Google have mentioned "robots.txt" pretty much every time Murdoch has spoken about this idea or anyone has cared to ask them for a comment. They've done so that many times in fact that I expect they've resorted to sending sample "robots.txt" files over to News Corp. just to get them to shut up and leave them alone and have possibly even considered proactively bypassing News Corp's sites. Personally, I think the endless rhetoric from Murdoch and complete lack of action on behalf of News Corp. is because either this boils down to a serious difference of opinion between Murdoch and a good chunk of his senior staff or they have their doubts and don't want to go it alone just in case.
Google Mail has a feature in Labs whereby they identify social groups within your email contact so that if you exchange a lot of emails between a certain group of people and suddenly add a new recipient it will flag a possible problem. Surely it would be possible to apply a similar methodology to Google Groups only with the IP addresses messages originate from - send from a new IP assignment and the message gets moderated, no matter how many successful posts you've made from elsewhere.
Is that all? Excellent! In that case I think that I can cite an example of prior art.
I worked on a system called "MUCH", short for "Many Users Creating Hypermedia", at the University of Liverpool in England back in 1989-1992. Running on UNIX and built in-house by postgraduate students under the guidance of Professor Roy Rada using C and the Andrew Toolkit", the project itself was inspired by Ted Nelson's "Project Xanadu". Mention of the project is also made in Prof. Rada's C.V. at his current employer, The University of Maryland, Baltimore County.
Fairly obviously, given the name, MUCH allowed multiple users to collaboratively create SGML based hypermedia documents via an integrated version control mechanism similar to that employed by Wikipedia. These documents, while mostly textual (it was the early 1990's!) besides having the ability to contain both graphical and audio content, could also contain any number of embedded external applets written using the Andrew Toolkit. Some of the proof of concept applications developed while I was there (work continued after I left) included animated clocks, calendars, calculators and other widgets, many of which were interactive.
I didn't say "don't fix the issue", just that there are occassions where you can't immediately apply a patch, no matter how desirable it might be. Sadly this scenario does happen from time to time and particularly so with enterprise applications, where "enterprise" is defined as "very expensive software with only a comparatively small number of customers and an even smaller group of developers". It's not just expensive, non-COTS applications either. Case in point Microsoft's DLL Hell v2.0 issue. Equally, it's not just a Windows issue; some time ago I had a business critical manufacturing application segfault when attempts were made to run it under an updated version of the Linux Kernel on a test box. Unfortunately said Kernel was released to address a rather trivial exploit and we had to try and mitigate the risk as best as possible while waiting for the vendor to fix the problem.
I think the same idea came up when this group hijaaked the Torpig net, and quite probably on several other similar occassions. Unfortunately, that opens up a whole new can of worms, if you'll excuse the pun. Specifically, if they issue commands for a botnet to shut itself down, or try to patch a vulnerable system, then they potentially become liable for whatever might go wrong. What if that vulnerable system was responsible for something critical and hadn't been patched because the patch broke the application, for instance? Or if the Botnet's "suicide" command did indeed remove the problem... by completely wiping the hard disk of infected systems?
Isn't the McKinnon case more like charging him to buy the lock that had been missing when he walked in?
No, not really; I think it's a little more complex than that. As far as I can tell, to use your analogy, McKinnon basically rattled the locks on the door, and found that they were unlocked. He then entered, rifled through the underwear drawers hoping to find something sexy (UFO data), and took some photos of what he found (copied files). He then left again leaving things mostly undistubed except for a few things out of place. Upon later noticing this, the owner reacted as most victims of burglary do; by going completely over the top on security to prevent similar things happening again. McKinnon isn't just being asked to pay for the missing lock on the door, but also dead bolts on the windows, steel shutters, a motion detection system and burgular alarm.
It's stupid because of the bit about the recipe and lack of any concession to where ingredients are sourced or whether the production process used is identical.
As an example, historically (and we're talking at least a thousand years, since it gets mentioned in the Domesday Book) Cheshire cheese was manufactured by the same process in no less than five counties; Cheshire itself, plus Denbighshire, Flintshire, Shropshire and Staffordshire. The first two of those are in Wales, while the latter two and Cheshire itself are in England. According to the EU rules, only Cheshire cheese which is manufactured in Cheshire itself is now entitled to the name, despite all of the historical precedent to the contrary.
