Slashdot Mirror


User: James+McP

James+McP's activity in the archive.


Comments · 229

  1. Re:DRM will be *needed* by linux on Linus on DRM · · Score: 1

    There are perfectly good reasons to use strong DRM; I'd personally like to see DRM applied to medical records & credit reports.

    If you think you need DRM for medical records, please enlighten me exactly what system you envision.

    Read one of your insurance policies and deal with significant surgery. Currently, the insurance companies can query your records and send them to "authorized" people. (I had a disc removed last summer so I signed a lot of "so and so may have access to my medical records" forms for the hospital, anesthesiologist, etc)

    Now, IIRC, by HIPAA, those people are only supposed to keep those documents for something like 90 days. BUT that's up to their process to ensure. If they violate that law there are repercussions but unless they're audited or hacked who'll know? Since it's an internal policy there's plenty of opportunities to claim it was the fault of a person who's no longer employed, vacations, SARS, etc. and there'll be plenty of warnings, write ups, appeals etc. to keep the fines at bay. So I'd like to see a strong DRM put on the medical records given to second party organizations so that any misuses were completely intentional and immediately punishable under HIPAA and DMCA.

    Credit reports are a different matter; there's no regulations I'm aware of for how long a group can keep a copy of a credit report. This has caused problems for friends of mine whose credit reports were fubared (In one case a 28 year old was listed as owning the same home for 35 years). When they finally got them fixed they still had problems a year later because the organizations they were dealing with were using old credit reports. DRM would ensure those credit reports expire, forcing organizations to take a fresh look at the person.

    If you use the network-login option to a view-only site the problem is that the other companies will want things to be databased so they'll just import it with screen scraping and you have the old-record/internal policy problems. BUT if they can store the files locally using a DRM'd database they can still do all their operations as needed and again are completely culpable if they break the DRM to make non-DRM variants.

    Now if you can come up with an equivalent of DRM that doesn't suck, for gosh sakes, keep your mouth closed and run, don't walk, to the patent office! Then if you're an opensource advocate you'll make it freely usable by other open projects. Or if you're more financially motivated you'll provide a freely usable client binary while you make the provider-side system closed & saleable. Or if you turn into a money grubbing capitalist you'll force everybody to buy everything. :)

  2. Re:DRM will be *needed* by linux on Linus on DRM · · Score: 1

    I think you are mistaking the concept of DRM in general with MS Palladium-type DRM in particular. DRM is simply digital rights management; it involves controlling the use of digital data. It can be used in a reasonable fashion or it can be done excessively.

    There are perfectly good reasons to use strong DRM; I'd personally like to see DRM applied to medical records & credit reports.

    There are bad reasons to use DRM, like keeping people from copying their CDs to a format useful in the car, portable, or PC or making DVD backups impossible.

    The big question on good vs. bad is the policy in use. Some of the new digital-walkmans will only use WMA or other proprietary DRMd data: this is bad. Some players will let you move MP3s around at will but not WMAs: this is good.

    If you don't like digital data that requires onerous DRM policies, don't buy it. Only use data that has no DRM aspects and be happy. But don't get in the way of the people who do want DRM'd data.

    I'll restrict my DRM'd data consumption to things I'd only rent or downloaded for free. But I understand there are times and places for DRM. I'm fine with strong DRM on rental products but I don't want it on anything I purchased and hence own a right to a copy.

  3. So don't use that Linux on Linus on DRM · · Score: 1

    You're describing a black box situation. At this point Linux, *BSD and the other open sources are a sufficiently large base that we can now safely expect there to always be linux-friendly hardware.

    Which means the only place this is an issue is a "black box" situation. So let's look at a hypothetical TiVo/XBox clone that runs Linux and has DRM. It won't do anything unless the DRM bit is active. It handles audio,video, plays games, does PVR, the whole shebang. *BUT* everything it touches has DRM on it.

    This is not bad. Oh, it may not be your or my cup of tea, but it's a perfectly valid implementation of Linux. If you don't like it, don't buy it. Or build one yourself without the DRM. While linux is free (as in beer) it's also free (as in speech). We don't have to like what other people say with it but we need to make sure we give them the opportunity to say something we don't like.

