Look, your wife is well served by Windows. My father is well served by MacOS. Great. There are operating systems for them.
I use desktop Linux. I've used desktop Linux since 1996. I use it because it's well suited to my needs, and I do not care who else does or does not use it. If it fits their needs, they can use it. If something else fits their needs, they can use that. As long as there are enough users to keep development going, why would I care about more people adopting Linux?
In fact, changing Linux to make it appeal to your grandmother is just likely to make it less useful to me, because your grandmother and I have different needs. Which is why we just might need to use different operating systems.
So long as the data on the wire are standard, the end node operating system doesn't matter. Use what works for you. Shuttleworth cares about market share because he's in it for a buck. What's in it for the rest of us?
I know what an AK-47 is. I even know something about its general properties. It's a post-WW2 Russian design by a guy named Kalashnikov, and is sometimes called a "Kalashnikov". It was at one time a major Russian infantry weapon, and its popularity has a lot to do with the numbers of them the Russians left around various places as they bugged out. It's optimized for easy manufacturing, with lots of stamped parts and few machined ones (another reason for its popularity). It has a reputation for being very reliable but not especially accurate. Blah blah blah. These are things you need to know to keep up with current events.
I have no idea what the thing looks like, other than that it has a stock, a (relatively short assault-style) barrel, and a protruding magazine. I couldn't distinguish it from, say, an AR-15 without looking it up.
Sure, I've seen pictures of it, but I've seen pictures of lots of rifles. Not being particularly interested in guns, I don't really register their looks or keep track of which one is which.
OK, I just went and looked up a picture. Pretty generic looking. In fact, it looks a hell of a lot like that AR-15(which I also just looked up) if you just glance at it. Meh.
The people who come to Burning Man are NOT the general public; they're a subculture with completely different attitudes. If your boss happens to actually be at Burning Man, it's pretty unlikely that your boss is the kind of person who will then turn around and decide to fire you for, say, being naked at Burning Man. Same for lots of other people who might give you grief for lots of other things. Yes, it could happen, but it's far, far less likely, and probabilities matter.
You can see who's around you at Burning Man (or in any public place, for that matter), and adjust your behavior accordingly. You can't see who might look at a photograph later.
If you don't happen to notice everybody who's around you in a public place, you expose your activities to the relatively limited number of people who are right there, right then. If you don't happen to notice that a photograph is being taken, that exposes your activities to an unlimited number of people, that number of people can grow in the future, and people can easily pass around a credible record of your activities, rather than just gossiping about them. Again, the probability of harm is much greater.
Burning Man isn't a completely public event, in that the attendees are supposed to agree to certain rules, including privacy rules, which do NOT apply in public places in general.
I don't necessarily like the BMO's picture policy, because I think it gives them too much arbitrary power. I'm not even sure it's reasonable to try to address these privacy concerns, or similar concerns in similar public or semi-public settings, at all, because it's damned hard to actually have a useful effect without giving somebody too much power. But it's bogus to pretend the concerns don't exist.
Moving and putting a notice in my profile does NOT free me from Facebook. It's a freakin' social networking site. It doesn't work if everybody doesn't use it.
I have a Facebook account, despite the fact that I loathe everything about the site. Why? Because practically everybody I know uses it to plan events. If I moved, most of those people would just plain not invite me. First of all, they wouldn't look at my profile to see the notice. Secondly, they wouldn't find it worth their trouble. And they'd be right. It would be rude for me to ask them to treat me specially. In fact, the whole value add from something like Facebook events is that you don't have to remember some special contact procedure for each person; it's all just automated.
Maybe I could find a Facebook application to reduce the amount of time I had to spend on the site in order to hear about, discuss, and RSVP for events. Of course, then somebody would try to use Facebook to communicate with me in some other way (again without reading my profile; nobody reads profiles). And I'd never notice. And I'd still be a Facebook user.
It's not just the events application; Facebook actively seeks to increase the number of these lock-ins (and they also try to prevent automation from taking the lock-ins away). Facebook, like all the other social networking systems, manipulates the actions of third parties to force you to use their site. You may think that's legitimate or illegitimate, but it's just stupid to pretend it's not a real effect.
