Couldn't you just make reasonable contractual requirements of your employees -- like not reveling trade secrets or customer relationships? Why must you be barred from working in large swaths of the industry instead of just being barred from releasing inside information?
If you're planning to get fired it's not tough. Among other things, you could just stop showing up. They'd either have to fire you or pay you to stay home, either of which work for your purposes.
I'll grant you that the range of "foreseen events" is bigger for people than rockets, and that we don't teach rockets to distrust and re-write existing algorithms (though since almost every launch failure mode ends with a boom that would probably be a waste of time).
But people are very bad at handling truly unforeseen events. What would you do if the flooring in your house suddenly had 99% less friction -- you'd likely fail (and fall) repeatedly when attempting to propel yourself. You'd probably eventually figure something out, but if you were only given one chance (like a rocket) I doubt you'd make it.
Alternatively both rockets and people both respond well to foreseen events, like a thrust imbalance or a course change. There are lots of things that happen during a rocket launch that cannot be predicted but must be observed and analyzed so the rocket can react appropriately.
If that observation, analysis and reaction is done internally I'd call the device "autonomous", at least for the scope described -- my cell phone isn't an autonomous voice-response system, but it is an autonomous radio system, determining how, when and what to transmit and what to do about things it receives without any necessary interaction from me. I need to talk at it and listen to provide useful voice interaction, but it's quite capable of sending and receiving data across a negotiated, dynamic radio link without any human intervention.
Just "entering" is generally not a crime -- to be criminal it typically requires knowledge that your presence is unlawful. And when it is a crime it's called "criminal trespass", at least 'round these parts.
Why would it need to be targeted only at AU users? If MS trusts (read: accepts enough money from) the AU government enough to add their CA to Windows why would they care if it was AU only or affected all versions of Windows?
I realize that security is about raising the bar by increasing the cost or risks or decreasing the reward. And in that respect what you're doing is perfectly reasonably. But on any network where you let users send GET requests to port 80 and receive HTTP data back -- even through a proxy and/or deep packet inspection (and excluding very restrictive environments like whitelist-only web browsing) -- they can tunnel data in and out of your network.
They could use plain old HTTP on port 80 and run encryption in the message body instead of the data stream. Even if you searched the message body looking for unusual data it's entirely possible to hide the real message inside perfectly valid HTTP requests and responses. And automated scripting could request other normal web pages to hide the tunnel-related traffic in among "normal" browsing.
At best you could say prove that such users visited a certain site frequently -- assuming you even noticed in the first place. Unless your workplace is very harsh I'd imagine it's hard to "make an example" out of someone for frequently revisiting the same site, particularly if you put up a good cover like job-related tools or a search engine. And even the "frequently revisited" bit could be hidden if you controlled enough remote IP addresses.
Like I said, what you're doing is reasonably, and you mention other measures you're taking to reduce the risk of this sort of attack. But so long as users have Ethernet cables at their desks and the ability to download web pages a technically skilled attacker can form arbitrary tunnels and can make them difficult to detect.
First the local IT admins make you install their certificate authority, so you trust certificates they generate.
Then they perform a man-in-the-middle attack on your SSL session using a dynamically generated certificate that you will trust because of the setup in stage one.
Obviously this only works when you can be convinced or required to trust their certificate authority. But in corporate environments that's the common case, and that's exactly where these kinds of devices are most likely to be deployed.
You could provide your own host. Pay a professional or ask a friend to let you run SSHD on some host outside the firewall. If necessary, install an HTTP wrapper to get your SSH data through the local proxy/packet inspector.
The remote box you're using won't be blocked because WebSense won't know anything about it. Even if your school noticed your traffic and reported it WebSense is unlikely to add your single-user, unadvertised node to their list of proxies. Your school could try to block you directly, but given the ease with which you could switch hosting providers it would be at worst a 1-day annoyance while you changed IPs (or domains, or whatever other identifier they are using to track your traffic).
You can get a VM or a cheap old box at some colo for $30/month and run whatever kind of proxy you like. It's not free, but it's not exactly expensive either, and you could share the cost with others users without much hassle.
Yes, but the elitist has an unspecified gender, and people don't much like being called "it". Modern usage suggests the plural pronoun (which in English is typically gender-neutral) when the subject -- singular or plural -- has an unknown gender.
So long as the server still responds to old-school SMTP requests it does little good to use a new, optional protocol -- spam bots will simply request a pure SMTP conversation and bypass whatever protections the new system provides.
