This is how software is SUPPOSED to be written and released. You work on it until its ready. Until its perfect. Until everything works exactly the way you want it to, with no flaws. THEN you release a beta test to find those issues that nobody in the development or testing team could find. If designed correctly, most flaws will simply be specific hardware issues that weren't completely tested in house or balancing issues with gameplay. But I played Starcraft and I never saw any major bugs.
First of all, last time I checked, if a law enforcement official asks me to demonstrate something by breaking the law, then arrests me for it, technically thats entrapment.
If the company asks me to demonstrate breaking into their website, then thats the same thing as inviting me into your house then having me arrested for trespassing.
Also understand, that prosecutors don't usually offer plea agreements unless they know they're not going to get anything better. This guy might actually have a good case, the only problem is, the government has the ability to put too much pressure on the average citizen and force them into an easy out.
All that aside, what do we do? Should we not bother to help the world secure itself? Should we just worms and secretly release them so they fix all the problems and we just look the other way knowing that one way or another things will be secure and nobody will probably ever know about it anyways.
How DO we deal with this? Law Enforcement either doesnt' have a clue, or doesn't care, and probably its both. If the only proper actions are illegal (or will be treated as illegal) what can we do? We can try to educate, but I don't think Law Enforcement WANTS to be educated. Nor does anyone else for that matter. They want to just install their insecure microsoft crap and have it work, and microsoft certainly isn't going to take any blame for it.
This is kinda scary.. Imagine you're walking down the street and glance in someone's window and see a crime being committed, you report it, then get arrested for invasion of privacy. How different is this really? Because they involve computers and networks, people don't understand anything, they don't know what to do, so they panic and get law enforcment involved and they take every call so seriously because of those damned "hackers" that the public is so concerned about.
As I see it... we do our jobs. We don't talk to anyone, we just do what we're supposed to do. If we find a problem, we fix it and say nothing or we ignore it and let it fester (especially if its not OUR problem). Don't try to help anyone. If that user is having difficulty with their computer, if you're not responsible for maintaining it, then don't even think of touching it or even advising that user what to do. Tell them they're SOL unless they can find someone else to help them. Or hand them a book and tell them they'll have to figure it out on their own. This is not the world I want to live in, but what choice do we have? How can we risk it anymore?
Boy, am I GLAD he didn't release it. Think of the harm that he could have done to the movie industry. The DMCA DOES work people, see? Now, because of the DMCA, he won't release the specs on breaking the encryption and therefore nobody will be able to produce a product that uses this encryption standard, and the movie industry will be saved.
Of course, this won't stop people from pirating the movies. This will go on as normal, as people who are outright willing to break the law will do so anyways, and if he was able to break the encryption, so will others. But the good news is, it will be ILLEGAL according to the DMCA, so these pirates are officially BAD PEOPLE and therefore will have no effect on the Movie Industry, because they don't count. Only people who can compete count, because they actually have the opportunity of creating products legally without paying licensing fees. The world is a better place with the DMCA indeed.
Ebooks have failed primarily because they provide an inconvienent way to access content online as opposed to a convienent way to access the same information offline, without adding any value to the product.
People like books. I don't care how wired you are, a paperback book will keep you busy for hours without the need for batteries or rechargers or crashing operating systems. Its a medium that has stood the test of time and its unlikely to be replaced entirely for a long LONG time.
So offer to those people the option to read the exact same text on a screen thats hard on the eyes and needs batteries, then throw into that the fact that they're gonna have to read fast so they get it all in in their 10 hour limit and screw around with publishers so their can play their games to prevent any IP theft. They'll sooner go to a book faire and buy the damn thing for 50 cents and be done with it. And what have we accomplished?
Ebooks have an opportunity to offer a more fulfilling multimedia experience. I've seen fan fiction sites on the web that have pictures and play music while you're reading that matches the setting and mood of the story as you read through it. Publishers could have drawn quite a following from this, but instead they choose to quibble over how many people are going to steal their precious works to even bother noticing that nobody is reading them anyways.
This is somewhat off topic, but this article has made several points extremely clear. First of all, we are allowed to take random pictures of people in public and sell them. Someone should walk around that city with a digital camera and take pictures of people and make it obvious enough that they know about it. Eventually, someone will complain, and when they do, point out one of the public cameras and tell them thats what the city is doing, why aren't they complaining about that?
Someone with a lot of guts and no criminal history whatsoever should do this with cops. Whenever you see a police officer, go right up to them and take a picture of them and follow them around at a reasonable distance and continue filming them. What are they going to do? They're doing the same thing to you, its only fair. If they question you about it, hand them a business card, or better yet a big colorful flier linking them to your website and offering to sell them CD's of pictures of police officers in that city. To make it even more interesting, have a crowd of people follow you around with camcorders so any interaction by the police will be recorded. Also, if possible, get a permit from the city to perform artistic observations on the street, so they can't even accuse you of loitering.
Now this is where it really gets fun. Get some of your own face recognition software. It doesnt' have to be perfect, just adaquate and combine the photographs with GPS locations. Then build a database of the daily observed activities of individual police officers. If some public access was allowed to the public recognition systems in question, photographs of cops could be run against databases of wanted individuals until a false positive shows up and then publish that information.
Personally I hope that guy does sue, if only to lose. Specifically he needs to sue whatever stage it was that sold or provided a picture of him to the media without his consent. If the court decides that it is acceptable to do so, then all the preceeding activities should be legal.