This stuff could all be implemented in self-hosted P2P mode to free people from these lock-ins. That would be trivial... in the same sense of trivial as the sense that appears to be being used here, meaning "completely beyond the comprehension and motivation of the average user, and never gonna happen". Hell, it would also be trivial to have multiple interoperating hosted services with no "king of the hill"... trivial in the sense of "deadly to providers' profit margins, politically impossible, and never gonna happen".
Your first point is very good. It's true that you can't know that something is secure, and maybe it's better to say that nothing is secure, period. I was reacting to my (informed but not demonstrated in this discussion) belief that banks, in general, don't really try very much to audit the quality assurance procedures for software in devices they buy. Although you can't ever be sure something doesn't have problems, you can often be pretty sure it DOES have a bunch of problems, and they don't seem to do a very good job of trying to get that information.
But that's really prejudice on my part. I have no actual knowledge of what any banks have done in this particular case, or of whether the practices I would consider appropriate would have caught this problem. So your point stands, and I'm wrong.
I don't buy your other point, about the bank deciding it's cheaper to not patch the thing and to eat any losses. Or at least I don't buy the idea that disclosure should change the bank's calculation in an important way.
Any disclosure that happens is not under the bank's control. More importantly, the bank can't predict when or if disclosure might happen from some random source, possibly unrelated to this case. The bank also doesn't know who might be inspired to poke around just by the news that this vulnerability exists, and re-find this or another problem. The bank doesn't even know who already knows. All it really knows is that there's a problem, and some unknown and monotonically increasing number of unknown people know what that problem is.
There's just no intellectually respectable way to estimate the probability a vulnerability becoming public to any particular degree within any particular length of time. There isn't even a good measure of "how public" something is in the first place.
I know it's trendy to try to do statistics on that sort of thing, but public disclosure events are so uncommon, in the light of how different they are from one another along so many axes, that it's really not sane to try to guess.
So the conservative position is to always assume that a disclosure is going to happen pretty soon. Given that disclosure is assumed, you may in fact be able to make some valid guesses about how much you can lose, and it may indeed make sense to leave it unpatched.
BUT, the thing is that that second part of the calculus isn't changed by the public disclosure, because disclosure is assumed.
Banks are supposed to be conservative, not so much in that they're not supposed to take risks as in that they're not supposed to take unknown risks. They're supposed to worry about black swans as much as sanely possible. It's not OK to rely on something staying secret, precisely because it's so hard to figure out how likely that is.
Diebold (or whoever; I don't know that it's Diebold) customers/partners are primarily banks, which are supposed to be in the business of worrying about securing money. It's negligent for a bank to buy a product without verifying its security. So, yes, they did in some sense cause the problem, or at least they bear a chunk of the blame for it.
If I use an ATM, I am a customer of Diebold's (or whoever's) customer, the bank, not a customer of Diebold. And what I'm paying the bank to do is to secure my transactions. I will admit that I've obviously hired an incompetent bank and am perhaps at fault for doing so, but that doesn't excuse the bank's incompetence. And I think my fault is reduced by the unavailability of banks that actually do their jobs, whereas banks would have access to decent ATMs if it they bothered to demand them.
Where do people get this nonsense? Diebold (or whoever) already charges as much for the ATMs as it can get away with. They don't set prices based on their costs; they set prices based on what customers willl pay, subject only to the proviso that if customers won't pay what it costs to make the product, they won't make the product at all. To a first approximation, in a properly functioning market with competition (and there is competition in ATMs), prices fall to approach marginal cost of production (for the most efficient producer). This doesn't increase marginal cost of production for anybody.
Maybe, except that it's NON-disclosure that actually enables the criminals, and that goes beyond this particular bug and beyond the case of ATMs. Not only does non-disclosure enable ATM manufacturers and whoever else to continue to ignore the problem while the criminals continue to exploit it, but, by ecouraging other companies in similar situations to do the same, it guarantees further problems. To prevent companies in general from ignoring problems, there needs to be a credible threat of disclosure if there isn't prompt action on reported problems. 8 months is way, way more than enough time. In order to maintain the credibility of the threat of disclosure, there needs to actually BE disclosure once in a while, so that companies know they actually have to live up to their responsibilities.
Um, actually, it doesn't cost much, if any, more to install a new directional light instead of a new light that sends a lot of its output somewhere useless... and then you save money on electricity for ever after. In some cases, the savings will even be enough to make it worth replacing an inefficient light just to save the power.