  4. DRM will be *needed* by linux on Linus on DRM · · Score: 5, Interesting

    Maybe not now, but later.

    Look, you put out a set-top media box running embedded Linux. Assuming it is the multimedia grail (online video/audio playback & capture) it will do more than GPL/opensource codecs. It will NEED to handle WMAs and other proprietary formats that may include a time-locked DRM.

    Do I like blanket DRM? No, I want to be able to make backups of my DVDs, CDs, and other purchased materials.

    What I don't have a problem with is a box that will D/L the movie I want to watch and store it for a max of 48 hours in a "digital Blockbuster" scenario. And that will eventually happen as digital cable set-top boxes will include hard drives for local caching and they will require DRM on that hardware.

    Same thing goes for more and more Point of Sale stations. Signed binary data will be more and more necessary. I'm waiting for the day software compares my signature with the one stored on the credit card's chip. And I'm all for it.

    I'll be honest; I want them to be able to choose linux. The other option is that everything becomes Windows. Do you really want every credit card terminal, ATM and terminal to be Windows because it is the only thing that supports DRM?

  5. Re:Misconceptions about a "real" software engineer on Are Programmers Engineers? · · Score: 1

    There are a lot of EEs that work exclusively in software. This is especially true for computer engineers.

    While I believe there are plenty of EEs that work in software, I personally feel that Industrials are the most suitable to transition into Software. They are the only ones who are truly trained on algorithmic and process flow thinking. They are used to working completely in the abstract and dealing with devices as abstract functions. They have essentially been programming with macroscopic systems. Industrials have long been derided as the "imaginary" engineer so let them go become virtual engineers.

    Most people will say that Comp Sci or EEs are better because the Comp Sci know how to program and EEs know how the circuits work. Irrelevant. Programming is a skill that engineers can learn and the details of the circuit really aren't that important in a world of emulators & virtual machines. Good programming is, I'm told, all about process: how it's written, how it works, how it flows. Nobody's better at processes than IEs.

    It's basically like the break between civil & mechanical that occurred during the late 19th/early 20th century where those who made static systems became civil & those who made dynamic systems became mechanical. Here, the EE builds the static (circuit) while the SE builds the dynamic (program).

    Much as Civil Engineers all learn structural design theory but some learn the LRFD process while others ASFD, the Software Engineer will learn object oriented programming theory, data structures, and communication theory with programming languages as techniques.

    As far as Computer Science goes, well, the classic joke is that any degree that has Science in the title isn't science; it's *a* science. Jokes aside, they will be the equivalent of geologists and metallurgists (computerists?). Scientists evaluate & describe while Engineers design & apply. Engineers build upon the work of Scientists, so a computer scientist will design a new language, algorithm, etc and an engineer will figure out when/where to best apply it.

  6. Re:Misconceptions about a "real" software engineer on Are Programmers Engineers? · · Score: 1

    The fallacy in your argument is that there is no such thing as a "real" engineer who is qualified to evaluate a complex software system by virtue of his/her professional accreditation alone.

    Actually, that would be a problem with your reading and not my argument. The crux of my argument was that I WANT there to be a "real" engineer who IS qualified by virtue of professional accreditation.

    And for the inattentive, professional accreditation would include the years of monitored field experience after being degreed as well as passing all the relevant tests.

    By the same token, that creature does not exist as there are no accredited software engineers. There are people who I am confident could be accredited but they are not now so they must be subjectively evaluated as either a programmer with engineering knowledge or an engineer with programming knowledge. Subjective evaluation by the laity is risky.

  7. Misconceptions about a "real" software engineer on Are Programmers Engineers? · · Score: 2, Interesting

    No one's going to read this at this point but I have to assuage my own conscience. (Damn engineering ethics courses) I will presage this by saying I am a civil designer with a BS in Civil Engineering and 3 years experience about to take the EIT that has spent 8 years in the IT field as (variously) a sys admin, helpdesk, Q/A, sales support, PBX admin, network flunky, and hardware reviewer.

    Fallacies
    1. It's a meaningless debate because it's just a title.