I have spent the last week thinking this over, and spent some time coding a test. Working with a known named hole, I ran a vulnerable version of named on a few of my machines.
I obtained some script kiddy code to open up a shell on the alternate machine and started to modify it. Since I have no desire to be assused of starting a virus of any kind, I have no intention of finishing or releasing this, but I want to have the concept proven in case someone with more guts than I decided to release something similar.
No matter how you look at it, I believe that releasing this worm would be illegal, at least in the US where I live. Knowing this, I'm not going to concern myself with legal issues, but with ethical ones. The purpose of this prototype worm is to exploit the named deamon and obtain a shell on the victim computer. Then it will send over a copy of the worm, along with a nonvulnerable version of named.
On the victim's side, it will make a copy of all programs and configuration files it needs to change and replace them with safe versions. It will then send a message to root on that machine explaining exactly what was done and why, how to reverse the changes in case the worm broke something, and what to do in the future to avoid the same or similar problems. The worm will then
find and exploit 256 more systems within the same network level, one in each subnetwork. For instance, if the worm is currently working at the class A level for the 24.0.0.0/8 network, it will try to find one system in the 24.1.0.0/16 network, one in the 24.2.0.0/16 network, etc. Each progression will work one level lower. This will prevent the same machine from being hit more than twice for every pass the virus makes over the internet. After finding 256 systems, the worm will shut itself down and remove itself.
The important factors of this worm is the fact that it will ONLY be beneficial. If it causes more problems than it solves, it will be seen as another nuisence instead of fixing security holes as it is intended. It is important that root on the machine is notified of any changes. This gives the administrator the opportunity to fix other potential problems and if necessary reload the system. There must be a way that an administrator can leave configuration files on the machine so the worm will function in a limited capacity. The machine operator can therefore prevent the worm from making changes although they will still be notified if there's a security risk.
The worm will only search for and detect a single flaw in a single program, and only use that specific program to exploit the system and only replace that single program. Updating an entire package to fix one program may actually introduce other security problems into the system. Programs
deployed on the system should also be either compiled on that system or staticly linked to prevent any library conflicts.
On a side note, the worm might also want to check for a root kit on the machine and notify root if one exists. If the machine has already been comprimised (which is possible if there are vulnerable programs running), then the machine will need to be reloaded and root needs to know about it. Fixing one program won't make any difference.
Its rather unlikely. Chances are good that while they're breaking into your house, someone else is following you and can easily warn whoever is there to get out if you choose to come home earlier.
Of course, someone ELSE could come by and surprise them all.
What you would lose is the readability. Any symbol in an html file could be reduced to a byte or less depending on the total number of symbols used. Consider a 80 character line of text with
each character a different color. For each character you'd need data approxately equal to:
a
This entire sequence could be compressed into 4 bytes or less, but you would require an html compiler instead of coding it by hand (unless you're one of those crazy people that prefer coding opcodes straight over using C).
The issue with html, and the reason why we don't worry about the inefficiency much is the fact that you could have a rather extensive html file with one link to a single picture, and that picture would easily take up the space of the entire html file.
Proliferation of this standard will require 4 things. Ogg will have to be of equal or better sound quality than mp3. Ogg will have to use comperable or less space than mp3. There will have to be numerous players available for the format, or at least it will need to be supported by all the popular players. And it will need to be used. Personally, if all else is equal, ogg and mp3 can mix on my HD without any problems and other people will see it the same way.
First of all, #2. If a program is secure, it doesn't matter if the port is open. Also, if the system is secure, it won't be able to catch the worm in the first place, and therefore its not a problem.
#4 same issue. If the worm can get in, then you need to be playing a little less quake.
A well designed worm will do the following:
Search for one single hole (lets say a named hole). Install a resident program on the system. Patch the hole. Search out, locate, and infect 100 insecure systems. After infecting 100 other systems, remove itself.
This worm will only infect a machine once. There will be a lot of scanning, but only 100 times and once the first 100 have passed, that machine will never scan again for that vulnerability.
A separate worm should be available for every known exploitable security hole. Obviously here I'm thinking of linux systems, but its a start.
Ideally the scanning could be done to specific blocks of IP addresses in such a way that it will minimize repeated attempts.
I'd set one up myself, but with the current climate of sue first and ask questions later, or worse jail first, ask questions later, I'm not too comfortable about the idea, even if it turns out in the end to be a legal proposition.
Now... find a lot of free anonymous webspace somewhere.... hmm...
-Restil
Re:Badass compression algorithm?
on
Share The Pi!
·
· Score: 2
Actually, all you need to do is FIND it. Not that this is a trivial task, but if you know the position, you can retrieve the digits with multiple ease with a simple fast algorithm (at least if the digits are binary)
However, like you said, FINDING it would take far longer than just sending a damn copy of the thing.:) If we ever had really REALLY fast computers some day, this could do wonders for data compression. Any value could be represented by a simple position.
Of course, if the position was somewhere after a googolplex digits, sending the position would be an order of magnitude more complex than just sending the data.
Too bad the virus seems to have been patched up. I'm not getting sent random files anymore:( But it was rather fun reading through the crap that people store on their harddisks. I just wish I got something more interesting. All I got was a bunch of word files containing poetry and a newsletter for some club. I can see some REAL potential fun with this though if more interesting files were sent.
