Getting the code in wouldn't be easy, but it wouldn't be easy in a closed-source project either.
There have been "closed-source" products containing "easter eggs" which themselves amount to sizable applications. A lesser version of the same thing is where you get "bells and whistles" for which there is little logical reason for them being there. There have also been pieces of proprietary software which contain (even are) malware by design.
Not every process. At least with an employee or contractor you know who wrote the code. Not that every job has a full background check, but you usually need references, a bank account to get paid etc. All you need to contribute to most open-source projects is an email address (and to be able to write good enough code, of course).
If you obtain proprietary software you don't know anything at all about who actually wrote any of the code.
If they were not plugged in they can be dried out and probably used again.
Actually what matters is being depowered; the likes of backup batteries can throw a spanner in the works here.
I've never seen mold growing on electronics, but if you have mold/mildew you can wash them with a mild bleach/water solution. After they are clean flush them with distilled water and let them dry completely.
If the hardware has been allowed to dry out without first having been cleaned then mould growth is the least of your concerns. Drying out incorrectly is highly likely to cause additional damage.
Consider that an aircraft flight recorder recovered from underwater will be sent for examination in a plastic container full of water. Even in the case of salt water...
Closed source products have that problem too; someone could make a forged copy of MS Office that contained malware.
Or Microsoft could deliberately put malware into MS Office. Though they'd probably try and call it something else, like "anti-piracy" or DRM.
In contrast, the motivations behind closed source programming are a lot more diverse. If you see your (programming) job as nothing more than a paycheck, if you think your employer sees you as nothing more than a number on a balance sheet, if you never interact with the customers or users of your program, it can be very tempting to put in a logic bomb or virus as a sort of "farewell present" when you get laid off.
In addition there are proprietary software companies which specifically set out to write "malware". Such as XCP, the rootkit which Sony BMG got caught distributing on fake CDs a few years back.
My concern was that it's a similar situation with closed v open source; if someone working for a closed software company puts malicious code into a project and they get caught, they lose their job and face legal action, difficulties finding employment in the future etc.
What you are missing here is that it matters from whose POV this code is "malicious". A programmer who puts code into a product under instructions from their employer is unlikely to face sanction for "doing as they were told". No matter how malicious anyone else, including users/customers, might consider it. If anything they'd be risking their jobs by not putting the malicious code in.
Or do you honestly think that the bulk of spyware, adware, DRM, etc is down to "rogue programmers"?
Forgive me if I'm being stupid, but this is actually something I worry about. I'm a heavy user of open source, but surely it is true that "anybody can change the source of a project, submit it, and you never know what kind of compiled binary you're going to get" - isn't that kinda the point of open source? And we just hope that someone else notices if the changes are bad?
With OSS you are free to compile whatever you want, however you want.
Sure, many eyes on the source code and all that, and there would be the same risk from employees at closed source organisations - only difference being it's easier to get to work on an open source project,
With OSS you have the ability to audit whatever it is you are running. If you use proprietary software you'd have a much harder task doing so, both practically and from a legal POV.
and if you get caught adding bad code, you don't lose your job.
Assuming that it's not a programmer's job to add "bad code" to a piece of proprietary software. DRM, spyware, etc, is only "bad" from the user's POV. To the supplier/vendor it can be (very) good.
Scientology isn't a business, it's a scam.
It's not like the two are mutually exclusive :)
They sell things which don't work, brainwash the people to whom they sell their things, and harass people whom they can't sell their things to.
There are software companies who'd fit that description.
How about one that involves priests who can magically transform cookies into human flesh which the followers then eat? Think that would fly?
If you want flying there's one involving a construct made out of pasta.
I can't see how this guy got caught. If he was running a botnet over IRC, he should have been able to simply log in, issue commands for which target to attack, and disconnect. Or was he posting copy and paste scripts on the chans who then divulged his IP to the feds? Seems like the majority of Anonymous are idiots.
It isn't that hard to find idiots even when it's a requirement they also be Islamic. Consider Nicky Riley, also known as "Mohammad Rashid Saeed-Alim".
Rabid zealots and asshat script kiddies are the kind you _don't_ want your movement to be associated with, because it ruins your whole credibility. That kind of "friends" are literally worse than your enemies.
Assuming they are not actually your enemies pretending to be your "friends" in the first place. The CoS employing agents provocateurs would hardly be a surprise...
people use corporations to protect themselves against legal liability in case they are sued or otherwise break the law.
Which wasn't the original idea behind a "Limited Liability Corporation" in the first place. That was that investors would have their financial liability limited to the amount they had invested. Whilst they might end up with stock/share certificates which were effectively worthless they would have no financial liability. Shareholders would be last on the list of creditors. Whilst this might mean they would lose their money in the case of a failed business, they could still get their money back (even make a profit) were one to cease trading whilst profitable.
The idea that a corporation must exist for a long period of time, together with the idea of a corporation protecting its executives from their actions are more recent "innovations".
Let me ask you - would you consider illegally downloading music or stealing a car a more serious crime? Doesn't it seem a bit crazy to you that the penalty for downloading music is harsher than grand theft auto?