    It is a title, but not a meaningless one. People are breaking the law in most states by claiming to be an engineer/lawyer/doctor/plumber/surveyor/etc if they are not one for the same reason it is illegal to claim to be a police officer. Those titles imply that you will look out for the good of the public and your client (in that order).

    There is software out there today that could kill you if it malfunctions (antilock brakes, traffic controls, etc). Today that software is a component in a system and the engineer in charge of the system signed off on it and will be held responsible if it fails. They know it and they take the responsibility seriously.

    Claiming that title can put you in a position where your actions could affect others seriously through your negligence or ignorance. I can see a day fast approaching when a CEO hires a tech-school "software engineer" to design a system that winds up killing someone because it was never evaluated by a "real" engineer. I hope that someone isn't me or mine.

    2. Engineers only increment known designs and aren't creative.

    While 90% of engineering is run-of-the-mill, that 10% requires creative thinking. Sure, I can spec out rehab work & basic residential designs all day in my sleep, but there are times when the Engineer works in the unknown. Build a structure on a new soil type or any device exposed to extreme environments and you will see real engineering at play. And all engineers are expected to be able to deal with that. They may call in people from other disciplines to advise them, but an Engineer will ultimately deal with the situation.

    3. Current "software engineers" will have to go back to school.

    When the engineering licensure became an issue for the states, there were many qualified people working in the field who did not meet the paper requirements. So there was a grandfather clause that was generally 5-10 years of documented experience and must pass the licensing test like any new graduate. There was also a window of opportunity until the grandfather clause was removed.

    Any current programmer who wants to be an engineer would likely be given the opportunity to take the tests. Good luck, you'll need it. Engineers are expected to be multidisciplinary. I had courses from all branches of engineering (Civil, Mechanical, Electrical, Chemical, Industrial) AND Comp. Sci. programming courses (Fortran & C++). The point isn't to say an engineer is competent to practice all fields but that they will be able to understand information from all fields.

    The flip side is that a licensed Software Engineer would require the tests for *ALL* engineers to expand. Not a bad thing at all in a software-operated world.

    4. Companies will only hire these "licensed" engineers creating artificial demand.

    Truth is, most current engineering companies have a significant number of non-engineers: draftsmen, surveyors, technicians, designers, and scientists. Those people do a significant amount of the work, but the Engineer is responsible. (Exception: The surveyor is responsible for the accuracy of the survey, since they should be a licensed Land Surveyor.)

    5. Anyone with a degree that has "engineer" in the title is an engineer.

    Most states have specific laws regarding the Professions (including the oldest one, but those laws regulate it out of existence typically). The degree is not enough because colleges & universities can lie; just read your spam. You have to get a degree from a university that has pro

  8. Fabric != cloth on Solar Panels As Building Clothing · · Score: 3, Insightful

    For those too lazy to visit the site, this is not a soft cloth. It is two layers of metal foil covered in silicon beads topped with a clear plastic film. Strength should be much higher than mylar and it can be bonded to pretty much any other base material; metal, plastic or glass.

    It also comes in multiple colors; the website shows brown Spanish tile versions. I've no idea if there's a performance hit for aesthetics but at this point I don't care if it's 5% efficient if people start using it. That's still up to 50 watts/m^2 of pollution free power that wasn't there before.

    To properly compare this to normal PV panels, go look at a nice glass enclosed mall. Pay attention to the heavily reinforced angled glass skylights. You'll see lots of angle iron in very particular shapes to keep things solid. That's the kind of crap you have to do with glass-substrate PV. Then there's the whole "cracked by hail" thing to deal with. This stuff may lose a couple of beads but it won't shatter and if the insulating material's good, it won't short out.

    This will amount to architectural facade; build your normal structure then bolt this stuff on. The weight will be far less than architectural concrete. From the design it could quite possibly be cut and shaped in the field; a massive bonus to construction. No special order components. Order a couple of spare sections of it and cut/sand to fit.

  9. Re:Your lawyer is a fucking retard on Abusing the GPL? · · Score: 1

    By not being willing to put public pressure on your employer to stop this, you're as culpable as they are.

    That's a little harsh, don't you think? This guy's (gal?) post implied they knew it was a violation of the GPL in spirit but couldn't find it in the letter of the GPL. They were asking for advice to counteract a stupid lawyer.