Since we're currently discussing the legality of this, someone who's brave enough should set up a repository for files we've received and who we received them from, with cross reference links, etc. If someone was infected, theres a good chance that a large quantity of the data stored on his harddisk is available to the internet at large. If all this information was displayed publicly (LEGALLY even), what a nice incentive to switch to a less virus prone operating system.
Just an interesting thought about making criminal the activity of reverse engineering.
I heard a saying once, "Locks are made to keep honest people out". The point here is that if I INSIST on getting in, the lock won't stop me.
The encryption algorithm used is the lock. The law "protects" me against a criminal by making it a crime to break and enter. I can put a $200000 quaduple deadbolt with solid steel reinforement, 20 armed guards, and an alarm system in place if I want to keep people out, or I can buy the cheap $20 padlock that can easily be cut by a bolt cutter. The crime to break in is the same. However, one of these methods is likely to stop that person from breaking in.
A weak encryption scheme is the same as using a cereal box lock as your sole form of protection. Granted, I'll have to break it to get in, and yes, I'll still be as criminally responsible if I do, but you made it extremely easy for me. The point is, you don't HAVE to protect yourself from honest people. Honest people aren't going to steal from you.
Those that WILL steal from you won't be stopped by something as trivial as a plastic lock. You're going to have to put something strong and solid there. You're going to have to PREVENT them from breaking in. And no law is going to do that, only something that is solid and unbreakable will.
If I decide to go around taking apart locks to see which ones I'll be able to break into, I should have that right, because a lock is only SECURE if I'm able to take it apart and still not know how to break it. Encryption is the same.
Of course, the music industry won't be quick to settle for anything less than their $15 per CD fee, but the truth is, since most of the cost of that CD is in the distribution process, the actual cost of the material is rather small, and a fair arbitration panel would recognize that fact. In fact, with napster (or its users as the case may be), ALL of the distribution, packaging, marketing is taken care of by napster and its users. The unaccounted for cost is the royalties to the band.
Ok, so the record companies do pay money for marketing. So what? That should not be a factor when considering the proper fee since without that marketing they might not have ANY sales, in which case they wouldn't have to worry about these issues. In the end, we're looking at what?
I don't remember the exact amounts but from what I recall from old arguments, the artist probably gets about $1 per CD in royalties. Assuming there are 10 songs on the average CD, thats 10 cents per song that the artist recieves. And thats about what napster should be required to pay per song. That amount could ALMOST be completely covered with banner ads, although some revitalization in the banner ad business will be required to really make a go of this. However, marketers have an advantage with napster users. Direct marketing will be effective with them with regards to music. You know exactly which music they're listening to, and if you want to fire off advertising relating directly to that music, the case is likely that someone might actually pay attention to that advertising and it might be worth the cost.
This is actually a very good opportunity for free software to demonstrate its benefits. People who are perfectly happy with their situation rarely do anything to change it. People who seek out freedom are usually fleeing from opression. This is the way of the world. And when they land on this new shore, full of unimaginable opportunities, they'll never look back again.
Don't fret that Free Software picks up rejects from the other software models. At least this way they have a dedicated interest in giving Free software a chance instead of taking one look at the command line and running back crying to their windows.
On the surface, the BSA has a purpose for existing. Piracy does happen. Some businesses do cheat on licenses. More software is being used than companies are being compensated for. To investigate cases where piracy is occuring is more than likely justified. However, that is where the line is drawn.
To harrass or accuse anyone of a crime when there is no evidence that such a crime ever committed is a very BAD idea from a service point of view. You don't harrass your customers to make sure that they're not cheating you out of a few pennies. In a large corporation, even one that spends a lot of time making sure they're 100% compliant, there probably is 1-2% of noncompliant software installed, including software that was installed more times than the licenses allow for, or software for which the licenses were purchased but no supporting documentation exists.
So the BSA threatens this huge corporation. Even at 1%, there is a lot of money to be lost even if the only fees the company will be levied with are the cost of the licenses. Its worth their effort not so much to get thier licenses up to date, but to reorganize their systems so that extra installation of photoshop that nobody uses is uninstalled. If they'll have to spend the money anyways, they don't necessarily have to send it in to the software company that is harrassing them.
It makes perfect sense to move to open source in light of these events. At least you will know that no matter how many times you reinstall that one copy you purchased, nobody will ever bother you about it.
Although this COULD become a problem when we get into nanotechnology and ever nanite needs its own IP address. A body full of these suckers COULD potentially run out of IP addresses.
"No, but you don't understand. I need an extra block of addresses because it is vitally important that I can access nanite #38273749590627
directly from a computer on the other side of the world. A double hop is simply NOT an option guys!"
The big problem with the criminal justice system in this country, is while I can initially refuse to press charges (Yes, Mr. bad person broke into my house, but I told him to, or he was trying to stop a fire from starting, or any number of reasons). However, if I initially tell the cops to hang him, then find out 24 hours later the reason he broke into my house was for a legit reason, I can't easily get the charges dropped. Granted, it would be rather difficult to convict him if I myself got up on the witness stand and told the jury exactly what happened, and its unlikely the prosecution would pursue it that far. But the system doesn't move quickly. It can take months to get from arrest to court room, and while this is a good 6 month process in state cases, it can take years in federal cases (Mitnick, Ok city bombing, etc).
The problem is, he's in jail now, and there's a good chance that this case will never see a trial, but he could be locked up for a long time before somebody decides the case isn't worth pursuing. And there is very little we can do about it, at least with this specific case.
