an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin.
I love this analogy. It actually works.
No, actually it doesn't.
An aspirin only relieves the symptom, not the cause. If you get a headache from hitting your head against the wall, an aspirin won't stop you from continuing to hit your head against the wall; all it will do is let you do it longer.
Perhaps he can answer this though: without exploit code, how do we know the problem is really fixed? Twice to my knowledge MS has released patches that didn't fix the hole they claimed. Publicly available exploits are a failsafe; they provide an independent means of verifying that the hole is actually closed.
This problem discussed in the article is better solved by the type of licensing model Microsoft plans to adopt: subscription software... This way, you have all the advantages of open source
Umm, no I don't.
I don't have the advantage of actually having the source.
With open source, I can fix any bugs, without having to wait for the official fix (an advantage).
With open source, I can learn from the source code.
With open source, I can adapt the source for my own needs - like adding a feature I want that the vendor doesn't feel is necessary/important.
Software subscription gives you ONE of the advantages of open source, but there's no way it gives you ALL of the advantages.
many of the limitations set aside by developers (in the number of pages a document can have in memory, the number of rows a spreadsheet can include) are forecasted not by them but by the limitations of the current technology
Yes, but that wasn't the case in your example. Unless you're somehow suggesting that the size of your partition or network share is technologically limited to be smaller than your RAM. If that's the case, you seriously need to look for another career.
Which leads once again to my question: what's a bug and what's a limitation?
That's an easy one to answer, at least in your example.
With the exception of unregistered cripple-ware, if the software allowed you to create the file, it's definitely a bug if it won't let you save it.
in the case of Code Red, not one home user got it. It went after IIS servers.
So sure of that, are you?
Funny, I recently saw a home user that got hit by both Code Red and Nimda. Seems he installed W2K, and just clicked "OK" until the machine booted... he got both IIS and Index Server.
He had no idea it was there, until I removed it for him.
Pretty much anyone who uses a PC day to day can configure and control a Windows box
This is not as much of an issue as you might think.
First off, in any decent organization, individual users DO NOT configure their own workstations - that's IT's job - there is just too much of a mess that a "regular" user could make, that they are not allowed to do it. So for configuration, the only people that need to be retrained are the IT staff.
Second, "controlling" KDE is pretty much the same as Windows - mouse moves the pointer, click on the icons, etc. Put the appropriate icons on the desktop, and minimal training is required. Apps training is even less of an issue, as all WYSIWYG word processors work basically the same way.
Yes, the biggest hiccup is data transfer - this will consume the largest amount of time and money, but most governments use some form of indexed central storage, which may not need to be changed right away. If they have a database of scanned images (i.e. dead-tree paperwork that has been scanned and filed) then the transfer would be pretty painless.
I'm a bit curious as to how they're going to save all that money. If they just stop using whatever software they already have paid for, will they get a refund? Or do they spend huge amounts of money each year on licenses, and that figure represents the savings over several years?
The article mentions that.
They currently use NT. In a year (or so) MS will stop supporting NT, so they'll have to go with XP, or switch to Linux. (You can't have government computers running an unsupported proprietary OS - someone creates the next NIMDA, and there is no way to patch the hole.)
The cost savings mentioned are projected across the entire federal government, (presumably) for MS licenses.
Imagine someone broke into your house and stole your stereo. Later, through your neighbor's window, you see your stereo. You try to reason with your neighbor, but to no avail. Would you not then be justified to break into your neighbor's house and reclaim your property?
No, you wouldn't.
You would (quite rightly) be hauled off to jail for break-and-enter, as well as theft.
The correct thing to do in your scenario would be to tell the police what you know, and allow THEM to get your stereo (after obtaining a search warrant.)
Just because someone stole from you, doesn't give you the right to steal.
I could just as easily say that DRM will increase innovation!
You could, but you'd be wrong.
