DNSSEC has its place, even for key distribution. But it does not provide a basis for trust because mere holdership of a DNS domain does not mean you are trustworthy.
The big win for DNSSEC is to distribute security policy in a scalable fashion. See my CAA and ESRV Internet drafts.
Imagine that you are visiting slashdot, wouldn't it be better to use SSL than en-clair if the site supports it? Wouldn't it be better to have encryption with a duff cert than no encryption at all? [*]
DNSSEC allows a site to put a flag in its DNS to say 'always use SSL when visiting slashdot on http'. Now the server knows that if it is going to slashdot and it is not encrypted there is a man in the middle. Same for Twitter, Google etd.
DNSSEC can also be used to ensure that the only certs trusted for a domain are ones authorized by the domain holder. This provides an independent trust path to CA issued X.509. If used in combination, security can be improved.
[*] The catch is that showing the user the padlock icon for a duff cert is going to make them less secure. That is why I would like to see the browsers remove the padlock icon completely for DV certs. the only reason the padlock is required is to allow the user to check that SSL is in use. Since the user can't and won't do that reliably it is a poor control anyway. But it is in any case a control that should be enforced by the browser not the user and DNSSEC security policy allows that to happen.
On key distribution, well sure, for typical Web services and for promiscuous security, DNSSEC validated keys are just fine. It is not going to be a money saver. It does not justify a padlock icon (neither does a DV cert). But it is perfectly adequate for most applications.
Unfortunately it is likely that making use of DNSSEC for key distribution is going to be delayed for at least a year due to IETF politics. I blame the people behind the DANE proposal. They have been less than forthcoming about their real agenda from the start and have shown absolutely no willingness to accept any input from other parts of the IETF. The IETF is a consensus based organization but the test is IETF consensus, not working group consensus. If a clique wants to change the rules for handling PKIX certs they have to get an IETF consensus that this should be done.
DANE could have easily been designed in a way that allowed security policy and key distribution to be completely separate. Unfortunately the ruling clique insists these be joined. The result is a spec that is in my opinion undeployable because the transition strategy for a scheme providing positive trust (key distribution) is by necessity very different to that required for a scheme that provides negative trust (key revocation, security policy, etc.).
Oh I know what he is trying but he has no clue what the threat model is.
The threat model in this case is a well funded state actor that might well be facing a full on revolution within the next 12 months. It does not matter how convergence might perform, there is not going to be time to deploy it before we need to reinforce the CA system. [Yes I work for a CA]
I think it most likely we will be seeing the Arab Spring spreading to Syria with the fall of Gaddafi. We are certainly going to be seeing a major ratcheting up of repressive measures in Syria and Iran. Iran knows that if Syria falls their regime will be the next to come under pressure. In many ways the Iranian regime is less stable than some that have already fallen. There are multiple power centers in the system. One of the ways the system can collapse is the Polish model, the people of Poland didn't have a revolution, they just voted the Communist party out of existence. If the Iranian regime ever allows a fair vote the same wil happen there.
Anyone think that we will have DNSSEC deployed on a widespread scale in the next 12 months? I don't and I am one of the biggest supporters of DNSSEC in the industry. DNSSEC is going to be the biggest new commercial opportunity for CAs since EV. Running DNSSEC is not trivial, running it badly has bad consequences, the cost of outsourced management of DNSSEC is going to be much less than a DNS training course ($1000/day plus travel) but rather more than a DV SSL certificate ($6 for the cheapest).
The other issue I see with Convergence is that it falls into the category of 'security schemes that works if we can trust everyone in a peer to peer network'.
Wikipedia manages a fair degree of accuracy, but does anyone think that they really get up to 99% accurate? Until this year the CA system had had three major breaches, all of which were trapped and closed really quickly plus about the same number of probes by security researchers kicking the tires. Until the Diginotar incident anyone who had revocation checking in place was 100% safe as far as we are aware, not a bad record really.
There is a population of about 1 million certs out there, even 200 would mean 99.95% accuracy.
Running a CA is really boring work. Not something I would actually do personally. To check someone's business credentials etc takes some time and effort. It is definitely the sort of thing that you want a completer-finisher type to be doing. Definitely not someone like me and for 95% of slashdot readers, probably not someone like you either.
The weak point in the SSL system is not the validation of certs by CAs, they are (in order) (1) the fact that SSL is optional (2) the fact that the user is left to check for use of SSL (3) the fact that low assurance certificates that have a minimal degree of validation result in the padlock display.
The weak point being exploited by Iran is the braindead fact that the Web requires users to provide their passwords to the Web site every time they log in. I proposed a mechanism in 1993 that does not require a CA at all and avoids that. Had RSA been unencumbered I would have adopted an approach similar to EKE that was stronger than DIGEST but again did not require a cert.
Certs are designed to allow users to decide who they can share their credit card numbers with. That is a LOW degree of risk because the transaction is insured. Certs are not intended to tell people it is safe to share their password with a site because it is NEVER safe to do that.
The typical recording contract of that era was expressly designed to avoid being categorized as 'work for hire' as it would mean a shorter copyright term.
The recording contracts were also designed to bilk the artists out of their royalties by requiring them to bear a very long list of costs.