    And, no offense, but there's no way I'd publicize the company at this point; they haven't DONE anything wrong. Other than hire a shyster, that is.

    The crime is being committed with your full knowledge of the action and the fact that it's illegal. Failure to report your company could leave you personally liable in the future.

    IANAL, but this is a GPL violation. L=License=Contract. They may not be legal, but they aren't CRIMINAL. They are CIVIL violations. They could be fined, but not jailed.

    And, as a non-expert, I doubt they could be held responsible. By stating their interpretation of the license they have put the onus on the executives and the legal department. Matter of fact, the executives are EXPECTED to ignore the programmer's legal advice in favor of that given by the licensed, certified expert they hired.

  10. Jumping the gun, aren't we? on Handspring Delays Treo, Plans To Drop Organizer Line · · Score: 1

    This was a comment to a question in a conference call. I haven't been able to find a full transcript to know exactly what inspired this phrase, but I doubt it's being expressed as it was intended. More than likely someone asked about long term plans and "we'll move to more full functioned, high end, higher average selling price devices" was the intended response.
    I'll also state that nothing says that all Treos won't have a springport. The 270 needs something to set it apart from the 180, and unless it's an ARM processor, I expect it to be the springport.
    I almost bought a visorphone, but I don't like Voicestream service plans, the only people who offer the GSM data in my area, despite a Cingular presence. (sigh)

  11. Current real-world uses for VOIP on Vovida's VOCAL Softswitch Freed · · Score: 1

    From my experience, VOIP is really not ready to be a company's primary telephony solution; internally or externally. That's not to say it doesn't have uses.

    Last year I was doing a little PBX support for a friend who had to move the main office to a new building several miles away while keeping service to a small 4-person warehouse.

    The goal was to keep the warehouse on the internal phone net, but the costs were prohibitive. A micro switch still costs several thousand and wasn't guaranteed to provide connectivity to the main PBX's advanced services and the "remote extender" modules that enable the digital phone sets to work remotely required ISDN lines at both sites, an ISDN card installed into the main PBX, and had a hefty monthly reoccurring fee.

    Their "solution" was to split a few channels off the PRI for voice, get normal business service on those lines, and simply call into the main office to check voicemail. The warehouse queue was set to out-dial from the main office and do an old rotary hunt until either someone answered or tried all 4 lines and then dumped them to voicemail.

    This VOIP solution would have cut out the monthly reoccurring fees for the business lines, still provided full queue activity, a couple of simple scripts could allow email notification of missed calls (since voicemail notification might not be accessible off the SIP phones with their switch), let the PBX keep better call statistics, and cut down on the main office's out-dial usage.

    Costs for the VOIP servers would have been readily offset by the monthly reoccurring and the MUX hardware involved. Heck, for only 4 users I expect it wouldn't take more than a commodity PC at each end.

  12. Simulated Personal Automated Marketing (S.P.A.M.) on Enter The 'Stupid Patent Tricks' Contest · · Score: 1

    The Simulated Personal Automated Marketing system, henceforth referred to as SPAM, consists of an electronic message transmitted to any and all potential clients. The client will then utilize the included contact information to provide payment.

    SPAM maintains corporate security by using private messaging servers (comparable to caller-ID block) or utilizing open public systems. Corporate business plans are further protected by obfuscating data within the message with excessive hyperbole and energetic rhetoric.

    SPAM is not dependent upon any particular messaging medium and can utilize existing or forthcoming electronic mediums and formats.

  13. Heh. Now MS Office will run on *nix! on How Good Of A Unix Is Mac OS X ? · · Score: 1

    Ohh, I'm so tickled. I could run a *nix on a PPC-platform and have access to MS office natively. (yeah, I know, they'll make it OS-X tool-kit dependent)

    Heck, it's not like my desktop machine really needs all those "hard core" *nix features that Nextstep didn't have; that's what my LAN's server is for.

    Soon as GCC and the rest of the GNU kit are completely available I won't have any problems running a G4 OS*niX as my pretty desktop machine. Ooh, the option of running X+Gnome, OSX or even the upcoming Aqua. I'm just tingly.