The review also found that nighttime crimes did not decrease more than daytime crimes. This suggests that a theory of street lighting focusing on its role in increasing community pride and informal social control may be more plausible than a theory focusing on increased surveillance and increased deterrence.
So, put the money you'd put into lighting into sprucing up the place in some other way, and you can reasonably hope for the same effect. Maybe a better effect, if you find something more obviously related to making things look cared for.
Your other link ("improves safety") is just an advocacy group (for "Safe Routes to Schools", which, for me, at least, rings all kinds of "think of the children" alarm bells). Lighting isn't even a core issue for them. They claim they get their information from unnamed "experts", and their safety claims for lighting amount to a simple mention once in a whole Web site. Their own references are unavailable for review, as well as being old and, from their titles, multi-subject documents that aren't primary research and probably don't even spend most of their attention on lighting. If you can't find a better citation than that anywhere on the whole Web, I tend to suspect that the whole claim isn't very well supported.
And anything that gets released into the environment and causes any negative effect can reasonably be called "pollution", thanks.
I agree. UBB actually makes a lot of sense, but the UBB structure they're proposing is wrong. If you're going to bill on usage, bill on usage; don't set up some arbitrary cap at which the rate goes insane.
I don't think it's a matter of gouging heavy users, though. Not exactly, anyway. The problem is that the carriers sized their infrastructure on the assumption that the subscriber base would grow a lot, but the data transferred per subscriber would not grow as much as it has. They didn't see mass-scale P2P file sharing coming along, let alone YouTube coming along and replacing cable TV.
So now they have a big, expensive, inadequate infrastructure (and an inadequate pricing model to go with it). The depreciation schedules they based their plans on require that infrastructure to last a long time before it gets replaced, but it's already being overwhelmed.
I think what they're really trying to do is less to gouge heavy users, and more to discourage heavy use entirely, so that they can continue to limp along on their old infrastructure long enough for it to pay for itself.
In other words, they screwed up their market forecasts, and now they want everybody do without improved service until they make their money back based on those flawed forecasts.
Of course it was their screwup in the first place, and most of them (I don't know about Bell or Canada) got a lot of subsidies and tax breaks based on promises of fabulous networks. They then kept as much of that money as they could get away with while building out the cheap network they thought they could get away with. I therefore think they (their shareholders) should really be first in line to eat the costs of writing off the infrastructure they built in error.
Then they can go ahead and do UBB to create a revenue stream to get financing to build a proper network.
Professional athletes, and elite amateurs, do all kinds of hard training that can damage their bodies, either with immediate injuries or with bone and joint problems that may only show up after they've retired. Should training be banned because of the side effects?
I've met Brin in person. I came away feeling like I'd been talked down to by a pretentious twit.
I think he is, in fact, worse in person than in text.
Nonetheless, Brin is still right that there is NO QUESTION that the "more powerful" side WILL have surveillance,
and the only question is whether the "less powerful" side will get anything at all, not
whether the power ends up equal, or even whether the ratio stays the same.
Schneier is completely missing the point.
On the other hand, Brin seems to think that the transparent society won't be so bad, because
people, given access to total information about each other, will learn to be courteous
and restrained in their use of that power, perhaps partly because they'll see their
own foibles reflected in others. There, I think Brin is smoking some serious crack.
Yes, but that's not that important. The same number of individuals will probably die in whatever the event is. If there are 12 billion people on Earth and they all get killed, it's not that much better if there are a million additional people somewhere else who don't get killed. The disaster is still a disaster.
The problem with the idea of terraforming Mars is that there's no good reason to try it in the first place. Why would you want to do a thing like that?
To preempt the most common answers--
It's not going to be a home for the teeming billions of Earth. It would cost too much,
mostly in the form of energy, to transport that many people there. Anyway, it would just
be a stopgap even if transport were free. Geometric growth is still geometric growth.
The amount of time you'd gain may not even be the amount of time it would take to do the
terraform job.
It's not a particularly efficient way to provide a "backup" habitat in case of the
destruction of the human species on Earth. Open-space colonies would be cheaper and
easier. Even
that, of course, is only interesting if you really care about the issue in
the first place. Personally, I don't care very much, definitely
not enough to go to all that trouble. The big problem with species-destroying
events, from my point of view, is the death of all those individuals,
and a backup colony doesn't save many, if any, individuals.