Especially in the EU as far as I know, although I've never really found a satisfactory citation for it. If a product incorporates a place of origin in the name such as "Cornish Pastry", "Cumberland Sausage", and any number of cheeses etc., then apparently it has to have actually have been made the the geographical location being referred to, even if the recipe is identical. Another bright idea brought to you by the numbnuts that spent taxpayers money in order to regulate the permitted curvature of bananas...
Fubar'ed profile or Java/Flash is quite likely. Every time I've ever had a recent release version of Firefox crash (been using it since v0.something) I've had a site open that is whitelisted in NoScript for Flash or using Java.
Another possibility is the cache, or more likely a corrupted SQLite index DB. I recently saw this with GMail borking for me on one PC and hanging the initial load screen, then offering to load without Labs (which I don't use) which worked fine. Trying to load the page using the "No Labs" URL had the same issue, yet basic HTML worked fine. After looking at corrupted cookies and rogue extensions, I flushed the cache which presumably also reset the DB and it's been fine ever since.
Actually, I don't think there are any reasons that are specific to OSS and don't also apply in some way to commercial software as well. Quite often though switches I've made have been to another Free/OSS application; once a company is happy to have non-commercial software deployed, it's pretty rare that door gets closed again in my experience. In the rough order of the number of times I've stopped using a Free/OSS app, the reasons have been:
A better Free/OSS project became available. This is a fact of life and applies to closed source too. It just happens; you either stick with the product you know or you move the the better competing product and deal with the costs of making the switch and the new product's learning curve. IMHO, this is fine and is usually a sign of a healthy, competetive market.
The developer lost interest and the project stagnated. Again, this also applies to closed source apps. Most annoying here is where there is no viable alternative to switch to, which can become somewhat problematic to say the least.
A required feature was not available and the developer wasn't prepared to add it. Frustrating, but often understandable if the developer's ideas for future development lie along a different track to your own. The usual response here is; develop your own patch or fork it, but a lot of corporates don't actually have the time and resources to do that.
Failure to inter-operate well with other, normally closed source, applications. Similar to the above, but usually this is normally unsolvable. If your business relies on a proprietary app with scant, if any, interface documentation another app can use, then that's too bad.
Higher-Ups decided another application was to be the company standard, including corporate takeovers. Not a lot you can do here; once senior management says $app is to be the standard, then it's pretty rare that you can convince them to change their minds. Even this works both ways; I've worked for a mostly Microsoft shop that got taken over by a much more OSS friendly company and one of the first things we did was replace IIS with Apache.
To be fair, Hubble has imaged some of the planets in the solar system including Mars. I guess Ed Weiler is a glass half-full kind of guy and thinks we're actually going to get someone on Mars before the funds get cut and it gets faked at Area 51 again.:)
Also NASA's Weekly Top 10 page is worth a look. It'll take a week or maybe two for the cream of the latst Hubble pictures to filter to the top though; updates are every Tuesday night or Wednesday morning depending on your timezone.
There's an example of the Carina Nebula showing both "false colour" and something a closer to the "real colour" you would see from your space ship at The Register. It's also one of the images from the 56 at the Hubble site linked in the story, but let's try and spread the Slashdotting Love around...
Also, your "few million miles" just might be a little off and in some cases a few million light years or more would be more realistic.:) Some of these dust clouds and so on are *BIG*. If the Tarantula Nebula, for instance, was located as close as the Orion Nebula it would cover about a quarter of the sky.
I was going to say pretty much the same thing. The recommendation and approved procedure for suspected cases of swine flu here in the UK is to *call* your doctor and go through the symptoms over the phone to avoid spreading the disease further. If the doc thinks you have a genuine cases, then a friend or relation can go and pick up a prescription for your TamiFlu and, big whoop, you get to cut about one day off your suffering. My local surgery even has a sign on the door to that effect.
How about having a tested Live CD or other recovery disk that will boot the machine and get it on the network? If the machine ever fails to boot due to a local config problem, then you can boot off the CD, log in remotely and then manually mount the local partitions in order to fix problems.
I'd agree with this, but I was actually more taken with the concept of the Combo Stop/Refresh/Go button which with 20:20 hindsight just made me think "Duh! Why wasn't it done like this from the start?" What might be better for the tabs though is "Version C"; put the tabs over the location bar, but below the standard title bar of the OS in question. Of course, we are talking about probably the most configurable browser of them all, so the best solution has to be "Version D" which is where the user gets to use whichever style they prefer.