  14. Re:LAN support included on Linux Based Webpad · · Score: 1

    The DECTDMAP is a European wireless ISDN, since the specs I saw supported dual-channel it should get 128kbit. In theory the pad can be a speakerphone with one channel as a phone and the other working data. It uses the wireless link to communicate with a base station. According to the email I received from the company the base station will have modem, ethernet, ISDN, and cable-modem modules. It should link in quite well with most geek networks.

  15. Re:Steaming clams... on Ecological Engineering · · Score: 1

    This process is different from the "carpet cleaner" one used on the beaches.

    But you are correct, steaming will kill off the local fauna and most flora. However so will the contaminants. The difference is that with rare exceptions inland areas will recover quicker from steaming than conventional techniques because the toxins have decades less time to poison the environment and there will be more time to repopulate.

    Beaches automatically qualify as "rare" just like wetlands. They are bordered by environments that are inhospitable to the local life and have to be treated carefully. I didn't say "usable anywhere" when I described the technique for a reason. It's totally ineffective in a soil system that is totally saturated with water, for instance. Used on a wetland you'd get lukewarm gumbo.

    However it is one more tool that should be used when appropriate and I feel that it is not being used when it should.

  16. Parable of Br'er Rabbit on Ecological Engineering · · Score: 1

    Maybe you've seen the cartoon version where the fox makes a tar baby (literally out of tar) that Br'er Rabbit would get stuck to. While yes, it heavily drew on racist concepts to explain the existence of a tar baby, the term is now used to indicate a sticky problem that is hard to get rid of.

    Kind of like racism, I guess.

  17. Steam Clean the environment on Ecological Engineering · · Score: 2

    There's a high-speed way to clean highly polluted sites that's been neglected for years that I read about in an engineering magazine (Engineering News Record, IIRC). Unlike conventional filtering techniques or leaching techniques like the trees, this kind pumps pressurized boiling water into specially drilled wells where it turns to steam, vaporizing a huge number of volatile chemicals. The vapor is captured and the toxins distilled out.

    It uses far less water than traditional methods (meaning less secondary pollutants) and can clean up a superfund site in about 5 years (at about $3 million/year), as compared to 15-20 years with conventional methods at $1 million/year. However since it impacts the annual bottom line harder (even if it saves more money in the long run), few companies will go that route.

    If you want alternative or high-speed cleaning methods, push the government to reclassify the cost of clean up in accounting/SEC statements. If the total projected clean-up cost was classified as a debt it would have a greater impact on their "paper" bottom line. I think. (Anybody who understands SEC annual statements and GAAP policies for handling site clean up want to correct me?)

  18. Plasma Shoelaces/Electroluminescent Fibers on The Mini-Quickies That Fell To Earth · · Score: 1

    This stuff is really useful. It's about 3mm diameter plastic tubing filled with the electroluminescent material in powder form. One electrode runs down the center of the strand and a second is wrapped around the inside of the tubing. Its visual output is only about 50-100 candles or so. A pair of AA batteries can run a 3ft length for several hours. The cheapest I've found it is $40 for 5 different colors of 3ft lengths with AA battery packs at www.cosmicspaghetti.com. Right now they've got their St. Paddy's sale of 5 green fibers for $40.

    If you want the tech specs, go to: www.livewireent.com. They also sell the fiber but it costs more unless you want bulk. ($1.42/ft but only on full 820ft rolls)

    It seems to have the best efficiency running at 80v, 450mw/meter, @2000hz refresh. The effective life of the material is about 800-1000hrs which puts it at 50% output. It can run out to twice that, but the output becomes negligible. It has a maximum "safe" bending radius of about 5 diameters. It can be bent more but you've got a chance of realigning the EL material. It is also moisture sensitive but most of the manufactured stuff is environmentally sealed (water resistant with shrink-tubing but not necessarily waterproof). You can cut it yourself and just solder the end connections together and put a heat-shrink end on it.

    You can also get sheets of this stuff from other vendors. If you're interested I can email you the links I've got.

  19. That's not the point on Java Performance under Linux · · Score: 1

    Ignore the Java! Java wasn't the point! It was an application to test with.