Work for hire has a very specific meaning in copyright law. The labels can't redefine the meaning retrospectively. Or at least they can't unless they can bribe Congress to do it for them.
I don't see how not paying the witness money helps the BSA.
The witness originally offered the evidence in the hope and promise of a reward. Any evidence given by that witness is going to be tainted regardless of whether the reward was paid or not.
The article is incorrect. Microsoft does not ban 'open source', it bans one very specific type of license that the author expressly intends to be viral.
Microsoft use open source code, but they only use code with licences that do not have a viral clause. They use some of my open source code in IE. Microsoft also publish open source code, but not under viral licenses. RMS is very definite about his intention to contaminate proprietary code with his own.
Now before folk go off into a slashweenie froth over this. I know RMS, i have argued this point with him. And he is very very clear about his intent that the gpl be viral. He makes no secret at all about this. Go and talk to him if you do not believe me. But dont assume that because the description of his idea sounds nutty that it must be false. Again, you need to talk to him and know him.
We expressly rejected the gpl for licensing the CERN web code because we did not want the ideological baggage. The code was merely a tool to spread the web. Well ok not for Tim, he hadvcode attachment, but not to owning it. We did make a big mistake in making the code public domain, but there was not the selection of licenses we have today. BSD would have been a better choice.
So dont blame Mr softy for taking RMS seriously. There probably isnt a legal risk there. But Gates is merely taking RMS seriously.
That is why anonymous should be behind bars and so should anyone from Themis who has broken the law as proposed in this document.
the attacks proposed were against wikileaks, not just anonymous. There is no evidence wikileaks has broken us law. So this is not even vigilantism, it is a criminal attack.
They are self confessed liars. So why accept the claims of vandalism at face value?
I am at RSA, I was part of a long conversation with Art Coviello last night and he did not mention it. It his his confernce and it is a security conference. If the ckaim was true and had been reported i would have expected it to be mentined.
I think it rather more likely that they did not have the courage to show their faces.
They have been punked for a start. That is an embarrassment. But what would make them pariahs was the proposal to engage in criminal attacks and political misinformation. Many of us are ex law enforcement or ex intelligence. Others work closely with them. You cant do that if you are committing criminal acts yourself.
If i thought there was a chance he might show his face i would have gone to his session earlier. But that was never likely.
Last year he was talking about hacking online games and club penguin.
Hah! The Tea Party wants less government interference, not more..
No, all they want is to be told that they are absolutely right about everything and that they have a complete and infallible system of the world that only morons and the corrupt could possibly disagree with.
So really no different from Communists, Fascists, Moonies, and other cultists.
And the fact that the Tea Partiers talk about freedom all the time means precisely nothing. Karl Marx talked about freedom. So did Lenion, Stalin, Hitler, Mao and pretty much every other demagogue. And before he became Chancellor, most Germans regarded Hitler with pretty much the same disdain as Glenn Beck is considered.
When people talk about 'second amendment solutions' or the 'ammo box', what they are talking about is the murder of their political opponents. I don't draw comparisons with fascists and Stalinists lightly, but talking about murder of opponents crosses that line completely.
Whether or not Loughner's action in Arizona was a consequence of Palin and Beck's rhetoric can never be proved or disproved. But what is beyond dispute is that 1) that type of rhetoric can lead people to murder, 2) there is ample evidence that Palin in particular intended to use that rhetoric in order to intimidate her opponents, 3) no member of the Republican party leadership had the courage or the principles to condemn the rhetoric when it was being used.
So no, I don't think that the consequence of a tea party government would be less regulation or government interference. The people simply don't have the knowledge or experience to form a coherent policy, let alone implement one. What would result would be an increase in regulations that protect the interests of narrow cliques that can manipulate the party and a decrease in regulation that serves the public interest.
People can be totally self-deluding. Back in the 19th century the power elites believed that 'rain follows the plough' despite ample scientific evidence to the contrary. Now they want to believe that free markets are automatically self regulating and that climate change is not occurring.
Lawsuit? Just cut the damn wires with a pair of wire snips and toss the thing in the dumpster.
If I had seen that installation I would not have got as far as working out that it was a router. A plastic bag with wires coming out of it? That would be an immediate call to 911 to report a suspicious device even if it wasn't stuck on top of a gas manifold.
If I had gone as far as to work out it was a router, I would have called the gas board and told them that there was a serious incendiary risk.
A former QWest CEO went to prison. In my experience, the new QWest CEO is no more honest.
After a prosecution that seemed like it quite likely had more to do with Qwest having refused to participate in the Bush administration criminal wiretap program than what he was convicted of.
Making an A-bomb is one thing, miniaturizing the warhead to fit on a missile is a far more difficult problem.
That's an interesting opinion. It's worth recalling that these hard problems have been solved before by countries with similar-sized economies to Iran. The Iranian theocracy or other features of Iran's society may make these hard problems insurmountable for Iran, but otherwise a far more problem is a roadbump not a roadblock.
Who else has nuclear missile capability?
The UK developed their own bomb but gave up on missile delivery. Israel stole their technology from the US. The Soviets and Chinese certainly stole some stuff but had the resources to build missiles regardless. It took the Soviets another decade to build a missile after getting the bomb and they didn't start building a real stockpile until the Kennedy era.
