These stories show up because it didn't occur to the idiots in question that they could be tracked that way. However, once this becomes a common, and well known service, bad guys will increasingly be aware of it.
Btw. this kind of service has been available over here (Norway) for a couple of years now, and so far hardly anyone's bothered to sign up for it...
First of all, ethics has nothing to do with this. You're not worried about the ethics of the matter, if you were, you would've checked _FIRST_ to see whether what you were about to do was ehtical.
The real question you ask is: "how do I get away with blowing the whistle?"
It would, of course, be unethical to not notify the software makers, or the university, about such a vulnerability, but you should've talked to them about your suspicions in order to be ethical. After all, who knows what you could've broken in the process?
So you sent yourself up a certain waterway without a certain instrument, and that's just too bad for you.
"If I download a song but never listen to it, the record companies have lost absolutely nothing. However, if I steal a CD from a store and never listen to it, the CD still has to be replaced.
First of all, the cost of the CD is not relevant in this discussion, because any real loss inflicted on the record company is the loss of income on the music. CD cost is such a tiny fraction of this, as to be not worth considering.
Second of all, your "I never listen to it" argument will never have any credibility.
If you download a song, you do so with the intent of listening to it. There is no doubt about that.
Record companies are claiming that they are losing sales every time someone downloads a song.
Not at all. They lose sales every time someone downloads a song AND doesn't pay for it. The record company produces songs for sale, and you have no right to use their recordings without paying.
If the record companies had been a bit more foreseeing, they could've had music stores on the Internet ages ago, and avoided the problem alltogether.
I do believe record companies have themselves to blame for a lot this stuff, but there is no way you can get around the fact that the music was produced for sale through certain channels. Just because you can obtain it for free through a different channel, does not make the music any less copyright protected, because it is the same recording, which is copyrighted.
Copyright law might not reflect all aspects of this yet, but you can be sure it will.
Meanwhile, exploiting possible holes in this system will only lead to one thing: once legislation is in place, it will be much stricter than was necessary, just for the sake of stopping the worst few culprits.
MP3 downloading is nothing but shooting yourself in the foot.
And from this, it is obvious that Schneier seems to have a much more rational view on the matter. Kolstad is simply way off the mark.
Why? Well, simply because his "mental exercise" presents a bunch of worst case scenarios, but not a single piece of evidence or fact that shows how or when we would ever come into these situations.
The way it is presented, it looks more like unfounded paranoia than a sound analysis. He's repeatedly saying: what if is down for a week (or weeks)? What makes him think they will be, even if hit by a serious attack? Is he making the assumption that a more advanced worm would hit the Net with the initial force and speed of Slammer? Has he forgotten that Slammer effectively strangled itself? Also, he seems to ignore the fact that infrastructure providers (comms, water, electricity etc.) have been prepared for most kinds of disasters since the dawn of time, including computer system failures.
However much the geeks of the world would like to think so, the world does not revolve around computers, and won't end without them.
- Spamhaus' products "destroy" and "intercept" legitimate email transmissions.
- Spamhaus has *appropriated* IPs belonging to EMarketersAmerica member organizations for their own use and profit.
Ahh.. what a beaut.. These must be my favourite points of the spamming idiot's suit. I mean.. how dumb can you get?
What makes you think the rest of the world won't catch on to this as well?
Imagine when spammers flee the US, to use accounts in other countries.
Everybody else is going to jump on the bandwagon to secure some of this cash. Those who don't will probably, with time, be forced to pay taxed services to send through their networks. And, thus, most of the free and/or anonymous services will die.
Shouldn't be a problem, getting older generations to adopt this.
There is no way they'll have a working system up and running for a while anyway, and even when they do, they'd definetly have optional means of contact for a certain period.
OK, they are government, but they're not _that_ stupid. (are they?)
Micropayments in some form or another are a
necessity, aren't they?
Take small, recurring payments for, say, access to some information service.
The alternative to making these small payments would be subscription, right? But if the service
is sufficiently cheap (like 0.10$),
how much would we be willing to pay for a subscription? For how long?
First, the price for a subscription must be high enough to justify wasting transaction fees on. I'm not entirely sure that this price would be proportionate to the amount of usage expected.
If one changes the payment model (to micropayments) transaction fees would have to almost vanish. (This is one thing that makes it hard to get going, of course.) However, if we stick to "old" models, like a subscription, the rules of that game is less likely to change, and
we will be stuck with the transaction fees after all.
(My guess anyway..)