As the music "industry" tightens its grip, more and more small bands will get greater exposure through places like ampcast.com, garageband.com and javamusic.com
The problem with this is that it ignores the SSSCA.
Under the DMCA, it's illegal to circumvent DRM, or to own a device that could circumvent DRM. Under the SSSCA, you're not allowed to have anything that doesn't enforce DRM.
The implications to this are subtle, but incredibly profound.
Since all devices that don't enforce DRM are illegal, there will be no MP3 players (as we know them today.) Instead there will be MP3DR(TM) players, which will refuse to play anything that does not include DRM information (after all, the only reason that media would not have DRM information would be if this information had been removed.)
This means that Joe Garageband will have no outlet to independently distribute his music. In order to do that, he'd have to buy an MP3DRM license, which (like the CSS licenses) will cost more than his house.
In a world where every piece of technology enforces DRM, independents will have no way to distribute their work.
It will be even worse than the current RIAA oligarchy - today, anyone with a couple of hundred bucks can distribute their own CDs; in an SSSCA world, that gets changed to anyone with a couple of hundred bucks and an additional hundred thousand dollars can distribute their own DRMCDs.
in order to have a truly "strong" DRM system, you have to tack on strong encryption
This is the most fundamental failing of DRM, and why (in its current form) it will never work.
At its most basic level, encryption (weak or strong) is designed to allow person A to send something to person B without anyone else (person C) being able to view it.
It is not designed to allow person A to decide when and how person B can view it, or whether person B can send it to someone else.
These are two VERY different goals. In the first example, once person B has the data, s/he can view it any time they want, rewrite or mangle it, or even send it to someone else (with or without encryption.)
If the goal of DRM is to prevent person B from copying the content, then there is no technical way of doing it.
To quote Bruce Schneier, trying to make bits not copyable is like trying to make water not wet. Encrypting the data will not alter this fact.
The problem is, nobody has come up with a way to make bits uncopyable - and the people who believe that encryption will do this simply don't understand encryption.
if you don't release your code, you are afraid of people looking at your poorly programmed code
As a programmer, I can say you are 100% correct.
I've written some godawful code in my time (usually while learning a new protocol - like you I've written an SMTP server, but I've also written a POP3 server and HTTP server as well... all as learning exercises...) and I'd never submit it to public scrutiny (of course, I'd never submit binaries either :o)
But I've contributed to a couple of GPL'ed projects too - usually with code I'm pretty proud of... (except one Roxen module that I wrote while learning Pike - that one was just ugly as sin - I released it because people wanted it:o)
Like many (most?) /. readers, I live outside the US, and am not a US citizen; in theory, US laws should not concern me as long as I remain outside US jurisdiction. Reality proves otherwise, however (witness Jon Johansen and Dmitry Sklyarov, for example.)
My question is this: can non-US citizens help to influence US decision-makers for the greater good, and if so, how?
However, viewed objectively it is nonsense to make a single-user, or even multi-user, system force me to log out just to install drivers. This is poor interface design and nothing else.
WRONG
For home use, your assumption is (at best) debatable - separating regular use accounts from system admin accounts is a good way to prevent viruses and trojans, and to make sure that you can't screw up the machine accidentally (rm /* -rf isn't just for Unix.)
For corporate use, it is a necessity. Even though our salesmen are still stuck in Windows land, I praised the day we switched them from Win98 to NT/2000 - yes, we get calls from them saying that "I can't install this program", but it's a small price to pay to prevent them from installing non-work related software, or trashing the machine.
If you stumble onto one of those sites where you're in pop-up hell, put that site into the Restricted Sites Zone
[sarcasm]
What a great idea! I'm sure glad Microsoft is there to make these wonderful innovations for me!
[/sarcasm]
First, this 'solution' wonderfully misses the point that most people didn't want to go there in the first place - once they get bitten by this, they'd probably never go back again, which makes putting something in the 'twilight zone' pretty pointless.