Pakistan and India have the bomb but have not demonstrated the ability to miniaturize it to fit on a delivery system. North Korea's delivery system tests have failed repeatedly.
But Stuxnet was not a typical exploit. It went into areas that had really not been attacked before.
People do attack those Open Source targets. Widely used and reviewed Open Source code is rather less likely to be of help than looking at proprietary code that very few people have seen.
Mitnick certainly went to great lengths to obtain source codes so it is pretty clear that they have a value in that community. Even if the value is to have something that other people do not.
considering that
1. Massive numbers of Jews left Russia to go to Israel in the past 20 years
2. Massive numbers of those Russians know a shitload about computers and
3. Massive numbers of them keep contact with their buds in Russia and
4. Russia has been helping Iran with its 'civilian' nuclear program for a long time.
Now, 4 is probably at the behest of the CIA, who pays the Russians big bucks to go "help" Iran. Thank god, is all I have to say, because of the Russians weren't inside Iran's program watching it, then the Chinese would be, and that's the last thing we need, a China-Iran alliance.
WWII was certainly a pyrrhic victory for the British Empire.
It was the best outcome that was available given the circumstances, but it was a national disaster even so.
That is one reason why people like David Brooder show themselves to be senile fools when they advocate starting a war to cure the economy. The US economy only benefitted from WWII due to a massive increase on the input side of the economy: married women started to do paid work.
If you look at every other war that the US has been involved with the result has been a massive increase in debt.
Not really, the US military wiped the Iraq military off the map easily, it was the occupation and insurgency that caused problems
The Iraq military used a technique that the US military were completely unprepared for. They took off their uniforms and went home to look after their family and communities, or in some cases, to go undercover and fight an ongoing resistance. The "wiping off the map" of the Iraq military, in large part [b]is[/b] the insurgency that has deviled the US forces.
Thats not quite accurate
Large parts of the Iraqi army deserted, but the resistance did not start till much later. The deserters were back at their posts shortly after the shooting finished, they wanted the victor to make good on their promise to pay them.
It was the disbanding of the Iraqi army that was the real tipping point. The soldiers were quite happy working for a different government up to the point where they all lost their jobs.
The original US plan was to go in, decapitate the government and install Ahmed Chalabai, a convicted bank fraudster who led the Iranian backed Iraqi opposition movement. He was pointed out to me as an Iranian agent in the mid 90s, long before the invasion. At the time he was peddling a bogus claim that Iraq had conducted an atomic test.
An actual invasion of Iran would face two major problems: Russia and China. Neither would allow the US to invade a country that provides it with critical resources.
Isn't this what they said when US troops were about to enter Baghdad?
That the revolutionary guards are so elite and will fight for every street that US army will get bogged down for months fighting a savage urban guerilla warfare with no clear victory in sight?
Well, before the saliva spit by those vocalising that view could dry up in the wind, the US army was smoking out bedazzled Saddam from a pit.
There was a substantial information warfare campaign designed to persuade the Iraqi generals to defect in return for certain guarantees. A significant number did so and there was considerably less fighting than expected.
That strategy worked in Iraq because Saddam was in a much weaker situation politically. The generals were willing to defect because they were not particularly eager to fight for Saddam. A regime change in which they maintained their position and status would suit them rather well.
It is much less likely that the same strategy would work a second time, not least because the Iranians are prepared for it but more importantly because the US went on to break each and every one of the guarantees that they had given to the Iraqi generals. Instead of allowing them to keep their positions, the US abolished the Iraqi army and threw most of the defecting generals in jail. Instead of effecting a quick, relatively bloodless coup, the US created a civil war which claimed the lives of between half a million and a million Iraqis.
It is very clear that a US attack on Iran is not going to be met with support from any segment of the population. It would force the pro-democracy forces to rally behind the regime, they would not attempt to topple it.
The pro-democracy demonstrations occurred in the wake of Obama's presidency because he had ended the policy of confrontation with Iran and made it possible for Iranians to oppose the regime without being disloyal to their country while it was under attack. Compare and contrast the success of that approach with that of Bush and the 'axis of evil' speech promising an imminent attack.
And give Israel 100% justification to out-right flatten Palestine? I don't think even Hezbollah is that stupid. Israel cares very little about public opinion when it comes to protecting the state. Iran/Hezbollah starts throwing more than annoyance-level bombs over the border and Israel fires up the bulldozers, gives 2-hour notice to evacuate, and starts evicting every last Palestinian in sight. It would be chaos, and guaranteed that the Israelis wouldn't give a damn. They might nuke Tehran just for giggles at that point.
What you are proposing here is that Israel start a war on Iran and then use the war as a pretext to commit genocide.
I don't think that the state of Israel would survive very long were it to do that. It certainly would lose the support of most US Jews.
Why do you believe that Iran controls all of the Strait of Hormuz?
What would it take? A couple of containers full of Chinese missiles?
Iran has the worlds fourth largest collection of missiles, just behind North Korea.