A norwegian company, called Subclearing (no web page) now want to offer micropayments through your phonebill. You enter your mobile phone number on the merchant website, they SMS you the password. Of course, that SMS will be more expensive than a regular SMS-message.
Here's the article (in norwegian, sorry) from a norwegian news site.
What du you mean "out of business"?
If you use your domain for business purposes,
you'll most probably have a business address
that you publicize.
What's wrong with registering that instead of
your home address?
Of course it will, we humans are built
too short-sighted to avoid problems like that.
As for SSL, I agree with another comment here:
that might not be the big problem. Obtaining
account information by listening to the network
is no trivial task. It is far easier to write a program to generate card numbers, and then abuse those on the internet.
Which brings me to my point:
A much larger threat is poor access control / identification. (Grossly) simplified, it is not that dangerous that someone can "see" the transfer of money from my account to others. What's the problem is whether the originator of that transfer request can be identified.
If you use a one-time password, for instance, it can't be used again. So what if someone reads it?
Keywords in this area now are Certificates, PKI and such. This is already being used with credit card payments, and I'm sure banks could find it useful to adopt similar solutions.
FYI:
www.setco.org
http://www.mbna.com/shopsafe/index.html
Yes, I do; when the amount of advertising completely overwhelms and drowns the content.
Sometimes it seems to me like we're headed that way with spam as well.
Besides, with TV / magazine ads, I have the option
to completely forget about them, ignore them.
Not so with spam. I have to invest time and effort
to filter and delete all this junk.
If someone was to ring you up 20 times a day to
throw different salespitches, you would probably
want to outlaw phone sales, wouldn't you?
Your're right, knowing the MAC today is useless.
However, come IPv6, and for the case where
someone _did_ use the MAC as part of the address,
you will be uniquely identified...
Anyway, with abundant IP-addresses, ISPs will be more inclined to give out static addresses to users (for ID-/logging-purposes). Thus, you're
scr***d, whether the MAC is included or not.
Slashdot Mirror
But you miss the point completely!!
These stories show up because it didn't occur to the idiots in question that they could be tracked that way.
However, once this becomes a common, and well known service, bad guys will increasingly be aware of it.
Btw. this kind of service has been available over here (Norway) for a couple of years now, and so far hardly anyone's bothered to sign up for it...
First of all, ethics has nothing to do with this.
You're not worried about the ethics of the matter,
if you were, you would've checked _FIRST_ to see whether what you were about to do was ehtical.
The real question you ask is: "how do I get away
with blowing the whistle?"
It would, of course, be unethical to not notify the software makers, or the university, about such a vulnerability, but you should've talked to them about your suspicions in order to be ethical.
After all, who knows what you could've broken in the process?
So you sent yourself up a certain waterway without a certain instrument, and that's just too bad for you.
This is just plain silly.
:)
"If I download a song but never listen to it, the record companies have lost absolutely nothing. However, if I steal a CD from a store and never listen to it, the CD still has to be replaced.
First of all, the cost of the CD is not relevant in this discussion, because any real loss inflicted on the record company is the loss of income on the music. CD cost is such a tiny fraction of this, as to be not worth considering.
Second of all, your "I never listen to it" argument will never have any credibility.
If you download a song, you do so with the intent of listening to it. There is no doubt about that.
Record companies are claiming that they are losing sales every time someone downloads a song.
Not at all. They lose sales every time someone downloads a song AND doesn't pay for it. The record company produces songs for sale, and you have no right to use their recordings without paying.
If the record companies had been a bit more foreseeing, they could've had music stores on the Internet ages ago, and avoided the problem alltogether.
I do believe record companies have themselves to blame for a lot this stuff, but there is no way you can get around the fact that the music was produced for sale through certain channels. Just because you can obtain it for free through a different channel, does not make the music any less copyright protected, because it is the same recording, which is copyrighted.
Copyright law might not reflect all aspects of this yet, but you can be sure it will.
Meanwhile, exploiting possible holes in this system will only lead to one thing: once legislation is in place, it will be much stricter than was necessary, just for the sake of stopping the worst few culprits.
MP3 downloading is nothing but shooting yourself in the foot.
Cheers, Anders
So, you're saying that if something is too expensive for you to buy, you have a right to take it for free instead?
:)
Interesting view...
Cheers,
Anders
And from this, it is obvious that Schneier seems to have a much more rational view on the matter. Kolstad is simply way off the mark.
Why?
Well, simply because his "mental exercise" presents a bunch of worst case scenarios, but not a single piece of evidence or fact that shows how or when we would ever come into these situations.