Having dealt with some particularly aggressive corporate and legislative senders of take down notices while working for an ISP, the standard form basically boils down to "Take this down, now!" where "now" is usually specified as a deliberately panic inducing number of hours. That statement will usually be backed up with another one stating that making you, as the ISP, will be held jointly liable if you don't comply within the stated time frame, which is probably why the ISPs concerned here came so unstuck. This can arrive via post or via email, hence the reason why black-holing "abuse@" or whatever your whois contact might be is a bad idea, particularly in light of this case. As you point out, so far that could easily be someone with an axe to grind against the target pretending to be an authorized issuer of the take down or someone relying on scare tactics.
In practice, on authentic take downs for anyone that knows what they are doing there is *always* a responsive contact at the source with verifiable credentials and most respectable ISPs will be well aware that whatever "now!" is defined as is flexible provided that action is being seen to be taken. That's where it gets more iffy; large scale operations like YouTube receive so may take downs that they simply don't have the resources to contact each individual target of a take down and let them state their case, so it's act first and deal with the fallout later, if any.
Provided you're not dealing with a pile them high and sell them cheap sales model then in reality there is plenty of time for due process, if the ISP chooses to do so and has the procedural framework and resources in place to support it. That can easily include verification of the source of the take down notice, allowing the target of the take down a chance to voluntarily comply or present evidence why they are not in breach of legal/ToS/AUP requirements, send that back to the source for comment and anything else you care to dream up depending on the situation. Needless to say, anything you do needs to be documented, relevant logs need to be preserved, and *everything* gets CC'd to your own Legal Department so they can intervene if things start getting ugly.
You need to dig a bit (it's mentioned in the seventh paragraph of the linked article, with a more detailed discussion on the second page), but basically the ISP in question failed to take action to shut down the hosted sites despite repeated takedown notices from Louis Vuitton. The only real precedent that this sets if you ask me is a very positive one in that if your "abuse@" email is a blackhole then you had better have extremely good liability cover and/or be very hard to reach to avoid being served with lawsuits.
Re:Cold Sweats
on
Robotic Mold
·
· Score: 5, Funny
I think it can be summed up best as "what could possibly grow wrong?"
It's no more impractical than driving licenses, passports or any number of other of other professional certifications, and documentation that are required to practice a trade in countless careers. The only stumbling block is for a government to want to implement the bureacracry and amount of backend storage and processing power that will be required to operate the system. If you think through the implications of that last sentence for a minute, then you'll realise that quite a lot of parties also get some hidden "benefits" out of this, precisely because of the reasons you cite:
It creates jobs, when governments are struggling with high unemployment in the wake of a recession.
It creates cash flow (you'd didn't think it would be free, did you?) when governments are struggling with a public cautious of spending in the wake of a recession.
Best/worst of all, depending on who you are, it's a back channel to create a huge database of computer users, probably tied to their ISP and assigned IP addresses.
If this gets sufficient attention to gain some traction in a sufficiently inclined governent, then I think you'll see government, the intelligence community, law enforcement and big media all jump on board with their lobbyists in tow PDQ. Then you've got all of the ICT contractors that service them and will inevitably see this as a fat revenue stream (whether the idea works or not). Frankly, I'm surprised we've got this far since 9/11 before the idea has come up in front of government as opposed to in an IT joke.
You don't need to "enforce" the license via law enforcement, although it could make it interesting in connection with legislation where your computer was found to be a member of a botnet if you didn't have one. All you need to do is require that businesses only employ computer operators who have a license. I'm pretty sure you'd have a hard time getting a job as a delivery driver, say, without a valid driving license. How many career opportunities do you think that you'd have in the world if you need a license to use a computer for business. Pretty much any office work is out, and in theory you couldn't even work at McDonald's because their cash registers are actually PCs. It get's even more essential if ISPs need to see one to create an account, and technically modern mobile phones mean that could apply to cellular carriers too.
What you think of the idea is certainly up for discussion, but if you can get business on board then it very practical indeed.