The REAL problem is, we raise our voices when someone has been wronged, which DOES have effect, but it doesn't have immediate effect. The problem is he got arrested in the first place, which means the laws are broken. Even if he's locked away for years, there is no restitution from the government because they've done no wrong, legally speaking. They had a proper case, a clear violation of a valid law (even if its a stupid one).
There are three possibilities here. We wait patiently for this law to get repealed. Look back carefully and see how many laws have been repealed lately. I mean, REALLY LOOK. You're not going to find many. At the very least, we're not going to accomplish anything by simply talking. We're too small of a minority to gain the proper attention. Which leads us to the second possibility.
Run for office. Get yourself elected to a position where, while you might not have enough influence to get the laws reversed, you will have a position you can argue against it in an open forum. The press will listen. Congress will listen, because you're in their face, and they can't simply walk away then. Even if you don't get elected, you can manipulate the issue into a major campaign issue and the issue will get discussed at length. People will hear.
The third possibility is we keep the law as it is. We stay away from politics all together. Instead we focus on the companies and take drastic measures to make sure that nobody will use the products of any company that implements encryption for the purpose of preventing competition. Ok. So how do we do THIS?
Well, thats not easy, but there are ways. The problem is, it will require a lot of us to be extremely ruthless. We will have to write free virus scanners that will locate this rogue software and complain to the user that they're using software could potentially be illegal, and cite court cases where people have been jailed for using such software. A lot of people could be scared into not running such software, or at the very least, they might pay attention, which means that congress might actually start paying attention. The problem is we might get into a situation where this is abused beyond the point where it does any real good but instead creates more problems than it solves.
In addition. We, as a community, all of us, need to write letters (snail and email) to the important people at every software company, promising that if they EVER do something as stupid as Adobe has done, you will no longer purchase any products they produce, and you will encourage all your friends and employeer to not use them either. The same will happen if they attempt to use a protection scheme that uses the DMCA to keep people from reverse engineering their products. If a product uses encryption legitimately, that algorithim should be disclosed, as any adaquate encryption algorithm should be unbreakable anyways. There is no reason to protect it otherwise unless they're trying to be anticompetitive.
And another thing. Adobe needs to make a massive display of goodwill VERY soon. Along the lines of fully funding the defense costs (top of the line) to this poor prisoner, along with adaquate compensation for his trouble and a sincere public apology. If they don't, they need to be destroyed. Any legal means we can, we need to make sure that company goes down the toilet, which is better than they deserve. It must be made an example out of so no other corporation that has an interest in making money will ever be so bold to try something as stupid ever again.
What makes you think that they're not USING your system? Certainly, they might not be formatting your HD or erasing your files, but consider the fact that if they have root access to your machine and you don't know about it, then its a perfect location to work from while they scan and exploit other systems.
While they have access to your systems, they can also sniff out passwords and gain access to other systems on your network, they can eavesdrop or log outgoing traffic and listen for something interesting, all of which they can do without ever making themselves known to the victim.
The attacker may never do anything "malicious" to a system that he comprimises, but I can tell you for sure, no part of his activities can be attributed to "good will".
These *do* hit at 20, 30, 50 thousand miles per second
I'll give you the benefit of the doubt and assume you meant miles and not thousand miles. 50 thousand miles per second is a little less than 1/3 the speed of light. If any large rock hit the Earth going THAT fast, there'd be a lot more to worry about than a crater and nuclear winter.
Meteors typically enter the atmosphere at 20-70 miles per SECOND, not hour. Terminal velocity doesn't really apply to meteors, the meteor hits the ground or burns up long before it can slow down enough to reach terminal velocity.
However, 100-200 mph is probably not a typo for mps. For a rock (of any size) to be travelling fast enough to enter the atmosphere at that speed, it would have to originate from outside the solar system, since that speed is to fast to remain in any orbit of the Sun without escaping the solar system.
Therefore it is quite safe to say that the reporters are getting funny numbers from someplace, likely they just made it up, but THAT's never happened before, right?:)
Reading about the idea for slowing down the port scanners gave me another idea. I'm not positive how port scanners work, and I don't plan to do any extensive research to find out right now, but I
know that to function they typically make a connection to every port they want to probe and see if they can complete a connection. Those scanners that are trying to be stealthy might not complete the connection after this point, but others might continue to at least recieve data about what server is running on that port. And this gives me an idea.
Set up a LOT of servers on random unused ports on every system that will answer any incoming connections and print out a LOT of data VERY VERY slowly, such that it would send one character at a time and send each packet one byte at a time with lots of delay time in between. Make it short enough so the port scanner doesn't time out and give up, but will sit there and happily lap up the characters as they come through one at a time over a period of hours. This way, if a non-threaded portscanner were to stumble onto one of these machines it would essentially take that port scanner out of operation until the operator discovered the problem. Granted, this trick could be overcome with software on the portscanner side, but it might make the attacks a lot less fruitful for a while.
Reformating really isn't the worst thing that could happen. It'll hurt anyone who doesn't keep backups, but they're likely to get hit by a random non-virus windows bug anyways. Something that is really nasty would SLOWLY corrupt documents, so they get backed up and it will be months before the damage is realized and simply restoring the previous night's backup won't work, because you never know what's dangerous and what isn't and how far back it goes and what other payload is sitting around waiting.
Slashdot Mirror
This is how software is SUPPOSED to be written and released. You work on it until its ready. Until its perfect. Until everything works exactly the way you want it to, with no flaws. THEN you release a beta test to find those issues that nobody in the development or testing team could find. If designed correctly, most flaws will simply be specific hardware issues that weren't completely tested in house or balancing issues with gameplay. But I played Starcraft and I never saw any major bugs.