Iran believes that the shutting down of the straits of Hormuz ended the Iran-Iraq war by forcing the US to force Saddam into offering a ceasefire. They are almost certainly correct in my view.
Regardless of whether they are correct, they have the means to control the straits and deny passage to any tanker through use of surface to ship missiles. Supertankers are big, heavy and expensive to replace. It only takes a threat of attack to force the oil price up into the stratosphere.
It is an open question as to whether the missiles could sink a US capital ship. The previous generation successfully disabled an Israeli cruiser when one was given to Hezbollah.
The disclosure that other gulf states called for an attack on Iran gives Iran the right to retaliate against them. I would expect that rather than focussing on the shipping, Iran would disable the ports.
Stuxnet exploits Cisco routing hardware, not Windows... I'm assuming you didn't RTFA.
Actually it has multiple exploits.
How about this for a deal: Intelligence service offers hackers access to parts of their Windows source code in return for writing the four zero day attacks.
This part of the intelligence world is very, very small, and the number of people who act as intermediaries between, for example, the IAEA and intelligence circles is even smaller.
The part of the actual intelligence world that would talk directly with NYT (and if not then the source is by definition not credible) about anything like this unless it was a sanctioned manipulation (by definition not credible) is zero zilch nada.
Unfortunately that is not true.
There are many people who leak for many reasons. During the Bush administration the intelligence services were actively leaking against them. That is how Josh Marshall at TPM was getting all that info on Cunningham and the pentagon bribery ring.
This looks to me to be the type of leak that is made to create a certain impression that suits the political interests of the leaker.
But more generally, intelligence people leak because they deal in information and the best way to get information from a journalist is usually to trade.
No, the attack does not look at all like a Chinese attack to me.
Stuxnet hit a number of Chinese facilities. It was a blunt instrument. The Chinese have a marked aversion to attacking the homeland.
The Chinese also have a fairly sharp distinction between espionage and malicious damage. They do not see espionage as being at all bad (neither does our side if truth is told). As far as they are concerned, taking Western technology is merely moral restitution for the damage inflicted through Western colonialism: the opium wars, open door policy, Japanese occupation etc.
While the Chinese might well do something like Stuxnet if they had a really, really good reason, I do not think it at all likely that they would cross that line without one. And I do not see why China would consider Iran's activities to be an actionable concern.
The code signing certs were ripped off from two Taiwanese companies. So it is highly likely some Chinese speakers were involved. But those are the type of resource that is traded openly on the black market.
The easiest way for the Chinese or US intel services to create the code signing certs would have been to establish a front operation.
It is really only the Russian intel services that outsource hacking to criminals. I think that if there is an intel link to Stuxnet at all, it is almost certainly Russia.
It is really rather obvious that both the Iranian and Israeli leadership would rather like to have a war but they need the other side to be seen to start it. Iran has gained tremendously from the Bush invasion of Iraq, not only has the US eliminated Iran's major regional rival, the war has allowed Iran to establish an essentially unbroken sphere of influence in the Shi'ia world.
It is even quite likely that Ahmedinejad is looking for an attack in order to complete the nuclear program. It is unlikely that the religious leadership would want to allow him to complete a nuclear bomb: it would put him above them. If Iran really wanted a nuclear weapon they would have one by now, they have vastly more resources than were available to the Manhattan project in the 40s. Another possibility is that Iran does already have a nuclear bomb but is unable to declare it since that would lead to an immediate attack etc.
In either case it would make perfect sense for Ahmedinejad to incite an Israeli attack which would provide a pretext for withdrawal from the NPT and become a declared nuclear power within a short interval.
A war between Israel and Iran would be a war of attrition with each side aiming to rack up as many civilian deaths as possible. Israel cannot win that game and it would be stupid of them to try. The mullahs have shown themselves quite capable of accepting a million casualties in a war.
The Times report itself says nothing new and nothing that can be believed. All that we know is that there is are sources in US/Israeli intelligence that want to take credit for Stuxnet. We do not even know if the source would even have knowledge of such an operation if it existed.
The motives for wanting to take credit are rather obvious. But if you look at what the attack achieved or was likely to achieve it is very hard to see how it would be in the interests of either to burn major intelligence assets for an act of minor vandalism.
We know that the attack involved four zero days, was written in a modular fashion, probably by multiple authors and had references that might have been intended to lead to a certain conclusion. What we really don't know much about is the payload code. We do not even know for certain what the target was.
For several weeks we were discussing media reports that 'confirmed' that the virus was Chinese on the basis of some 'expert' who had seen an algorithm in Chinese code and erroneously considered it to be uniquely Chinese. The press will repeat any nonsense that is said to them by someone who is convinced they are right.
If the target was indeed the Iranian centrifuges or the Iranian power plant then the only way that it could have possibly been expected to work would be with very deep knowledge of the design and deployment of a top secret Iranian facility. There are only two ways that knowledge could be available to the attacker - if they designed the plant or if they had a source with access.
Looking at the likely result of this attack I cannot possibly see how anyone would wish to let the Iranians know about the intelligence source for the sake of some minor inconvenience to the Iranian program.
A much more likely explanation in my view is the idea that the Russians wrote Stuxnet to damage the nuclear plant they designed and thus require Iran to buy additional services from Russia to repair the damage and to accept the reprocessing proposal (which they did). Such shakedown tactics were common during the Soviet era.