Give me a break! Frankly, I'm not sure why they've even bothered to obscure the identity of the company concerned since it's pretty much obvious to anyone who follows IT security news that they are talking about EstDomains and Vladimir Tsastsin. Try punching those into Google or whatever and you'll see this goes way beyond being just an "adware company".
You don't put the program on your compute; you keep it as a portable executable on a memory stick that is kept somewhere where it's highly unlikely to be found by a casual search; not too difficult given how small they can be. Combine that with something like TrueCrypt's hidden partitions that are supposedly(*) undetectable and as long as you don't slip up and divulge the fact there is a hidden "key", you can leave them searching through some suitably innocuous collection of data files.
(*) I refuse to believe in any "absolutes" like this when it comes to IT; many of the more innovative exploits out there take advantage of the mistaken belief that something can't be done or isn't an issue. People used to say it wasn't possible to write a program that could replicate by itself, and we all know how that turned out.
Actually, I'm mostly fine with the speed and typical results I'm getting at the moment. What annoys me the most about searching is when the first several pages of results are full of links to places that require you to have an account before you can access the answer or download the file. If I could define a blacklist that automatically excludes some of the worst offenders from my queries, that would be worth far more to me than shaving a few milliseconds of each search.
Slashdot Mirror
Google have mentioned "robots.txt" pretty much every time Murdoch has spoken about this idea or anyone has cared to ask them for a comment. They've done so that many times in fact that I expect they've resorted to sending sample "robots.txt" files over to News Corp. just to get them to shut up and leave them alone and have possibly even considered proactively bypassing News Corp's sites. Personally, I think the endless rhetoric from Murdoch and complete lack of action on behalf of News Corp. is because either this boils down to a serious difference of opinion between Murdoch and a good chunk of his senior staff or they have their doubts and don't want to go it alone just in case.
Google Mail has a feature in Labs whereby they identify social groups within your email contact so that if you exchange a lot of emails between a certain group of people and suddenly add a new recipient it will flag a possible problem. Surely it would be possible to apply a similar methodology to Google Groups only with the IP addresses messages originate from - send from a new IP assignment and the message gets moderated, no matter how many successful posts you've made from elsewhere.
Is that all? Excellent! In that case I think that I can cite an example of prior art.
I worked on a system called "MUCH", short for "Many Users Creating Hypermedia", at the University of Liverpool in England back in 1989-1992. Running on UNIX and built in-house by postgraduate students under the guidance of Professor Roy Rada using C and the Andrew Toolkit", the project itself was inspired by Ted Nelson's "Project Xanadu". Mention of the project is also made in Prof. Rada's C.V. at his current employer, The University of Maryland, Baltimore County.
Fairly obviously, given the name, MUCH allowed multiple users to collaboratively create SGML based hypermedia documents via an integrated version control mechanism similar to that employed by Wikipedia. These documents, while mostly textual (it was the early 1990's!) besides having the ability to contain both graphical and audio content, could also contain any number of embedded external applets written using the Andrew Toolkit. Some of the proof of concept applications developed while I was there (work continued after I left) included animated clocks, calendars, calculators and other widgets, many of which were interactive.
I didn't say "don't fix the issue", just that there are occassions where you can't immediately apply a patch, no matter how desirable it might be. Sadly this scenario does happen from time to time and particularly so with enterprise applications, where "enterprise" is defined as "very expensive software with only a comparatively small number of customers and an even smaller group of developers". It's not just expensive, non-COTS applications either. Case in point Microsoft's DLL Hell v2.0 issue. Equally, it's not just a Windows issue; some time ago I had a business critical manufacturing application segfault when attempts were made to run it under an updated version of the Linux Kernel on a test box. Unfortunately said Kernel was released to address a rather trivial exploit and we had to try and mitigate the risk as best as possible while waiting for the vendor to fix the problem.
I think the same idea came up when this group hijaaked the Torpig net, and quite probably on several other similar occassions. Unfortunately, that opens up a whole new can of worms, if you'll excuse the pun. Specifically, if they issue commands for a botnet to shut itself down, or try to patch a vulnerable system, then they potentially become liable for whatever might go wrong. What if that vulnerable system was responsible for something critical and hadn't been patched because the patch broke the application, for instance? Or if the Botnet's "suicide" command did indeed remove the problem... by completely wiping the hard disk of infected systems?