    To make you feel better, pretend they used freeware Threadmaster5000 software, a giant program that uses thousands of threads to do something groovy. The Threadmaster team decides to evaluate the bottlenecks their opensource program runs into on Linux.

    Oooh, looky! The scheduler has problems! But wait! They wrote a patch to the scheduler and performance went up 7%! Oh, aren't the Threadmaster people so nice to the open source community for working on Linux instead of just optimizing their code!

    Now re-read that replacing "Threadmaster5000" with IBM Java+Volano, Threadcount with Volanomarks, and Threadmaster team with IBM.

    Since we can take Java out of the picture and replace it with something else, it wasn't the point. The point is IBM identified a flaw in the scheduler and proposed a solution complete with code.

  20. Re:Idle criticism on Java Performance under Linux · · Score: 1

    1) If you are running one heck of a lot of processes/threads you would expect the time spent in the scheduler to be big.

    Yeah, but this is the optimisation phase. As linux goes to bulk-thread tasks it needs to start squeezing out all the performance it can; especially when the code is given to us by a corp.

    2) {I am not a hacker but} If they are at the level of seeing improvements in the scheduler by tweaking things like structure layout to improve cacheline locality then can we be sure that the "low performance impact" IBM Kernel trace patch is not having an effect?

    This wasn't a linux performance comparison against other OS's where the trace would be a factor. Instead this was a linux vs. linux comparison. The trace is just additional system load that would be equivalent on both systems.

    If you move to a many-many scheduling model you *will* reduce the time spent in the kernel scheduler. However, you *will* spend time in your user-land scheduler. Which is the win?

    IBM said they didn't know for sure. That's the point. They did the performance groundwork needed to make useful suggestions for hypothesis. Until the improvements are made and tested we won't know for sure. However now there is a test suite that can be used to test any new modifications. And one provided by a corp.

    This is sooo neat.

  21. Re:hrmmmmmmm on Matrox to fund DRI Development · · Score: 2

    The G400's are the first really 3d accelerated cards Matrox released. The 400's are fairly speedy and from eyeballing a friend's it looks quite comparable to a TNT2 but with prettier graphics.

    The downside is their Win drivers aren't full OGL; it's a mini-ICD that's HEAVILY optimized for Quake. Performance isn't bad with other games in D3D, but it is fairly pricey compared to a TNT2; G400's run about $250. But it's got nifty stuff like bump-mapping that make the world just downright gorgeous when it's supported.

    Hopefully the DRI driver will be full OGL+bump mapping and that OGL will dribble back to Windows. Hmmm, opensource Linux improving windows. Wasn't this the point?

  22. New Performance Index: $ per max. hits on Web Server Comparisons · · Score: 1

    I think someone touched on this, but this is IMPORTANT since even ZDnet said this:
    Apache and linux's process based system works better by adding boxes than adding processors/resources in a single box.
    So here's the deal: figure out how much it costs to buy OS, software, hardware, and setup the system. Determine its optimal performance (which may NOT be peak performance). If Linux still doesn't have SMP at a cost effective level, spec out single CPU boxes and save the cash for entire other systems. (Don't flame me for saying it doesn't work, I'm saying it might be cost effective to not use it until 2.4) If Solaris' cost-performance is better on Sun hardware (duh) then use it.
    Then, take those numbers and ask ZDNET to append them to their article.
    We know linux has an automatic $1000 price advantage over NT/Solaris which is about a third the cost of adding another server. I'm not sure about Stronghold's cost vs IIS/NS server/etc, but I'm guessing it's not as expensive as IIS. And with the exception of the "custom" API's (NSAPI, ISAPI), Linux performed as well as the other servers, even with the use of a twitchy old version of caldera.
    Personally, I'd want to see the addition of a mod_perl'd server to represent the Linux equivalent of NSAPI and ISAPI, but with the bonus that perl stuff is PORTABLE, much more so than NS or IIS-only scripts.
    If we suggest this right to ZDNET, when they review the new W2k's web server and put it up against a decent server linux (w/kernel 2.4 we can hope) they may add a price/performance index.