Especially considering that someone's car being stolen tends to lead to actual hardship to people. Such as higher insurance premiums and having to manage without the machine they usually use. Whereas downloading music may simply deprive a highly profitable business of a trivial amount of money.
IMHO this isn't a meaningful comparison of scale. Better would be between "downloading" and someone stealing a CD from a store.
mainstream pop musicians that have traditionally been the major labels' cash cows are no longer selling because people realize that such throwaway fad music is not worth spending money on.
There's also the little matter of the state of the economy. Which is currently rather FUBAR. In a recession people are likely to have less money to spend on things such as entertainment.
The total revenue from music sales in the USA is less than $10 billion. So if everyone stopped buying music right now and exclusively changed to downloading music from peer-to-peer networks, the total damage would be $10 billion. Actually a lot less, because that $10 billion revenue produces a lot of cost as well.
It's also more complicated since it is not the case that "downloaders" would otherwise be customers. Whilst the industry likes to claim that if people couldn't download they would otherwise buy this is simply a false dichotomy. Since there are plenty of alternative forms of entertainment. Nor does "buying music" equate to buying a music recording.
Isn't that the entire point though? No-one knows what the actual damages are. Not even the RIAA!
Whereas you'd usually expect that the party claiming can come up with at least some kind of figure and some evidence to back it up.
So, how can they stick a number on and get away with it in a court of law?
Without a judge simply dismissing the case...
Especially when it's not fixed,
Whilst you can sue for a non fixed amount there generally has to be some reasoning, understandable to the judge, involved.
You are calling out NYCL for his dollar figures; I am calling out the RIAA for the same thing. Let them prove, without a doubt, that there even were damages, and then we can get on with it.
Unless damages can actually be proven then the amount per damage isn't relevant. Multiplying anything by zero gives the same result :) With the onus being on the plaintiff to present actual evidence.
In my limited experience on this planet, I've found it wise to avoid installing disk controller drivers of all stripes (no pun intended) and video driver updates from Windows Update. Ditto for most drivers - get newer versions directly from creative or realtek or intel or whoever. At Microsoft's best, the results are the same - more commonly, you get an old driver, or a blue-screen on boot.
It's also possible for it to replace a functional driver with one which isn't. Apparently by such daftness as overwriting only some of the files with older versions.
Exception at line ("Then keep chopping it down every two years"): Attempt to chop down an already chopped-down tree.
When you chop it down you are only removing part of the plant. Many trees can regenerate so long as the roots are healthy and the stems aren't cut too often (depends on the species of tree). The practice is known as "coppicing" and has been going on for several thousand years.
you are NOT allowed in any case to store the cardholder verification number.
That's really going to stop someone (individual or corporation) from misusing credit card details if they can get their hands on them.
Look at issue 43029.
Notice that it is classified as a feature request rather than a bug and its target milestone is only 3.2, despite being first created more than three years ago, having over 200 votes, and numerous comments on this issue and its various duplicates showing how it's a complete showstopper for using most professional grade fonts with PDF export.
This sort of thing isn't uncommon. The difference here is that you can actually see this going on. With a proprietary product you'd have little way to know if a "bug report" has been converted into a "feature request" or how many people wanted it done.
I've seen a "bug report" become a "feature request", but once this has happened even the person who originally submitted it can't see what's happening with it.
And it goes further: what if they manage to change the embedded code on a device? You'd never even know it was done.
Until the first such device is found.
Look at the Diebold mess for a clear example.
The difference is that it is often fairly easy for people to take their custom to a different supermarket.
This is very interesting if you start thinking about how they have accomplished this. "Examining the store's credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology. The bug would read an individual's card number and the corresponding personal identification number, then package and store the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next." So it was wireless - definitely cellular. So each of these bugs would have a subset of a cell phone capable of sending and receiving text/SMS messages and must have a SIM card (as GSM is universal in Europe) to communicate over the local network, perhaps using roaming capabilities.
You'd think someone would notice a "phone" which regularly registers with the network, makes an international call then deregisters. Especially if it's a foreign phone, doesn't appear to move and does this at the same time each day. Even more so if it's lots of "phones" showing this kind of behaviour.
It's extremely inexpensive to buy a SIM card in Pakistan with roaming capabilities - I believe it's just a couple of dollars, and if the attacker can top up the card remotely it can sustain these devices forever.
It isn't going to be so cheap to make data calls, even to send SMS messages. Using a synthesised voice definitely should get the attention of the GCHQ people.
In fact, since these banks should be competing with each other, especially now that they've got so much less to offer (as they've burnt down their advantages into the current crisis), their lowered costs from better security should enable them to market themselves to me with a better net income to me.
It might help if national governments were a little more reluctant to bail them out though :)
If an American bank were to issue Visa smart cards with a pocket-carried one-time-PIN generator, would you really switch to them?
Aren't all US banks now effectively owned by the US Government anyway...
What if these rings manage to get to the card readers before they're delivered to the merchants. I bet that is what happened here.
In which case you should have at least some of these emitting electromagnetic radiation they should not be. Including trying to make an RF connection when there is nothing they could connect to. (As well as potentially being in range of enterprise grade WiFi kit which is capable of detecting and triangulating "rogue devices".)
Effectively these machines come with an inbuilt "neon sign".