Keep up the good work Blizzard.
-Restil
First of all, last time I checked, if a law enforcement official asks me to demonstrate something by breaking the law, then arrests me for it, technically thats entrapment.
If the company asks me to demonstrate breaking into their website, then thats the same thing as inviting me into your house then having me arrested for trespassing.
Also understand, that prosecutors don't usually offer plea agreements unless they know they're not going to get anything better. This guy might actually have a good case, the only problem is, the government has the ability to put too much pressure on the average citizen and force them into an easy out.
All that aside, what do we do? Should we not bother to help the world secure itself? Should we just worms and secretly release them so they fix all the problems and we just look the other way knowing that one way or another things will be secure and nobody will probably ever know about it anyways.
How DO we deal with this? Law Enforcement either doesnt' have a clue, or doesn't care, and probably its both. If the only proper actions are illegal (or will be treated as illegal) what can we do? We can try to educate, but I don't think Law Enforcement WANTS to be educated. Nor does anyone else for that matter. They want to just install their insecure microsoft crap and have it work, and microsoft certainly isn't going to take any blame for it.
This is kinda scary.. Imagine you're walking down the street and glance in someone's window and see a crime being committed, you report it, then get arrested for invasion of privacy. How different is this really? Because they involve computers and networks, people don't understand anything, they don't know what to do, so they panic and get law enforcment involved and they take every call so seriously because of those damned "hackers" that the public is so concerned about.
As I see it... we do our jobs. We don't talk to anyone, we just do what we're supposed to do. If we find a problem, we fix it and say nothing or we ignore it and let it fester (especially if its not OUR problem). Don't try to help anyone. If that user is having difficulty with their computer, if you're not responsible for maintaining it, then don't even think of touching it or even advising that user what to do. Tell them they're SOL unless they can find someone else to help them. Or hand them a book and tell them they'll have to figure it out on their own. This is not the world I want to live in, but what choice do we have? How can we risk it anymore?
-Restil
Boy, am I GLAD he didn't release it. Think of the harm that he could have done to the movie industry. The DMCA DOES work people, see? Now, because of the DMCA, he won't release the specs on breaking the encryption and therefore nobody will be able to produce a product that uses this encryption standard, and the movie industry will be saved.
Of course, this won't stop people from pirating the movies. This will go on as normal, as people who are outright willing to break the law will do so anyways, and if he was able to break the encryption, so will others. But the good news is, it will be ILLEGAL according to the DMCA, so these pirates are officially BAD PEOPLE and therefore will have no effect on the Movie Industry, because they don't count. Only people who can compete count, because they actually have the opportunity of creating products legally without paying licensing fees. The world is a better place with the DMCA indeed.
-Restil
(This is sarcasm. moderate appropriately)
Ebooks have failed primarily because they provide an inconvienent way to access content online as opposed to a convienent way to access the same information offline, without adding any value to the product.
People like books. I don't care how wired you are, a paperback book will keep you busy for hours without the need for batteries or rechargers or crashing operating systems. Its a medium that has stood the test of time and its unlikely to be replaced entirely for a long LONG time.
So offer to those people the option to read the exact same text on a screen thats hard on the eyes and needs batteries, then throw into that the fact that they're gonna have to read fast so they get it all in in their 10 hour limit and screw around with publishers so their can play their games to prevent any IP theft. They'll sooner go to a book faire and buy the damn thing for 50 cents and be done with it. And what have we accomplished?
Ebooks have an opportunity to offer a more fulfilling multimedia experience. I've seen fan fiction sites on the web that have pictures and play music while you're reading that matches the setting and mood of the story as you read through it. Publishers could have drawn quite a following from this, but instead they choose to quibble over how many people are going to steal their precious works to even bother noticing that nobody is reading them anyways.
-Restil
This is somewhat off topic, but this article has made several points extremely clear. First of all, we are allowed to take random pictures of people in public and sell them. Someone should walk around that city with a digital camera and take pictures of people and make it obvious enough that they know about it. Eventually, someone will complain, and when they do, point out one of the public cameras and tell them thats what the city is doing, why aren't they complaining about that?
Someone with a lot of guts and no criminal history whatsoever should do this with cops. Whenever you see a police officer, go right up to them and take a picture of them and follow them around at a reasonable distance and continue filming them. What are they going to do? They're doing the same thing to you, its only fair. If they question you about it, hand them a business card, or better yet a big colorful flier linking them to your website and offering to sell them CD's of pictures of police officers in that city. To make it even more interesting, have a crowd of people follow you around with camcorders so any interaction by the police will be recorded. Also, if possible, get a permit from the city to perform artistic observations on the street, so they can't even accuse you of loitering.
Now this is where it really gets fun. Get some of your own face recognition software. It doesnt' have to be perfect, just adaquate and combine the photographs with GPS locations. Then build a database of the daily observed activities of individual police officers. If some public access was allowed to the public recognition systems in question, photographs of cops could be run against databases of wanted individuals until a false positive shows up and then publish that information.
Personally I hope that guy does sue, if only to lose. Specifically he needs to sue whatever stage it was that sold or provided a picture of him to the media without his consent. If the court decides that it is acceptable to do so, then all the preceeding activities should be legal.
-Restil
I have spent the last week thinking this over, and spent some time coding a test. Working with a known named hole, I ran a vulnerable version of named on a few of my machines.