No, not really; I think it's a little more complex than that. As far as I can tell, to use your analogy, McKinnon basically rattled the locks on the door, and found that they were unlocked. He then entered, rifled through the underwear drawers hoping to find something sexy (UFO data), and took some photos of what he found (copied files). He then left again leaving things mostly undistubed except for a few things out of place. Upon later noticing this, the owner reacted as most victims of burglary do; by going completely over the top on security to prevent similar things happening again. McKinnon isn't just being asked to pay for the missing lock on the door, but also dead bolts on the windows, steel shutters, a motion detection system and burgular alarm.
It's stupid because of the bit about the recipe and lack of any concession to where ingredients are sourced or whether the production process used is identical.
As an example, historically (and we're talking at least a thousand years, since it gets mentioned in the Domesday Book) Cheshire cheese was manufactured by the same process in no less than five counties; Cheshire itself, plus Denbighshire, Flintshire, Shropshire and Staffordshire. The first two of those are in Wales, while the latter two and Cheshire itself are in England. According to the EU rules, only Cheshire cheese which is manufactured in Cheshire itself is now entitled to the name, despite all of the historical precedent to the contrary.
Especially in the EU as far as I know, although I've never really found a satisfactory citation for it. If a product incorporates a place of origin in the name such as "Cornish Pastry", "Cumberland Sausage", and any number of cheeses etc., then apparently it has to have actually have been made the the geographical location being referred to, even if the recipe is identical. Another bright idea brought to you by the numbnuts that spent taxpayers money in order to regulate the permitted curvature of bananas...
Fubar'ed profile or Java/Flash is quite likely. Every time I've ever had a recent release version of Firefox crash (been using it since v0.something) I've had a site open that is whitelisted in NoScript for Flash or using Java.
Another possibility is the cache, or more likely a corrupted SQLite index DB. I recently saw this with GMail borking for me on one PC and hanging the initial load screen, then offering to load without Labs (which I don't use) which worked fine. Trying to load the page using the "No Labs" URL had the same issue, yet basic HTML worked fine. After looking at corrupted cookies and rogue extensions, I flushed the cache which presumably also reset the DB and it's been fine ever since.
To be fair, Hubble has imaged some of the planets in the solar system including Mars. I guess Ed Weiler is a glass half-full kind of guy and thinks we're actually going to get someone on Mars before the funds get cut and it gets faked at Area 51 again. :)
Also NASA's Weekly Top 10 page is worth a look. It'll take a week or maybe two for the cream of the latst Hubble pictures to filter to the top though; updates are every Tuesday night or Wednesday morning depending on your timezone.
There's an example of the Carina Nebula showing both "false colour" and something a closer to the "real colour" you would see from your space ship at The Register. It's also one of the images from the 56 at the Hubble site linked in the story, but let's try and spread the Slashdotting Love around...
:) Some of these dust clouds and so on are *BIG*. If the Tarantula Nebula, for instance, was located as close as the Orion Nebula it would cover about a quarter of the sky.
Also, your "few million miles" just might be a little off and in some cases a few million light years or more would be more realistic.
I was going to say pretty much the same thing. The recommendation and approved procedure for suspected cases of swine flu here in the UK is to *call* your doctor and go through the symptoms over the phone to avoid spreading the disease further. If the doc thinks you have a genuine cases, then a friend or relation can go and pick up a prescription for your TamiFlu and, big whoop, you get to cut about one day off your suffering. My local surgery even has a sign on the door to that effect.
How about having a tested Live CD or other recovery disk that will boot the machine and get it on the network? If the machine ever fails to boot due to a local config problem, then you can boot off the CD, log in remotely and then manually mount the local partitions in order to fix problems.
I'd agree with this, but I was actually more taken with the concept of the Combo Stop/Refresh/Go button which with 20:20 hindsight just made me think "Duh! Why wasn't it done like this from the start?" What might be better for the tabs though is "Version C"; put the tabs over the location bar, but below the standard title bar of the OS in question. Of course, we are talking about probably the most configurable browser of them all, so the best solution has to be "Version D" which is where the user gets to use whichever style they prefer.