  23. Re:More Info on freepad from Screenmedia on FreePad: A Linux Handheld Wireless Computer · · Score: 1

    Now THAT was fast! I guess seeing a massive surge of web traffic will get your attention, though.

    Any hints as to who'll be bundling the pad? (please say I can use the service "at home" since I just got a cable modem from them!)

  24. More Info on freepad from Screenmedia on FreePad: A Linux Handheld Wireless Computer · · Score: 1

    I sent these folks an email in early September and here's what I got from Vidar Hokstad (vidarh@screenmedia.no) Director of Technical Development (these are his words, my layout)

    *Estimated release date Q1 2000

    *Estimated cost: less than USD 500 (very rough estimate, hopefully even cheaper).

    *Variations: There's versions of the base station that is ready or in the works that support ISDN, CATV (can replace the cable modem), Ethernet and modems.

    *Includes a POP3 mail reader

  25. Motivation and Uses for CT on Jane's Intelligence Review Needs Your Help With Cyberterrorism · · Score: 1

    I apologize for the length of this post in advance.
    My military friends call me "the builder of targets" since I'm a civil engineer who does computer work. I have the mindset that everything I do has the distinct possibility of coming under attack and I wish it was a mindset more programmers had.

    First: The word "cyber" does not mean what you think. Please have CT mean "Computer Terrorism." Second, a hacker "hacks" code and makes software. A cracker "cracks" security.

    The writer does document the type of resources for CNBR but leaves CT out. Let's document the publicly successful crackers' profile and resources:

    • White male, teens to twenties with borderline obsessive-compulsive traits.
    • Computer of sufficient horsepower (@ $5,000 US. Assume system is useful for 1-2 years)
    • Network connection (varies, @ $30/month)
    • Basic necessities of life (food, caffeine, shelter) (varies, but about $500/month per person)
    • Time.
    Cost to a terrorist group for having and equipping self-motivated crackers is on par with that of arming and supporting any other agent. Training could be an issue, but most crackers are largely self-taught. The difficulty is in finding someone with the correct mindset.

    CT is not very appealing to many extremist cults. Damage to human life caused by crackers tends to be low and not incredibly flashy (few fireballs or destroyed buildings). Rather, CT is a tool used by forces who target infrastructure: power grids, airports, communications systems. It harasses an entire populace with a low chance of creating martyrs. This is extremely advantageous to native terrorist groups (a.k.a. rebels) who wish to limit the loss of human life.

    It is also a counter/intelligence tool. By co-opting something as basic as email a large amount of information can be intercepted. Further, that data can be corrupted and/or altered. Depending on the subtlety of the data damage, it may take long periods of time before it is caught, making restoration of "pristine" data difficult. A simple example would be modifying satellite images on a file server to conceal enemy forces.

    Finally, CT can be a source of funding or resources. Many convicted crackers used their skills at some time to purchase items via mail-order, eliminate bills, or steal credit card numbers. This can turn CT from a costly venture to a financial asset used to fund their more conventional terroristic endeavors.

    As to the specific questions:

    1. Dependent on target system, as always. Some systems, like Microsoft operating systems, were "retrofitted" with security. Naturally they cannot compare to systems with security designed in.
      In certain cases a system can be disabled temporarily with great ease, however most attacks are transitory and should be repairable in 24-48 hours.
    2. The skills are common and widespread. Further, weaknesses in systems are widely disseminated to notify people of their vulnerabilities. Slow administrators leave themselves at risk if they do not implement patches.
    3. Yes, but its effect will vary from an annoyance to catastrophic failure.
    4. All systems with an active network connection. Even if the software is set to reject all requests, a classic "ping flood" of requests can take so much processor power that the machine ceases to be functional.
    5. Typically yes, but some very, very rare attacks can damage hardware; typically drive arrays. This can dramatically slow recovery.
      Second, a long-term program of CT could implement an exploit that waits for weeks or months before being used, meaning that most backups would possess the vulnerability.
    6. Both. Well managed systems will become harder to attack but there will be more and more systems available to target increasing the likelihood of finding a poorly secured target.
    7. Again, depends on your system. Having external security audits done randomly is the best way to find and secure holes.
    -James McPherson kilroy @ ntr . net