Slashdot Mirror


User: Midnight_Falcon

Midnight_Falcon's activity in the archive.

Stories
0
Comments
301

Comments · 301

  1. The Real Name Policy: Partially to Blame on Australian Deported From Bahrain Over Facebook Posts · · Score: 1
    I was a college student in 2002, and my university was one of the first to be offered the ability for students with an @xxx.edu email address to sign up for Facebook.

    I signed up for it, looked at it, and saw what it did to my friends in the same dorm -- making them sit in front of the computer for hours at night, scrolling through pictures and comments posted by friends... all without communicating with them. I also had some serious concerns about privacy, as I started to see various little dramas emerge on campus as a result of information gleaned on Facebook. Also, since you have to use your real, legal name, this becomes very easily googlable and archivable for the future -- so something that seems "cool" in college could later become an embarrassing footnote during a future job search.

    I have always used various pseudonyms online, and I use Google+ today for the reason it lets me do this. In such a way, I can contribute comments with more impartiality, and without fear that someone can google it and gain information about my personality, and political preferences.

    However, since this person did indeed "friend" folks on Facebook that provided this information, the issue becomes more -- maybe he needs a second facebook or other social networking account so he can air his opinions more honestly?

    It seems to me like Facebook's strategy is to make all this information easy to access, and accountable to an individual person -- and they want it to be searchable, indexed, accessible to anyone. The long web of political associations, viewpoints and other issues expressed on Facebook is a treasure trove for investigators and extremely worrisome in totalitarian societies.

    How easy would it have been for the FBI to dismantle the Weather Underground in the 70s if all its members were on Facebook using their real names!?!

  2. Re:The POS conundrum... again on Diebold Marries VMs with ATMs to Secure Banking Data · · Score: 1

    It used to, back in the 90's. But it's bidirectional now, and has been for a long time.

  3. Re:The POS conundrum... again on Diebold Marries VMs with ATMs to Secure Banking Data · · Score: 1

    I'm pretty sure you can get HughesNet anywhere, but the cost might be prohibitive for certain businesses.

  4. Re:The POS conundrum... again on Diebold Marries VMs with ATMs to Secure Banking Data · · Score: 1
    Option 3: Use option #1, but get a backup 1) phone line for slow verification and 2) GPRS/3G USB radio for internet access, and make sure communication over the network is entirely TLS/SSL.

    Chances of both your 3G USB internet card and your DSL/cable going down simultaneously are quite low. Throw in a good old landline and modem to the mix and then there's super high availability.

    If all these internet options don't work, chances are some massive disaster prevents your business from operating anyway, eh?

  5. Re:Encryption? on Diebold Marries VMs with ATMs to Secure Banking Data · · Score: 1

    ATMs often use some type of cheap flash memory, and it's easy with basic forensic tools to recover even deleted data from there. As to encryption... some ATMs are quite old, and I wouldn't be surprised if you found a lot of DES implementations out there you can easily crack.

  6. Re:I can't believe that even Diebold on Diebold Marries VMs with ATMs to Secure Banking Data · · Score: 4, Informative
    Don't use your credit card at a restaurant then. Almost all point of sale systems cache locally to some extent, often for up to a month!

    These systems were all built with bad network communication in mind -- verifying over phones, etc, which causes them to have to store this credit card data (PAN data). Because modern systems are just upgrades on these old codebases, little has changed but to give it the bare amount of encryption/etc for PCI compliance, which is routinely ignored by small businesses.

  7. Re:Serious Hackers don't leave viruses/rootkits. on Cleaning Up the Mess After a Major Hack Attack · · Score: 2
    I'd agree that some hackers don't leave rootkits and instead prefer to set up legitimate network access, use service accounts to get into the directory (LDAP/AD etc). Also, most remote access software has been changed/modified so that it's harder to use in an exploitative way -- look at Citrix GotoAssist or logmein -- hard to install those surreptitiously, or at least maintain them from there. That's why it's becoming less and less common to use legitimate software as an attack vector, along with lack of support for reverse_tcp connections to get around firewalls/etc has caused attackers to move on (and software like GTA or Logmein uses a central server to get around firewalls, which is less than appealing for some hackers). Something like a persistent meterpreter service may indeed work better for many.

    However, I think there are some pretty serious hackers still using rootkits. How about Duqu/Stuxnet? Whoever wrote that seems fairly serious to me.

  8. Re:Serious Hackers don't leave viruses/rootkits. on Cleaning Up the Mess After a Major Hack Attack · · Score: 1
    This is very outdated knowledge unfortunately and I think the example is no longer relevant, and has been obsoleted. I'm also a security auditor, and Dameware NT utilities was a common installation on Windows NT, 2000 and some 2003 servers that were compromised.

    Unfortunately, Dameware NT utilities requires an open port on the firewall. Before Windows 2003's adoption, most servers had a public IP and were using no firewall or a software firewall. Thus, someone could exploit a Windows 2000 machine and then install Dameware NT utilities to keep open a backdoor to the console. However, if a hardware firewall is blocking all the ports dameware needs, you'd need to also compromise their internal network/VPN/etc. Thus, it's become a much less common vector for remote control.

    Rather than go with dameware, a simple VNC or shell daemon is preferred by hackers these days, in my observations at least. Nessus and other vulnerability scanners will detect the DameWare NT utilities etc being installed. Of course, some custom snort rules can also detect it, but then you need a mirrored switch port and the motions of setting up an entire IDS system, which may not be able to happen immediately in an incident response scenario.

    Highly sophisticated hackers these days do use rootkits and other backdoor exploits. They even use more sophisticated rootkits that can infect video card firmwares, etc, and be very difficult to remove.

  9. Re:Parking garage on Why Do All Movie Tickets Cost the Same? · · Score: 1

    In San Francisco, it's not in many locations (at least depending on the size of day), we have something called SFPark. http://sfpark.org/ Garages in New York and SF that I've visited also have similar policies and charge more for SUVs etc.

  10. Re:Capitalism naturally... on Why Richard Stallman Was Right All Along · · Score: 1
    I would suggest you read "The Origins of Totalitarianism" by Hannah Arendt.

    Your argument is that there is causation between there being a dictatorship in the first place, and then wealth and power being inevitably concentrated in the hands of the few.

    However, most societies that have drifted towards totalitarianism (notably, North Korea, China, Stalinist Russia, etc) have always had striated, hierarchical societies with power and money being concentrated on the top. The revolutions merely installed a new group into the place of the elites.

    The original anonymous coward who wrote that comment is correct, in that capitalism does naturally cause a disproportionate distribution of wealth and resources. That is why laissez-faire capitalism is all but nonexistent at this point, abandoned for mixed systems with controls over the economy -- e.g. the new deal, etc.

    Now, dictatorship can result in a distribution of wealth to parties as well -- as was the "pacted transition" of South Korea to democracy after the military willfully gave up rule after many years. This control model of transition to capitalism and democracy helped create one of the strongest economies of Asia and has been looked at as a model for other societies to adopt as well.

    Many scholars point out that changes in an economic system or a political system can create a new system that is a synergy between the two. For example, in the Middle Ages, capitalism emerged. However, feudal government was not good at responding to the demands of capitalism -- too often favoring certain parties, too slow to respond to the needs. Thus, a revolution was brewing to bring in a form of government responsive to the ever changing markets -- democracy -- whose system of elections ensures the government responds to developments quickly, or is replaced with one that will.

    Therefore, Feudalism + Capitalism then = Democracy.

    How is that compatible with capitalism leading to dictatorship?

  11. Re:If even strong passwords can get leaked... on Data Exposed In Stratfor Compromise Analyzed · · Score: 1
    I think we're misunderstanding each other. In proper SSH key configurations, the key itself has a passphrase, although this passphrase is not a 'password' in the typical sense in that it is not transmitted to the server. It's only used for decrypting the file in place.

    Essentially what I was trying to say is that passwords only do so much, but should be used in combination with another means of security (e.g. two factor auth). I suppose "don't use passwords if possible" can be interpreted as simply "don't put security on things"; which is not what I was trying to say. I was just saying passwords aren't the only way to secure things and should be part of it, not end-all-be-all. Anyone with the password has access if you use a password, and there are lots of means of maintaining that. Now, obtaining SSH keys and getting 2fa-protected VPN credentials is a whole much tougher layer of the onion to peel back.
    I think SSH key only access on a webserver is far superior to passwords being allowed. Of course, if you leave your key hanging out available, that'll be compromised. But good luck brute forcing an SSH key.

  12. Re:Doublespeak/Equivocation on Rackspace: SOPA "Is a Deeply Flawed Piece of Legislation" · · Score: 4, Insightful

    How about what Google is doing, paying lobbying groups and using lots of their resources to actively campaign against SOPA?

  13. Doublespeak/Equivocation on Rackspace: SOPA "Is a Deeply Flawed Piece of Legislation" · · Score: 1, Troll

    While Rackspace here says that SOPA is a flawed piece of legislation (jumping on the bandwagon after seeing the turmoil caused for GoDaddy in the blog and geekospheres), it leaves the door open for them to support future, similar acts when that becomes fashionable or serves to make them money.
    Coming out now and making a public statement in support would be suicide for their business, especially their cloud hosting business that has a lot more tech-savvy and SOPA-conscious customers than GoDaddy's services like wordpress hosting etc.
    But at the end of the day, if anyone sends Rackspace a subpoena or DMCA letter, they knee-jerk right into compliance and give what they want. They don't have a policy of fighting things like Twitter (which is of arguable utility), and have no history of using their legal resources to do anything but guarantee business continuity.
    Rackspace is not known as a company with any strong moral, ethical or other principles, it's just out there for profit, and it says what is fashionable for profit at the time.

  14. Re:If even strong passwords can get leaked... on Data Exposed In Stratfor Compromise Analyzed · · Score: 1

    Huh? I was referring to webservers where you don't have physical access and can only be hacked remotely. Of course no one would suggest having no password on your laptop, rather, your laptop should have full disk encryption if possible with a password. Using keyfiles from a smartcard and a password for that is even better.

  15. Re:DNS Hack? on New York Times Hacked? · · Score: 1
    You've forgotten about the biggest factor inhibiting a cover-up -- the other news organizations! The NYT has a lot of rivals out there, and it's certain that the Wash Post or Reuters etc would love to run stories about their poor security, if that's the case.

    The NY times has been hacked before and is frequently a target for hackers, defacements etc and very likely invests a good sum of money in internal security. However, their mass emails are done by an external vendor, and that's just probably managed as a monthly fee moreso than a part of their network.

    Occam's razor, Skapare... if they went through all this effort on a phishing attempt, if they had hacked the internal DB couldn't they just run the cards of high profile or high net worth individuals, maybe sorted by neighborhood? Start charging people on the Upper East Side of Manhattan first?

    Or send out phishing emails to everyone and hope that the least perspicacious (and not reliably wealthy) individuals give you their information?
    It just seems as though if the internal DB had been compromised, a lot of extra effort was done that was unnecessary or illogical. Thus I think logic fails on the assumption that the hack was internal to the NYT network, unless we get more information.

  16. Re:Likely malicious activity or a data breach... on New York Times Hacked? · · Score: 1

    Or the IT department of their upstream mail transfer provider, as most media agencies have rather than building an in-house network. I hope these systems are discrete.

  17. Copy of E-mail headers on New York Times Hacked? · · Score: 2
    Reinforces my earlier conclusion that their upstream MTA agent provider for mass mailings had been compromised, and likely still is.

    Available here: https://gist.github.com/1529336

    Received: from dmx1.bfi0.com (dmailer0121.dmx1.bfi0.com. [208.70.142.121]) by mx.google.com with ESMTP id v2si13633651ane.208.2011.12.28.10.17.18; Wed, 28 Dec 2011 10:17:18 -0800 (PST)

    Interesting areas:

    DKIM-Signature: v=1; a=rsa-sha1; d=email.newyorktimes.com; s=ei; c=simple/simple; DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;

  18. DNS Hack? on New York Times Hacked? · · Score: 4, Informative

    At first glance with little information, it appears as though the messages in question with reply-to address @email.nytimes.com, which resolves to the same host as the @ record of nytimes.com (presently, 11:58 PST, 199.239.136.200). However, the message was sent by dmailer099.dmx1.bfi0.com, 208.70.142.99. This is their upstream MTA provider called Epsilon, which had been known to have been hacked previously. Chances are this customer list was compromised from an upstream provider and the mail messages sent via hacking one of the servers at their mail provider, and the NYTimes internal network was not compromised, at least ostensibly by this act. Chances also are that NYTimes only uses this provider for mass communication and not internal messaging. So this is prominent because it involves the NYTimes and a phishing attempt, but in the grand scheme of things it's a bit of a dud.
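The header triage described in comments 17 and 18 above (origin relay versus DKIM signing domain versus reply-to domain), as an added example that is not part of the original comments; the sample headers are constructed from the fragments quoted there, with invented From/Reply-To addresses.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header fragments quoted in the comments;
# the From and Reply-To values are invented for this example.
SAMPLE = """\
Received: from dmx1.bfi0.com (dmailer0121.dmx1.bfi0.com. [208.70.142.121]) by mx.google.com with ESMTP id v2si13633651ane.208.2011.12.28.10.17.18; Wed, 28 Dec 2011 10:17:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; d=email.newyorktimes.com; s=ei; c=simple/simple;
From: newsletter@email.newyorktimes.com
Reply-To: reply@email.nytimes.com
Subject: (constructed sample)

body
"""

# "from <helo> (<reverse-dns> [<ip>])" as most MTAs write it; the rDNS part may be empty.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([0-9.]+)\]\)")


def base_domain(host):
    """Crude registrable-domain guess: the last two labels.  Fine for .com,
    wrong for two-level suffixes such as co.uk (use a public-suffix list there)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_received(value):
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    helo, rdns, ip = m.groups()
    return {"helo": helo, "rdns": rdns.rstrip("."), "ip": ip}


def triage(raw):
    msg = message_from_string(raw)
    # Each hop prepends its own Received header, so the last one is the origin.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin = hops[-1] if hops else None
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1) if m else None
    addr = msg.get("Reply-To") or msg.get("From") or ""
    reply_domain = addr.rsplit("@", 1)[1].strip("> ") if "@" in addr else None

    findings = []
    relay_domain = base_domain(origin["rdns"] or origin["helo"]) if origin else None
    if relay_domain and dkim_domain and relay_domain != base_domain(dkim_domain):
        findings.append(f"origin relay {origin['rdns']} ({origin['ip']}) is a third party "
                        f"({relay_domain}), not the DKIM signer {dkim_domain}: an outsourced "
                        f"bulk mailer; a valid signature only proves that mailer holds the key")
    if dkim_domain and reply_domain and base_domain(dkim_domain) != base_domain(reply_domain):
        findings.append(f"DKIM d={dkim_domain} does not match Reply-To domain {reply_domain}")
    return {"hops": hops, "dkim_domain": dkim_domain, "reply_domain": reply_domain,
            "relay_domain": relay_domain, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("-", line)
```

The second finding is the one that distinguishes "mailer compromised" from "NYT network compromised": a DKIM pass for the vendor's d= domain says nothing about who authorised the content.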

  19. Re:If even strong passwords can get leaked... on Data Exposed In Stratfor Compromise Analyzed · · Score: 1
    Passwords are of course useful but not without their flaws, and they've been around so long that their flaws are long identified. Super complex passwords help for things like hard drive encryption, etc; where brute force is the only viable means of access.

    Don't use passwords if possible! Especially on your public web Linux server, unless they're at the application-level and protected by TLS/SSL.
    SSH daemon should only respond to key-based authentication queries, and furthermore iptables should lock down the SSH daemon to only known IPs. If your sysadmins don't pay for static IP service at home, they can use full tunnel VPN back to HQ.

    Putting in mod_security and keeping SELinux on does a lot to keep apache safe as well.
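An audit of the sshd settings the comment above calls for (key-only authentication, no root login), as an added example that is not the commenter's own tooling; the config fragments are constructed, and the "first value wins" rule it applies is how sshd itself resolves repeated keywords.

```python
import re

# Constructed sshd_config fragments: a weak one and the hardened equivalent.
WEAK = """\
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""

HARDENED = """\
# keys only; no passwords, no root shell over the network
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers deploy
"""

# OpenSSH defaults when the keyword is absent (ChallengeResponseAuthentication is
# an alias of KbdInteractiveAuthentication in newer releases).
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes", "permitrootlogin": "prohibit-password"}
REQUIRED = {"passwordauthentication": "no", "challengeresponseauthentication": "no",
            "pubkeyauthentication": "yes", "permitrootlogin": "no"}


def parse_sshd_config(text):
    """Return (global settings, Match blocks).  sshd keeps the FIRST value it sees
    for a keyword, so a later 'PasswordAuthentication no' does not override an
    earlier 'yes'.  Keywords are case-insensitive; 'Key value' and 'Key=value' both occur."""
    settings, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "settings": {}}
            matches.append(current)
        elif current is not None:
            current["settings"].setdefault(key, value.lower())
        else:
            settings.setdefault(key, value.lower())
    return settings, matches


def audit(text):
    """List deviations from a key-only, no-root policy; empty list means compliant."""
    cfg, matches = parse_sshd_config(text)
    problems = []
    for key, want in REQUIRED.items():
        got = cfg.get(key, DEFAULTS[key])
        if key == "permitrootlogin" and got in ("no", "prohibit-password"):
            continue  # either value keeps a password-guessed root shell out
        if got != want:
            problems.append(f"{key}: got {got!r}, want {want!r}")
    for m in matches:  # a Match block can silently re-open password auth for a subnet
        if m["settings"].get("passwordauthentication") == "yes":
            problems.append(f"Match {m['criteria']} re-enables password authentication")
    return problems


if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```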

  20. Re:Does it matter? on New WiFi Setup Flaw Allows Easy Router PIN Guessing · · Score: 2
    I would argue that WPA2-PSK is not nearly as secure as ethernet, especially 802.1x protected ethernet (which is rare). Here's why:

    * WiFi is wireless. Most hackers are more apt to hack from a coffee shop across the street with a nice 1-Watt WiFi radio/9+db antenna than try to gain physical access. You have to physically intrude into the network in order to get ethernet access -- and if you've gone this far, can't you just break into the server room and take the disks out of the servers!?!
    * WPA2-PSK uses a shared key. It is not 802.1x, there's no external auth gateway like LDAP or even an internal database. This key is subject to being inadvertently shared if any computer or device with wifi access is compromised. Then, all your WiFi communications are in the clear!
    * WPA2-PSK has absolutely no effect on ARP spoofing, poisoning, or other methods of running man-in-the-middle attacks. It's merely a perimeter security service -- once you're in the network, you can still run any attacks that the given routing equipment/firewalls allow you to, wireless or not.

    Also, I'd like to point out that using WPA2-PSK does NOT secure your HTTP connections like HTTPS -- they are still subject to eavesdropping if someone is within your internal network, or, if they are at your ISP, or any intermediary network in between. WPA2 is highly distinct from, with little overlap and no substitute for using SSL/TLS for HTTP transmissions!!
    My opinion is that WPA2-PSK is adequate security for a home of the average person, but not for any mid-sized or above business (or small business processing credit cards or other financial data). The choice of WiFi security algorithm is only like a gatekeeper at the city walls, once someone has entered your city, you still need to police your city.

  21. Re:outscoring / hireing cs degrees over tech schoo on The Undeclared "Cyber Cold War" With China · · Score: 1

    have put lot's of poor security in place now if trained to people to do IT work and not let a theory based class room do the training and payed for the hardware needed to do the job right vs trying to get by with the old stuff for a very long time.

    I have to say I cannot agree with this -- IT folks from tech schools tend not to have any knowledge of security, and these are the folks who set domain admin passwords to the company name. You find the worst problems when doing security audits where the IT people are from tech schools. Completely self-taught IT people tend to do better in my experience, and ones with CS degrees the best because they understand RFCs and cryptology etc -- this experience comes from having done dozens of compliance/security audits.
    Also, I'd hate to have to quip at you for this but, maybe that college education would have paid off in you being able to write complete sentences, understand contractions (e.g. lots, not lot's), capitalization and punctuation. If you're trying to defend seemingly less-educated people, writing at a first grade level is not going to help your cause.

  22. Re:It's Legal on Cnet Apologizes For Nmap Adware Mess · · Score: 1

    So when you click "I agree", you're agreeing to a principle, not a contract? Sounds a bit unreasonable. I think the moral of my comments is that you can debate whether or not it is technically legal all day, but this is a very distasteful act and Fyodor had taken measures to prevent it from happening. The fact someone found a legal loophole to get around enforcement of something clearly stated by Fyodor in his license is patently offensive, if not an actual criminal act or tort.

  23. Re:It's Legal on Cnet Apologizes For Nmap Adware Mess · · Score: 1

    As far as contracts go, as long as the terms aren't illegal and you have proper meeting of the minds, assent, etc; you can write whatever you want in crayon. I don't see anything wrong with his terms that would make it unenforceable in court or otherwise illegal. I don't think Fyodor's case hinges on it being a "derivative work." I think that definition is not germane to the fact he included the line about "Nmap into proprietary installer...". Then there's the whole other issue as to whether he agreed to C|Net's terms. On the Computer Fraud and Abuse Act, note that I was quoting Fyodor and I personally do not think this act can be used in this context, and Fyodor did say "potentially." In the end, I think a reasonably prudent person, and the average jury, would side with Fyodor's interpretation. However the average lawyer or judge would probably not. However, take Stephen Colbert's poll on the South Carolina ballot... are corporations people? The average person would vote "People are people" but the lawyer would say "Corporations are people." It's these systemic shenanigans that are being pointed out by this issue, and C|Net doing such a thing but being legally protected is nothing short of the same shenanigans.

  24. Re:It's Legal on Cnet Apologizes For Nmap Adware Mess · · Score: 1

    There's a concept in common law jurisdictions called a "contract of adhesion." There is substantial case law about ToS and other agreements being overruled on adhesion grounds. But yes -- someone agreed to their terms. So de jure, they might have some protection, but de facto, they've angered the internet community and will face some repercussions. I've already blocked download.com through DNS redirection on many of my clients' networks.

  25. Re:It's Legal on Cnet Apologizes For Nmap Adware Mess · · Score: 5, Informative

    Bruce: This is taken directly from Fyodor's email to nmap-hackers: In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't). We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!