Having dealt with some particularly aggressive corporate and legislative senders of take down notices while working for an ISP, the standard form basically boils down to "Take this down, now!" where "now" is usually specified as a deliberately panic inducing number of hours. That statement will usually be backed up with another one stating that making you, as the ISP, will be held jointly liable if you don't comply within the stated time frame, which is probably why the ISPs concerned here came so unstuck. This can arrive via post or via email, hence the reason why black-holing "abuse@" or whatever your whois contact might be is a bad idea, particularly in light of this case. As you point out, so far that could easily be someone with an axe to grind against the target pretending to be an authorized issuer of the take down or someone relying on scare tactics.
In practice, on authentic take downs for anyone that knows what they are doing there is *always* a responsive contact at the source with verifiable credentials and most respectable ISPs will be well aware that whatever "now!" is defined as is flexible provided that action is being seen to be taken. That's where it gets more iffy; large scale operations like YouTube receive so may take downs that they simply don't have the resources to contact each individual target of a take down and let them state their case, so it's act first and deal with the fallout later, if any.
Provided you're not dealing with a pile them high and sell them cheap sales model then in reality there is plenty of time for due process, if the ISP chooses to do so and has the procedural framework and resources in place to support it. That can easily include verification of the source of the take down notice, allowing the target of the take down a chance to voluntarily comply or present evidence why they are not in breach of legal/ToS/AUP requirements, send that back to the source for comment and anything else you care to dream up depending on the situation. Needless to say, anything you do needs to be documented, relevant logs need to be preserved, and *everything* gets CC'd to your own Legal Department so they can intervene if things start getting ugly.
You need to dig a bit (it's mentioned in the seventh paragraph of the linked article, with a more detailed discussion on the second page), but basically the ISP in question failed to take action to shut down the hosted sites despite repeated takedown notices from Louis Vuitton. The only real precedent that this sets if you ask me is a very positive one in that if your "abuse@" email is a blackhole then you had better have extremely good liability cover and/or be very hard to reach to avoid being served with lawsuits.
I think it can be summed up best as "what could possibly grow wrong?"
If this gets sufficient attention to gain some traction in a sufficiently inclined governent, then I think you'll see government, the intelligence community, law enforcement and big media all jump on board with their lobbyists in tow PDQ. Then you've got all of the ICT contractors that service them and will inevitably see this as a fat revenue stream (whether the idea works or not). Frankly, I'm surprised we've got this far since 9/11 before the idea has come up in front of government as opposed to in an IT joke.
You don't need to "enforce" the license via law enforcement, although it could make it interesting in connection with legislation where your computer was found to be a member of a botnet if you didn't have one. All you need to do is require that businesses only employ computer operators who have a license. I'm pretty sure you'd have a hard time getting a job as a delivery driver, say, without a valid driving license. How many career opportunities do you think that you'd have in the world if you need a license to use a computer for business. Pretty much any office work is out, and in theory you couldn't even work at McDonald's because their cash registers are actually PCs. It get's even more essential if ISPs need to see one to create an account, and technically modern mobile phones mean that could apply to cellular carriers too.
What you think of the idea is certainly up for discussion, but if you can get business on board then it very practical indeed.
Ooh! It's that "Here's the answer, what's the question?" game!
I think the question was... "Does the carpet match the drapes?"
Give me a break! Frankly, I'm not sure why they've even bothered to obscure the identity of the company concerned since it's pretty much obvious to anyone who follows IT security news that they are talking about EstDomains and Vladimir Tsastsin. Try punching those into Google or whatever and you'll see this goes way beyond being just an "adware company".
You don't put the program on your compute; you keep it as a portable executable on a memory stick that is kept somewhere where it's highly unlikely to be found by a casual search; not too difficult given how small they can be. Combine that with something like TrueCrypt's hidden partitions that are supposedly(*) undetectable and as long as you don't slip up and divulge the fact there is a hidden "key", you can leave them searching through some suitably innocuous collection of data files.
(*) I refuse to believe in any "absolutes" like this when it comes to IT; many of the more innovative exploits out there take advantage of the mistaken belief that something can't be done or isn't an issue. People used to say it wasn't possible to write a program that could replicate by itself, and we all know how that turned out.
Actually, I'm mostly fine with the speed and typical results I'm getting at the moment. What annoys me the most about searching is when the first several pages of results are full of links to places that require you to have an account before you can access the answer or download the file. If I could define a blacklist that automatically excludes some of the worst offenders from my queries, that would be worth far more to me than shaving a few milliseconds of each search.