I obtained some script kiddy code to open up a shell on the alternate machine and started to modify it. Since I have no desire to be assused of starting a virus of any kind, I have no intention of finishing or releasing this, but I want to have the concept proven in case someone with more guts than I decided to release something similar.
No matter how you look at it, I believe that releasing this worm would be illegal, at least in the US where I live. Knowing this, I'm not going to concern myself with legal issues, but with ethical ones. The purpose of this prototype worm is to exploit the named deamon and obtain a shell on the victim computer. Then it will send over a copy of the worm, along with a nonvulnerable version of named.
On the victim's side, it will make a copy of all programs and configuration files it needs to change and replace them with safe versions. It will then send a message to root on that machine explaining exactly what was done and why, how to reverse the changes in case the worm broke something, and what to do in the future to avoid the same or similar problems. The worm will then
find and exploit 256 more systems within the same network level, one in each subnetwork. For instance, if the worm is currently working at the class A level for the 24.0.0.0/8 network, it will try to find one system in the 24.1.0.0/16 network, one in the 24.2.0.0/16 network, etc. Each progression will work one level lower. This will prevent the same machine from being hit more than twice for every pass the virus makes over the internet. After finding 256 systems, the worm will shut itself down and remove itself.
The important factors of this worm is the fact that it will ONLY be beneficial. If it causes more problems than it solves, it will be seen as another nuisence instead of fixing security holes as it is intended. It is important that root on the machine is notified of any changes. This gives the administrator the opportunity to fix other potential problems and if necessary reload the system. There must be a way that an administrator can leave configuration files on the machine so the worm will function in a limited capacity. The machine operator can therefore prevent the worm from making changes although they will still be notified if there's a security risk.
The worm will only search for and detect a single flaw in a single program, and only use that specific program to exploit the system and only replace that single program. Updating an entire package to fix one program may actually introduce other security problems into the system. Programs
deployed on the system should also be either compiled on that system or staticly linked to prevent any library conflicts.
On a side note, the worm might also want to check for a root kit on the machine and notify root if one exists. If the machine has already been comprimised (which is possible if there are vulnerable programs running), then the machine will need to be reloaded and root needs to know about it. Fixing one program won't make any difference.
Am I completely off my rocker here? Comments?
-Restil
Its rather unlikely. Chances are good that while they're breaking into your house, someone else is following you and can easily warn whoever is there to get out if you choose to come home earlier.
Of course, someone ELSE could come by and surprise them all.
-Restil
What you would lose is the readability. Any symbol in an html file could be reduced to a byte or less depending on the total number of symbols used. Consider a 80 character line of text with
each character a different color. For each character you'd need data approxately equal to:
a
This entire sequence could be compressed into 4 bytes or less, but you would require an html compiler instead of coding it by hand (unless you're one of those crazy people that prefer coding opcodes straight over using C).
The issue with html, and the reason why we don't worry about the inefficiency much is the fact that you could have a rather extensive html file with one link to a single picture, and that picture would easily take up the space of the entire html file.
-Restil
The script I've been reading.. there are no clones in the second movie. THey don't come about until the 3rd.. I must be missing something...
-Restil
Proliferation of this standard will require 4 things. Ogg will have to be of equal or better sound quality than mp3. Ogg will have to use comperable or less space than mp3. There will have to be numerous players available for the format, or at least it will need to be supported by all the popular players. And it will need to be used. Personally, if all else is equal, ogg and mp3 can mix on my HD without any problems and other people will see it the same way.
-Restil
First of all, #2. If a program is secure, it doesn't matter if the port is open. Also, if the system is secure, it won't be able to catch the worm in the first place, and therefore its not a problem.
#4 same issue. If the worm can get in, then you need to be playing a little less quake.
A well designed worm will do the following:
Search for one single hole (lets say a named hole). Install a resident program on the system. Patch the hole. Search out, locate, and infect 100 insecure systems. After infecting 100 other systems, remove itself.
This worm will only infect a machine once. There will be a lot of scanning, but only 100 times and once the first 100 have passed, that machine will never scan again for that vulnerability.
A separate worm should be available for every known exploitable security hole. Obviously here I'm thinking of linux systems, but its a start.
Ideally the scanning could be done to specific blocks of IP addresses in such a way that it will minimize repeated attempts.
-Restil
I'd set one up myself, but with the current climate of sue first and ask questions later, or worse jail first, ask questions later, I'm not too comfortable about the idea, even if it turns out in the end to be a legal proposition.
Now... find a lot of free anonymous webspace somewhere.... hmm...
-Restil
Actually, all you need to do is FIND it. Not that this is a trivial task, but if you know the position, you can retrieve the digits with multiple ease with a simple fast algorithm (at least if the digits are binary)
:) If we ever had really REALLY fast computers some day, this could do wonders for data compression. Any value could be represented by a simple position.
However, like you said, FINDING it would take far longer than just sending a damn copy of the thing.
Of course, if the position was somewhere after a googolplex digits, sending the position would be an order of magnitude more complex than just sending the data.
Forget I said anything.
-Restil
Too bad the virus seems to have been patched up. I'm not getting sent random files anymore :( But it was rather fun reading through the crap that people store on their harddisks. I just wish I got something more interesting. All I got was a bunch of word files containing poetry and a newsletter for some club. I can see some REAL potential fun with this though if more interesting files were sent.