Even if you convince a significant portion of the world to use your system, you still will likely need to support SMTP for a good decade, and without significant penalties in your spam filter.
It's the same problem that every new "backwards compatible" extension for SMTP offers -- being backwards compatible means it can't address the real problems, and the marginal gain for smaller problems it solves or new features it offers is not sufficient to bother changing.
No, opening a closed, unlocked door is *not* breaking and entering. It's not even trespassing unless you are asked to leave or the premises is posted.
If you enter an unlocked premises and steal something it's still burglary, but there's no forceable entry unless you disable a reasonable security measure. There's possibly some law against entering an unsecured premises with the intent of committing a crime, but if it exists I couldn't tell you want it is (maybe something like trespassing, but without the need for posting or other notification).
Since we have no information about his intent or even his specific actions I'm not sure what analogy you're trying to draw, but in any case the analogy would probably be better if you understood it yourself.
Would you rather have a cost-cutting plant with hundreds of tons of high volatile fuel full of poisonous (and radioactive) chemicals and no containment dome near your home?
Or live next to train tracks where easily-gasified, extremely poisonously chemicals are shipped at high speed in relatively thin metal containers that are *not* designed to withstand crashes?
Sure, nuclear contamination (sometimes) has a longer threat timeline, but that's not really important if you're living there when it happens. And with the safety features that are standard in all plants even considerable negligence in a nuclear plant less dangerous than many other threats you don't bother to consider.
Ignoring the fact that non-profit groups might have the same reasons for cutting corners -- couldn't you use economic incentive to make corner-cutting unattractive?
For example, we could create a $500,000 tax credit for any inspection company that finds a significant violation not found by any previous inspection company (and fund it by fining the plant and/or the first inspection company). Then all you have to do is require inspection by at least 2 outside companies. It's possible to bribe them, but if you make the reward for finding faults high enough it quickly becomes cheaper to just avoid violations in the first place.
You could make the same sort of arguments against pencil-and-paper voting. What if I lack the fine muscle control necessary to mark the small boxes? What if I was mistaken about the alignment of the checkboxes with respect to the candidate names?
I'm not saying electronic voting is the answer, but it silly to pretend that there are no issues with paper-and-pencil methods.
If your electronic input devices had a sufficiently easy-to-use interface, and produced human-verifiable output, you could have the best of both worlds. You could have giant checkboxes, audio guides, alternate languages, make mistakes easy to correct (no need to ask for a new ballot) and *STILL* print a human-readable output ballot. That would ensure that all paper ballots are distinctly marked and easy-to-read, would allow voters to verify that the machine did what they intended, and would allow auditors easily to compare the paper count to the electronic count.
Heck, with a little pubkey signing you could even produce duplicate output to allow voters to take home a *verifiable* copy of their ballot and thereby permit citizen-organized recounts without any assistance from the government. That's something that paper just can't do.
Yes, because when a device designed to convert electromagnetic waves into audio waves does, um, exactly what it's designed to do that's a sure sign that something terrible is happening.
And I don't know about you, but my body shares about 87% of the components of a typical audio system, so I expect more or less the same effect on my body as on my cheap audio system.
--
Seriously your speaker system is *supposed* to make electrical noise into audio noise. That's the definition of a speaker.
And unless your entire audio signal path is shielded you shouldn't be terribly impressed that the wiring picks up nearby electromagnetic radiation. Compare the length of your cell phone antenna to the length of the unshielded wiring in your speaker system and consider if that orders-of-magnitude difference in length might be enough to overcome the sub-optimal tuning of the speaker signal wire as an antenna and allow it to pickup the cellular signal at sufficient strength to be audible.
So what you're saying is that the government currently has the most thugs with the biggest guns and therefore we should all give in to whatever kind of thuggery they want to inflict?
Maybe it's folly, but I for one would like to at least hope that there's some chance of overthrowing the government. If you give up that hope then there's not much practical difference between the existing government and a non-elected ruling class -- those in power must give some credence to the threat that they could be ousted or they have no incentive to act in a way that benefits anyone else. Being able to make a credible threat of overthrowing the government seems like a good way to keep those in power believing that they serve only at the pleasure of the people.
Having recently be assigned a Window Mobile phone and not owning a Windows desktop I can tell you it's is *not* easy to develop for -- you need MS Windows and MS Visual Studio. I don't know about you, but I don't really want to pay $200 for an OS and $200 for development tools just to write programs for my phone.
