenario of years in court vs. solutions you've just been banned from knowing are inferior.
Unfortunately, that's just not your choice. As ever so many are happy to mention, a company's primary obligation is to its shareholders. You've gotta maximize profit, right? Does UCITA help you to maximize profit? Or does UCITA expose you to a constant stream of risks from which only years of litigation is the possible relief?
Consumers gain nothing. Businesses gain nothing. Software companies get the right to shut down...everything, with the full force of the law behind them.
Managers, whose company is it anyway?
CEO's, ready for hackers to start using those backdoors that software companies are gonna be able to legally put in their software?
Lawyers, ready to start drafting feverish defenses? Treasurers, ready to go for broke?
Virginians, wake up. You're under attack. Under the flag of the geek, you're about to get bit hard by a rattlesnake. Now, you might be able to suck the poison out, but it might be a better idea to whip out a shotgun and give UCITA's tongue a few more forks.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
GameNet, TechNet, Undernet, CultureNet, and InfoNet are always linking to each other. CorpNet usually links to partners, allies, and "unbiased members of InfoNet," although it often owns EveryNet (or, The InterNet!). Let's not get into X-Net and links...
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Applying the concept of continents--highly separated, long held virtually unbridgable and highly distinct land forms (from a social perspective, which is what Mr. Katz is working towards)--seems almost foolhardy in today's age of blurred edges.
It is not difficult to imagine a rapidly growing "grass roots site", utilizing and propounding the usage of the latest technologies, arguing the sociopolitical gains of widespread distribution of stigma-free demand-met service. For a limited fee, legitimacy, superior service, or just plain recognition would be proffered upon the customer; the Decision Solution would be borne out of tight integration between the objective fact, the groupthink bandwagon, and the means to complete the solving transaction. It'd be fun. It'd be sexy. It'd be commerce as God Himself must have intended it--it'd be huge.
And hungry...
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Somehow, someday, I'm going to start slipping down that horrible slope that Metcalfe has.
If this ever happens, please. Inform me that I am Metcalfing. Bludgeon it into my skull if you have to.
That's not to say that every controversial opinion I'll ever hold is automatically suspect--not that my opinions are a particularly huge deal by any measurement, but I actually believe *gasp* that Microsoft has made some rather valuable technical advances in their time. But if I <i>ever</i> come up with something as *brain dead, credibility destroying, and obviously flaccid flamebait* as "Open Sores", please!
Help me! Remind me of Mr. Metcalfe. If that fails, go grab something from ESR's stash ;-)
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Interesting. Appears to be an attempt at a rebuttal, or maybe something trying to elicit rampant anti-MS ranting.
You're not going to get that out of me; I hate Microsoft's business processes far more than I'll ever disrespect its coders by arbitrarily condemning the fruits of their labor.
Much Windows code is broken. Much isn't--I hold quite a bit of respect for your User Interface people, and I'm not afraid to admit it.
There are, however, some major problems with any infrastructure built upon Microsoft solutions. One serious issue is that, for a lot of what MS does, they're the only ones that can do it--the collateral damage of the hidden and obfuscated OS interfaces which let MS attain dominance in the Office Suite market has been that Microsoft hasn't had the internal drive to fix those problems that everyone else needs to suffer through, but that Microsoft can escape by accessing their APIs.
You'll never find Ordinals (APIs accessed by numbers alone) on the Linux platform. And while there's a lot of stuff you won't find on Linux, there's very little you can be sure you'll *never* find. And that's a problem.
I don't really want to argue the questionability of Microsoft in the literal programmatic space, if for no other reason than I think there are quite a few counterarguments that can be brought up that are entirely valid. The point is not really that Windows is an inferior environment to program in, it's that it's a much *harder* environment to program correctly, and worse, it's *intentionally* harder.
Linux, despite the lack of a VS6-grade IDE (and that's coming in the form of KDevelop), is and will always be far simpler for developers to dip their toes into. All systems ship with a compiler, and incremental study of universally available source can convert even armchair coders into contributing members of the Linux community. There's a real bottom line in the fact that large scale customers can direct their own internal coders to fixing mission critical problems (i.e. the ones who are suffering the financial ruin can directly contribute to increasing their own savings) while small scale customers too tiny to appear on Microsoft's roadmap can still pull themselves out of the fire.
I agree with Microsoft's concept of a "digital nervous system", though I'm annoyed by the acronym. I'm just not convinced Microsoft is the greatest supplier of this system, and I don't think anyone else is either.
More about why I think the Open environment generates better code can be found in the essay on my website; please, feel free to respond with any concerns you might have after reading it or this post.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Federal development has a long history of public disclosure, and Open Source development is well known for providing the widest possible exposure of the codebase to security audit.
The common weakness of Open Source projects is the limited bandwidth for integrating the influx of data, patches, and functionality requests. Good projects have, and need, that core group of developers to guide the flow of the code, and it's this behavior that lends legitimacy to claims of authorship long after others take over non-insignificant module implementation.
This is the most concentrated point of labor in the otherwise highly distributed architecture of open code evolution. This, combined with the Federal Government's predilection for disclosure and concerns about (national!) security, would make it advisable for at least a few government contractors to consider integrating the GPL as a key win in their official project bids.
The timing is perfect: Microsoft's Worst-Case Scenario of the Sixty-Five Thousand Bug Operating System has deflated expectations of W2K considerably. Most governmental managers (decision makers) have just had a well-respected higher-up validate their employee's doubts in the "dominant paradigm". The market has fully validated Linux as a viable platform. And The Code Needs A Shepherd.
Why not Open Outsource? So much of the resistance to bringing in outside workers is that the internal developers aren't confident outside workers are going to meet their specific user requirements. Internal resistance would be lessened considerably if employees knew they could always fix the problems in software they were being tasked with deploying--and they'd even get to have their fixes integrated into the next release! Various departments would be able to cease redundant development; critical fixes would be integrated, experimental forks would be both possible and feasible at a low cost of exploration, and outside developments would be integrated into the central source trees based upon the strength of functionality, not force.
Open Outsourcing is the answer to the question of how the code development house makes money in the essay <a href="http://www.doxpara.com/core.html">I published some time ago</a>, and should be considered by decision makers throughout the entire market. I was just recently working on integrating this information into my essay before the DDoS stuff hit; I'd be happy to have it ready as soon as possible if anybody wishes to take advantage of it to try to win a contract.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Half of me wants to send it to the mayor; half of me is just wayyyyy too cynical right now to do so.
A large part of fighting the system is the feeling that it'd matter. I've read what politicians think of e-mail. I'd probably think that same damn thing.
You want a bottom line? Fun has no value to government. Only taxes.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
> A switch functions by only analyzing the raw ethernet (or mac) address.
Not necessarily, anymore. L3 Switching and even L4 Switching is quite hot nowadays. Matching bits and ANDing them--that's what switches do, and that's what IP Interface checking does. L3 and L4 switches essentially match more bits in their quest to do better and more accurate QoS. I'm not absolutely sure if Cisco's switches will do the IP range checking, but I wouldn't be surprised if they did it in hardware. Sig, it's a cheap operation.
> A router works at a higher level, and CAN do stateful analysis... but for speed you really shouldn't - that's what the firewall is for. Firewalling the backbones would be... umm.. very bad.
For cryin' out loud, this has NOTHING to do with State. Either I'm sending out a packet on a bogus source, or I'm not. This contrasts *heavily* against "Firewall receives an ACK packet--is it spoofed, or is it a response to a pre-existing SYN? Better check the state..."
I'm not talking about firewalling the backbones, only the entry points. And what the hell do you think Yahoo screamed at their ISPs to do when lots of traffic was coming down the pipe that had nothing to do with the Web? "KILL EVERYTHING BUT PORT 80!"
That's not firewalling the backbones. That's managing the access points.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
> That requires holding massive amounts of memory to hold all the information about which packets are going where, how many, etc.
Nope, Sig. You need stateful analysis when you cross the single packet barrier--for example, when the presence of an outgoing SYN creates a temporary tunnel through the firewall for an incoming ACK of a given Port/ISN+1.
It's just a comparison of the 32 bit Source Address with the 32 bit Network Address of the physical interface. That kinda thing doesn't even require Store And Forward...it's one or two AND ops. Where you start getting problems is when you have a layer or two of peered networks...but how many universities route packets for each other?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.
Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
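The check the two posts above describe (mask the 32-bit source address with the interface's netmask, compare with the network address, no per-flow state) and the per-link categorization proposed in the second post, as an added worked example that is not code from the original posts. The router, link names, prefixes and packets are constructed for illustration; a link that is allowed to "peer for other network blocks" simply lists more than one prefix, and a link missing from the table fails closed.

```python
# Added example: stateless ingress (anti-spoofing) filter. Not code from the
# original posts; topology, link names, prefixes and packets are constructed.
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Hypothetical upstream router: each downstream link lists every prefix it
# may originate. A plain customer link gets exactly its assigned block; a
# link that also forwards for a peer lists the peer's block as well.
LINK_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/24", "203.0.113.0/25"],
}

Packet = Tuple[str, str, str]  # (ingress link, source, destination)


def compile_prefix(prefix: str) -> Tuple[int, int]:
    """Turn 'a.b.c.d/n' into (network, mask) as 32-bit integers."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return int(net.network_address), int(net.netmask)


def compile_table(table: Dict[str, List[str]]) -> Dict[str, List[Tuple[int, int]]]:
    """Precompute integer pairs so the per-packet cost is one AND and one
    compare per allowed prefix, with nothing remembered between packets."""
    return {link: [compile_prefix(p) for p in prefixes]
            for link, prefixes in table.items()}


COMPILED = compile_table(LINK_PREFIXES)


def source_allowed(link: str, src: str,
                   table: Dict[str, List[Tuple[int, int]]] = COMPILED) -> bool:
    """Stateless check: is src inside a prefix this link may originate?"""
    s = int(ipaddress.IPv4Address(src))
    for network, mask in table.get(link, ()):
        if (s & mask) == network:
            return True
    return False  # unknown link, or source outside every allowed prefix


def filter_batch(packets: Iterable[Packet],
                 table: Dict[str, List[Tuple[int, int]]] = COMPILED
                 ) -> Tuple[List[Packet], List[Packet]]:
    """Split a batch into (forwarded, dropped) using only per-packet fields."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        link, src, _dst = pkt
        (forwarded if source_allowed(link, src, table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic arriving at the hypothetical upstream router.
SAMPLE_PACKETS: List[Packet] = [
    ("cust-a", "192.0.2.77", "198.51.100.10"),   # legitimate
    ("cust-a", "198.51.100.5", "192.0.2.1"),     # spoofed: cust-b's block via cust-a
    ("cust-b", "203.0.113.9", "192.0.2.1"),      # legitimate transit for the peer
    ("cust-b", "203.0.113.200", "192.0.2.1"),    # outside the peer's /25: spoofed
    ("cust-b", "10.0.0.1", "192.0.2.1"),         # private source: spoofed
    ("unknown", "192.0.2.1", "192.0.2.1"),       # unclassified link: fail closed
]

if __name__ == "__main__":
    fwd, drop = filter_batch(SAMPLE_PACKETS)
    for pkt in fwd:
        print("forward", pkt)
    for pkt in drop:
        print("drop   ", pkt)
```

The loop over prefixes is the whole cost: no connection table, no reassembly, nothing that needs Store And Forward. On a real router the same rule is an ingress ACL or strict unicast RPF on the customer-facing interface; the multi-prefix entry for `cust-b` is the "able to peer for other network blocks" category, and the only state it needs is the static list of who that link legitimately forwards for.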
While you've done an excellent job analyzing the various DDoS tools, one thing I think we all realize about DoS tools is that, as time passes, we *are* going to lose the ability to detect whether a packet is fully legitimate or if contains a covertly channeled service denial command.
What's more insidious is that I don't think we're going to even be able to determine the nature of an attack in progress. Given enough compromised clients, it's more than conceivable that enough pseudo-browsers surfing at a humanistic rate could take down highly database-driven sites, not to even mention overload the maximum number of streams a multimedia site can supply. Such an attack would only reflect itself as the attack of the <a href="http://slashdot.org/comments.pl?sid=00/02/08/1338245&cid=60">Window Shopping Hordes</a>--people who search for everything but buy...nothing at all.
If we won't always be able to detect the initiation of these attacks, and we won't always be able to detect the commencement of these attacks, would it be fair to say that the only moderately reliable fingerprint of a looming attack is the single packet or set of packets that compromised the OS into loading the attack daemon in the first place?
If so, how can we use such fingerprints to our advantage? Should arbitrary core routers initiate tracer logs and NOC notification when large scale OS compromise fingerprints are detected?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Disney makes its animators sign statements that the company owns everything--every sketch, every thought, every image--on or off duty, at home, on vacation...
It's arguable that Disney contractually owns the dreams of its animators.
I'm excited to hear that Ford is creating a "minimum level of computing" for its employees, taking advantages of the tremendous network effects of having a totally wired workforce. They will benefit.
But will there be an acceptable barrier between work related and non work related reporting of computer resources? Will people unintentionally donate the fruits of their free time--hammered out on company resources--to their employers? More importantly, will we finally see a standard of privacy explicitly formed for non-realtime (logged by protocol necessity, like email or ICQ) yet highly informal conversation? Or will all mutterings and water cooler talk end up the domain of the corporate censor?
I've *had* a coworker lose her job over a minorly snide comment on a discussion forum. When the lines of communication are owned by the corporation, are the dangers and rights violations posited by the Founding Fathers merely executed by the Corporate rather than the Governmental? Or is Ford explicitly delineating what it can and cannot monitor?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
[WARNING: THIS SLASHDOT POST WENT UP WITH LUDICROUSLY BAD TIMING FOR ME. THIS IS AN EXTREMELY BITTER RANT. I WILL REGRET POSTING THIS LATER. YA KNOW WHAT? FUCK IT AND ANYONE WHO DOESN'T LIKE IT.]
Dear Willie:
Damnit! Are you guys ever going to let guys like me have a life?
I'm tired of fighting, Mr. Mayor. I grew up in The City. I sat there at age 14, imagining that when 16 rolled around, gee, I'd finally have to stop asking for rides and start <i>going places</i>. But, whoops, 16 wasn't enough, everything was 18 and over. Fine. I waited. 18 rolled around...whoops again! Can't drink, can't party! Better wait 'til 21. Now I'm 21 and live in Santa Clara, and what do I hear but half the clubs in San Francisco are under attack.
What the hell? Do you own Prozac futures or something? Have you ever stopped for a moment and considered exactly what happens when the event economy can support fewer and fewer individuals?
No, Willie, I bet you haven't. I've heard about your parties--you've thrown kinkfests that put a good chunk of the Castro parties to shame, if only because of the straight laced people you've dragged to them--and I've gotta say, I respect your cojones. But guess what--you go ahead and harass and subject and isolate as many people as possible...
And you eliminate me, and people like me.
Take a college town, or take a city spiting its culture to win some votes, and start cracking down. People like me, who used to be more fodder for the party, who might actually turn out to be decently cool, become risk, pure and simple.
Don't invite the geeks. They'll call attention. Watch who you bring; too many and we'll get busted. Leave them to their toys; screw 'em if they want to look back at their youth without regret.
And School Administrators wonder aloud where all these cliques are coming from, and why nobody has any school spirit anymore, and how it is that so many students just don't know each other.
Man cannot live on bread alone, and geeks cannot survive on mere technology. There's something called a well balanced life, and the systematic limitation of just how many people can enjoy theirs must end.
If residents are complaining, then the failure is the City's and the Zoning Commissions, not people like me who don't Know Everyone like you do. I want to have fun, Mr. Mayor. Yes, I admit it. I want to look back at a month and say, wow, I met some great people. I let myself go. I stopped being stressed about...everything.
I don't want drugs. I don't want pot. And I certainly don't want more f*cking technology. Give me loud music, new people, and an edge of unpredictability without the constant and truly ridiculous fear and loathing of the police and the government and the city councils and the Self Appointed Fun Police and I'll be happy!
I'll live in your city!
I'll come home!
You ruin my hometown as I just turn 21, and while your Prozac futures might skyrocket, I ain't ever going home, save maybe to campaign against your ass.
Capiche?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
The problem with--and relevance of--Free PC's is that most non-formal computer communication is still log-based, whereas most informal non-computer communication is composed of realtime communication.
Consider: It's illegal to tap a phone line proactively, and it's impossible to tap a phone line retroactively. The speech was either recorded from the realtime source or it was lost to the passage of time. Similar considerations affect person to person contact.
However, email is based upon my message staying on your machine until you see it. AIM, ICQ, and other instant messaging systems also are based on the concept that your text remains for as long as the client desires. The courts have ruled--correctly, incidentally--that you should not have the same rights against recording of an email as you should of a phone call because of this.
That's not to say that email shouldn't be private material not dissimilar to any other form of non-realtime communication--a paper letter, a video tape, or whatnot. But it's intrinsic in the format that it gets recorded.
And that's why corporations love the concept of informal communications shifting to email.
There are many protections on informal speech that have gone unspecified because they've been implemented by the protections against recording realtime communications. As everything shifts to non-realtime, an individual's informal communication profile is far easier to track, maintain, and correct.
Give your employees free PC's, and start logging not just the memos but the chatter. Start watching the buzz, not the hype. Start attacking the quiet dissidents, not the martyrs.
Don't get me wrong--I personally think Ford Motors is embarking on a bold and honorable step in giving 350K free pc's to their employees. But as we shift towards a society where informal communications are intrinsically non-realtime and logged, we need to be aware that the separation between public and private speech needs to be maintained. If the Free PC's are given in a cynical attempt to fund an employee monitoring infrastructure, or even if that becomes the unintended consequence, the harms to business will be significant.
It's the ability to speak privately that has maintained most of business's immunity from free speech codes. Should Americans start needing to go to onerous lengths to be able to speak without fear, there will be a backlash and Corporate America will be hurt by the resultant votemongering. I am not convinced that this would be a particularly good thing.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
To think or even say so is very dangerous: If something you do supports somebody else, wouldn't it be a good idea for that certain someone to do it himself, and blame you? Arguing like you do is useful only to convince the neutral why they shouldn't act evil, but those who are already evil will use it to their own advantage, and try to make the good guys responsible!
I'm becoming more and more of a believer that very few people are genuinely evil, most are just supremely selfish. That "all is fair in love and war" is no surprise in that context; both come from the same source.
A little to think about as Valiumtine's Day rolls around. (D.O.H.)
Anyway, I'm pretty much saying flat out that nobody's going to be thinking these geniuses are all K-Rad 3133+ hackers when their behavior is successfully used to turn some of their best supporters--the tech industry--against the right to be anonymous online.
That's not associating with them. That's saying, there's no good reason for what you're doing, because you're just doing what certain governmental forces want you to do anyway.
And incidentally, yes the government could blame it on the nonexistent evil, but why do it themselves when they merely need to wait for a patsy to do it for them?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Correct me if I'm wrong, but it's usually the number of times that the image has been requested, not a page on which the image is placed. A DoS script is unlikely to waste time requesting images.
The idea is to be indistinguishable from a genuine customer. You can't determine who to block--you've got customers angry because the system is slow, but you have no way to determine which ones are fake and which ones are there to buy something.
This attack is particularly frightening when one considers the relatively low number of clients needed to knock out even a hardware encryption system. "They keep lookin', but they just don't buy...but at least the ad sales are great!"
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Yahoo was taken down by a major Denial of Service attack--this is true.
What's really scary isn't DoS attacks that are obvious, but ones which are indistinguishable from regular traffic.
Reasonably static and well hosted sites like Yahoo wouldn't be taken out, but the average E-Commerce site, with dynamically generated pages off a single-point-of-failure SQL Server architecture would be completely knocked out by what appeared to be nothing more than extremely heavy traffic.
Such an attack would require massive compromise of hosts(since they'd be able to execute only a few five minute random clicksessions per hour), but would show up on no security scans and would be indistinguishable from an unusually large horde of window shoppers.
How would you defend against this? How would you even know you were under attack?
And, most intriguingly, if you're getting paid by the ad impression, would you care?
A quick message to the people responsible...your behavior will eventually lead to the kind of IP network monitoring that the Russian Government is making all their ISPs pay for. It is one thing to describe the attacks and work to repair the infrastructure; it's something entirely different to execute attacks that will quickly lead to solutions that can only be described as nightmarish.
Think for a moment who <i>wins</i> when you take down Yahoo, and shudder. Because there is a winner, and in the long run, it ain't you. You're helping someone. Guess who.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
That's what I want to know: We know about all these stars at Redhat, and VA, and from everywhere else...
But who, I ask, is behind the smoothly polished quality of Mandrake?
The creator of BeroLinux joined the Mandrake project a long time ago, this much I remember. BeroLinux was not only a one man distribution but the first out of the gate with Kernel 2.2 up and running. Mandrake has a lot of the feel of some one guiding force trying to catch all the loose ends--and it shows.
Yes, Mandrake 7.0 has areas of weakness that show up more than in any other Mandrake Linux distribution. Growing pains happen, and Mandrake's actually striking out with its own code this time around--and it's impressive code at that. Are Lothar and DiskDrake being ported to Alpha and Sparc as well?
You know, one of these days I'm just going to put up a clock "Days till Redhat acquires Mandrake"...
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
It sure ain't labels? Nah. They've still got their distribution networks set up, and the massive payola scenario they engineered with (former) radio station owners means that the advertising networks are locked up pretty tight too.
They've got the songs, the stores, and the stations. What they didn't have is the software, and the hardware that comes inside. By threatening to sue and/or refuse to license standards to consumer audio hardware manufacturers, they get to force some absolutely ridiculous amounts of anti-consumer design.
Would you want to buy a player that would refuse to play your music? Are there market forces that are pushing you to say, "Gee, I wish my music collection just didn't work. I'd love it if I could lose my entire investment to a rogue hacker. If only nothing worked together, and I could only use Windows, and I was only allowed to have a single music playing device, and I was miserable with anything but CDs!"
Nope, but there sure as hell are labels that wouldn't mind you saying that.
SDMI's doomed to fail, because that's what it does best. SDMI fails. People are proclaiming the death of a PC over a failure rate that is infinitely lower than SDMI's <i>intentional</i> rate of failure.
And when it fails...the status quo, pre MP3 but post payola, will be maintained for the labels. That's the plan--musicians, consumers, hardware manufacturers, linux coders be damned.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Well, one of the points they brought up in the technical documentation is that the morpher has a larger scale picture of the codeforms than any branch prediction / out of order execution engines could possibly hope for. That, combined with some rather elegant sidesteps around the multi-store/read problem, means you're talking about a system that can possibly be the bridge between x86 and VLIW technology.
In the long run, I see code directly compiled to or written for the Transmeta processors. FX/32 was never the killer app for Alphas; Linux is.
As for FPGA's, we've heard a lot of hype but surprisingly little results--a more efficient image capture board here, a bunch of hype about an FPGA programming language there...I'm in the post-hype, I'll believe it when I see it mode for those things.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
One of the things I discovered when I started looking more into the design of the Sound Blaster Live is that while it's got some ridiculous amount of MIPS, they're almost all hardcoded.
In other words, yeah, you can do a lot of processing, if you're specifically trying to process what they're trying to accelerate.
Take a gigahertz X86 processor and toss 256x256 texture bilinear filtering at it, and it's gonna choke. Take a Voodoo 1 that has entire gate arrays devoted to doing nothing else *but* filtering 256x256 textures scaled to arbitrary sizes, and it'll do just fine. That doesn't mean a Voodoo 1 is by definition faster than a Gigahertz x86 chip; it means that a hardware architecture highly optimized for a specific type of processing can execute those specific operations or sets of operations much, much faster than software attempting to do the same with a more general architecture.
Gate arrays beat emulation any day of the week;-)
What's interesting is that there's a rather large problem going on in the computer industry: General purpose processors are already quite fast enough to do almost anything that can be thrown at them, with the exception of those tasks that are wayyyyy outside of their design specifications. So you have servers at 10% load saturating their network bandwidth, but make that same server a rendering station and it could have ten times the power and still not meet demand.
Makes an interesting case for FPGA architectures which can dynamically rewrite the actual logic gates, and for directly programming Transmeta's surprisingly versatile Crusoes.
Incidentally, surfing web pages on a television sucks. Will PSX2 ship with VGA out? If so, it might have an interesting chance. By then, though, x86 webpads will likely be the standard.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
If Judy in the secretarial pool clicks on a click-through license, that won't bind the corporation to anything because Judy is neither an actual nor an apparent agent of the corporation.
If Judy in the secretarial pool pirates software, nobody questions the company's liability.
UCITA puts anything and everything the software company desires into the same Verboten Behavior category.
You're also ignoring the fact that managers too download random software...
Bottom line, all liability becomes questionable. And where there's a question, there's a lawsuit. Lawsuits, my friend, become both inevitable and expensive.
What part of fishing for dollars don't you understand?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
You're a manager at a large corporation. You employ thousands of people, some very experienced, others that you're just beginning to train.
Let me tell you what you can't afford. You can't afford the liability of any of your thousands of employees having the ability to commit the company as a whole to damn near anything. It's one thing to be liable if an employee pirates something. It's something completely different if you have to have your very expensive lawyers evaluate every single software EULA that any piss-ant department might be exposing your company to.
A mandate to only use standard EULAs is the end result from corporations, and suddenly most software companies have no chance of defeating Microsoft(whose EULA has to be accepted) or Open Source Software(whose licenses are standardized and non-threatening by default.)
Let's not forget that benchmarking restrictions apply just as strongly within a company--oops, now your managers aren't allowed to ask your engineers which database server would best fit your business's needs. More importantly, let's not forget that using a given piece of code could suddenly obligate your entire company to a full disclosure on how that code is being used--running a database on MSSQL? Oops, maybe in the next revision they'll say they have a right to retrieve "performance metrics" and "critical statistics" automatically...oh, don't try to firewall them, they'll remotely disable your server anyway...
And it'll all be legal. Violations of personal privacy pale in all sorts of aspects to the vitriolic reaction against violations of corporate privacy.
Now, nobody's stupid. This isn't going to happen, folks. UCITA's going nowhere, because it's just too much risk to too many people with far too much money.
The only reason this is even a topic of discussion is because more lawyers see a fountain of money flowing from the lawsuits than they see a fiduciary duty to their retained corporate clients to disclose the tremendous amount of legal risk such an ill-advised bill would create.
Never in the history of law has an unlimited amount of liability been enforceable in a unidirectional contract negotiation! The fact that such a bill got thoroughly rejected in the United States Congress should say more than a little about the advisability of such a dangerous standard of liability.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Physics is...not my strong suit. I don't claim it to be so, I'm not an expert in this field, I'm an outside observer that just has a few questions...
For one, exactly how do they propose to keep the water in liquid form?
Water remains liquid only at certain temperature/pressure ratios. Creating a vortex rather quickly creates large pressure differentials(almost by definition), and dumping light into something that isn't going to be able to spit it back out is going to increase temperature. How is the entire mass going to be kept in that one relatively small range that keeps the material liquid? Granted, an excessively smooth container might allow superheating of the fluid(water cannot boil unless there are microscopic ledges upon which bubbles may form, apparently), but having this fluid in contact with *any* other substance is going to create seriously ugly amounts of heat by way of friction.
Even supposing one could accelerate such a material to near-luminal speeds, at minimum a Zero-G environment and a vacuum would be required.
But that's one heck of a supposition! Assuming a massive object could be spun at such extreme rates is...generous. Am I wrong, here?
I must also ask where the concept of absorption has gone. For a while there, I was imagining they were describing a merger between fiber optic cable and a roach motel--light got in, then was forced to spin round and round the vortex forever. But who said that the water would become instantly clear? As it spun around, wouldn't more and more of it be converted to heat until there was no light left? I'm not slowing down light if I move it through a fiber optic cable that's a kilometer long but on a spool only a foot thick. The light still moved a kilometer, even if (from my "perspective") it only moved a foot. But fiber optic cable is very transparent; water isn't nearly as such--particularly water that bubbles and is highly agitated.
And how would light enter the system if the outside walls of the vortex were so particularly chaotic? This part, I'm really missing.
Something just seems...wrong here. Someone care to clue me in?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Are you kidding me?
Not a single legislator dissented?
Not one?
Lemme get this straight. I'm sorry, this verges on the unprecedented:
A highly controversial bill with extremely disturbing implications against every single consumer, small business, and corporation in the country doesn't manage to get a single dissenter in the Virginia House?
Not one?
I don't buy it. I can't buy it. A resolution commemorating the life and work of Charles Schulz wouldn't pass unanimously, yet something that makes Virginia the battleground for hundreds of millions--if not billions--of dollars worth of lawsuits...
Oh. You've gotta be kidding me. You've seriously, truly, really gotta be fucking kidding me. Not even the worst trial lawyer would sink to *that*.
People, grass roots are great, but we need trees right now. Does your school use Samba? Does your company? Guess how long Samba gets to stay legal if UCITA passes?
Managers, do you want to be liable for asking your employees which database would serve your company better? Do you like reading unbiased reports? Maybe you don't. Maybe you're masochistic. Maybe you prefer the lose-lose scenario of years in court vs. solutions you've just been banned from knowing are inferior.
Unfortunately, that's just not your choice. As ever so many are happy to mention, a company's primary obligation is to its shareholders. You've gotta maximize profit, right? Does UCITA help you to maximize profit? Or does UCITA expose you to a constant stream of risks from which only years of litigation is the possible relief?
Consumers gain nothing. Businesses gain nothing. Software companies get the right to shut down...everything, with the full force of the law behind them.
Managers, whose company is it anyway?
CEO's, ready for hackers to start using those backdoors that software companies are gonna be able to legally put in their software?
Lawyers, ready to start drafting feverish defenses? Treasurers, ready to go for broke?
Virginians, wake up. You're under attack. Under the flag of the geek, you're about to get bit hard by a rattlesnake. Now, you might be able to suck the poison out, but it might be a better idea to whip out a shotgun and give UCITA's tongue a few more forks.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
On competitor links--
GameNet, TechNet, Undernet, CultureNet, and InfoNet are always linking to each other. CorpNet usually links to partners, allies, and "unbiased members of InfoNet", although it often owns EveryNet (or, The InterNet!). Let's not get into X-Net and links...
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Applying the concept of continents--highly separated, long held virtually unbridgable and highly distinct land forms(from a social perspective, which is what Mr. Katz is working towards)--seems almost foolhardy in today's age of blurred edges.
It is not difficult to imagine a rapidly growing "grass roots site", utilizing and propounding the usage of the latest technologies, arguing the sociopolitical gains of widespread distribution of stigma-free demand-met service. For a limited fee, legitimacy, superior service, or just plain recognition would be proffered upon the customer; the Decision Solution would be borne out of tight integration between the objective fact, the groupthink bandwagon, and the means to complete the solving transaction. It'd be fun. It'd be sexy. It'd be commerce as God Himself must have intended it--it'd be huge.
And hungry...
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
People, I have this awful feeling.
;-)
Somehow, someday, I'm going to start slipping down that horrible slope that Metcalfe has.
If this ever happens, please. Inform me that I am Metcalfing. Bludgeon it into my skull if you have to.
That's not to say that every controversial opinion I'll ever hold is automatically suspect--not that my opinions are a particularly huge deal by any measurement, but I actually believe *gasp* that Microsoft has made some rather valuable technical advances in their time. But if I <i>ever</i> come up with something as *brain dead, credibility destroying, and obviously flaccid flamebait* as "Open Sores", please!
Help me! Remind me of Mr. Metcalfe. If that fails, go grab something from ESR's stash.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Interesting. Appears to be an attempt at a rebuttal, or maybe something trying to elicit rampant anti-MS ranting.
You're not going to get that out of me; I hate Microsoft's business processes far more than I'll ever disrespect its coders by arbitrarily condemning the fruits of their labor.
Much Windows code is broken. Much isn't--I hold quite a bit of respect to your User Interface people, and I'm not afraid to admit it.
There are, however, some major problems with any infrastructure built upon Microsoft solutions. One serious issue is that, for a lot of what MS does, they're the only ones that can do it--the collateral damage of the hidden and obfuscated OS interfaces which let MS attain dominance in the Office Suite market has been that Microsoft hasn't had the internal drive to fix those problems that everyone else needs to suffer through, but that Microsoft can escape by accessing their API's.
You'll never find Ordinals (API's accessed by numbers alone) on the Linux platform. And while there's a lot of stuff you won't find on Linux, there's very little you can be sure you'll *never* find. And that's a problem.
I don't really want to argue the questionability of Microsoft in the literal programmatic space, if for no other reason than I think there are quite a few counterarguments that can be brought up that are entirely valid. The point is not really that Windows is an inferior environment to program in, it's that it's a much *harder* environment to program correctly, and worse, it's *intentionally* harder.
Linux, despite the lack of a VS6-grade IDE (and that's coming in the form of KDevelop), is and will always be far simpler for developers to dip their toes into. All systems ship with a compiler, and incremental study of universally available code can convert even armchair coders into contributing members of the Linux community. There's a real bottom line in the fact that large scale customers can direct their own internal coders to fixing mission critical problems (i.e. the ones who are suffering the financial ruin can directly contribute to increasing their own savings) while small scale customers too tiny to appear on Microsoft's roadmap can still pull themselves out of the fire.
I agree with Microsoft's concept of a "digital nervous system", though I'm annoyed by the acronym. I'm just not convinced Microsoft is the greatest supplier of this system, and I don't think anyone else is either.
More about why I think the Open environment generates better code can be found in the essay on my website; please, feel free to respond with any concerns you might have after reading it or this post.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Federal development has a long history of public disclosure, and Open Source development is well known for providing the widest possible exposure of the codebase to security audit.
The common weakness of Open Source projects is the limited bandwidth for integrating the influx of data, patches, and functionality requests. Good projects have, and need, that core group of developers to guide the flow of the code, and it's this behavior that lends legitimacy to claims of authorship long after others take over non-insignificant module implementation.
This is the most concentrated point of labor in the otherwise highly distributed architecture of open code evolution. This, combined with the Federal Government's predilection for disclosure and concerns about (national!) security, would make it advisable for at least a few government contractors to consider integrating the GPL as a key win in their official project bids.
The timing is perfect: Microsoft's Worst-Case Scenario of the Sixty-Five Thousand Bug Operating System has deflated expectations of W2K considerably. Most governmental managers (decision makers) have just had a well-respected higher-up validate their employee's doubts in the "dominant paradigm". The market has fully validated Linux as a viable platform. And The Code Needs A Shepherd.
Why not Open Outsource? So much of the resistance to bringing in outside workers is that the internal developers aren't confident outside workers are going to meet their specific user requirements. Internal resistance would be lessened considerably if employees knew they could always fix the problems in software they were being tasked with deploying--and they'd even get to have their fixes integrated into the next release! Various departments would be able to cease redundant development; critical fixes would be integrated, experimental forks would be both possible and feasible at a low cost of exploration, and outside developments would be integrated into the central source trees based upon the strength of functionality, not force.
Open Outsourcing is the answer to the question of how the code development house makes money in the essay <a href="http://www.doxpara.com/core.html">I published some time ago</a>, and should be considered by decision makers throughout the entire market. I was just recently working on integrating this information into my essay before the DDoS stuff hit; I'd be happy to have it ready as soon as possible if anybody wishes to take advantage of it to try to win a contract.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Tgg--
Half of me wants to send it to the mayor; half of me is just wayyyyy too cynical right now to do so.
A large part of fighting the system is the feeling that it'd matter. I've read what politicians think of e-mail. I'd probably think that same damn thing.
You want a bottom line? Fun has no value to government. Only taxes.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
A switch functions by only analyzing the raw ethernet (or mac) address.
Not necessarily, anymore. L3 Switching and even L4 Switching is quite hot nowadays. Matching bits and ANDing them--that's what switches do, and that's what IP Interface checking does. L3 and L4 switches essentially match more bits in their quest to do better and more accurate QoS. I'm not absolutely sure if Cisco's switches will do the IP range checking, but I wouldn't be surprised if they did it in hardware. Sig, it's a cheap operation.
> A router works at a higher level, and CAN do
> stateful analysis... but for speed you really
> shouldn't - that's what the firewall is for.
> Firewalling the backbones would be... umm..
> very bad.
For cryin' out loud, this has NOTHING to do with State. Either I'm sending out a packet on a bogus source, or I'm not. This contrasts *heavily* against "Firewall receives an ACK packet--is it spoofed, or is it a response to a pre-existing SYN? Better check the state..."
I'm not talking about firewalling the backbones, only the entry points. And what the hell do you think Yahoo screamed at their ISPs to do when lots of traffic was coming down the pipe that had nothing to do with the Web? "KILL EVERYTHING BUT PORT 80!"
That's not firewalling the backbones. That's managing the access points.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
That requires holding massive amounts of memory to hold all the information about which packets are going where, how many, etc.
Nope, Sig. You need stateful analysis when you cross the single packet barrier--for example, when the presence of an outgoing SYN creates a temporary tunnel through the firewall for an incoming ACK of a given Port/ISN+1.
It's just a comparison of the 32 bit Source Address with the 32 bit Network Address of the physical interface. That kinda thing doesn't even require Store And Forward...it's one or two AND ops. Where you start getting problems is when you have a layer or two of peered networks...but how many universities route packets for each other?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.
Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
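The per-link source check described in the two posts above (mask the source address, compare it to the interface's network, and for links that transit traffic for peers, extend the same check to a short list of peered prefixes), as an added example that is not code from the original posts. The link table, prefix lists and packet batch below are constructed sample data using documentation address ranges, not a real configuration; the `Link` class and function names are this example's own.

```python
"""Stateless per-link ingress filter for IPv4 source addresses.

Added example; not code from the original posts. It implements the check the
posts describe: AND the packet's source with the link's netmask and compare
it to the link's network, and extend the same check to a short list of peered
prefixes for links that transit traffic for others. The link table and the
packet batch below are constructed sample data (RFC 5737 documentation
ranges), not a real configuration.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


def parse_prefix(cidr: str) -> Tuple[int, int]:
    """Turn 'a.b.c.d/n' (or a bare address, taken as /32) into (network, mask)."""
    addr, _, plen_str = cidr.partition("/")
    plen = int(plen_str) if plen_str else 32
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets) or not 0 <= plen <= 32:
        raise ValueError(f"bad prefix: {cidr!r}")
    ip = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return ip & mask, mask


def in_prefix(src: int, network: int, mask: int) -> bool:
    """The 'one or two AND ops': mask the source, compare with the network."""
    return (src & mask) == network


@dataclass
class Link:
    """A downstream link and the source prefixes it may originate."""
    name: str
    assigned: List[str]                               # its own assigned block(s)
    peered: List[str] = field(default_factory=list)   # blocks it transits for peers

    def allowed(self) -> List[Tuple[int, int]]:
        return [parse_prefix(p) for p in self.assigned + self.peered]


def ingress_check(link: Link, src_addr: str) -> bool:
    """Accept a packet arriving on `link` only if its source address lies in
    one of the link's allowed prefixes. No per-flow state is consulted; the
    decision depends on this packet alone."""
    src, _ = parse_prefix(src_addr)
    return any(in_prefix(src, net, mask) for net, mask in link.allowed())


def filter_packets(link: Link, sources: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a batch of packet source addresses into (accepted, dropped)."""
    accepted: List[str] = []
    dropped: List[str] = []
    for src in sources:
        (accepted if ingress_check(link, src) else dropped).append(src)
    return accepted, dropped


# Constructed sample: a leaf campus that peers for nobody, and a site that
# also transits traffic for one peer's block.
CAMPUS = Link("campus-uplink", assigned=["192.0.2.0/24"])
TRANSIT_SITE = Link("transit-site", assigned=["198.51.100.0/24"],
                    peered=["203.0.113.0/24"])

SAMPLE_SOURCES = ["192.0.2.77", "203.0.113.9", "10.1.2.3", "198.51.100.200"]

if __name__ == "__main__":
    for link in (CAMPUS, TRANSIT_SITE):
        ok, bad = filter_packets(link, SAMPLE_SOURCES)
        print(f"{link.name}: accepted={ok} dropped={bad}")
```

The campus link accepts only its own block and drops everything else, including the peer block that the transit site is allowed to forward; nothing about earlier packets is kept, which is what separates this from the SYN/ACK state tracking the post contrasts it with. The cost of the "peer forwarding lock-down" the second post asks about is just the length of the per-link prefix list.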
While you've done an excellent job analyzing the various DDoS tools, one thing I think we all realize about DoS tools is that, as time passes, we *are* going to lose the ability to detect whether a packet is fully legitimate or if it contains a covertly channeled service denial command.
What's more insidious is that I don't think we're going to even be able to determine the nature of an attack in progress. Given enough compromised clients, it's more than conceivable that enough pseudo-browsers surfing at a humanistic rate could take down highly database-driven sites, not to even mention overload the maximum number of streams a multimedia site can supply. Such an attack would only reflect itself as the attack of the <a href="http://slashdot.org/comments.pl?sid=00/02/08/1338245&cid=60">Window Shopping Hordes</a>--people who search for everything but buy...nothing at all.
If we won't always be able to detect the initiation of these attacks, and we won't always be able to detect the commencement of these attacks, would it be fair to say that the only moderately reliable fingerprint of a looming attack is the single packet or set of packets that compromised the OS into loading the attack daemon in the first place?
If so, how can we use such fingerprints to our advantage? Should arbitrary core routers initiate tracer logs and NOC notification when large scale OS compromise fingerprints are detected?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Somebody has to ask the question:
How much of me does my employer own?
Disney makes its animators sign statements that the company owns everything--every sketch, every thought, every image--on or off duty, at home, on vacation...
It's arguable that Disney contractually owns the dreams of its animators.
I'm excited to hear that Ford is creating a "minimum level of computing" for its employees, taking advantages of the tremendous network effects of having a totally wired workforce. They will benefit.
But will there be an acceptable barrier between work related and non work related reporting of computer resources? Will people unintentionally donate the fruits of their free time--hammered out on company resources--to their employers? More importantly, will we finally see a standard of privacy explicitly formed for non-realtime (logged by protocol necessity, like email or ICQ) yet highly informal conversation? Or will all mutterings and water cooler talk end up the domain of the corporate censor?
I've *had* a coworker lose her job over a minorly snide comment on a discussion forum. When the lines of communication are owned by the corporation, are the dangers and rights violations posited by the Founding Fathers merely executed by the Corporate rather than the Governmental? Or is Ford explicitly delineating what it can and cannot monitor?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
[WARNING: THIS SLASHDOT POST WENT UP WITH LUDICROUSLY BAD TIMING FOR ME. THIS IS AN EXTREMELY BITTER RANT. I WILL REGRET POSTING THIS LATER. YA KNOW WHAT? FUCK IT AND ANYONE WHO DOESN'T LIKE IT.]
Dear Willie:
Damnit! Are you guys ever going to let guys like me have a life?
I'm tired of fighting, Mr. Mayor. I grew up in The City. I sat there at age 14, imagining that when 16 rolled around, gee, I'd finally have to stop asking for rides and start <i>going places</i>. But, whoops, 16 wasn't enough, everything was 18 and over. Fine. I waited. 18 rolled around...whoops again! Can't drink, can't party! Better wait 'til 21. Now I'm 21 and live in Santa Clara, and what do I hear but half the clubs in San Francisco are under attack.
What the hell? Do you own Prozac futures or something? Have you ever stopped for a moment and considered exactly what happens when the event economy can support fewer and fewer individuals?
No, Willie, I bet you haven't. I've heard about your parties--you've thrown kinkfests that put a good chunk of the Castro parties to shame, if only because of the straight laced people you've dragged to them--and I've gotta say, I respect your cojones. But guess what--you go ahead and harass and subject and isolate as many people as possible...
And you eliminate me, and people like me.
Take a college town, or take a city spiting its culture to win some votes, and start cracking down. People like me, who used to be more fodder for the party, who might actually turn out to be decently cool, become risk, pure and simple.
Don't invite the geeks. They'll call attention. Watch who you bring; too many and we'll get busted. Leave them to their toys; screw 'em if they want to look back at their youth without regret.
And School Administrators wonder aloud where all these cliques are coming from, and why nobody has any school spirit anymore, and how it is that so many students just don't know each other.
Man cannot live on bread alone, and geeks cannot survive on mere technology. There's something called a well balanced life, and the systematic limitation of just how many people can enjoy theirs must end.
If residents are complaining, then the failure is the City's and the Zoning Commission's, not people like me who don't Know Everyone like you do. I want to have fun, Mr. Mayor. Yes, I admit it. I want to look back at a month and say, wow, I met some great people. I let myself go. I stopped being stressed about...everything.
I don't want drugs. I don't want pot. And I certainly don't want more f*cking technology. Give me loud music, new people, and an edge of unpredictability without the constant and truly ridiculous fear and loathing of the police and the government and the city councils and the Self Appointed Fun Police and I'll be happy!
I'll live in your city!
I'll come home!
You ruin my hometown as I just turn 21, and while your Prozac futures might skyrocket, I ain't ever going home, save maybe to campaign against your ass.
Capiche?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
The problem with--and relevance of--Free PC's is that most non-formal computer communication is still log-based, whereas most informal non-computer communication is composed of realtime communication.
Consider: It's illegal to tap a phone line proactively, and it's impossible to tap a phone line retroactively. The speech was either recorded from the realtime source or it was lost to the passage of time. Similar considerations affect person to person contact.
However, email is based upon my message staying on your machine until you see it. AIM, ICQ, and other instant messaging systems also are based on the concept that your text remains for as long as the client desires. The courts have ruled--correctly, incidentally--that you should not have the same rights against recording of an email as you should of a phone call because of this.
That's not to say that email shouldn't be private material not dissimilar to any other form of non-realtime communication--a paper letter, a video tape, or whatnot. But it's intrinsic in the format that it gets recorded.
And that's why corporations love the concept of informal communications shifting to email.
There are many protections on informal speech that have gone unspecified because they've been implemented by the protections against recording realtime communications. As everything shifts to non-realtime, an individual's informal communication profile is far easier to track, maintain, and correct.
Give your employees free PC's, and start logging not just the memos but the chatter. Start watching the buzz, not the hype. Start attacking the quiet dissidents, not the martyrs.
Don't get me wrong--I personally think Ford Motors is embarking on a bold and honorable step in giving 350K free pc's to their employees. But as we shift towards a society where informal communications are intrinsically non-realtime and logged, we need to be aware that the separation between public and private speech needs to be maintained. If the Free PC's are given in a cynical attempt to fund an employee monitoring infrastructure, or even if that becomes the unintended consequence, the harms to business will be significant.
It's the ability to speak privately that has maintained most of business's immunity from free speech codes. Should Americans start needing to go to onerous lengths to be able to speak without fear, there will be a backlash and Corporate America will be hurt by the resultant votemongering. I am not convinced that this would be a particularly good thing.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
To think or even say so is very dangerous: If something you do supports somebody else, wouldn't it be a good idea for that certain someone to do it himself, and blame you? Arguing like you do is useful only to convince the neutral why they shouldn't act evil, but those who are already evil will use it to their own advantage, and try to make the good guys responsible!
I'm becoming more and more of a believer that very few people are genuinely evil, most are just supremely selfish. That "all is fair in love and war" is no surprise in that context; both come from the same source.
A little to think about as Valiumtine's Day rolls around. (D.O.H.)
Anyway, I'm pretty much saying flat out that nobody's going to be thinking these geniuses are all K-Rad 3133+ hackers when their behavior is successfully used to turn some of their best supporters--the tech industry--against the right to be anonymous online.
That's not associating with them. That's saying, there's no good reason for what you're doing, because you're just doing what certain governmental forces want you to do anyway.
And incidentally, yes the government could blame it on the nonexistent evil, but why do it themselves when they merely need to wait for a patsy to do it for them?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Correct me if I'm wrong, but it's usually the number of times that the image has been requested, not a page on which the image is placed. A DoS script is unlikely to waste time requesting images.
The idea is to be indistinguishable from a genuine customer. You can't determine who to block--you've got customers angry because the system is slow, but you have no way to determine which ones are fake and which ones are there to buy something.
This attack is particularly frightening when one considers the relatively low number of clients needed to knock out even a hardware encryption system. "They keep lookin', but they just don't buy...but at least the ad sales are great!"
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Yahoo was taken down by a major Denial of Service attack--this is true.
What's really scary isn't DoS attacks that are obvious, but ones which are indistinguishable from regular traffic.
Reasonably static and well hosted sites like Yahoo wouldn't be taken out, but the average E-Commerce site, with dynamically generated pages off a single-point-of-failure SQL Server architecture would be completely knocked out by what appeared to be nothing more than extremely heavy traffic.
Such an attack would require massive compromise of hosts(since they'd be able to execute only a few five minute random clicksessions per hour), but would show up on no security scans and would be indistinguishable from an unusually large horde of window shoppers.
How would you defend against this? How would you even know you were under attack?
And, most intriguingly, if you're getting paid by the ad impression, would you care?
A quick message to the people responsible...your behavior will eventually lead to the kind of IP network monitoring that the Russian Government is making all their ISPs pay for. It is one thing to describe the attacks and work to repair the infrastructure; it's something entirely different to execute attacks that will quickly lead to solutions that can only be described as nightmarish.
Think for a moment who <i>wins</i> when you take down Yahoo, and shudder. Because there is a winner, and in the long run, it ain't you. You're helping someone. Guess who.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
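The two posts above ask how a site would even know it was under a "window shopper" flood when every client looks legitimate. One defensive answer, as an added example that is not part of the original posts, is to watch the population rather than the individual: backend (dynamic page) load per client rises while the share of clients that ever reach a cart or checkout collapses. The log lines, path patterns and tuning factors below are constructed assumptions, not anything from the posts.

```python
import re
from collections import defaultdict

# Constructed quiet-period access log, "ip path status": a normal mix of
# browsing and buying that serves as the baseline.
NORMAL_LOG = """\
10.0.0.1 /product?id=17 200
10.0.0.1 /cart/add?id=17 200
10.0.0.2 /static/logo.png 200
10.0.0.2 /product?id=3 200
10.0.0.3 /search?q=shoes 200
10.0.0.3 /product?id=8 200
10.0.0.3 /checkout 200
10.0.0.4 /product?id=5 200
"""

# Constructed flood: four clients that each browse four dynamic pages and buy
# nothing, plus one genuine buyer. Each client on its own is a plausible shopper.
FLOOD_LOG = "\n".join(f"10.0.1.{i} /product?id={j} 200"
                      for i in range(4) for j in range(4)) + "\n" \
            "10.0.0.1 /product?id=17 200\n10.0.0.1 /cart/add?id=17 200\n"

DYNAMIC = re.compile(r"^/(product|search|category)")  # pages built from SQL queries
CONVERSION = re.compile(r"^/(cart|checkout)")         # footprint of a real buyer


def parse_log(text):
    """Per-client record: number of backend-hitting requests, and whether it converted."""
    clients = defaultdict(lambda: {"dynamic": 0, "converted": False})
    for line in text.splitlines():
        ip, path, _status = line.split()
        if DYNAMIC.match(path):
            clients[ip]["dynamic"] += 1
        if CONVERSION.match(path):
            clients[ip]["converted"] = True
    return clients


def population_stats(clients):
    """The two aggregate signals: backend load per client and conversion rate."""
    n = len(clients)
    dyn = sum(c["dynamic"] for c in clients.values())
    conv = sum(1 for c in clients.values() if c["converted"])
    return {"dynamic_per_client": dyn / n, "conversion_rate": conv / n}


def looks_like_shopper_flood(stats, baseline, load_factor=1.5, conv_factor=0.5):
    """True when load per client is well above baseline while conversions have collapsed.
    The factors are assumed tuning knobs; a real site derives them from its own history."""
    return (stats["dynamic_per_client"] > load_factor * baseline["dynamic_per_client"]
            and stats["conversion_rate"] < conv_factor * baseline["conversion_rate"])
```

Per-request filtering still cannot tell the fake shopper from the real one; the signal lives only in the aggregate, which is why the baseline must come from the site's own quiet-period traffic.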
That's what I want to know: We know about all these stars at Redhat, and VA, and from everywhere else...
But who, I ask, is behind the smoothly polished quality of Mandrake?
The creator of BeroLinux joined the Mandrake project a long time ago, this much I remember. BeroLinux was not only a one-man distribution but the first out of the gate with Kernel 2.2 up and running. Mandrake has a lot of the feel of some one guiding force trying to catch all the loose ends--and it shows.
Yes, Mandrake 7.0 has areas of weakness that show up more than in any other Mandrake Linux distribution. Growing pains happen, and Mandrake's actually striking out with its own code this time around--and it's impressive code at that. Are Lothar and DiskDrake being ported to Alpha and Sparc as well?
You know, one of these days I'm just going to put up a clock "Days till Redhat acquires Mandrake"...
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Who loses if digital media dies?
It sure ain't labels? Nah. They've still got their distribution networks set up, and the massive payola scenario they engineered with (former) radio station owners means that the advertising networks are locked up pretty tight too.
They've got the songs, the stores, and the stations. What they didn't have is the software, and the hardware that comes inside. By threatening to sue and/or refuse to license standards to consumer audio hardware manufacturers, they get to force some absolutely ridiculous amounts of anti-consumer design.
Would you want to buy a player that would refuse to play your music? Are there market forces that are pushing you to say, "Gee, I wish my music collection just didn't work. I'd love it if I could lose my entire investment to a rogue hacker. If only nothing worked together, and I could only use Windows, and I was only allowed to have a single music playing device, and I was miserable with anything but CDs!"
Nope, but there sure as hell are labels that wouldn't mind you saying that.
SDMI's doomed to fail, because that's what it does best. SDMI fails. People are proclaiming the death of a PC over a failure rate that is infinitely lower than SDMI's *intentional* rate of failure.
And when it fails...the status quo, pre MP3 but post payola, will be maintained for the labels. That's the plan--musicians, consumers, hardware manufacturers, linux coders be damned.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Well, one of the points they brought up in the technical documentation is that the morpher has a larger scale picture of the codeforms than any branch prediction / out of order execution engines could possibly hope for. That, combined with some rather elegant sidesteps around the multi-store/read problem, means you're talking about a system that can possibly be the bridge between x86 and VLIW technology.
In the long run, I see code directly compiled to or written for the Transmeta processors. FX/32 was never the killer app for Alphas; Linux is.
As for FPGAs, we've heard a lot of hype but surprisingly few results--a more efficient image capture board here, a bunch of hype about an FPGA programming language there...I'm in the post-hype, I'll-believe-it-when-I-see-it mode for those things.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
One of the things I discovered when I started looking more into the design of the Sound Blaster Live is that while it's got some ridiculous amount of MIPS, they're almost all hardcoded.
;-)
In other words, yeah, you can do a lot of processing, if you're specifically trying to process what they're trying to accelerate.
Take a gigahertz X86 processor and toss 256x256 texture bilinear filtering at it, and it's gonna choke. Take a Voodoo 1 that has entire gate arrays devoted to doing nothing else *but* filtering 256x256 textures scaled to arbitrary sizes, and it'll do just fine. That doesn't mean a Voodoo 1 is by definition faster than a Gigahertz x86 chip; it means that a hardware architecture highly optimized for a specific type of processing can execute those specific operations or sets of operations much, much faster than software attempting to do the same with a more general architecture.
Gate arrays beat emulation any day of the week.
What's interesting is that there's a rather large problem going on in the computer industry: General purpose processors are already quite fast enough to do almost anything that can be thrown at them, with the exception of those tasks that are wayyyyy outside of their design specifications. So you have servers at 10% load saturating their network bandwidth, but make that same server a rendering station and it could have ten times the power and still not meet demand.
Makes an interesting case for FPGA architectures which can dynamically rewrite the actual logic gates, and for directly programming Transmeta's surprisingly versatile Crusoes.
Incidentally, surfing web pages on a television sucks. Will PSX2 ship with VGA out? If so, it might have an interesting chance. By then, though, x86 webpads will likely be the standard.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
If Judy in the secretarial pool clicks on a click-through license, that won't bind the corporation to anything because Judy is neither an actual nor an apparent agent of the corporation.
If Judy in the secretarial pool pirates software, nobody questions the company's liability.
UCITA puts anything and everything the software company desires into the same Verboten Behavior category.
You're also ignoring the fact that managers too download random software...
Bottom line, all liability becomes questionable. And where there's a question, there's a lawsuit. Lawsuits, my friend, become both inevitable and expensive.
What part of fishing for dollars don't you understand?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
UCITA is dead in the water, and here's why:
You're a manager at a large corporation. You employ thousands of people, some very experienced, others that you're just beginning to train.
Let me tell you what you can't afford. You can't afford the liability of any of your thousands of employees having the ability to commit the company as a whole to damn near anything. It's one thing to be liable if an employee pirates something. It's something completely different if you have to have your very expensive lawyers evaluate every single software EULA that any piss-ant department might be exposing your company to.
A mandate to only use standard EULAs is the end result from corporations, and suddenly most software companies have no chance of defeating Microsoft (whose EULA has to be accepted) or Open Source Software (whose licenses are standardized and non-threatening by default).
Let's not forget that benchmarking restrictions apply just as strongly within a company--oops, now your managers aren't allowed to ask your engineers which database server would best fit your business's needs. More importantly, let's not forget that using a given piece of code could suddenly obligate your entire company to a full disclosure on how that code is being used--running a database on MSSQL? Oops, maybe in the next revision they'll say they have a right to retrieve "performance metrics" and "critical statistics" automatically...oh, don't try to firewall them, they'll remotely disable your server anyway...
And it'll all be legal. Violations of personal privacy pale in all sorts of aspects to the vitriolic reaction against violations of corporate privacy.
Now, nobody's stupid. This isn't going to happen, folks. UCITA's going nowhere, because it's just too much risk to too many people with far too much money.
The only reason this is even a topic of discussion is because more lawyers see a fountain of money flowing from the lawsuits than they see a fiduciary duty to their retained corporate clients to disclose the tremendous amount of legal risk such an ill-advised bill would create.
Never in the history of law has an unlimited amount of liability been enforceable in a unidirectional contract negotiation! The fact that such a bill got thoroughly rejected in the United States Congress should say more than a little about the advisability of such a dangerous standard of liability.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Physics is...not my strong suit. I don't claim it to be so, I'm not an expert in this field, I'm an outside observer that just has a few questions...
For one, exactly how do they propose to keep the water in liquid form?
Water remains liquid only at certain temperature/pressure ratios. Creating a vortex rather quickly creates large pressure differentials (almost by definition), and dumping light into something that isn't going to be able to spit it back out is going to increase temperature. How is the entire mass going to be kept in that one relatively small range that keeps the material liquid? Granted, an excessively smooth container might allow superheating of the fluid (water cannot boil unless there are microscopic ledges upon which bubbles may form, apparently), but having this fluid in contact with *any* other substance is going to create seriously ugly amounts of heat by way of friction.
Even supposing one could accelerate such a material to near-luminal speeds, at minimum a Zero-G environment and a vacuum would be required.
But that's one heck of a supposition! Assuming a massive object could be spun at such extreme rates is...generous. Am I wrong, here?
I must also ask where the concept of absorption has gone. For a while there, I was imagining they were describing a merger between fiber optic cable and a roach motel--light got in, then was forced to spin round and round the vortex forever. But who said that the water would become instantly clear? As it spun around, wouldn't more and more of it be converted to heat until there was no light left? I'm not slowing down light if I move it through a fiber optic cable that's a kilometer long but on a spool only a foot thick. The light still moved a kilometer, even if (from my "perspective") it only moved a foot. But fiber optic cable is very transparent; water isn't nearly as such--particularly water that bubbles and is highly agitated.
And how would light enter the system if the outside walls of the vortex were so particularly chaotic? This part, I'm really missing.
Something just seems...wrong here. Someone care to clue me in?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com