Since we're currently discussing the legality of this, someone who's brave enough should set up a repository for files we've received and who we received them from, with cross reference links, etc. If someone was infected, theres a good chance that a large quantity of the data stored on his harddisk is available to the internet at large. If all this information was displayed publicly (LEGALLY even), what a nice incentive to switch to a less virus prone operating system.
-Restil
Just an interesting thought about making criminal the activity of reverse engineering.
I heard a saying once, "Locks are made to keep honest people out". The point here is that if I INSIST on getting in, the lock won't stop me.
The encryption algorithm used is the lock. The law "protects" me against a criminal by making it a crime to break and enter. I can put a $200000 quaduple deadbolt with solid steel reinforement, 20 armed guards, and an alarm system in place if I want to keep people out, or I can buy the cheap $20 padlock that can easily be cut by a bolt cutter. The crime to break in is the same. However, one of these methods is likely to stop that person from breaking in.
A weak encryption scheme is the same as using a cereal box lock as your sole form of protection. Granted, I'll have to break it to get in, and yes, I'll still be as criminally responsible if I do, but you made it extremely easy for me. The point is, you don't HAVE to protect yourself from honest people. Honest people aren't going to steal from you.
Those that WILL steal from you won't be stopped by something as trivial as a plastic lock. You're going to have to put something strong and solid there. You're going to have to PREVENT them from breaking in. And no law is going to do that, only something that is solid and unbreakable will.
If I decide to go around taking apart locks to see which ones I'll be able to break into, I should have that right, because a lock is only SECURE if I'm able to take it apart and still not know how to break it. Encryption is the same.
-Restil
Of course, the music industry won't be quick to settle for anything less than their $15 per CD fee, but the truth is, since most of the cost of that CD is in the distribution process, the actual cost of the material is rather small, and a fair arbitration panel would recognize that fact. In fact, with napster (or its users as the case may be), ALL of the distribution, packaging, marketing is taken care of by napster and its users. The unaccounted for cost is the royalties to the band.
Ok, so the record companies do pay money for marketing. So what? That should not be a factor when considering the proper fee since without that marketing they might not have ANY sales, in which case they wouldn't have to worry about these issues. In the end, we're looking at what?
I don't remember the exact amounts but from what I recall from old arguments, the artist probably gets about $1 per CD in royalties. Assuming there are 10 songs on the average CD, thats 10 cents per song that the artist recieves. And thats about what napster should be required to pay per song. That amount could ALMOST be completely covered with banner ads, although some revitalization in the banner ad business will be required to really make a go of this. However, marketers have an advantage with napster users. Direct marketing will be effective with them with regards to music. You know exactly which music they're listening to, and if you want to fire off advertising relating directly to that music, the case is likely that someone might actually pay attention to that advertising and it might be worth the cost.
-Restil
This is actually a very good opportunity for free software to demonstrate its benefits. People who are perfectly happy with their situation rarely do anything to change it. People who seek out freedom are usually fleeing from opression. This is the way of the world. And when they land on this new shore, full of unimaginable opportunities, they'll never look back again.
Don't fret that Free Software picks up rejects from the other software models. At least this way they have a dedicated interest in giving Free software a chance instead of taking one look at the command line and running back crying to their windows.
-Restil
On the surface, the BSA has a purpose for existing. Piracy does happen. Some businesses do cheat on licenses. More software is being used than companies are being compensated for. To investigate cases where piracy is occuring is more than likely justified. However, that is where the line is drawn.
To harrass or accuse anyone of a crime when there is no evidence that such a crime ever committed is a very BAD idea from a service point of view. You don't harrass your customers to make sure that they're not cheating you out of a few pennies. In a large corporation, even one that spends a lot of time making sure they're 100% compliant, there probably is 1-2% of noncompliant software installed, including software that was installed more times than the licenses allow for, or software for which the licenses were purchased but no supporting documentation exists.
So the BSA threatens this huge corporation. Even at 1%, there is a lot of money to be lost even if the only fees the company will be levied with are the cost of the licenses. Its worth their effort not so much to get thier licenses up to date, but to reorganize their systems so that extra installation of photoshop that nobody uses is uninstalled. If they'll have to spend the money anyways, they don't necessarily have to send it in to the software company that is harrassing them.
It makes perfect sense to move to open source in light of these events. At least you will know that no matter how many times you reinstall that one copy you purchased, nobody will ever bother you about it.
-Restil
2^48 actually.
Although this COULD become a problem when we get into nanotechnology and ever nanite needs its own IP address. A body full of these suckers COULD potentially run out of IP addresses.
"No, but you don't understand. I need an extra block of addresses because it is vitally important that I can access nanite #38273749590627
directly from a computer on the other side of the world. A double hop is simply NOT an option guys!"
Enough for anyone. Humph!
-Restil
The big problem with the criminal justice system in this country, is while I can initially refuse to press charges (Yes, Mr. bad person broke into my house, but I told him to, or he was trying to stop a fire from starting, or any number of reasons). However, if I initially tell the cops to hang him, then find out 24 hours later the reason he broke into my house was for a legit reason, I can't easily get the charges dropped. Granted, it would be rather difficult to convict him if I myself got up on the witness stand and told the jury exactly what happened, and its unlikely the prosecution would pursue it that far. But the system doesn't move quickly. It can take months to get from arrest to court room, and while this is a good 6 month process in state cases, it can take years in federal cases (Mitnick, Ok city bombing, etc).