With a 400 MHz processor and 8 GB of storage I don't understand why I can't just run a compiler on the phone. I probably wouldn't actually type code into the phone (though with a BlueTooth keyboard it wouldn't be that bad), but it would be nice to avoid the need for an ARM cross-compiling environment (and hence the need for a Windows desktop) and it would let me make and test minor modifications or debugging changes without needing to go back to a desktop somewhere and copy files around.
It *is* a perfectly valid Sunday activity, unless there's evidence that you're planning to hurt people. Having a car is not evidence that you're going to commit a crime. Sending someone a letter threatening to run them down with your car is.
Your cell phone is an electrical timing device. So is your kitchen timer.
And while we do regulate explosives, there are all sorts of valid reasons to have them or their components in your home or business -- maybe you blow things up for a living, or maybe you grow plants (ammonium nitrate) and heat your home (fuel oil) or run a combustion-powered equipment (diesel).
I'm sorry you're too scared of life to let anyone else enjoy it. It's sad, but I really must insist that you stop trying to terrorize the rest of the world just because you're afraid.
I'd be particularly surprised if your business turned off lights during the day and on at night -- most business run lighting when people are present, regardless of the outside conditions. Most building designs don't allow any other option.
In a similar fashion, street lights run only when it's dark. They don't care what time it is or how long it's been since they turned on -- they run from dusk to dawn no matter what the clock says.
Homes are the one place that lighting is likely to be used more when it's dark then when it's light. But even at home there are many places were lighting is based on occupancy and not time-of-day.
"Goodwill" is a specific subset of "intangible assets". Other items such as patents, copyrights, trademarks or other contractually transferable rights or privileges would be in the same category, but are not "goodwill", which has a specific meaning in accounting.
I agree video adaptors are annoying, but DisplayPort is a step in the right direction -- it's not something that Apple invented, and it's becoming available on Dell, HP, Lenovo, Samsung, etc. systems and displays as well.
So at the very least you won't be stuck buying Apple-produced adaptors or having the adaptor only work with one model of laptop.
Slashdot Mirror
Couldn't you just make reasonable contractual requirements of your employees -- like not reveling trade secrets or customer relationships? Why must you be barred from working in large swaths of the industry instead of just being barred from releasing inside information?
If you're planning to get fired it's not tough. Among other things, you could just stop showing up. They'd either have to fire you or pay you to stay home, either of which work for your purposes.
So is the truck. Or people even.
I'll grant you that the range of "foreseen events" is bigger for people than rockets, and that we don't teach rockets to distrust and re-write existing algorithms (though since almost every launch failure mode ends with a boom that would probably be a waste of time).
But people are very bad at handling truly unforeseen events. What would you do if the flooring in your house suddenly had 99% less friction -- you'd likely fail (and fall) repeatedly when attempting to propel yourself. You'd probably eventually figure something out, but if you were only given one chance (like a rocket) I doubt you'd make it.
Alternatively both rockets and people both respond well to foreseen events, like a thrust imbalance or a course change. There are lots of things that happen during a rocket launch that cannot be predicted but must be observed and analyzed so the rocket can react appropriately.
If that observation, analysis and reaction is done internally I'd call the device "autonomous", at least for the scope described -- my cell phone isn't an autonomous voice-response system, but it is an autonomous radio system, determining how, when and what to transmit and what to do about things it receives without any necessary interaction from me. I need to talk at it and listen to provide useful voice interaction, but it's quite capable of sending and receiving data across a negotiated, dynamic radio link without any human intervention.
Just "entering" is generally not a crime -- to be criminal it typically requires knowledge that your presence is unlawful. And when it is a crime it's called "criminal trespass", at least 'round these parts.
Why would it need to be targeted only at AU users? If MS trusts (read: accepts enough money from) the AU government enough to add their CA to Windows why would they care if it was AU only or affected all versions of Windows?
I realize that security is about raising the bar by increasing the cost or risks or decreasing the reward. And in that respect what you're doing is perfectly reasonably. But on any network where you let users send GET requests to port 80 and receive HTTP data back -- even through a proxy and/or deep packet inspection (and excluding very restrictive environments like whitelist-only web browsing) -- they can tunnel data in and out of your network.
They could use plain old HTTP on port 80 and run encryption in the message body instead of the data stream. Even if you searched the message body looking for unusual data it's entirely possible to hide the real message inside perfectly valid HTTP requests and responses. And automated scripting could request other normal web pages to hide the tunnel-related traffic in among "normal" browsing.
At best you could say prove that such users visited a certain site frequently -- assuming you even noticed in the first place. Unless your workplace is very harsh I'd imagine it's hard to "make an example" out of someone for frequently revisiting the same site, particularly if you put up a good cover like job-related tools or a search engine. And even the "frequently revisited" bit could be hidden if you controlled enough remote IP addresses.