Russia would not have an incentive to take credit for the attack in such circumstances. But some of the US/Israeli hawks would even knowing that the claim was false.
Slashdot Mirror
The big win for DNSSEC is to distribute security policy in a scalable fashion. See my CAA and ESRV Internet drafts.
Imagine that you are visiting slashdot, wouldn't it be better to use SSL than en-clair if the site supports it? Wouldn't it be better to have encryption with a duff cert than no encryption at all? [*]
DNSSEC allows a site to put a flag in its DNS to say 'always use SSL when visiting slashdot on http'. Now the server knows that if it is going to slashdot and it is not encrypted there is a man in the middle. Same for Twitter, Google etd.
DNSSEC can also be used to ensure that the only certs trusted for a domain are ones authorized by the domain holder. This provides an independent trust path to CA issued X.509. If used in combination, security can be improved.
[*] The catch is that showing the user the padlock icon for a duff cert is going to make them less secure. That is why I would like to see the browsers remove the padlock icon completely for DV certs. the only reason the padlock is required is to allow the user to check that SSL is in use. Since the user can't and won't do that reliably it is a poor control anyway. But it is in any case a control that should be enforced by the browser not the user and DNSSEC security policy allows that to happen.
On key distribution, well sure, for typical Web services and for promiscuous security, DNSSEC validated keys are just fine. It is not going to be a money saver. It does not justify a padlock icon (neither does a DV cert). But it is perfectly adequate for most applications.
Unfortunately it is likely that making use of DNSSEC for key distribution is going to be delayed for at least a year due to IETF politics. I blame the people behind the DANE proposal. They have been less than forthcoming about their real agenda from the start and have shown absolutely no willingness to accept any input from other parts of the IETF. The IETF is a consensus based organization but the test is IETF consensus, not working group consensus. If a clique wants to change the rules for handling PKIX certs they have to get an IETF consensus that this should be done.
DANE could have easily been designed in a way that allowed security policy and key distribution to be completely separate. Unfortunately the ruling clique insists these be joined. The result is a spec that is in my opinion undeployable because the transition strategy for a scheme providing positive trust (key distribution) is by necessity very different to that required for a scheme that provides negative trust (key revocation, security policy, etc.).
The threat model in this case is a well funded state actor that might well be facing a full on revolution within the next 12 months. It does not matter how convergence might perform, there is not going to be time to deploy it before we need to reinforce the CA system. [Yes I work for a CA]
I think it most likely we will be seeing the Arab Spring spreading to Syria with the fall of Gaddafi. We are certainly going to be seeing a major ratcheting up of repressive measures in Syria and Iran. Iran knows that if Syria falls their regime will be the next to come under pressure. In many ways the Iranian regime is less stable than some that have already fallen. There are multiple power centers in the system. One of the ways the system can collapse is the Polish model, the people of Poland didn't have a revolution, they just voted the Communist party out of existence. If the Iranian regime ever allows a fair vote the same wil happen there.
Anyone think that we will have DNSSEC deployed on a widespread scale in the next 12 months? I don't and I am one of the biggest supporters of DNSSEC in the industry. DNSSEC is going to be the biggest new commercial opportunity for CAs since EV. Running DNSSEC is not trivial, running it badly has bad consequences, the cost of outsourced management of DNSSEC is going to be much less than a DNS training course ($1000/day plus travel) but rather more than a DV SSL certificate ($6 for the cheapest).
The other issue I see with Convergence is that it falls into the category of 'security schemes that works if we can trust everyone in a peer to peer network'.
Wikipedia manages a fair degree of accuracy, but does anyone think that they really get up to 99% accurate? Until this year the CA system had had three major breaches, all of which were trapped and closed really quickly plus about the same number of probes by security researchers kicking the tires. Until the Diginotar incident anyone who had revocation checking in place was 100% safe as far as we are aware, not a bad record really.
There is a population of about 1 million certs out there, even 200 would mean 99.95% accuracy.
Running a CA is really boring work. Not something I would actually do personally. To check someone's business credentials etc takes some time and effort. It is definitely the sort of thing that you want a completer-finisher type to be doing. Definitely not someone like me and for 95% of slashdot readers, probably not someone like you either.
The weak point in the SSL system is not the validation of certs by CAs, they are (in order) (1) the fact that SSL is optional (2) the fact that the user is left to check for use of SSL (3) the fact that low assurance certificates that have a minimal degree of validation result in the padlock display.
The weak point being exploited by Iran is the braindead fact that the Web requires users to provide their passwords to the Web site every time they log in. I proposed a mechanism in 1993 that does not require a CA at all and avoids that. Had RSA been unencumbered I would have adopted an approach similar to EKE that was stronger than DIGEST but again did not require a cert.
Certs are designed to allow users to decide who they can share their credit card numbers with. That is a LOW degree of risk because the transaction is insured. Certs are not intended to tell people it is safe to share their password with a site because it is NEVER safe to do that.