The problem is, he's in jail now, and there's a good chance that this case will never see a trial, but he could be locked up for a long time before somebody decides the case isn't worth pursuing. And there is very little we can do about it, at least with this specific case.
The REAL problem is, we raise our voices when someone has been wronged, which DOES have effect, but it doesn't have immediate effect. The problem is he got arrested in the first place, which means the laws are broken. Even if he's locked away for years, there is no restitution from the government because they've done no wrong, legally speaking. They had a proper case, a clear violation of a valid law (even if its a stupid one).
There are three possibilities here. We wait patiently for this law to get repealed. Look back carefully and see how many laws have been repealed lately. I mean, REALLY LOOK. You're not going to find many. At the very least, we're not going to accomplish anything by simply talking. We're too small of a minority to gain the proper attention. Which leads us to the second possibility.
Run for office. Get yourself elected to a position where, while you might not have enough influence to get the laws reversed, you will have a position you can argue against it in an open forum. The press will listen. Congress will listen, because you're in their face, and they can't simply walk away then. Even if you don't get elected, you can manipulate the issue into a major campaign issue and the issue will get discussed at length. People will hear.
The third possibility is we keep the law as it is. We stay away from politics all together. Instead we focus on the companies and take drastic measures to make sure that nobody will use the products of any company that implements encryption for the purpose of preventing competition. Ok. So how do we do THIS?
Well, thats not easy, but there are ways. The problem is, it will require a lot of us to be extremely ruthless. We will have to write free virus scanners that will locate this rogue software and complain to the user that they're using software could potentially be illegal, and cite court cases where people have been jailed for using such software. A lot of people could be scared into not running such software, or at the very least, they might pay attention, which means that congress might actually start paying attention. The problem is we might get into a situation where this is abused beyond the point where it does any real good but instead creates more problems than it solves.
In addition. We, as a community, all of us, need to write letters (snail and email) to the important people at every software company, promising that if they EVER do something as stupid as Adobe has done, you will no longer purchase any products they produce, and you will encourage all your friends and employeer to not use them either. The same will happen if they attempt to use a protection scheme that uses the DMCA to keep people from reverse engineering their products. If a product uses encryption legitimately, that algorithim should be disclosed, as any adaquate encryption algorithm should be unbreakable anyways. There is no reason to protect it otherwise unless they're trying to be anticompetitive.
And another thing. Adobe needs to make a massive display of goodwill VERY soon. Along the lines of fully funding the defense costs (top of the line) to this poor prisoner, along with adaquate compensation for his trouble and a sincere public apology. If they don't, they need to be destroyed. Any legal means we can, we need to make sure that company goes down the toilet, which is better than they deserve. It must be made an example out of so no other corporation that has an interest in making money will ever be so bold to try something as stupid ever again.
-Restil
What makes you think that they're not USING your system? Certainly, they might not be formatting your HD or erasing your files, but consider the fact that if they have root access to your machine and you don't know about it, then its a perfect location to work from while they scan and exploit other systems.
While they have access to your systems, they can also sniff out passwords and gain access to other systems on your network, they can eavesdrop or log outgoing traffic and listen for something interesting, all of which they can do without ever making themselves known to the victim.
The attacker may never do anything "malicious" to a system that he comprimises, but I can tell you for sure, no part of his activities can be attributed to "good will".
-Restil
I'll give you the benefit of the doubt and assume you meant miles and not thousand miles. 50 thousand miles per second is a little less than 1/3 the speed of light. If any large rock hit the Earth going THAT fast, there'd be a lot more to worry about than a crater and nuclear winter.
-Restil
Meteors typically enter the atmosphere at 20-70 miles per SECOND, not hour. Terminal velocity doesn't really apply to meteors, the meteor hits the ground or burns up long before it can slow down enough to reach terminal velocity.
:)
However, 100-200 mph is probably not a typo for mps. For a rock (of any size) to be travelling fast enough to enter the atmosphere at that speed, it would have to originate from outside the solar system, since that speed is to fast to remain in any orbit of the Sun without escaping the solar system.
Therefore it is quite safe to say that the reporters are getting funny numbers from someplace, likely they just made it up, but THAT's never happened before, right?
-Restil
Reading about the idea for slowing down the port scanners gave me another idea. I'm not positive how port scanners work, and I don't plan to do any extensive research to find out right now, but I
know that to function they typically make a connection to every port they want to probe and see if they can complete a connection. Those scanners that are trying to be stealthy might not complete the connection after this point, but others might continue to at least recieve data about what server is running on that port. And this gives me an idea.
Set up a LOT of servers on random unused ports on every system that will answer any incoming connections and print out a LOT of data VERY VERY slowly, such that it would send one character at a time and send each packet one byte at a time with lots of delay time in between. Make it short enough so the port scanner doesn't time out and give up, but will sit there and happily lap up the characters as they come through one at a time over a period of hours. This way, if a non-threaded portscanner were to stumble onto one of these machines it would essentially take that port scanner out of operation until the operator discovered the problem. Granted, this trick could be overcome with software on the portscanner side, but it might make the attacks a lot less fruitful for a while.
-Restil
Reformating really isn't the worst thing that could happen. It'll hurt anyone who doesn't keep backups, but they're likely to get hit by a random non-virus windows bug anyways. Something that is really nasty would SLOWLY corrupt documents, so they get backed up and it will be months before the damage is realized and simply restoring the previous night's backup won't work, because you never know what's dangerous and what isn't and how far back it goes and what other payload is sitting around waiting.
-Restil