Like I said, what you're doing is reasonably, and you mention other measures you're taking to reduce the risk of this sort of attack. But so long as users have Ethernet cables at their desks and the ability to download web pages a technically skilled attacker can form arbitrary tunnels and can make them difficult to detect.
First the local IT admins make you install their certificate authority, so you trust certificates they generate.
Then they perform a man-in-the-middle attack on your SSL session using a dynamically generated certificate that you will trust because of the setup in stage one.
Obviously this only works when you can be convinced or required to trust their certificate authority. But in corporate environments that's the common case, and that's exactly where these kinds of devices are most likely to be deployed.
You could provide your own host. Pay a professional or ask a friend to let you run SSHD on some host outside the firewall. If necessary, install an HTTP wrapper to get your SSH data through the local proxy/packet inspector.
The remote box you're using won't be blocked because WebSense won't know anything about it. Even if your school noticed your traffic and reported it WebSense is unlikely to add your single-user, unadvertised node to their list of proxies. Your school could try to block you directly, but given the ease with which you could switch hosting providers it would be at worst a 1-day annoyance while you changed IPs (or domains, or whatever other identifier they are using to track your traffic).
You can get a VM or a cheap old box at some colo for $30/month and run whatever kind of proxy you like. It's not free, but it's not exactly expensive either, and you could share the cost with others users without much hassle.
Technically that's *an* internet. It's only part of *the* Internet if it's also connected the global network.
Yes, but the elitist has an unspecified gender, and people don't much like being called "it". Modern usage suggests the plural pronoun (which in English is typically gender-neutral) when the subject -- singular or plural -- has an unknown gender.
So long as the server still responds to old-school SMTP requests it does little good to use a new, optional protocol -- spam bots will simply request a pure SMTP conversation and bypass whatever protections the new system provides.
Even if you convince a significant portion of the world to use your system, you still will likely need to support SMTP for a good decade, and without significant penalties in your spam filter.
It's the same problem that every new "backwards compatible" extension for SMTP offers -- being backwards compatible means it can't address the real problems, and the marginal gain for smaller problems it solves or new features it offers is not sufficient to bother changing.
No, opening a closed, unlocked door is *not* breaking and entering. It's not even trespassing unless you are asked to leave or the premises is posted.
If you enter an unlocked premises and steal something it's still burglary, but there's no forceable entry unless you disable a reasonable security measure. There's possibly some law against entering an unsecured premises with the intent of committing a crime, but if it exists I couldn't tell you want it is (maybe something like trespassing, but without the need for posting or other notification).
Since we have no information about his intent or even his specific actions I'm not sure what analogy you're trying to draw, but in any case the analogy would probably be better if you understood it yourself.
Would you rather have a cost-cutting plant with hundreds of tons of high volatile fuel full of poisonous (and radioactive) chemicals and no containment dome near your home?
Or live next to train tracks where easily-gasified, extremely poisonously chemicals are shipped at high speed in relatively thin metal containers that are *not* designed to withstand crashes?
Sure, nuclear contamination (sometimes) has a longer threat timeline, but that's not really important if you're living there when it happens. And with the safety features that are standard in all plants even considerable negligence in a nuclear plant less dangerous than many other threats you don't bother to consider.
Ignoring the fact that non-profit groups might have the same reasons for cutting corners -- couldn't you use economic incentive to make corner-cutting unattractive?
For example, we could create a $500,000 tax credit for any inspection company that finds a significant violation not found by any previous inspection company (and fund it by fining the plant and/or the first inspection company). Then all you have to do is require inspection by at least 2 outside companies. It's possible to bribe them, but if you make the reward for finding faults high enough it quickly becomes cheaper to just avoid violations in the first place.
Even if it's as slow or slower than a human the bot is still often more efficient -- you don't have to hire a human.
Plus the bot can work 24/7/365, and never makes any transcriptions errors -- humans typically fail both those tests.
/ I write bots for a living
// Scraping information at its owner's request
/// Still have to apply work-arounds because information owner doesn't tell (often third-part) webmaster that I'm allowed to scrape
You could make the same sort of arguments against pencil-and-paper voting. What if I lack the fine muscle control necessary to mark the small boxes? What if I was mistaken about the alignment of the checkboxes with respect to the candidate names?
I'm not saying electronic voting is the answer, but it silly to pretend that there are no issues with paper-and-pencil methods.
