I mean, paying a tech for some hours would be quite expensive. It's not asked too much, that they spent some bucks going to some wine store. Maybe you pay double the price, but the wine won't be bad.
That's a great idea though.. prolly one of the best and most creative i've heard in a while.
Jupp. Hm, now I have to think... I don't like alcoholics much... what else could fit similarly?
Choosing for a wine snob is more difficult and could be a time-wasting, researching, and hunting nightmare for people who don't know much about wine.
Actually it is not that hard. I don't like wine but my sister does. And I have never heard complaints from her (and I would, if the wine I brought was no good). That's by picking a good store (that is, not a cheap one).
You just need to accept to pay double the price: Once for the wine and once for the advice. Works great for me.
(Well, of course, not every time the wine will fit perfectly to her taste, but at least I am sure that it's not a horrible one.)
And the answer to the question I posed is, "It depends on the architecture."
Not really. It only depends on the architecture when you are using assembler. Else, "It depends on your compiler." Ignoring for a moment that you seemingly compared apples with oranges (x *= 2 does something different than x 1, assuming we are talking C syntax here), then, you should assume that your compiler is doing such basic optimization for you. (gcc, for example, does).
Then, if you learn through profiling that you have a problem there, and it isn't a problem with the algorithm, but you really need to start counting cycles, you'd go and write that part in assembler to begin with. No second-guessing your compiler anymore.
While being able to optimize stuff is important, and some optimizations always make sense, ordering your variables (which is what brought this up) is utterly useless if you don't *already know* you need it in the case at hand. Yes, it may matter on some embedded systems (but I was fine without), but when you are not, I'll take better readability anytime.
I already answered the second part, too. Usually there are work-arounds available. I am not sure which experience you are referring to, but I see professionals wait for official patches and vendor updates, usually. Applying patches manually seems to be the exception, not the rule.
But let's assume people do what you say and your scenario would happen. Why would this be a vulnerability? What is the problem? Actually, I see it as another advantage of OSS. With binary software, you *have* to use a work-around until a fix comes, and you *have* to hope that a fix will be part of the next patch-day.
IMHO, it would probably happen as it happened with the Linux kernel some days ago: one good soul offers to maintain a fork with security patches. All is well. Where is the problem again?
"Fork" is often used as a bad word, a worst-case scenario, when it isn't. There are a lot of distributions, and in some way, they are all forks of a lot of packages they contain (any Linux distro still delivering their main kernel unpatched?). The world still stands.
Forks become a problem if too many happen and if they happen due to social problems and leave people not cooperating (because then it becomes unrealistic to backport all those patches). But in the scenario you suggest, I see people working together. Someone just taking some load from the main project.
The worm doesn't use a hole within MySQL, but only bad admin passwords. In short, it's a problem with people not a technical one.
But there are mitigating factors:
- MySQL allows loading of libraries (UDF) for users with the right privileges (of which root usually is one, of course), which is a powerful feature and that power can be abused.
- The worm requires that MySQL is set up for networking, and that the port is freely reachable from the internet.
And, more important from the OSS perspective, where's the patch?
No patch needed. The mitigating factors are configurable (you can disable networking in the config, and restrict accounts to certain hosts; you can compile MySQL without UDF support; and of course, you should have installed a firewall that restricts access to the port, if networking is really required).
Btw, better distributions already come configured this way (if you want UDF support and whatever, you use the MySQL-Max binary).
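The hardening the comment above describes, as an added example that is not from the thread or from MySQL's own documentation: the network side is handled in my.cnf (`skip-networking` under `[mysqld]` removes the TCP listener entirely; `bind-address=127.0.0.1` keeps it on loopback if a local client still needs TCP), and the account side is handled in SQL. The statements below assume a MySQL 4.x/5.0-era server as discussed in the thread (mysql.user still has a Password column and SET PASSWORD ... = PASSWORD() is valid); the application host 10.0.0.5, the database appdb and the two password strings are made-up placeholders.

```sql
-- Added example, not from the thread. Audit and close the two conditions the
-- worm depends on: an account reachable from any host, and a weak or empty
-- root password. Assumes MySQL 4.x/5.0 (mysql.user has a Password column).

-- 1. Audit: which accounts can log in from anywhere, and which have no
--    password at all? Before hardening this usually lists root@'%'.
SELECT user, host
  FROM mysql.user
 WHERE host = '%' OR password = '';

-- 2. Remove anonymous accounts and any root account that is reachable from a
--    non-local host. Deleting (rather than renaming the host) avoids a
--    duplicate-key error if 'root'@'localhost' already exists.
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user
 WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1');

-- 3. Give the remaining root account a real password (placeholder value;
--    generate a long random one in practice).
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('replace-with-a-long-random-secret');

-- 4. Application accounts: least privilege on their own schema only, pinned to
--    the one host that needs them (hypothetical 10.0.0.5). No FILE privilege
--    and no INSERT on the mysql database, which is what loading a UDF via
--    CREATE FUNCTION ... SONAME requires.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.*
   TO 'app'@'10.0.0.5' IDENTIFIED BY 'another-placeholder-secret';

-- 5. Make the grant table changes effective and re-run the audit; it should
--    now return no rows.
FLUSH PRIVILEGES;
SELECT user, host
  FROM mysql.user
 WHERE host = '%' OR password = '';
```

The audit query in step 1 is the check worth scripting: run it against every server you own, and anything it returns is a host-scoped account that is only one guessed password away from the UDF path the comment above warns about.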
And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?
Are you trolling? No admin with any clue would use any 3rd party patch (especially when work-arounds are available), but wait for the update from his vendor.
Changing your vendor after such an attack may be a good thing to consider, after security holes have been mishandled several times. But considering 3rd party stuff for an urgent hole only opens you to the equivalent of phishing attacks (notwithstanding all the other problems such an idea has, like that you can't know the quality of the patch).
My question still is, what do you do if your ISP restricts anything you upload to clear text?
In what context are we working? It's unreasonable for the upstream to restrict everything to clear text. That would shut down any SSL traffic, which includes banking software, all VPNs, which are used by a lot of major companies, all of SSH, which is quite widespread for remote administering, and so on.
In most countries you could probably simply sue your ISP (it's not in the business of censoring). If you say we are talking about a country where the ISP has the backing of the government, well, then say so. Then it's not the ISP which is restricting you, but your government. And if that's the case, then they can simply make the use of any encrypting or anonymizing device a criminal offence no matter what the method is and you have lost anyhow. So that argument is a non-starter.[1] Btw, that's not a purely theoretical point. IMHO, China would be one of the prime candidates for making such laws.
Well, and if you allow SSL, all we have to do is to make a Tor entry node that speaks SSL:)
My idea could go a little further by constantly changing your own IP address, kind of like what happens when you disconnect and reconnect to your ISP.
With Tor, you don't need that. Augmenting your traffic with that of others by being a transfer node has a similar effect without the hassle (well, you have the hassle of giving up bandwidth).
I never claimed to be very good at expressing my ideas, so I need all of you to fill in the obvious gaps. I was aware of these things before I posted the first comment. At this point I still believe what I am looking for can only be achieved through wireless, without the internet providers turning you over at the drop of a hat.
Don't get me wrong, I don't think your idea is bad. I just argue that you are wrong to say that it's only possible your way. Tor is at the point where they have shot down most problems and are well aware of the remaining weaknesses. Which are few.
And while I don't understand your idea enough (or have enough details) to say much about it, you have the same problem that you accused Tor of: if the ISP doesn't play along, it won't work.
If you really want to get your idea off the ground, I suggest you write a paper. Present it fully (and not only in chunks as you do here). Also show a threat analysis (which you obviously already did in your head). As a bonus, explicitly list how your solution behaves under the threats others have looked at (i.e. take the Tor paper and take the scenarios they present), so that one has an easy comparison of the merits and flaws.
The first version doesn't need to be perfect. Label it a draft and go through iterations whenever someone presents valid criticism. The scientific method needs you to enable others to look at the entire idea at once and do the threat analysis themselves. Presenting it here, with a lot of hand-waving, does it no good.
With wireless you can pick up and run off the moment you become suspicious of anything wrong. Think of it as mobile SCUD internet.
And another thing is that it is quite inconvenient. If the method expects someone to run if something suspicious is going on, there is a problem: why do I have to run? Anonymity should be good enough so that nobody manages to find out my place to begin with. Regardless, if I am supposed to run, it's implied that I am also supposed to not come back to the same place soon. And that implies that I cannot use this kind of anonymity from home. Which is a *major* drawback, because it will prevent widespread adoption.
[1] While - if your anonymizer works well - they can't get you at first, they can get the one they see the traffic coming from (an ISP, a node, a wireless hotspot, whatever) and shut that down. Sooner or later there is nothing left to grant you anonymity and they will get you.
The only recourse is that the method finds *a lot* of pa
At least half of the questions (if not all) you ask are answered on the Tor homepage and in their papers. Obviously you didn't bother to inform yourself beforehand about what you are talking about.
Come back when you have reduced your list of questions to the ones that aren't answered already.
(Note that most references are to German sites, because the topic is about Germany.)
Well, I don't agree on the clarity thing (P3 TKÜV [Telekommunikations-Überwachungsgesetz, the law about wire-tapping that comes into effect in 2005] is quite clear, IMHO). There are some public calls for clarification, but it doesn't look like those actually have doubts about who is affected, they just want to prevent unnecessary confusion (see e.g. this critique, point 3).
But even if we accept that the wording could be clearer, we already have 3 different laws (one for common carriers (Telekommunikationsgesetz, TKG), one for unmoderated services (Teledienstegesetz, TDG) and one for moderated, editorial services like news-sites (Mediendienste-Staatsvertrag, MDStV)).
There is a very good chance that the courts will interpret "Telekommunikation" in the TKÜV the same as in the TKG, especially since the TKÜV has several references (in fact, a lot of terms are defined by reference) to the TKG, but none to the TDG or MDStV.
So while there is a different uncertainty, namely whether some service providers (like chats) fall under TDG (most do) or TKG (which they would prefer not to), one can safely ignore TKÜV if one didn't already have to care about TKG.
Additionally, there are several exception clauses (in P3.2), and a Tor node would fall at least under these:
- P3.2.1: it doesn't offer a subscriber line (defined by TKÜV P2.2 which refers to TKG P3.9, and TKÜV P2.11, which narrows TKG P3.9 down to subscribers) and only connects two networks
- P3.2.5: not more than 1000 subscribers are attached[1]
Ah, and "Telekommunikationsdienstleistungen" (telecom services) are defined in TKG P3.19, which says they have to be commercial. Another point why John Doe wouldn't be affected.
Btw, the law is not about logging information (ahead of time) as you say, but about providing a ready interface for wire-tapping, for the case a telecom/provider receives a court order: that is, you don't have to log anything due to this law, but only have to "make a full copy of the communication [in question] available" at a transfer point, like on one of your lines. Only if that doesn't work, or you prefer the other way, you can make a logfile.
[1] And no, this has nothing to do with TCP/UDP connections to the computer... if the judge doesn't laugh such an argumentation out at once, just explain to him that his computer at home also provides those (considering the TKÜV is clearly advertised as addressing public access providers, he'll get it).
Without any references to back up your claims, it just sounds like a case of paranoia. I am not saying you are wrong, but if you want to spread the message, you should start working on the "convincing" part.
1 a : the moral significance or practical lesson (as of a story) b : a passage pointing out usually in conclusion the lesson to be drawn from a story
That's exactly the point! While you certainly can draw that lesson from Japanese movies, it's not the lesson to be drawn from the author's point of view.
Since in their culture these values are nothing unusual, from their point of view, there are other, more important lessons to be drawn from the stories. So, as the grandparent said, that's not the "moral," [of the stories], that's the background of [the] culture from which it's created. At least most of the time.
I'm calling these films by their English names because I'm speaking English, btw - I don't really see the point in mixing languages up when there is a proper, official English title available.
While I agree with you on using English titles if available, if the Japanese one means nothing to you, there is a point in using the original title.
I don't speak Japanese, nevertheless, once I learned what Mononoke means (vengeful ghost, here probably better "spirit"), I prefer the Japanese title.
I cannot know for sure if it has the same sound for a Japanese speaker, but for me - while it is typical in Japanese stories for names to have a related meaning - here the name seems to describe the role and the role to be the name. Completely ignoring the role in the English title of the movie lacks a lot, IMHO.
For me it's like translating "The Last of the Mohicans" in a way that it sounds like "The Last of Johns" in another tongue.
Well, enough of that rant...:-)
I don't mean to say that you shouldn't use English titles, but I don't agree that there isn't a point with sticking closer to the original. But maybe that's just me (I am also one who prefers to watch a movie/TV show in the original language, if I am able to).
The overall success rate is far above any other advertising type, as is the cost for such an ad, which is why companies are going to this model.
In general, this is nonsense (there may be exceptions, but I am talking about the average). While the click-through rate is increasing with such advertising, the conversion rate (people actually ordering/filling out forms => orders/clicks) is decreasing.
According to our stats, even the absolute conversion rate (that is, orders/impressions) is usually lower than for reasonable banners. Considering several tests with placement of banners, I consider increased click-rates with obtrusive banners simply a side-effect of people wanting to get rid of that thing.
Remember those banners which look like they contain some OS widget like a button? They work(ed) great when you wanted to increase click-rate (in times when pay-per-click was most popular), but people tricked this way to visit a site most likely were only confused and not in the mood of ordering anymore.
To conclude, those banners aren't popular because they work well, but because some marketing types can make their bosses/clients believe they work well, by showing that the campaign has increased the number of visitors to the homepage.
Those are the same people who ask for their traditional demographic profiles at a time when you could easily run campaigns completely to their wanted profile (like, only women aged 20-25). The US market may differ, but the German market is this way. (The solution, of course, is to turn to creating several virtual profiles for a site, which they can choose from.)
That's like saying the infamous X10 popups didn't work. They worked so well the company had trouble producing X10 cameras fast enough at one point.
I don't see that as an argument for or against popups. It's an argument for X10 cameras. Unless you have data that shows, that those cameras sold better when advertised as popups vs. banners.
We once had a banner campaign that had a 75% click-through rate (when on a non-specialized site 3-4% is considered high). But that wasn't saying anything about banners, only about the advertised content. At first, we thought we had made an error (like placing the click-tag in the place of the impression-tag). But it was due to it being an ad for a snow condition report on the last weekend of skiing season (with the 3 weeks before having little snow and snowfall expected for this WE).
Does anyone else see the irony that this was modded "offtopic"?
No. "Irony" implies that something different than the expected result happened. I can see nothing unexpected in either
- a meta-discussion being considered off-topic,
- an off-topic post mentioning the word off-topic itself,
- such a post being modded off-topic,
- /. mods moderating an on-topic post as off-topic*
- even if such a post complains about exactly this (this is /., remember?),
- a post (indirectly) foreseeing its moderation getting modded real high or real low,
- and so on.
Regardless how you spin it, there isn't much irony in how it got modded, especially considering this is Slashdot.
*I don't consider this thread to be on-topic (as its meta-discussion started with a troll), but let's be open-minded for a moment.
The stable version does NOT have subqueries. Version 4.1 does, but that is still beta quality software.
That's not up-to-date. 4.1 hasn't been considered beta since 2004-06-24 and had its first production release over a month ago, on 2004-10-23. See here
The transaction support in 4.0 is horrible and slow. Rollbacks are O(n) operations (for InnoDB, that is) etc...
Slow rollbacks are not really a problem if you don't abuse them. That is, don't write your transactions with failure as an expectation (like inserting a row and waiting to see if it fails due to a unique key), but do your own checks (most often you don't need additional queries, because you already have the data or can expand an existing query). Not only does that make your queries faster with most databases (even those with good rollback support), but it also makes your application more robust (in case of db changes).
[...]When you broaden words like this, they lose their meaning. A DDoS is a specific term.
I didn't broaden the term. I agree that it is a specific term, and I cited two references from the security field where my understanding of the term comes from. What is your excuse?
By your logic, a class-action suit to close an ISP is a DDoS. Or asking people to send in the pre-paid envelopes from junk mail to cost them money is a DDoS.[...] But you're not applying ANY logic or reason to the issue at all. You just want to be "right". If you were using reason, you'd admit:
1. This isn't the same as any previous DDoS in mechanics.
Oh, you mean like "the attack doesn't fit into one of the existing categories for DoS attacks"? (In case you didn't realize: this is a quote directly from the post you replied to)
2. This is very much like a standard DDoS with the exception that it doesn't attempt to directly take down a service.
Like "the spammers themselves will have to pull the plug before the cost explodes [...] there are other DoS attacks out there which effectively work by indirectly forcing the admin to take the machine down herself"?
3. It belongs in the same category of attacks, but is different enough to warrant its own name.
IMO, that belongs to "opinion" not "reasoning".
Sorry, but above looks to me as if you are the one who just wants to be right.
It's like a trojan vs a worm vs a virus vs spyware. They are all the same category of evil software, and they all are similar enough to each other that people have argued whether they are all just virii or something (in fact, smart people *do* call them all virii), but they are all unique enough that it is more useful to use a new name.
Interesting example, but not really fitting: there is a "genus" name, and it's "malware", not "virii"*.
If the net at large chooses to call it a DDoS, fine, nothing I can do about it--it won't be the first time illogic was used to "advance" the language.
I covered that in another reply to you.
* btw, it's "viruses" (English) or "virus" (Latin, long u).
Or it's just a kind of rose which you have never seen before and therefore don't know how to categorize.
I agree (and in fact this is exactly what I'm arguing). This is a different enough attack to warrant a new term (IMO). It's still the same class of attacks (so it's still a rose-like flower, if it isn't a rose).
I am not sure how you spun that into implying I was agreeing with you, when it's obvious that I do not. A rose-like flower which isn't a rose doesn't belong to the genus rose. But let's stop that analogy here before it gets too weird.
Note that the term "denial of service" attack doesn't define the means. Cutting your phone line is a DoS, too.
If you broaden the term too much, it loses its usefulness (unless it's meant to be a broad term, covering many more specific terms, like malware covers: worms, virii, trojans, spyware, etc).
I think this is the main point of our disagreement: I didn't broaden the term. This is how the term is understood by security people to begin with. Cutting the phone lines is an explicit example in the SecurityFocus article I cited to you earlier.
Now, if your argument is that security people make wrong usage of the term, because it counts how the public uses it (like, for example, hacker vs. cracker), then we can stop right here, because we don't have a controversy at facts, but only whether we use technical terms or not.
Was the war in Iraq a DDoS against Saddam? Was MS's integration of IE into Windows a DDoS against Netscape? Is a class action suit a DDoS? Etc. They all fit the definition of the individual words in DDoS strung together, but they don't fit the term.
That's what I pre-empted by "The main reason you could argue that it isn't a DoS is the level of indirection", which you decided not to quote (my signature seems to come into this discussion). You'll note that the level of indirection is quite a lot larger in your examples, which makes them sound ridiculous and look like they strengthen your argument. When they do not. To pick up the analogy again (sorry), it's like saying "would you call a maple tree a rose-like flower?" (well, both still have leaves). Sounds nice, but only distracts from the case at hand.
This screensaver is close enough to a DDoS that it might make sense to broaden the term to cover it, but I'd rather see the term stay specific. Yeah, who am I to argue, right? Well, I'm one voice in the discussion, that's all. If the net at large chooses to lump it into DDoS, fine.
That seems to go with what I wondered above: Apparently you are not looking at the technical term, but at how the majority understands it.
[...] This attack, though, is quite noble (in this case). Spammers cost the net far more than they pay, and this is not a welcome subsidy. This is really making the spammers pay for the inherent cost of their actions.[...]
I'll stay with the discussion of the term, not the merits of Lycos' method in this thread.
Let me start my answer with an observation: You claimed that "The purpose is not to deny service." (among other things). I called bullshit. Now you are changing focus to the term DDoS. In my reply I did address DDoS only as a side issue. To cite your original statement again:
***READ CAREFULLY***:
1. The purpose is not to deny service. 2. The program is designed to specifically *NOT* deny service.
It's not DDoS or even an attempt at DDoS.
In other words, it looks like your reasoning was that it wasn't trying to deny service, so it cannot be a denial of service attack and therefore no DDoS. I think I showed that your presumption was flawed and therefore your chain of reasoning without foundation (which only means your argument sucked, not that your conclusion is proven wrong).
Now to your current post:
If Lycos started a class-action suit, would you call that a DDoS? It's distributed and unified (like all DDoS's), it seeks to deny service (like all DDoS's).
So you admit that dragging a Spammer to court would seek to deny service, but the Screen Saver does not? Your Honor, I close my case.;)
[...]I bring up these admittedly absurd examples [Iraq war, antitrust suit,] because they are all DDoS's under the simple definition of the words in the term, but they are not a DDoS as a term unto itself.
Again, you denied (no pun intended) that the purpose of Lycos' move was to deny service, yet you say even those absurd examples fit the term. I don't mean to ignore the rest of your post, but you contradict yourself so much here that I don't think it makes sense to continue with this.
Sorry, but there won't be any one way to stop spam, but there will always be ways to fight it. One method will not cover all bases, but the more methods used, the less frequent we will get spam.
Obviously it isn't redundant, because it would do you good to read it: The problem with Lycos' method isn't really that it won't work with all cases, but that its potential for abuse is too big.
1. The purpose is not to deny service. 2. The program is designed to specifically *NOT* deny service.
It's not DDoS or even an attempt at DDoS.
You have fallen for them. Just because they say it isn't an attempt to deny service, it doesn't mean it isn't. It's just marketing speak for separating themselves from the "bad word". (I don't mean to judge their idea, but only address how "DDoS" is perceived by the public.)
If they don't want to deny service, let's see what they try. They try to use more traffic, so that the cost rises. They try to raise the costs, so that the spammer cannot afford it / spamming doesn't pay off anymore. They try to make it too expensive, so that the spammer has to pull the plug. Now nobody who "wants" to visit the spammer's site can do so anymore. Sounds like a denial of service to me.
The only thing differing from a common DoS is the level of indirection. And I admit that is arguable. But imagine for a moment, the spammer had a traffic limit. Would maliciously using up his monthly traffic so he'd hit the cap still be no DoS?
In short: Lycos isn't attacking the network bandwidth, but the network cost, which still is an attack on the availability of the network, and therefore the service.
Or it's just a kind of rose which you have never seen before and therefore don't know how to categorize.
Note that the term "denial of service" attack doesn't define the means. Cutting your phone line is a DoS, too.
The main reason you could argue that it isn't a DoS is the level of indirection (Lycos doesn't attack the network, but the cost of the network, and therefore the spammers are made to pull the plug themselves).
The cost of service effectively is a cap for their transfer volume. Now, if it weren't the cost, but a hard cap (like with web hosting), say 100GB, intentionally using up the available transfer volume surely does count as a DoS attack in my book. So while adding enough steps in between will muddy the waters, Lycos' intent is clear enough to make this a distributed DoS.
That's not what the term DDoS means. It means you make the service unavailable by inundating the server (or a critical intermediate point) with requests[...] Your stretched definition is not only wrong, but is also a blatant attempt to change the meaning of a term for expediency.
No, you are the one who is wrong. What you describe is a network-based* denial of service attack. There are other types, too. Just because network-based attacks are the most common today, doesn't mean the meaning of DoS has changed. Read any advisory on bugs that makes Apache crash for good, and you'll find the term DoS in a context you just excluded. And the other D just means that the attack is staged from a multitude of computers (and usually implies that it would be hard to do from only one). One definition I found was:
"An attack on a computer system intended to reduce, or entirely block, the level of service that 'legitimate clients' can receive from that system."
"The term can be applied to any situation where an attacker attempts to prevent the use or delivery of a valued resource to its intended audience or customer. It can be implemented via multiple methods, physically and digitally."
So while the attack doesn't fit into one of the existing categories for DoS attacks, it fits the "denial" part well: they attack the cost of the network (the fact that the spammers themselves will have to pull the plug before the cost explodes IMHO doesn't change that character: there are other DoS attacks out there which effectively work by indirectly forcing the admin to take the machine down herself.)
*network-based in this context doesn't mean "anything coming over a network" here, but "concentrating on denying the network-component of the target system".
What law suits? You have to be from England, France, Germany, Italy, Spain, Sweden or the Netherlands to download the program. I imagine Lycos chose these countries for a reason, legal advice being my #1 guess.
Well, anyone who paid attention (e.g. the SCO case) would know that Germany is one of the countries where it probably won't take a day until a court holds Lycos to account. Not always, but most of the time they get the "the spirit not the letter of the law counts" thing right.
But you are probably right anyhow. Germany is also a country where you can sue someone for 500 Euro per SPAM you got. I guess the game is: if a Spammer wants to take action against Lycos, he has to come out of cover, and so Lycos can smack him.
That's only a hunch, and I am curious if it really plays out like this.
(Oh, btw, I think the term DDOS does fit: a denial of service attack doesn't imply saturation of the network, any way of denial works [and the intent counts, not the result]: abusing a bug to make the web server crash, fucking up a database so that it shows wrong results, and so on. Making them pull the plug by effectively raising the cost per "wanted" packet may be an innovative way, but the intent is denial nonetheless.)
It's an entirely different thing if they tried to give the impression that they can force the request without a subpoena, but there was no mention of that in the article.
Cops of any variety always try that little trick.
Do you have any reference to support your claim? While it's surely not unheard of that officers try such tricks in person, I have yet to see one try that in writing (probably because with paper, you could sue their ass off). I handle requests from authorities regularly and the experience is that they either
1. have a subpoena beforehand and serve it,
2. don't have one, mention it, and ask politely if we require one in order to hand the data out, or
3. are simply ignorant (e.g. cite the completely wrong laws*)
AFAICS, Fyodor has about the same experience, with the exception that for point 2 he didn't mention whether they were making that clear or whether they possibly tried to trick him.
So I am asking again, because my personal experience is contrary: Can you back up that statement, or are you simply assuming the worst? (And yes, I haven't provided any external reference, either. But then, I am not the one accusing whole professions of misconduct.)
Fyodor is right here to refuse an improperly formed request out of hand - I believe the FBI as a whole to be the "good guys" but there is a real need to keep em honest by never making it trivial for them to invade the privacy of any private citizen of the US.
I already covered that in my previous post. I was not arguing whether Fyodor has that right. Of course he has. And I was not arguing whether he is right resp. whether the FBI has to be kept honest this way (I currently don't care about that part of the debate).
I argued that - in contrast to the original poster (poemofatic) - there is no reason to be upset with the FBI that they sometimes do not get a subpoena before knowing that Fyodor (or whoever else) really wants to see one, if it is the people who teach them that behaviour by not always asking for one.
A short summary of the past:
Cally: I can't imagine many acts more calculated to alienate infosec geeks from the FBI [...]
nomadic: Why? What's wrong with a narrowly tailored subpoena [...]?
poemofatic: No, the question is "What's wrong with getting a valid subpoena *before* asking for the logs?"
catenos: Nothing. [...] it [just] sounds reasonable for the FBI to see if more paperwork can be avoided by asking first [without subpoena, as long as they don't give a false impression] Complain at the people, not the FBI.
miu: Cops of any variety always try that little trick. [...] Fyodor is right here to refuse an improperly formed request [...]
catenos: Can you back up that statement? [Well, and the latter was never at question.]
* and no that is not a trick... (e.g. requests from foreign countries citing their local laws... obviously it was simply a standard letter. No malice involved).
If law enforcement doesnt want the public to get away with violating the law, then law enforcement shouldnt be suprised if the public requires law enforcement to follow the law as well. Thus law enforcement can get a subpoena or search warrant, or they can go pound sand.
I don't see a contraction in that (to what I said): The law does not require you to request a subpoena from the FBI. One is free to hand them out the IP address without that. Some people actually do that (willingly). The FBI makes use of that. No laws violated.
As I said: Don't complain about the FBI, if your problem is with the people handing out IPs without subpoena.
..or they don't know anything about wine.
:)
Then they should simply go to someone who does.
I already answered the second part, too. Usually there are work-arounds available. I am not sure which experience you are referring to, but I see professionals wait for official patches and vendor updates, usually. Applying patches manually seems to be the exception, not the rule.
But let's assume people do what you say and your scenario would happen. Why would this be a vulnerability? What is the problem? Actually, I see it as another advantage of OSS. With binary software, you *have* to use a work-around until a fix comes, and you *have* to hope that a fix will be part of the next patch-day.
IMHO, it would probably happen as it happened with the Linux kernel some days ago: one good soul offers to maintain a fork with security patches. All is well. Where is the problem again?
"Fork" is often used as a bad word, a worst-case scenario, when it isn't. There are a lot of distributions, and in some way, they are all forks of a lot of packages they contain (any Linux distro still delivering their main kernel unpatched?). The world still stands.
Forks become a problem if too many of them happen, and if they happen due to social problems and leave people not cooperating (because then it becomes unrealistic to backport all those patches). But in the scenario you suggest, I see people working together. Someone just taking some load from the main project.
We've got the source code. Where's the hole?
The worm doesn't use a hole within MySQL, but only bad admin passwords. In short, it's a problem with people, not a technical one.
But there are mitigating factors:
- MySQL allows loading of libraries (UDF) for users with the right privileges (of which root usually is one, of course), which is a powerful feature and that power can be abused.
- The worm requires that MySQL is set up for networking, and that the port is freely reachable from the internet.
And, more important from the OSS perspective, where's the patch?
No patch needed. The mitigating factors are configurable (you can disable networking in the config, and restrict accounts to certain hosts; you can compile MySQL without UDF support; and of course, you should have installed a firewall that restricts access to the port, if networking is really required).
Btw, better distributions already come configured this way (if you want UDF support and whatever, you use the MySQL-Max binary).
And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?
Are you trolling? No admin with any clue would use any 3rd party patch (especially when work-arounds are available), but wait for the update from his vendor.
Changing your vendor after such an attack may be a good thing to consider, after security holes have been mishandled several times. But considering 3rd party stuff for an urgent hole only opens you to the equivalent of phishing attacks (notwithstanding all the other problems such an idea has, like that you can't know the quality of the patch).
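The mitigating factors listed in the post above (networking disabled or bound to the local interface, accounts restricted to the hosts that need them) are easy to check mechanically. The following Python script is an added example, not code from the thread or from the MySQL project: it parses a constructed my.cnf fragment and a constructed stand-in for the rows of mysql.user, and flags the two conditions the worm depended on, a server reachable over the network and accounts that accept logins from any host. It assumes that an absent bind-address means mysqld listens on all interfaces, and it cannot tell whether the binary was compiled without UDF support or whether a firewall sits in front of the port.

```python
"""Audit a MySQL configuration and account list for worm-style exposure.

Added example, not from the original thread. The my.cnf fragments and the
account rows are constructed sample data standing in for a real server.
"""
import configparser

# Constructed [mysqld] sections: an exposed setup and a hardened one.
EXPOSED_MY_CNF = """\
[mysqld]
port = 3306
bind-address = 0.0.0.0
"""

HARDENED_MY_CNF = """\
[mysqld]
skip-networking
bind-address = 127.0.0.1
"""

# Constructed stand-in for the output of `SELECT User, Host FROM mysql.user`.
EXPOSED_ACCOUNTS = [
    ("root", "localhost"),
    ("root", "%"),          # root reachable from any host: what the worm guesses at
    ("app", "10.0.0.%"),    # restricted to one subnet
    ("backup", "%"),
]

LOCAL_ONLY = {"127.0.0.1", "::1", "localhost"}


def parse_mysqld_section(text):
    """Return the [mysqld] options as a dict (keys lower-cased by configparser).

    Boolean-style options such as `skip-networking` have no '=' and map to None.
    """
    cp = configparser.ConfigParser(allow_no_value=True, strict=False)
    cp.read_string(text)
    return dict(cp["mysqld"]) if cp.has_section("mysqld") else {}


def network_exposure(mysqld):
    """Classify listening scope: 'none' (no TCP at all), 'local', or 'public'.

    Assumption: with bind-address absent, mysqld listens on every interface.
    """
    if "skip-networking" in mysqld:
        return "none"
    addr = (mysqld.get("bind-address") or "0.0.0.0").strip()
    return "local" if addr in LOCAL_ONLY else "public"


def wildcard_accounts(accounts):
    """Accounts whose Host is '%' may authenticate from anywhere the port is reachable."""
    return [(user, host) for user, host in accounts if host == "%"]


def audit(cnf_text, accounts):
    """Return (exposure, findings); an empty findings list means nothing to fix."""
    exposure = network_exposure(parse_mysqld_section(cnf_text))
    findings = []
    if exposure == "public":
        findings.append("mysqld listens on all interfaces; set bind-address "
                        "to 127.0.0.1 or enable skip-networking")
    if exposure != "none":
        # Wildcard hosts only matter while the server accepts TCP connections.
        for user, host in wildcard_accounts(accounts):
            findings.append(f"'{user}'@'{host}' can log in from any host; "
                            "restrict Host to the clients that need it")
    return exposure, findings


if __name__ == "__main__":
    for label, cnf in (("exposed", EXPOSED_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        exposure, findings = audit(cnf, EXPOSED_ACCOUNTS)
        print(f"{label}: networking={exposure}")
        for finding in findings:
            print("  -", finding)
```

On a real server you would feed `audit()` the contents of the active my.cnf and the rows returned by `SELECT User, Host FROM mysql.user`; the `%` check is the cheap proxy for "restrict accounts to certain hosts", and the exposure check is the proxy for "disable networking in the config".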
That comment isn't insightful, it's just plain stupid.
Well, I think it was meant as funny, but the mods didn't get it.
My question still is, what do you do if your ISP restricts anything you upload to clear text?
:)
In what context are we working? It's unreasonable for the upstream to restrict everything to clear text. That would shut down any SSL traffic, which includes banking software, all VPNs, which are used by a lot of major companies, all of SSH, which is quite widespread for remote administering, and so on.
In most countries you could probably simply sue your ISP (it's not in the business of censoring). If you say we are talking about a country where the ISP has the backing of the government, well, then say so. Then it's not the ISP which is restricting you, but your gov. And if that's the case, then they can simply make the use of any encrypting or anonymizing device a criminal offence no matter what the method is and you have lost anyhow. So that argument is a non-starter.[1] Btw, that's not a purely theoretical point. IMHO, China would be one of the prime candidates for making such laws.
Well, and if you allow SSL, all we have to do is to make a Tor entry node that speaks SSL.
My idea could go a little further by constantly changing you own IP address, kind of like what happens when you disconnect and reconnect to you ISP.
With Tor, you don't need that. Augmenting your traffic with that of others by being a transfer node has a similar effect without the hassle (well, you have the hassle of giving up bandwidth).
I never claimed to be very good at expressing my ideas, so I need all of you to fill in the obvious gaps. I was aware of these things before I posted the first comment. At this point I still believe what I am looking for can only be achieved through wireless, without the internet providers turning you over at the drop of a hat.
Don't take me wrong, I don't think your idea is bad. I just argue that you are wrong to say that it's only possible your way. Tor is at the point where they have shot down most problems and are well aware of the remaining weaknesses. Which are few.
And while I don't understand your idea enough (or have enough details) to say much about it, you have the same problem that you accused Tor of: if the ISP doesn't play along, it won't work.
If you really want to get your idea off the ground, I suggest writing a paper. Present it fully (and not only in chunks as you do here). Also show a threat analysis (which you obviously already did in your head). As a bonus, explicitly list how your solution behaves in the threats others have looked at (i.e. take the Tor paper and take the scenarios they present), so that one has an easy comparison of the merits and flaws.
The first version doesn't need to be perfect. Label it a draft and go through iterations whenever someone presents valid criticism. The scientific method needs you to enable others to look at the entire idea at once and do the threat analysis themselves. Presenting it here, with a lot of hand-waving, does it no good.
With wireless you can pick up and run off the moment you become suspicious of anything wrong. Think of it as mobile SCUD internet.
And another thing is, that it is quite inconvenient. If the method expects someone to run if something suspicious is going on, there is a problem: why do I have to run? Anonymity should be good enough so that nobody manages to find out my place to begin with. Regardless, if I am supposed to run, it's implied that I am also supposed to not come back to the same place soon. And that implies that I cannot use this kind of anonymity from home. Which is a *major* drawback, because it will prevent widespread adoption.
[1] While - if your anonymizer works well - they can't get you at first, they can get the one they see the traffic coming from (an ISP, a node, a wireless hotspot, whatever) and shut that down. Sooner or later there is nothing left to grant you anonymity and they will get you.
The only recourse is that the method finds *a lot* of pa
At least half of the questions (if not all) you ask are answered on the Tor homepage and in their papers. Obviously you didn't bother to inform yourself beforehand about what you are talking about.
Come back when you have reduced your list of questions to the ones that aren't answered already.
(Note that most references are to German sites, because the topic is about Germany.)
Well, I don't agree on the clarity thing (P3 TKÜV [Telekommunikations-Überwachungsgesetz, the law about wire-tapping that comes into effect in 2005] is quite clear, IMHO). There are some public calls for clarification, but it doesn't look like those actually have doubts about who is affected, they just want to prevent unnecessary confusion (see e.g. this criticism, point 3).
But even if we accept that the wording could be clearer, we already have 3 different laws (one for common carriers (Telekommunikationsgesetz, TKG), one for unmoderated services (Teledienstegesetz, TDG) and one for moderated, editorial services like news-sites (Mediendienste-Staatsvertrag, MDStV)).
There is a very good chance that the courts will interpret "Telekommunikation" in the TKÜV the same as in the TKG, especially since the TKÜV has several references (in fact, a lot of terms are defined by reference) to the TKG, but none to the TDG or MDStV.
So while there is a different uncertainty, namely whether some service providers (like chats) fall under TDG (most do) or TKG (which they would prefer not to), one can safely ignore TKÜV if one didn't already have to care about TKG.
Additionally, there are several exception clauses (in P3.2), and a Tor node would fall at least under these:
- P3.2.1: it doesn't offer a subscriber line (defined by TKÜV P2.2 which refers to TKG P3.9, and TKÜV P2.11, which narrows TKG P3.9 down to subscribers) and only connects two networks
- P3.2.5: not more than 1000 subscribers are attached[1]
Ah, and "Telekommunikationsdienstleistungen" (telecom services) are defined in TKG P3.19, which says they have to be commercial. Another point why John Doe wouldn't be affected.
Btw, the law is not about logging (ahead) information as you say, but about providing a ready interface for wire-tapping, for the case a telecom/provider receives a court order: that is, you don't have to log anything due to this law, but only have to "make a full copy of the communication [in question] available" at a transfer point, like on one of your lines. Only if that doesn't work, or you prefer the other way, you can make a logfile.
[1] And no, this has nothing to do with TCP/UDP connections to the computer... if the judge doesn't laugh such an argumentation out at once, just explain to him that his computer at home also provides those (considering the TKÜV is clearly advertised as addressing public access providers, he'll get it).
Without any references to back up your claims, it just sounds like a case of paranoia. I am not saying you are wrong, but if you want to spread the message, you should start working on the "convincing" part.
1 a : the moral significance or practical lesson (as of a story) b : a passage pointing out usually in conclusion the lesson to be drawn from a story
That's exactly the point! While you certainly can draw that lesson from Japanese movies, it's not the lesson to be drawn from the author's point of view.
Since in their culture these values are nothing unusual, from their point of view, there are other, more important lessons to be drawn from the stories. So, as the grandparent said, that's not the "moral," [of the stories], that's the background of [the] culture from which it's created. At least most of the time.
I'm calling these films by their English names because I'm speaking English, btw - I don't really see the point in mixing languages up when there is a proper, official English title available.
:-)
While I agree with you on using English titles if available, if the Japanese one means nothing to you, there is a point in using the original title.
I don't speak Japanese, nevertheless, once I learned what Mononoke means (vengeful ghost, here probably better "spirit"), I prefer the Japanese title.
I cannot know for sure if it has the same sound for a Japanese speaker, but for me - while it is typical in Japanese stories for names to have related meaning - here the name seems to describe the role and the role to be the name. Completely ignoring the role in the English title of the movie lacks a lot, IMHO.
For me it's like translating "The Last of the Mohicans" in a way that it sounds like "The Last of Johns" in another tongue.
Well, enough of that rant...
I don't mean to say that you shouldn't use English titles, but I don't agree that there isn't a point with sticking closer to the original. But maybe that's just me (I am also one who prefers to watch a movie/TV show in the original language, if I am able to).
The overall success rate is far above any other advertising type, as is the cost for such an ad, which is why companies are going to this model.
In general, this is nonsense (there may be exceptions, but I am talking about the average). While the click-through rate is increasing with such advertising, the conversion rate (people actually ordering/filling out forms => orders/clicks) is decreasing.
According to our stats, even the absolute conversion rate (that is, orders/impressions) is usually lower than for reasonable banners. Considering several tests with placement of banners, I consider increased click-rates with obtrusive banners simply a side-effect of people wanting to get rid of that thing.
Remember those banners which look like they contain some OS widget like a button? They work(ed) great when you wanted to increase click-rate (in times when pay-per-click was most popular), but people tricked this way to visit a site most likely were only confused and not in the mood of ordering anymore.
To conclude, those banners aren't popular because they work well, but because some marketing types can make their bosses/clients believe they work well, by showing that the campaign has increased the number of visitors to the homepage.
Those are the same people who ask for their traditional demographic profiles at a time when you could easily run campaigns completely to their wanted profile (like, only women aged 20-25). The US market may differ, but the German market is this way. (The solution, of course, is to turn to creating several virtual profiles for a site, which they can choose from.)
That's like saying the infamous X10 popups didn't work. They worked so well the company had trouble producing X10 cameras fast enough at one point.
I don't see that as an argument for or against popups. It's an argument for X10 cameras. Unless you have data that shows, that those cameras sold better when advertised as popups vs. banners.
We once had a banner campaign that had a 75% click-through rate (when on a not-specialized site 3-4% is considered high). But that wasn't saying anything about banners, but only about the advertised content. At first, we thought we had made an error (like placing the click-tag at the place of the impression-tag). But it was due to it being an ad for a snow condition report on the last weekend of skiing season (with the 3 weeks before being with little snow and snowfall expected for this WE).
Does anyone else see the irony that this was modded "offtopic"?
./ mods moderating an on-topic post as off-topic* ./, remember?),
No. "Irony" implies that something different than the expected result happened. I can see nothing unexpected in either
- a meta-discussion being considered off-topic,
- an off-topic post mentioning the word off-topic itself,
- such a post being modded off-topic,
- even if such a post complains about exactly this (this is
- a post (indirectly) foreseeing its moderation getting modded real high or real low,
- and so on.
Regardless how you spin it, there isn't much irony in how it got modded, especially considering this is Slashdot.
*I don't consider this thread to be on-topic (as its meta-discussion started with a troll), but let's be open-minded for a moment.
The stable version does NOT have subqueries. Version 4.1 does, but that is still beta quality software.
That's not up-to-date. 4.1 hasn't been considered beta since 2004-06-24 and had its first production release over a month ago, on 2004-10-23. See here.
The transaction support in 4.0 is horrible and slow. Rollbacks are O(n) operations (for InnoDB, that is) etc...
Slow rollbacks are not really a problem if you don't abuse them. That is, don't write your transactions with failure as an expectation (like inserting a row and waiting to see if it fails due to a unique key), but do your own checks (most often you don't need additional queries, because you already have the data or can expand an existing query). Not only does that make your queries faster with most databases (even those with good rollback support), but it also makes your application more robust (in case of db changes).
[...]When you broaden words like this, they lose their meaning. A DDoS is a specific term.
I didn't broaden the term. I agree that it is a specific term, and I cited two references from the security field where my understanding of the term comes from. What is your excuse?
By your logic, a class-action suit to close an ISP is a DDoS. Or asking people to send in the pre-paid envelopes from junk mail to cost them money is a DDoS.[...] But you're not applying ANY logic or reason to the issue at all. You just want to be "right". If you were using reason, you'd admit:
1. This isn't the same as any previous DDoS in mechanics.
Oh, you mean like "the attack doesn't fit into one of the existing categories for DoS attacks"? (In case you didn't realize: this is a quote directly from the post you replied to)
2. This is very much like a standard DDoS with the exception that it doesn't attempt to directly take down a service.
Like "the spammers themselves will have to pull the plug before the cost explodes [...] there are other DoS attacks out there which effectively work by indirectly forcing the admin to take the machine down herself"?
3. It belongs in the same category of attacks, but is different enough to warrant its own name.
IMO, that belongs to "opinion" not "reasoning".
Sorry, but above looks to me as if you are the one who just wants to be right.
It's like a trojan vs a worm vs a virus vs spyware. They are all the same category of evil software, and they all are similar enough to each other that people have argued whether they are all just virii or something (in fact, smart people *do* call them all virii), but they are all unique enough that it is more useful to use a new name.
Interesting example, but not really fitting: there is a "genus" name, and it's "malware", not "virii"*.
If the net at large chooses to call it a DDoS, fine, nothing I can do about it--it won't be the first time illogic was used to "advance" the language.
I covered that in another reply to you.
* btw, it's "viruses" (English) or "virus" (Latin, long u).
I am not sure how you spun that into implying I was agreeing with you, when it's obvious that I do not. A rose-like flower which isn't a rose doesn't belong to the genus rose. But let's stop that analogy here before it gets too weird. If you broaden the term too much, it loses its usefulness (unless it's meant to be a broad term, covering many more specific terms, like malware covers: worms, virii, trojans, spyware, etc).
I think this is the main point of our disagreement: I didn't broaden the term. This is how the term is understood by security people to begin with. Cutting the phone lines is an explicit example in the SecurityFocus article I cited to you earlier.
Now, if your argument is that security people make wrong usage of the term, because it counts how the public uses it (like, for example, hacker vs. cracker), then we can stop right here, because we don't have a controversy about facts, but only about whether we use technical terms or not.
Was the war in Iraq a DDoS against Saddam? Was MS's integration of IE into Windows a DDoS against Netscape? Is a class action suit a DDoS? Etc. They all fit the definition of the individual words in DDoS strung together, but they don't fit the term.
That's what I pre-empted by "The main reason you could argue that it isn't a DoS is the level of indirection", which you decided not to quote (my signature seems to come into this discussion). You'll note that the level of indirection is quite a lot larger in your examples, which makes them sound ridiculous and look like they strengthen your argument. When they do not. To pick up the analogy again (sorry), it's like saying "would you call a maple tree a rose-like flower?" (well, both still have leaves). Sounds nice, but only distracts from the case at hand.
This screensaver is close enough to a DDoS that it might make sense to broaden the term to cover it, but I'd rather see the term stay specific. Yeah, who am I to argue, right? Well, I'm one voice in the discussion, that's all. If the net at large chooses to lump it into DDoS, fine.
That seems to go with what I wondered above: Apparently you are not looking at the technical term, but at how the majority understands it.
[...] This attack, though, is quite noble (in this case). Spammers cost the net far more than they pay, and this is not a welcome subsidy. This is really making the spammers pay for the inherent cost of their actions.[...]
I'll stay with the discussion of the term, not the merits of Lycos' method in this thread.
Let me start my answer with an observation: You claimed that "The purpose is not to deny service." (among other things). I called bullshit. Now you are changing focus to the term DDoS. In my reply I did address DDoS only as a side issue. To cite your original statement again:
;)
***READ CAREFULLY***:
1. The purpose is not to deny service.
2. The program is designed to specifically *NOT* deny service.
It's not DDoS or even an attempt at DDoS.
In other words, it looks like your reasoning was that it wasn't trying to deny service, so it cannot be a denial of service attack and therefore no DDoS. I think I showed that your presumption was flawed and therefore your chain of reasoning without foundation (which only means your argument sucked, not that your conclusion is proven wrong).
Now to your current post:
If Lycos started a class-action suit, would you call that a DDoS? It's distributed and unified (like all DDoS's), it seeks to deny service (like all DDoS's).
So you admit that dragging a Spammer to court would seek to deny service, but the Screen Saver does not? Your Honor, I close my case.
[...]I bring up these admittedly absurd examples [Iraq war, antitrust suit,] because they are all DDoS's under the simple definition of the words in the term, but they are not a DDoS as a term unto itself.
Again, you denied (no pun intended) that the purpose of Lycos' move was to deny service, yet you say even those absurd examples fit the term. I don't mean to ignore the rest of your post, but you contradict yourself so much here that I don't think it makes sense to continue with this.
Mod parent down -1, redundant.
Sorry, but there won't be any one way to stop spam, but there will always be ways to fight it. One method will not cover all bases, but the more methods used, the less frequent we will get spam.
Obviously it isn't redundant, because it would do you good to read it: The problem with Lycos' method isn't really that it won't work with all cases, but that its potential for abuse is too big.
***READ CAREFULLY***:
1. The purpose is not to deny service.
2. The program is designed to specifically *NOT* deny service.
It's not DDoS or even an attempt at DDoS.
You have fallen for them. Just because they say it isn't an attempt to deny service, it doesn't mean it isn't. It's just marketing speak for separating themselves from the "bad word". (I don't mean to judge their idea, but only address how "DDoS" is perceived by the public.)
If they don't want to deny service, let's see what they try. They try to use more traffic, so that the cost rises. They try to raise the costs, so that the spammer cannot afford it / spamming doesn't pay off anymore. They try to make it too expensive, so that the spammer has to pull the plug. Now nobody who "wants" to visit the spammer's site can do so anymore. Sounds like a denial of service to me.
The only thing differing from a common DoS is the level of indirection. And I admit that is arguable. But imagine for a moment, the spammer had a traffic limit. Would maliciously using up his monthly traffic so he'd hit the cap still be no DoS?
In short: Lycos isn't attacking the network bandwidth, but the network cost, which still is an attack on the availability of the network, and therefore the service.
Or it's just a kind of rose which you have never seen before and therefore don't know how to categorize.
Note that the term "denial of service" attack doesn't define the means. Cutting your phone line is a DoS, too.
The main reason you could argue that it isn't a DoS is the level of indirection (Lycos doesn't attack the network, but the cost of the network, and therefore the spammers are made to pull the plug themselves).
The cost of service effectively is a cap for their transfer volume. Now, if it weren't the cost, but a hard cap (like with web hosting), say 100GB, intentionally using up the available transfer volume surely does count as a DoS attack in my book. So while adding enough steps in between will muddy the waters, Lycos' intent is clear enough to make this a distributed DoS.
That's not what the term DDoS means. It means you make the service unavailable by inundating the server (or a critical intermediate point) with requests[...] Your stretched definition is not only wrong, but is also a blatant attempt to change the meaning of a term for expediency.
No, you are the one who is wrong. What you describe is a network-based* denial of service attack. There are other types, too. Just because network-based attacks are the most common today, doesn't mean the meaning of DoS has changed. Read any advisory on bugs that make Apache crash for good, and you'll find the term DoS in a context you just excluded. And the other D just means that the attack is staged from a multitude of computers (and usually implies that it would be hard to do from only one). One definition I found was:
"An attack on a computer system intended to reduce, or entirely block, the level of service that 'legitimate clients' can receive from that system."
And SecurityFocus describes it as
"The term can be applied to any situation where an attacker attempts to prevent the use or delivery of a valued resource to its intended audience or customer. It can be implemented via multiple methods, physically and digitally."
So while the attack doesn't fit into one of the existing categories for DoS attacks, it fits the "denial" part well: they attack the cost of the network (the fact that the spammers themselves will have to pull the plug before the cost explodes IMHO doesn't change that character: there are other DoS attacks out there which effectively work by indirectly forcing the admin to take the machine down herself.)
*network-based in this context doesn't mean "anything coming over a network" here, but "concentrating on denying the network-component of the target system".
What law suits? You have to be from England, France, Germany, Italy, Spain, Sweden or the Netherlands to download the program. I imagine Lycos chose these countries for a reason, legal advice being my #1 guess.
Well, anyone who paid attention (e.g. SCO case) would know that Germany is one of the countries where it probably won't take a day until a court holds Lycos to account. Not always, but most of the time they get the "the spirit not the letter of the law counts" thing right.
But you are probably right anyhow. Germany is also a country where you can sue someone for 500 Euro per SPAM you got. I guess the game is: if a Spammer wants to take action against Lycos, he has to come out of cover, and so Lycos can smack him.
That's only a hunch, and I am curious if it really plays out like this.
(Oh, btw, I think the term DDOS does fit: denial of service attack doesn't imply saturation of the network, any way of denial works [and the intent counts, not the result]: abusing a bug to make the web server crash, fucking up a database so that it shows wrong results, and so on. Making them pull the plug by effectively raising the cost per "wanted" packet may be an innovative way, but the intent is denial nonetheless.)
Do you have any reference to support your claim? While it's surely not unheard of that officers try such tricks in person, I have yet to see one try that in writing (probably because with paper, you could sue their ass off). I handle requests from authorities regularly and the experience is that they either
1. have a subpoena beforehand and serve it,
2. don't have one, mention it, and ask politely if we require one in order to hand the data out, or
3. are simply ignorant (e.g. cite the completely wrong laws*)
AFAICS, Fyodor has about the same experience, with the exception that for point 2 he didn't mention whether they were making that clear or whether they possibly tried to trick him.
So I am asking again, because my personal experience is contrary: Can you back up that statement, or are you simply assuming the worst? (And yes, I haven't provided any external reference, either. But then, I am not the one accusing whole professions of misconduct.)
Fyodor is right here to refuse an improperly formed request out of hand - I believe the FBI as a whole to be the "good guys" but there is a real need to keep em honest by never making it trivial for them to invade the privacy of any private citizen of the US.
I already covered that in my previous post. I was not arguing whether Fyodor has that right. Of course he has. And I was not arguing whether he is right resp. whether the FBI has to be kept honest this way (I currently don't care about that part of the debate).
I argued that - in contrast to the original poster (poemofatic) - there is no reason to be upset with the FBI that they sometimes do not get a subpoena before knowing that Fyodor (or whoever else) really wants to see one, if it is the people who teach them that behaviour by not always asking for one.
A short summary of the past:
Cally: I can't imagine many acts more calculated to alienate infosec geeks from the FBI [...]
nomadic: Why? What's wrong with a narrowly tailored subpoena [...]?
poemofatic: No, the question is "What's wrong with getting a valid subpoena *before* asking for the logs?"
catenos: Nothing. [...]it [just] sounds reasonable for the FBI to see if more paperwork can be avoided by asking first [without subpoena, as long as they don't give a false impression] Complain at the people, not the FBI.
miu: Cops of any variety always try that little trick. [...] Fyodor is right here to refuse an improperly formed request [...]
catenos: Can you back that statement? [Well, and the latter was never at question.]
* and no that is not a trick... (e.g. requests from foreign countries citing their local laws... obviously it was simply a standard letter. No malice involved).
If law enforcement doesn't want the public to get away with violating the law, then law enforcement shouldn't be surprised if the public requires law enforcement to follow the law as well. Thus law enforcement can get a subpoena or search warrant, or they can go pound sand.
I don't see a contradiction in that (to what I said): The law does not require you to request a subpoena from the FBI. One is free to hand them out the IP address without that. Some people actually do that (willingly). The FBI makes use of that. No laws violated.
As I said: Don't complain about the FBI, if your problem is with the people handing out IPs without subpoena.