The typical recording contract of that era was expressly designed to avoid being categorized as 'work for hire' as it would mean a shorter copyright term. The recording contracts were also designed to bilk the artists out of their royalties by requiring them to bear a very long list of costs. Work for hire has a very specific meaning in copyright law. The labels can't redefine the meaning retrospectively. Or at least they can't unless they can bribe Congress to do it for them.
I don't see how not paying the witness money helps the BSA. The witness originally offered the evidence in the hope and promise of a reward. Any evidence given by that witness is going to be tainted regardless of whether the reward was paid or not.
Microsoft use open source code, but they only use code with licences that do not have a viral clause. They use some of my open source code in IE. Microsoft also publish open source code, but not under viral licenses. RMS is very definite about his intention to contaminate proprietary code with his own.
Now before folk go off into a slashweenie froth over this. I know RMS, i have argued this point with him. And he is very very clear about his intent that the gpl be viral. He makes no secret at all about this. Go and talk to him if you do not believe me. But dont assume that because the description of his idea sounds nutty that it must be false. Again, you need to talk to him and know him.
We expressly rejected the gpl for licensing the CERN web code because we did not want the ideological baggage. The code was merely a tool to spread the web. Well ok not for Tim, he hadvcode attachment, but not to owning it. We did make a big mistake in making the code public domain, but there was not the selection of licenses we have today. BSD would have been a better choice.
So dont blame Mr softy for taking RMS seriously. There probably isnt a legal risk there. But Gates is merely taking RMS seriously.
they have gone beyond protecting wikileaks and some are looking to replace them and set all information and secrets free.
Both groups belong in jail in my view.
That is why anonymous should be behind bars and so should anyone from Themis who has broken the law as proposed in this document.
the attacks proposed were against wikileaks, not just anonymous. There is no evidence wikileaks has broken us law. So this is not even vigilantism, it is a criminal attack.
The group proposed using disinformation tactics. So why believe their word now? Doing so without question seems naive.
I am at RSA, I was part of a long conversation with Art Coviello last night and he did not mention it. It his his confernce and it is a security conference. If the ckaim was true and had been reported i would have expected it to be mentined.
I think it rather more likely that they did not have the courage to show their faces.
They have been punked for a start. That is an embarrassment. But what would make them pariahs was the proposal to engage in criminal attacks and political misinformation. Many of us are ex law enforcement or ex intelligence. Others work closely with them. You cant do that if you are committing criminal acts yourself.
If i thought there was a chance he might show his face i would have gone to his session earlier. But that was never likely.
Last year he was talking about hacking online games and club penguin.
Hah! The Tea Party wants less government interference, not more..
No, all they want is to be told that they are absolutely right about everything and that they have a complete and infallible system of the world that only morons and the corrupt could possibly disagree with.
So really no different from Communists, Fascists, Moonies, and other cultists.
And the fact that the Tea Partiers talk about freedom all the time means precisely nothing. Karl Marx talked about freedom. So did Lenion, Stalin, Hitler, Mao and pretty much every other demagogue. And before he became Chancellor, most Germans regarded Hitler with pretty much the same disdain as Glenn Beck is considered.
When people talk about 'second amendment solutions' or the 'ammo box', what they are talking about is the murder of their political opponents. I don't draw comparisons with fascists and Stalinists lightly, but talking about murder of opponents crosses that line completely.
Whether or not Loughner's action in Arizona was a consequence of Palin and Beck's rhetoric can never be proved or disproved. But what is beyond dispute is that 1) that type of rhetoric can lead people to murder, 2) there is ample evidence that Palin in particular intended to use that rhetoric in order to intimidate her opponents, 3) no member of the Republican party leadership had the courage or the principles to condemn the rhetoric when it was being used.
So no, I don't think that the consequence of a tea party government would be less regulation or government interference. The people simply don't have the knowledge or experience to form a coherent policy, let alone implement one. What would result would be an increase in regulations that protect the interests of narrow cliques that can manipulate the party and a decrease in regulation that serves the public interest.
People can be totally self-deluding. Back in the 19th century the power elites believed that 'rain follows the plough' despite ample scientific evidence to the contrary. Now they want to believe that free markets are automatically self regulating and that climate change is not occurring.
If I had seen that installation I would not have got as far as working out that it was a router. A plastic bag with wires coming out of it? That would be an immediate call to 911 to report a suspicious device even if it wasn't stuck on top of a gas manifold.
If I had gone as far as to work out it was a router, I would have called the gas board and told them that there was a serious incendiary risk.
A former QWest CEO went to prison. In my experience, the new QWest CEO is no more honest.
After a prosecution that seemed like it quite likely had more to do with Qwest having refused to participate in the Bush administration criminal wiretap program than what he was convicted of.
Making an A-bomb is one thing, miniaturizing the warhead to fit on a missile is a far more difficult problem.
That's an interesting opinion. It's worth recalling that these hard problems have been solved before by countries with similar-sized economies to Iran. The Iranian theocracy or other features of Iran's society may make these hard problems insurmountable for Iran, but otherwise a far more problem is a roadbump not a roadblock.
Who else has nuclear missile capability?
The UK developed their own bomb but gave up on missile delivery. Israel stole their technology from the US. The Soviets and Chinese certainly stole some stuff but had the resources to build missiles regardless. It took the Soviets another decade to build a missile after getting the bomb and they didn't start building a real stockpile until the Kennedy era.