If your electronic input devices had a sufficiently easy-to-use interface, and produced human-verifiable output, you could have the best of both worlds. You could have giant checkboxes, audio guides, alternate languages, make mistakes easy to correct (no need to ask for a new ballot) and *STILL* print a human-readable output ballot. That would ensure that all paper ballots are distinctly marked and easy-to-read, would allow voters to verify that the machine did what they intended, and would allow auditors easily to compare the paper count to the electronic count.
Heck, with a little pubkey signing you could even produce duplicate output to allow voters to take home a *verifiable* copy of their ballot and thereby permit citizen-organized recounts without any assistance from the government. That's something that paper just can't do.
Yes, because when a device designed to convert electromagnetic waves into audio waves does, um, exactly what it's designed to do that's a sure sign that something terrible is happening.
And I don't know about you, but my body shares about 87% of the components of a typical audio system, so I expect more or less the same effect on my body as on my cheap audio system.
--
Seriously your speaker system is *supposed* to make electrical noise into audio noise. That's the definition of a speaker.
And unless your entire audio signal path is shielded you shouldn't be terribly impressed that the wiring picks up nearby electromagnetic radiation. Compare the length of your cell phone antenna to the length of the unshielded wiring in your speaker system and consider if that orders-of-magnitude difference in length might be enough to overcome the sub-optimal tuning of the speaker signal wire as an antenna and allow it to pickup the cellular signal at sufficient strength to be audible.
So what you're saying is that the government currently has the most thugs with the biggest guns and therefore we should all give in to whatever kind of thuggery they want to inflict?
Maybe it's folly, but I for one would like to at least hope that there's some chance of overthrowing the government. If you give up that hope then there's not much practical difference between the existing government and a non-elected ruling class -- those in power must give some credence to the threat that they could be ousted or they have no incentive to act in a way that benefits anyone else. Being able to make a credible threat of overthrowing the government seems like a good way to keep those in power believing that they serve only at the pleasure of the people.
Having recently be assigned a Window Mobile phone and not owning a Windows desktop I can tell you it's is *not* easy to develop for -- you need MS Windows and MS Visual Studio. I don't know about you, but I don't really want to pay $200 for an OS and $200 for development tools just to write programs for my phone.
With a 400 MHz processor and 8 GB of storage I don't understand why I can't just run a compiler on the phone. I probably wouldn't actually type code into the phone (though with a BlueTooth keyboard it wouldn't be that bad), but it would be nice to avoid the need for an ARM cross-compiling environment (and hence the need for a Windows desktop) and it would let me make and test minor modifications or debugging changes without needing to go back to a desktop somewhere and copy files around.
It *is* a perfectly valid Sunday activity, unless there's evidence that you're planning to hurt people. Having a car is not evidence that you're going to commit a crime. Sending someone a letter threatening to run them down with your car is.
Your cell phone is an electrical timing device. So is your kitchen timer.
And while we do regulate explosives, there are all sorts of valid reasons to have them or their components in your home or business -- maybe you blow things up for a living, or maybe you grow plants (ammonium nitrate) and heat your home (fuel oil) or run a combustion-powered equipment (diesel).
I'm sorry you're too scared of life to let anyone else enjoy it. It's sad, but I really must insist that you stop trying to terrorize the rest of the world just because you're afraid.
You're assuming there's a power savings. That's not known to be true. In fact there's some evidence that it actually *wastes* power.
I'd be particularly surprised if your business turned off lights during the day and on at night -- most business run lighting when people are present, regardless of the outside conditions. Most building designs don't allow any other option.
In a similar fashion, street lights run only when it's dark. They don't care what time it is or how long it's been since they turned on -- they run from dusk to dawn no matter what the clock says.
Homes are the one place that lighting is likely to be used more when it's dark then when it's light. But even at home there are many places were lighting is based on occupancy and not time-of-day.
"Goodwill" is a specific subset of "intangible assets". Other items such as patents, copyrights, trademarks or other contractually transferable rights or privileges would be in the same category, but are not "goodwill", which has a specific meaning in accounting.
I agree video adaptors are annoying, but DisplayPort is a step in the right direction -- it's not something that Apple invented, and it's becoming available on Dell, HP, Lenovo, Samsung, etc. systems and displays as well.
So at the very least you won't be stuck buying Apple-produced adaptors or having the adaptor only work with one model of laptop.
http://h10010.www1.hp.com/wwpc/us/en/en/WF06c/A10-51210-64268-348724-64268-3769762-3769763-3769765.html