Which leads to point #2: if they DID want to go there, they've already been bitten by the popup monster. Talk about "closing the barn door after the horses have eaten your children."
Third, I would wager that 99% of people who use IE have no idea what 'security zones' do, or how to put a site into one even if they knew.
That would assume that Adobe's ebook software would or could not interface with existing screen-reader software, nor that it would/could interface with any speech synth software. Mighty big IF there.
Not quite.
The whole point of the ebook readers (MS's included) is that the text is displayed as a graphic, not text. If it was displayed as text (which it would need to be, in order to work with a screen reader) then anyone could just use the clipboard to paste the text into Notepad.
Similarly, if the reader had an API to allow a text-to-speech converter, anyone could use that to extract the body of the text. (And because they'd be using an interface to the existing software, then the software would be legal under the DMCA.)
If I hack up a box to provide services in a non-standard way, i.e., I modify smb.conf, httpd.conf, and probably other files as well to proprietize "my product", is that a GPL violation?
Only if you distribute your boxes, and don't include a copy of the GPL and source (or an offer of source.)
Not providing source for the mods is only one issue. The other is deliberately concealing the fact that their box used GPL'ed software.
Precisely the kind of roll-over pacifist crap that got us in this position in the first place.
Yeah, that's why all those European countries and Canada were all attacked first, right?
The original poster is correct. Think before you act, and when you do act, do so with tact and diplomacy. Remember Oklahoma City - all the frothing at the mouth about foreign terrorists, and it turned out to be an American.
The one by me is *still* trying to give them away...
Pick up a couple for me! I'm in Canada, and I've never seen 'em...
I'll pay shipping, plus $5 for your time.
You have to consider training. It took my state 3 years to train the gov for NT, before all the machines were actually running.
First off, the question arises: Switching from what to NT? (Switching from WinNT to KDE is a lot less intensive than switching from DOS to Windows.)
Second, since their alternative is to go with XP, they will have to retrain everybody anyway.
Yes, training costs time and money, but it's money they will have to spend anyway.
I was reading this Onion story yesterday, and the problem I see with it, is that it's just too subtle.
Yes, you read that correctly, and I'm not being sarcastic.
I'd bet any major newspaper could run that story word-for-word, and the majority of US sheeple would not only believe it happened, but agree with the "government's" position.
It's just too subtle.
Might be a good resource, if I could actually view the PDFs.
A stock Slackware 8.0 install (which I notice happens to be your distro of choice) just gives blank pages.
Perhaps you could include some documentation on how to view the pages?
I told my local CIA recruiter that a modified deflector dish or a recursive algorithm will be satisfactory for most any problem.
You forgot about adjusting the shield harmonics!
It was on local TV (Canadian) last night.
Not bad... definitely "grittier" than the other series. Bakula did a good job of portraying Archer.
I'd watch it again.
It's been awhile since I've used it, but Scotty/Tkined did an OK job... it's open-source, extensible, and you can import your own icons.
Take a look at it at http://wwwhome.cs.utwente.nl/~schoenw/scotty/
No.
ICMP redirects only work on packets on your local segment - what you propose wouldn't work. Even if the router you're connected to would accept an ICMP redirect from you (unlikely; most ISPs turn this off on their CPE), you would just create a loop, because the packet is STILL destined for your network. (So you'd just end up soaking up even more of your own bandwidth.)
If I'm not mistaken you do not "own the CD"
You are mistaken.
When you purchase a CD, you are buying it. Period.
This is why it's legal to give it away, or to sell it to a used-CD place when you grow tired of it, or if you don't like it.
If there was some clear sign at the store that said something like "you are not buying this CD, you are licensing it, you have no rights, you are a corporate puppet." Then the argument that "you are buying the right to listen to it" might apply (and I say MIGHT, because contract law implies an agreement negotiated between two parties, and there is clearly no negotiation happening.)
Of course, if there was such a sign, I'm sure that there would be a public outcry.