Pakistan and India have the bomb but have not demonstrated the ability to miniaturize it to fit on a delivery system. North Korea's delivery system tests have failed repeatedly.
But Stuxnet was not a typical exploit. It went into areas that had really not been attacked before.
People do attack those Open Source targets. Widely used and reviewed Open Source code is rather less likely to be of help than looking at proprietary code that very few people have seen.
Mitnick certainly went to great lengths to obtain source codes so it is pretty clear that they have a value in that community. Even if the value is to have something that other people do not.
considering that 1. Massive numbers of Jews left Russia to go to Israel in the past 20 years 2. Massive numbers of those Russians know a shitload about computers and 3. Massive numbers of them keep contact with their buds in Russia and 4. Russia has been helping Iran with its 'civilian' nuclear program for a long time. Now, 4 is probably at the behest of the CIA, who pays the Russians big bucks to go "help" Iran. Thank god, is all I have to say, because of the Russians weren't inside Iran's program watching it, then the Chinese would be, and that's the last thing we need, a China-Iran alliance.
You mean like the Shanghai Cooperation Treaty?
China has been allied with Iran for decades.
It was the best outcome that was available given the circumstances, but it was a national disaster even so.
That is one reason why people like David Brooder show themselves to be senile fools when they advocate starting a war to cure the economy. The US economy only benefitted from WWII due to a massive increase on the input side of the economy: married women started to do paid work.
If you look at every other war that the US has been involved with the result has been a massive increase in debt.
Not really, the US military wiped the Iraq military off the map easily, it was the occupation and insurgency that caused problems
The Iraq military used a technique that the US military were completely unprepared for. They took off their uniforms and went home to look after their family and communities, or in some cases, to go undercover and fight an ongoing resistance. The "wiping off the map" of the Iraq military, in large part [b]is[/b] the insurgency that has deviled the US forces.
Thats not quite accurate
Large parts of the Iraqi army deserted, but the resistance did not start till much later. The deserters were back at their posts shortly after the shooting finished, they wanted the victor to make good on their promise to pay them.
It was the disbanding of the Iraqi army that was the real tipping point. The soldiers were quite happy working for a different government up to the point where they all lost their jobs.
The original US plan was to go in, decapitate the government and install Ahmed Chalabai, a convicted bank fraudster who led the Iranian backed Iraqi opposition movement. He was pointed out to me as an Iranian agent in the mid 90s, long before the invasion. At the time he was peddling a bogus claim that Iraq had conducted an atomic test.
An actual invasion of Iran would face two major problems: Russia and China. Neither would allow the US to invade a country that provides it with critical resources.
Isn't this what they said when US troops were about to enter Baghdad? That the revolutionary guards are so elite and will fight for every street that US army will get bogged down for months fighting a savage urban guerilla warfare with no clear victory in sight?
Well, before the saliva spit by those vocalising that view could dry up in the wind, the US army was smoking out bedazzled Saddam from a pit.
There was a substantial information warfare campaign designed to persuade the Iraqi generals to defect in return for certain guarantees. A significant number did so and there was considerably less fighting than expected.
That strategy worked in Iraq because Saddam was in a much weaker situation politically. The generals were willing to defect because they were not particularly eager to fight for Saddam. A regime change in which they maintained their position and status would suit them rather well.
It is much less likely that the same strategy would work a second time, not least because the Iranians are prepared for it but more importantly because the US went on to break each and every one of the guarantees that they had given to the Iraqi generals. Instead of allowing them to keep their positions, the US abolished the Iraqi army and threw most of the defecting generals in jail. Instead of effecting a quick, relatively bloodless coup, the US created a civil war which claimed the lives of between half a million and a million Iraqis.
It is very clear that a US attack on Iran is not going to be met with support from any segment of the population. It would force the pro-democracy forces to rally behind the regime, they would not attempt to topple it.
The pro-democracy demonstrations occurred in the wake of Obama's presidency because he had ended the policy of confrontation with Iran and made it possible for Iranians to oppose the regime without being disloyal to their country while it was under attack. Compare and contrast the success of that approach with that of Bush and the 'axis of evil' speech promising an imminent attack.
No nation has been able to do that without conducting extensive tests. So that means having to build 50-100 bombs, not just one or two.
And give Israel 100% justification to out-right flatten Palestine? I don't think even Hezbollah is that stupid. Israel cares very little about public opinion when it comes to protecting the state. Iran/Hezbollah starts throwing more than annoyance-level bombs over the border and Israel fires up the bulldozers, gives 2-hour notice to evacuate, and starts evicting every last Palestinian in sight. It would be chaos, and guaranteed that the Israelis wouldn't give a damn. They might nuke Tehran just for giggles at that point.
What you are proposing here is that Israel start a war on Iran and then use the war as a pretext to commit genocide.
I don't think that the state of Israel would survive very long were it to do that. It certainly would lose the support of most US Jews.
Why do you believe that Iran controls all of the Strait of Hormuz?
What would it take? A couple of containers full of Chinese missiles?