The way it is presented, it looks more like unfounded paranoia than a sound analysis. He's repeatedly saying: what if is down for a week (or weeks)?
What makes him think they will be, even if hit by a serious attack?
Is he making the assumption that a more advanced worm would hit the Net with the initial force and speed of Slammer? Has he forgotten that Slammer effectively strangled itself?
Also, he seems to ignore the fact that infrastructure providers (comms, water, electricity etc.) have been prepared for most kinds of disasters since the dawn of time, including computer system failures.
However much the geeks of the world would like to think so, the world does not revolve around computers, and won't end without them.
Point, but I don't think we should look to this timeline for any kind of accuracy...
:)
SPAM is older than '94, and blogs were around then, too.
Cheers,
Anders
Actually, his quest seems to be to piss off every person in the world.
And he's getting pretty good at it, too.
But at least they have made an explicit statement regarding this, and can use that to argue a case
against someone mining or scraping their site.
Did the company in the original article?
- Spamhaus' products "destroy" and "intercept" legitimate email transmissions. - Spamhaus has *appropriated* IPs belonging to EMarketersAmerica member organizations for their own use and profit.
Ahh.. what a beaut.. These must be my favourite points of the spamming idiot's suit. I mean.. how dumb can you get?
What makes you think the rest of the world won't catch on to this as well?
Imagine when spammers flee the US, to use accounts in other countries.
Everybody else is going to jump on the bandwagon to secure some of this cash. Those who don't will probably, with time, be forced to pay taxed services to send through their networks.
And, thus, most of the free and/or anonymous services will die.
Not to mention:
Bye-bye free email services
Bye-bye anonymous email-services
Shouldn't be a problem, getting older generations to adopt this.
There is no way they'll have a working system up and running for a while anyway, and even when they do, they'd definetly have optional means of contact for a certain period.
OK, they are government, but they're not _that_ stupid. (are they?)
Micropayments in some form or another are a necessity, aren't they?
Take small, recurring payments for, say, access to some information service.
The alternative to making these small payments would be subscription, right? But if the service is sufficiently cheap (like 0.10$), how much would we be willing to pay for a subscription? For how long?
First, the price for a subscription must be high enough to justify wasting transaction fees on. I'm not entirely sure that this price would be proportionate to the amount of usage expected. If one changes the payment model (to micropayments) transaction fees would have to almost vanish. (This is one thing that makes it hard to get going, of course.) However, if we stick to "old" models, like a subscription, the rules of that game is less likely to change, and we will be stuck with the transaction fees after all. (My guess anyway..)
A norwegian company, called Subclearing (no web page) now want to offer micropayments through your phonebill. You enter your mobile phone number on the merchant website, they SMS you the password. Of course, that SMS will be more expensive than a regular SMS-message. Here's the article (in norwegian, sorry) from a norwegian news site.
What du you mean "out of business"? If you use your domain for business purposes, you'll most probably have a business address that you publicize. What's wrong with registering that instead of your home address?
Of course it will, we humans are built too short-sighted to avoid problems like that. As for SSL, I agree with another comment here: that might not be the big problem. Obtaining account information by listening to the network is no trivial task. It is far easier to write a program to generate card numbers, and then abuse those on the internet. Which brings me to my point: A much larger threat is poor access control / identification. (Grossly) simplified, it is not that dangerous that someone can "see" the transfer of money from my account to others. What's the problem is whether the originator of that transfer request can be identified. If you use a one-time password, for instance, it can't be used again. So what if someone reads it? Keywords in this area now are Certificates, PKI and such. This is already being used with credit card payments, and I'm sure banks could find it useful to adopt similar solutions. FYI: www.setco.org http://www.mbna.com/shopsafe/index.html
Yes, I do; when the amount of advertising completely overwhelms and drowns the content.
Sometimes it seems to me like we're headed that way with spam as well.
Besides, with TV / magazine ads, I have the option
to completely forget about them, ignore them.
Not so with spam. I have to invest time and effort
to filter and delete all this junk.
If someone was to ring you up 20 times a day to
throw different salespitches, you would probably
want to outlaw phone sales, wouldn't you?
Your're right, knowing the MAC today is useless.
However, come IPv6, and for the case where
someone _did_ use the MAC as part of the address,
you will be uniquely identified...
Anyway, with abundant IP-addresses, ISPs will be more inclined to give out static addresses to users (for ID-/logging-purposes). Thus, you're
scr***d, whether the MAC is included or not.