Slashdot Mirror


User: laird

laird's activity in the archive.

Stories: 0
Comments: 1,629

Comments · 1,629

  1. Re:Misread? on CCAGW Misreads Mass. Policy, Open Standards Generally · · Score: 1

    "If some one fails to deliver, another vendor can pick up where they left off with minimum disruption.

    And maximum cost. This is about taxpayers dollars. If corporations want to do such things with private cash, be my guest."

    In terms of project surviving vendor failure, the two cases are the same -- no sane buyer would pay for the development of a software system without the source code and the right to continue development independently of the initial vendor.

    The argument for open sourcing is that since we (the citizens) paid for the software, we have a right to use it. We have the right to audit it ourselves (not through lame auditing contract terms like the ones that "protect" us from crooked vote counting machinery).

  2. Re:Oregon Mail Forwarders, Get Ready! :) on New U.S. Sales Tax Regime For Internet Sellers? · · Score: 1

    Sales tax is based on the location of the buyer, if the seller has a physical presence in that location.

    If the seller has no physical presence in that location, there's no sales tax. This is because it's unreasonable to ask a seller to keep track of 2,000 different local tax rates, file 2,000 different tax forms, etc. But it's reasonable to ask a seller to file tax forms for locations where he's got an office.

    This new law is simply an attempt to collect sales tax from out of state companies, because the states are desperate for money and see this as an easy target.

  3. This has nothing to do with the internet on New U.S. Sales Tax Regime For Internet Sellers? · · Score: 1

    Exactly. I don't know why articles on this topic are labeled "internet tax" -- this is really an attempt by the states to tax out of state sales (which dwarf "internet sales"). Typically the tax proponents try to argue that the internet has some sort of exception (which it doesn't -- mail order companies taking orders through the internet pay the same taxes as any other mail order companies).

    Requiring small businesses to compute and file sales taxes with every single state is absurd. Even if they unify the tax rates, that's still 50 sets of paperwork to generate, send off, and manage.

    If the states really want to collect sales tax, they should set up a single set of taxes for mail order purchases, and implement a single system for reporting sales so that merchants could generate one set of paperwork to a central office, and that office could deal with all of the processing, tracking, and routing to deal with the 50 states. That's far more efficient than making millions of small business perform duplicate paperwork.

  4. Re:Take the money, accept the rules on Geer Comments On Firing From @Stake · · Score: 1

    "He has probably made himself unemployable by any conventional organisation"

    I certainly hope that this is not the case, because it would mean that people that hire security companies are quite stupid. What Geer said is commonly believed to be true within the security community. If you can't trust your security consultant to tell you what he honestly believes is the truth, there's not much point in hiring him. Geer seems to have been doing a great job of getting his employer visibility and a solid technical reputation by proving that they properly value their responsibility to their clients more than business partners or vendors. So now @stake took his good work and reversed it, establishing themselves as a company so stupid that they go out of their way to prove that not only their clients can't trust them to tell the truth, but that their employees can't trust them to back them up. The result will be that their employees will censor themselves to make sure that they don't offend anyone, making their advice meaningless.

  5. Re:He wrote it as if it was on @Stake's behalf on Author of Paper Critical of Microsoft is Fired · · Score: 1

    Well, eliminate Outlook, IE, and all of the ads for MS products (hotmail, MSN Messenger, etc.) and Windows 2003 would be a more reasonable server OS.

  6. Re:He wrote it as if it was on @Stake's behalf on Author of Paper Critical of Microsoft is Fired · · Score: 1

    It's certainly true that any operating system requires maintenance and updates. But it's misdirection to say that Windows would be as secure as, say, BSD if only it were properly administered. That's simply not true, because the operating systems are very different by design, not just implementation.

    Microsoft makes decisions that make their operating system less secure by design. For example, by default they have far more network services enabled than any UNIX or Linux distribution. So even if their software were as secure as everyone else's, they're running with more potential open ports through which to be attacked.

  7. Re:He wrote it as if it was on @Stake's behalf on Author of Paper Critical of Microsoft is Fired · · Score: 1

    The paper argues purely from a security perspective:

    1) The dominance of any one operating system would lead to the potential (which has been realized repeatedly) for a virus to affect nearly all computers. They point out that from this perspective it would be as dangerous for any other operating system to dominate, so this issue is independent of Microsoft.

    2) Microsoft's strategic goal is to increase their marketshare, which makes the monoculture even more dangerous. Of course, any other monoculture strives to perpetuate itself, so this is also independent of Microsoft.

    3) Microsoft's behavior historically, and strategic interests going forward, are to make decisions that run counter to basic security principles. This makes MS particularly dangerous.

    Imagine as an alternative what security would look like if everyone ran Red Hat Linux. Issues (1) and (2) would apply -- if everything ran Linux, a Linux vulnerability could wipe out everything. But issue (3) would not apply, since Red Hat doesn't have a track record of making extremely bad security decisions.

  8. Re:Wow, bonanza! on Author of Paper Critical of Microsoft is Fired · · Score: 1

    "We help you make the hard decisions about what matters most in your business"

    You can certainly see the result when they had to make a hard decision about what matters most in _their_ business. :-)

  9. Re:Another unmentioned angle to the story.... on Author of Paper Critical of Microsoft is Fired · · Score: 1

    This seems odd to me -- those guys will sell mailing lists to _anyone_ promoting _anything_. If they're turning down money by refusing to allow CCIA to do this mailing, there's something else going on.

  10. Re:Can they do that? on Author of Paper Critical of Microsoft is Fired · · Score: 2, Interesting

    @stake's primary responsibility should be to secure their clients' systems; prodding the players in the marketplace to produce more secure systems is their job. If I were a client of @stake I'd be very concerned that they placed a higher value on not offending a vendor than on providing security to their clients.

  11. Re:Can they do that? on Author of Paper Critical of Microsoft is Fired · · Score: 2, Insightful

    "When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes you represent your company."

    You mean "the average Slashdot poster who didn't RTFA assumes...".

  12. Re:He wrote it as if it was on @Stake's behalf on Author of Paper Critical of Microsoft is Fired · · Score: 5, Informative

    "When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes you represent your company."

    The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."

    Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bios and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.

    Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?

    If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.

  13. Re:Gee.... on File-Sharing Ethics Taught In Classrooms? · · Score: 1

    Um... that was the POINT! The reason that artists all want to sign with a major label, even if they complain a lot, is that they'll make MORE money than trying to sell on their own.

  14. Re:Representative government? on House Votes to Launch Do-Not-Call List · · Score: 1

    Congressmen have a responsibility _both_ to the people of their district and to the country as a whole.

  15. Re:Gee.... on File-Sharing Ethics Taught In Classrooms? · · Score: 1

    Except for the $1M advance, of course, and the fact that 1M people know who the band is (so if they don't suck they can sell them more music, tour, sell T-shirts, etc.).

  16. Re:more info on New Nano-ITX 12cm Motherboards · · Score: 1

    The slot on the back looks like RAM to me.

    I have no idea what the blue 7-pin connector is -- I've never seen that connector before.

    There's what looks like a normal 4-pin power connector (4-pins, keyed, white plastic) towards the middle of the board from the battery.

    And you're right -- it is amazing how clean this board is. They make it looks like they could easily compress it another 1-2 cm!

  17. Re:legalities on Paul Vixie And David Maher On VeriSign Wildcarding · · Score: 1

    Admittedly the RFC is a bit vague -- in one place they define wildcards as a generic mechanism that could be construed as applying at any level in the hierarchy, but in other places they say that wildcards only apply within a domain, as I pointed out above. So an aggressive lawyer could argue that they're conforming to a degenerate case of the RFC, even though reading it that way makes much of the RFC make no sense (e.g. why spend 1/3rd of the RFC on defining name errors and how to issue, propagate and cache them, if the TLD can be a wildcard, eliminating all name errors). IMO, Verisign's interpretation of the RFC is so irrational that it didn't occur to anyone that they had to explicitly prohibit it.

    I wonder if perhaps the answer could be to issue a new RFC, obsoleting or updating RFC 1034, that clarifies that wildcards can't be applied across an entire TLD. If Verisign's contract states that they must support all current RFCs related to DNS (as opposed to freezing the DNS spec in time), that'd fix the problem.

  18. Re:speed no longer matters on PC Mag Compares G5 to Xeon · · Score: 1

    Actually, hard drives are dramatically faster than they used to be. Back when I worked at GCC Technologies writing hard drive device drivers, you were pretty happy if you could move 1 MB/sec (Mac Plus to 20 MB HD). I just read a review of some 10K RPM drives (http://www.tech-report.com/reviews/2003q2/10k-comparo/index.x?pg=1) that delivered sustained throughput of over 72 MB/sec.

    Of course, systems also provide far more formatting capabilities, and have much better displays, which consumes disk space and CPU, but in return we don't have to use Electric Pencil on a TRS-80 storing to cassette tape. :-)

  19. Re:It's the same issue on Paul Vixie And David Maher On VeriSign Wildcarding · · Score: 2, Insightful

    The thing that bothers me is that now Verisign has configured the DNS system to lie to everyone because it's profitable for them to do so. DNS' responsibility is simple: allow applications to look up names. If the name is registered it should return the appropriate IP address. If the name is not registered it should return an error. While Verisign has delusions of power, their job (in this situation) is simply to operate the DNS database, which they've just failed on a massive scale. The contract should be pulled and DNS administered by a non-profit, where DNS belongs.

  20. Re:legalities on Paul Vixie And David Maher On VeriSign Wildcarding · · Score: 3, Informative

    Plain old text mangles my post a bit, so here it is again. Sorry I didn't catch it in preview...

    I believe that Verisign's use of a wildcard to map all DNS requests for *.com to their web site violates the relevant RFC's.

    Going through all of the DNS RFC's, all of them assume or require that when a name is not found, the DNS server return an error.

    Going through them in historical order: RFC 811 specifies that if the name is not found, a 'NAMNFD' code is returned. RFC 1034 also talks about sending "a name error indicating that the name does not exist" and "A name error (NE). This happens when the referenced name does not exist. For example, a user may have mistyped a host name." It also discusses caching name errors for efficiency, which of course only makes sense if the authoritative DNS servers actually issue name errors (which Verisign is now not doing). RFC 1035 specifies that if "the domain name referenced in the query does not exist" that a "Name Error" be returned.

    There is a wildcard mechanism in RFC 1034, but it's defined to apply to '"*.<anydomain>", where <anydomain> is any domain name' which makes it pretty clear to me that it's not intended to apply to domains. To emphasise this, all of the examples of DNS wildcards are of the form *.X.COM or *.A.X.COM.

  21. Re:legalities on Paul Vixie And David Maher On VeriSign Wildcarding · · Score: 1

    I believe that Verisign's use of a wildcard to map all DNS requests for *.com to their web site violates the relevant RFC's.

    Going through all of the DNS RFC's, all of them assume or require that when a name is not found, the DNS server return an error.

    Going through them in historical order: RFC 811 specifies that if the name is not found, a 'NAMNFD' code is returned. RFC 1034 also talks about sending "a name error indicating that the name does not exist" and "A name error (NE). This happens when the referenced name does not exist. For example, a user may have mistyped a host name." It also discusses caching name errors for efficiency, which of course only makes sense if the authoritative DNS servers actually issue name errors (which Verisign is now not doing). RFC 1035 specifies that if "the domain name referenced in the query does not exist" that a "Name Error" be returned.

    There is a wildcard mechanism in RFC 1034, but it's defined to apply to '"*.<anydomain>", where <anydomain> is any domain name' which makes it pretty clear to me that it's not intended to apply to domains. To emphasise this, all of the examples of DNS wildcards are of the form *.X.COM or *.A.X.COM.
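Added example for comments 20 and 21 above (not code from the original posts): a minimal lookup modelled on the RFC 1034 section 4.3.3 wildcard rules. It shows why a "*.<anydomain>" wildcard only synthesizes answers for names below <anydomain>, and why installing a wildcard at the TLD itself turns every unregistered second-level name into a positive answer instead of the name error that resolvers are supposed to return and cache. Zone contents and addresses are constructed, and the model ignores delegation and record types.

```python
"""RFC 1034 sec. 4.3.3 style wildcard lookup (constructed example)."""

NAME_ERROR = "NXDOMAIN"   # RFC 1034's "name error (NE)"


def _canon(name: str) -> str:
    """Lowercase and strip the trailing dot so owner names compare equal."""
    return name.lower().rstrip(".")


def lookup(zone: dict, qname: str) -> str:
    """Return the address for qname, or NAME_ERROR.

    `zone` maps canonical owner names to an address; owners of the form
    '*.<anydomain>' are wildcards.  Per RFC 1034 a wildcard matches only
    names below <anydomain>, and not when the query name or any name
    between the wildcard and the query name already exists.
    """
    q = _canon(qname)
    if q in zone:                        # an exact match beats any wildcard
        return zone[q]
    parts = q.split(".")
    for i in range(1, len(parts)):       # walk up the tree towards the root
        ancestor = ".".join(parts[i:])
        if "*." + ancestor in zone:      # closest enclosing wildcard wins
            return zone["*." + ancestor]
        if ancestor in zone:             # an existing name in between blocks
            break                        # every wildcard further up
    return NAME_ERROR


# Constructed registry-style data: x.com carries its own wildcard, which
# is the *.X.COM shape the RFC's examples use.  Addresses are samples.
ZONE = {
    "x.com": "192.0.2.1",
    "*.x.com": "192.0.2.1",
    "a.x.com": "192.0.2.2",
    "example.com": "192.0.2.3",
}

# The same data after a wildcard is installed at the TLD itself.
TLD_WILDCARD_ZONE = {**ZONE, "*.com": "192.0.2.99"}

QUERIES = ["www.x.com", "a.x.com", "www.a.x.com",
           "example.com", "nosuch.com", "typo.example.com"]


def count_name_errors(zone: dict, queries) -> int:
    """How many queries yield the name error a resolver can negatively cache."""
    return sum(1 for name in queries if lookup(zone, name) == NAME_ERROR)


if __name__ == "__main__":
    for label, z in (("per-domain wildcard", ZONE),
                     ("TLD wildcard", TLD_WILDCARD_ZONE)):
        print(f"--- {label}: {count_name_errors(z, QUERIES)} name errors")
        for name in QUERIES:
            print(f"{name:18} -> {lookup(z, name)}")
```

Names under a registered domain (www.a.x.com, typo.example.com) still get a name error in both runs, because the existing name between the wildcard and the query blocks the match; only the unregistered second-level name changes from NXDOMAIN to the wildcard's address.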

  22. Re:Can we really expect 'reasonability'? on California Tries Spam Ban · · Score: 1

    Spam is an artifact of email being virtually free to send, because it's paid for by the ISPs and the receivers, not the senders. This means that you can make money sending immense volumes of spam, even with a very low response rate. The only way to stop spam is to make it cost the senders more than it's worth to send.

    Read the law -- it excludes pretty much any reasonable email. All it excludes is unsolicited commercial email.

    As far as your "policing agency" concern goes -- the people filing the lawsuits under this law are the recipients of spam.

    If the Mom-n-Pop shop "accidentally" sends out 100K unsolicited emails, they'll get nailed. And they should. And at $1M per "incident" for large scale spammers (the ones with "good lawyers to defend them"), there's plenty of incentive for people to identify and prosecute spammers. And best of all, this law makes advertisers liable, which means that they can't hide behind the spammers. If advertisers refuse to accept the risk of these lawsuits, they'll stop funding spam, and it'll stop.

    I used to think that email filters could solve spam. Now that spamming has grown into a large, highly profitable business, making money off of intrusively annoying hundreds of millions of people and undermining the value of the single most successful internet application, I have changed my mind. There's no legitimate reason for any business to send unsolicited emails, and simple decency to behave in a civilized manner and not spam people. Apparently some people aren't restrained by a sense of decency, and I, for one, am pretty happy to have them restrained by the threat of massive lawsuits rather than to continue to trash our email network.

  23. Re:That's a totally failing approach on California Tries Spam Ban · · Score: 1

    "Your proposal would make it easy for anybody who wanted to stifle their competition to joejob them, which would make it illegal to buy their product in spite of the fact that the spam is obviously bogus."

    That's why there are courts. If someone sends out spam advertising your product, and you can convince a court that you didn't do it ("the spam is obviously bogus") you aren't liable. Also, sending illegal spam advertising a product wouldn't make it illegal to buy that product; it would just cost you a potential $1,000 an email, to a max of $1M per "incident" if you spammed from or into California.

  24. Note the dates... on California Tries Spam Ban · · Score: 1

    "Do you think Grey Davis has any intention of keeping this up? With the CA recall election now slated for Oct 7th, he will do whatever he can to appeal to "the people" . Even if it's with empty legislation."

    Grey Davis must be pretty impressive if he can travel back in time to convince Senator Murray to introduce a bill in February in order to head off the recall vote.
    ----- quote -----
    BILL NUMBER: SB 186 ENROLLED
    BILL TEXT
    PASSED THE SENATE SEPTEMBER 11, 2003
    PASSED THE ASSEMBLY SEPTEMBER 8, 2003
    AMENDED IN ASSEMBLY SEPTEMBER 5, 2003
    AMENDED IN ASSEMBLY AUGUST 25, 2003
    AMENDED IN ASSEMBLY AUGUST 18, 2003
    AMENDED IN ASSEMBLY JULY 10, 2003
    AMENDED IN ASSEMBLY JULY 9, 2003
    AMENDED IN ASSEMBLY JUNE 26, 2003
    AMENDED IN SENATE MAY 22, 2003
    AMENDED IN SENATE MAY 6, 2003
    AMENDED IN SENATE MARCH 17, 2003

    INTRODUCED BY Senator Murray
    (Principal coauthor: Assembly Member Correa)
    (Coauthors: Assembly Members Bermudez, Maldonado, and Simitian)

    FEBRUARY 12, 2003

  25. Re:Can we really enforce this? on California Tries Spam Ban · · Score: 1

    Cool.

    In re-reading the actual law, I spotted one other thing -- if the recipient explicitly invites the email, it's allowed. So if a company listed its purchasing agent on its web site, saying "email this guy if you want to sell us stuff" it'd be completely legal to do so.

    Kinda falls in the "of course" category, but it's nice that they thought to cover it.

    This law reads really well. I wish they all did.