Yup. First, talk to a lawyer. This costs 30 min of his time, so it's not expensive.
If he confirms that this is unenforceable, propagate that to the company and see what they have to say. If it's a company with multiple offices, they may in fact be asking you to sign a paper drafted for another country, in which case they may back off and come up with a revised version. I've been through this and it does in fact work.
If the lawyer says it's OK as per local laws, ask the company for a list of exemptions. Basically, put together a list of current projects you are "working on" and have them attach this list. Again, be reasonable, explain the situation, and there's a good chance they will agree. Moreover, you will be talking to HR about this, and HR will be talking to the legal dept. on your behalf. So do your best to win HR over first.
The trick with an exemption list, which _typically_ works, is to (a) be vague with the project descriptions and (b) avoid a code escrow.
If they don't get a copy of your current code tree, they won't ever be able to prove your existing version is not the one you have listed on the exemption list (excluding stupid mistakes, obviously).
Again, I personally made this sort of arrangement with a former employer, and I know a couple of other people who did the same with other employers. It's doable. Just be polite and reasonable.
.. that owns all these guns.
.. like .. very awesome and stuff.
That's not to mention that Tesla made his death ray fly through the sky. Which is http://en.wikipedia.org/wiki/Tunguska_event#Selected_eyewitness_reports
> We are working on an advanced system which will offer developers broad access to natively program the iPhone's amazing software platform while at the same time protecting users from malicious programs.
Looking at their revolutionary AT&T deal, one would expect that they won't miss a chance to properly milk iPhone developers too. I simply don't believe that Apple would relinquish their control over what can and cannot run on the iPhone.
How's this for a prediction -
"To provide the best degree of protection for iPhone users, all third party applications will need to be cross-signed by Apple. This ensures that we stand behind the application and its developer (and that the developer pays through the nose for this lovely arrangement)".
> but then I found http://gigaom.com/2005/07/04/gizmo-project-not-that-open-after-all/ ...
"Some dude said that some dude said that someone heard .."
Wouldn't it be better from a privacy perspective to integrate FF with OpenDNS instead?
The end result is the same. But it effectively prevents the service provider from cross-correlating these URL lookups with the rest of the data it accumulated for an HTTP cookie.
And, yes, I have *.google-analytics.com null routed :-)
I am really curious who is sneaking out of Canada into the US to work for $4 an hour. Sounds deviously clever. Especially if, for example in Vancouver, a dishwasher job pays $8-10 an hour.
> In almost every case open source binaries distributed by the developer or distributions are built in a completely transparent and reversible manner with checksums and digital sigs that can be used to verify them.
Theoretically a checksum can be used to match the developer's binary against the one you built locally. This is completely impractical though, given that virtually no OSS publisher provides an exact spec of their build environment. Checksums are provided strictly to assist in verifying that the binary was not corrupted in transit. The same goes for the signatures, which additionally protect against intentional targeted tampering.
Also, the "in almost every case" part is a very brave overstatement. This is true for active high-profile projects, but as a casual scan of sf.net will show you, it is simply not true for the vast majority of OSS projects. Besides, as per above, checksums have nothing to do with establishing trust in a publisher.
>> The same thing can be said about any piece of software. At some point you have to take the risk that your machine might be exposed.
> Or... you could just use open source software.
Don't forget to build it from scratch. Presumably with a compiler that you also built from scratch. Oh, and don't forget to do the same for the dependencies.
Trustworthiness of the developer or any _binaries_ it distributes does not follow from the _source_ being open. The grandparent post is 100% correct. Any binary software carries a risk of exposure. Open source or not.
He's arguing that the license itself is a part of the software and therefore it's bound by the distribution rules.
Dual BSD/GPL licensing is a contraption that is used for one reason only - to let GPL projects use code from BSD projects. It is not meant to "free" this code. Think of it as a friendly gesture from BSD folks rather than an action of GPL adepts.
BSD/GPL is a viral form of BSD that propagates the spirit of BSD in exactly the same way GPL does. Not everyone in the O/S world subscribes to GNU's vision of "freedom", and Theo's response is a very clear indication of this.
Back in the late 90s I had a conversation with a friend who lived in Israel. According to him the technique in question was THE security monitoring technique used in public places (perhaps it still is, I just don't know). Given the situation in the country, there's little doubt that the technique actually works ... because otherwise they would've been scanning everyone's shoes instead.
How to go about establishing the credibility of the people who enforce it is a completely separate question. It is not, however, a reason to dismiss the approach altogether.
Hehe .. and they are going to go like "hmm .. firemen had a point .. let's burn some books" :)
I wonder how long it would take for someone to create an anti-GPL revision of the BSD license. Basically - do whatever you want with the code except for using it in GPL projects.
It requires Apollo/Flash to run "properly" (whatever that means). They are also moving towards an ad-supported and bundled "partner" software model, as per this post in their blog.
> That actually will compile
Actually it won't. There is no char * casting operator in std::string.
> right before WW2, there were a _lot_ of voices in the USA advocating _carpet-bombing_ the USSR with nukes preemptively
FYI, nukes were not available before WW2.
There's no reason to trust free software unless you either audit the entire code tree and build it yourself or get it from a 100% trustworthy source.
The former is impractical, the latter is non-existent. So free or not, the chances of getting bent over by a publisher if he is really out to get you are pretty much the same.
If this does not "sound right", consider what would happen if Apple were to open source iTunes (say, under the BSD license) and also provide a prebuilt binary from its own website. I think it is obvious that the vast majority of users would be using Apple's binary.
So there's nothing that would prevent Apple from building this binary from "slightly different" sources and adding some "extra" functionality to it. Even if the binary file discrepancies are discovered by the public, they can always be blamed on differences in the build environment & such. Any further _detailed_ analysis will be very slow and complicated due to the amount of work required.
Free or not, it all boils down to whether the user has trust in the developer/publisher. People tend to assume that free software developers are more trustworthy, but it is a very dangerous and costly assumption.
.. as well as grenade jumping. Though the closest one to being a bug is the strafe jump, as it's actually a flaw in the strafing code.
Amen to that.
Soooo what happens when/if 5.x.x.x starts to get allocated and used?
Hamachi'd computers will not be able to communicate with 5.x.x.x I-net peers if Hamachi is running.
Fuck off, idiot. It's not my machine. I don't use it. I didn't install anything on it. I didn't say the problem was caused by the software. I didn't spend much of my time working out why.
It might be coincidence. It might not. STFU, and GBTW.
And this parent post is a textbook definition of the lack of sense of humor.
America is the land of opportunity, where anyone can be rich. No one is going to hand it to you, it takes hard work and perseverance, and a clear understanding that one's choices define one's circumstances, not the other way around.
And it is exactly so in any other country (with a handful of obvious exceptions).
> Well, he did admit to drinking and he did ask to be suspended.
He also said that Miller Light was delicious ?!!
Not sure what this illness is called, but it damn sure has to be a brain disease.
Simply verifying the key (and sound of the voice) on each side match would determine if you've been tapped or not, right?
No, wrong.
It is possible to mount a MitM on DH that would yield identical keys at both ends. That's what GP said - the hash needs to cover not just the key, but all elements of the DH exchange.
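The point above, as an added example that is not part of the thread: a toy Diffie-Hellman exchange with a ZRTP-style short authentication string (SAS) that the two callers would read to each other. The attacker on the wire replaces both public values with the degenerate value 1, so both ends derive the same key and a key-only SAS still matches; an SAS over the whole transcript does not. The toy group (p = 23, g = 5), the fixed secrets and the 8-hex-digit SAS are constructed assumptions, and the `valid_public` check is an additional guard the comment does not mention.

```python
"""Toy DH + SAS showing why the SAS must hash the whole exchange, not just the key."""
import hashlib

# Constructed toy group, far too small for real use (real DH needs 2048-bit+
# parameters).  23 is prime and 5 generates its full multiplicative group.
P, G = 23, 5


def dh_public(priv):
    return pow(G, priv, P)


def dh_shared(peer_pub, priv):
    return pow(peer_pub, priv, P)


def sas_key_only(key):
    """Weak SAS: depends only on the derived key (constructed 8-hex-digit length)."""
    return hashlib.sha256(f"{key}".encode()).hexdigest()[:8]


def sas_transcript(alice_pub, bob_pub, key):
    """Strong SAS: also covers the public values each side actually saw,
    fed in a fixed (Alice, Bob) order so honest peers hash identical input."""
    return hashlib.sha256(f"{alice_pub}|{bob_pub}|{key}".encode()).hexdigest()[:8]


def valid_public(pub):
    """Reject degenerate public values (1 and p-1), which an attacker can
    push to both ends to force a predictable, identical key."""
    return 1 < pub < P - 1


def run_exchange(a, b, injected=None):
    """Run DH between Alice (secret a) and Bob (secret b).  If `injected` is
    set, an active attacker replaces both public values on the wire with it.
    Returns (alice_key, bob_key, alice_view, bob_view), where each view is
    (Alice's public value, Bob's public value) as that side saw them."""
    pub_a, pub_b = dh_public(a), dh_public(b)
    alice_got = pub_b if injected is None else injected  # what Alice received
    bob_got = pub_a if injected is None else injected    # what Bob received
    key_a, key_b = dh_shared(alice_got, a), dh_shared(bob_got, b)
    return key_a, key_b, (pub_a, alice_got), (bob_got, pub_b)


def compare(a, b, injected=None):
    """Return (keys_equal, key_only_sas_matches, transcript_sas_matches,
    received_values_valid) for one exchange."""
    key_a, key_b, alice_view, bob_view = run_exchange(a, b, injected)
    return (
        key_a == key_b,
        sas_key_only(key_a) == sas_key_only(key_b),
        sas_transcript(*alice_view, key_a) == sas_transcript(*bob_view, key_b),
        valid_public(alice_view[1]) and valid_public(bob_view[0]),
    )


if __name__ == "__main__":
    print("honest:  ", compare(6, 15))              # (True, True, True, True)
    print("attacked:", compare(6, 15, injected=1))  # (True, True, False, False)
```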
Here's what they say (it's a bit long, but it's worth reading) -
The Secure Desktop's primary difference from the User Desktop is that only trusted processes running as SYSTEM are allowed to run here (i.e. nothing running as the User's privilege level) and the path to get to the Secure Desktop from the User Desktop must also be trusted through the entire chain.
So what does this experience look like? When you click on a UAC shielded control, your user desktop will appear to dim and the window that caused the elevation request - typically the window you were most recently using - and the elevation UI will be made more prominent. This is to provide you with the highest level of context possible when interacting with the elevation dialog...
So - again - how exactly are they planning to prevent an arbitrary application from mimicking this behaviour?
It will not need to bother with the "Secure Desktop", but rather just make a copy of the screen, dim it, show it in a topmost window covering the entire screen and then superimpose a fake, but otherwise OK-looking, UAC dialog.