Iran has the worlds fourth largest collection of missiles, just behind North Korea.
Iran believes that the shutting down of the straits of Hormuz ended the Iran-Iraq war by forcing the US to force Saddam into offering a ceasefire. They are almost certainly correct in my view.
Regardless of whether they are correct, they have the means to control the straits and deny passage to any tanker through use of surface to ship missiles. Supertankers are big, heavy and expensive to replace. It only takes a threat of attack to force the oil price up into the stratosphere.
It is an open question as to whether the missiles could sink a US capital ship. The previous generation successfully disabled an Israeli cruiser when one was given to Hezbollah.
The disclosure that other gulf states called for an attack on Iran gives Iran the right to retaliate against them. I would expect that rather than focussing on the shipping, Iran would disable the ports.
Stuxnet exploits Cisco routing hardware, not Windows... I'm assuming you didn't RTFA.
Actually it has multiple exploits.
How about this for a deal: Intelligence service offers hackers access to parts of their Windows source code in return for writing the four zero day attacks.
This part of the intelligence world is very, very small, and the number of people who act as intermediaries between, for example, the IAEA and intelligence circles is even smaller.
The part of the actual intelligence world that would talk directly with NYT (and if not then the source is by definition not credible) about anything like this unless it was a sanctioned manipulation (by definition not credible) is zero zilch nada.
Unfortunately that is not true.
There are many people who leak for many reasons. During the Bush administration the intelligence services were actively leaking against them. That is how Josh Marshall at TPM was getting all that info on Cunningham and the pentagon bribery ring.
This looks to me to be the type of leak that is made to create a certain impression that suits the political interests of the leaker.
But more generally, intelligence people leak because they deal in information and the best way to get information from a journalist is usually to trade.
Stuxnet hit a number of Chinese facilities. It was a blunt instrument. The Chinese have a marked aversion to attacking the homeland.
The Chinese also have a fairly sharp distinction between espionage and malicious damage. They do not see espionage as being at all bad (neither does our side if truth is told). As far as they are concerned, taking Western technology is merely moral restitution for the damage inflicted through Western colonialism: the opium wars, open door policy, Japanese occupation etc.
While the Chinese might well do something like Stuxnet if they had a really, really good reason, I do not think it at all likely that they would cross that line without one. And I do not see why China would consider Iran's activities to be an actionable concern.
The code signing certs were ripped off from two Taiwanese companies. So it is highly likely some Chinese speakers were involved. But those are the type of resource that is traded openly on the black market.
The easiest way for the Chinese or US intel services to create the code signing certs would have been to establish a front operation.
It is really only the Russian intel services that outsource hacking to criminals. I think that if there is an intel link to Stuxnet at all, it is almost certainly Russia.
It is even quite likely that Ahmedinejad is looking for an attack in order to complete the nuclear program. It is unlikely that the religious leadership would want to allow him to complete a nuclear bomb: it would put him above them. If Iran really wanted a nuclear weapon they would have one by now, they have vastly more resources than were available to the Manhattan project in the 40s. Another possibility is that Iran does already have a nuclear bomb but is unable to declare it since that would lead to an immediate attack etc.
In either case it would make perfect sense for Ahmedinejad to incite an Israeli attack which would provide a pretext for withdrawal from the NPT and become a declared nuclear power within a short interval.
A war between Israel and Iran would be a war of attrition with each side aiming to rack up as many civilian deaths as possible. Israel cannot win that game and it would be stupid of them to try. The mullahs have shown themselves quite capable of accepting a million casualties in a war.
The Times report itself says nothing new and nothing that can be believed. All that we know is that there is are sources in US/Israeli intelligence that want to take credit for Stuxnet. We do not even know if the source would even have knowledge of such an operation if it existed.
The motives for wanting to take credit are rather obvious. But if you look at what the attack achieved or was likely to achieve it is very hard to see how it would be in the interests of either to burn major intelligence assets for an act of minor vandalism.
We know that the attack involved four zero days, was written in a modular fashion, probably by multiple authors and had references that might have been intended to lead to a certain conclusion. What we really don't know much about is the payload code. We do not even know for certain what the target was.
For several weeks we were discussing media reports that 'confirmed' that the virus was Chinese on the basis of some 'expert' who had seen an algorithm in Chinese code and erroneously considered it to be uniquely Chinese. The press will repeat any nonsense that is said to them by someone who is convinced they are right.
If the target was indeed the Iranian centrifuges or the Iranian power plant then the only way that it could have possibly been expected to work would be with very deep knowledge of the design and deployment of a top secret Iranian facility. There are only two ways that knowledge could be available to the attacker - if they designed the plant or if they had a source with access.
Looking at the likely result of this attack I cannot possibly see how anyone would wish to let the Iranians know about the intelligence source for the sake of some minor inconvenience to the Iranian program.
A much more likely explanation in my view is the idea that the Russians wrote Stuxnet to damage the nuclear plant they designed and thus require Iran to buy additional services from Russia to repair the damage and to accept the reprocessing proposal (which they did). Such shakedown tactics were common during the Soviet era.
Russia would not have an incentive to take credit for the attack in such circumstances. But some of the US/Israeli hawks would even knowing that the claim was false.