Complete boondoggle. And politically and economically impossible, as well...
That would be true if it were local software that was doing the checks. The idea of the TPM is that you can use it to prove to a remote computer, not under your control, that your machine is running "blessed" software. The bank can verify that you're running an OS it's comfortable with. An online DRM system can refuse to hand over the key to decrypt media unless you prove your computer is "uncompromised" (and therefore won't make a copy of either the key or the media). You can virtualize your end, but you can't virtualize the end that's doing the verification. All any of the software running on your computer is doing is acting as a conduit between the remote server and the TPM. If your software messes with the messages passing back and forth, it just makes the verification fail, and the remote computer refuses to play ball. The remote computer will know if it's talking to a VM.
You can also use the technology locally in the way you describe, and people certainly would do so if it every became popular. If they do that, yes, it's hackable as you say. It's probably also hackable without doing the virtualization at all. But that local mode isn't the strongest way to set it up... and, since almost everything interesting is done online these days, having control of what you do online is almost as good as having total control over everything you do with the computer.
I think the real attack on this system is to take advantage of the fact that the "trusted" software itself is going to have bugs. The TPM doesn't check to see that the software is correct, just that it's the expected binary. Not only that, but the TPM itself only checks the BIOS or the bootloader or some such low-level software... that trusted loader is then expected to check the OS kernel, which is then expected to check all the rest of the code that gets loaded, which is then expected to act in the intended way. The chain of trust is long, and the trusted code base is huge, so the assurance is largely theoretical. But virtualization isn't the way to beat it.
You're right. GP knows damned well it's shared bandwidth, you know damned well it's shared, and I know damned well it's shared. GP and I don't know how much it's shared, because many ISPs treat that information as a big secret, and we therefore have very little ability to compare offerings... which is a big problem that needs to be fixed. But, nonetheless, we do know that it's shared, and we have a vague general idea of what we can really expect to get.
You and I and GP are not the issue, though. The issue is the average person to whom this service is marketed, who may or may not understand that there's sharing going on at all, usually isn't in a position to evaluate the real impact of that sharing, and probably doesn't really have a very good idea of what bandwidth is actually being delivered, let alone what might reasonably be expected compared with other ISPs. The only way that average person is even going to know that the
service is a best-efforts service is in fact to read the fine print... and even then it's not
really reasonable to expect that person to know what "best-efforts" does or should mean. I've
been in the Internet industry for 17 years (yes, really), and I'm not sure I know
what's a reasonable best effort... it seems to change depending on the policies of one side
of the deal.
It's not ethical to advertise a number that you know damned well
is going to mislead many customers more than it enlightens them.
That systematic deceptive marketing is the real issue. Either the industry
needs to come up with a non-bogus number (or scorecard or whatever),
or the industry needs to stop advertising link speeds... or, I suppose, the industry
could decide to put all the limitations right there in the ad in the same font
as the maximum bandwidth number...
You appear to have lost track of what the United States is here for. Let
me give you a reminder, starting with a few things it's not.
It's not here to guarantee you a bigger car than the guy
in the next country over.
It's not here to guarantee you a job.
It's not here to let you tell other people how to spend their money.
It's not here to compete with other countries.
It's not here to put you in a master class based on which side of some line on a
fucking map you were born on.
It's here to give people a place to do as they will, and to give everybody a
chance to compete with one another, if they so choose, on a level
playing field. It's here to give them that because they deserve it, because
they're people, not because of where they're from or who their
parents were.
The United States is an instrument created for a purpose. Insofar as it
has lost track of that purpose, it is not worthy of the loyalty of any
human being... and even if it follows that purpose, the true loyalty ought
to be to the purpose, not the country... and sure as hell not to every
fuckwit with an inflated sense of entitlement who happens to have been
born within its borders.
You nativist idiots, the my-country-right-or-wrong assholes, the
xenophobic safety-obsessed cowards,
and all the other lame excuses for Americans who seem to run the joint these
days, are a disgrace to the principles the USA used to think it stood for.
Disclaimer: I know nothing about the issues in this case, other than what
I infer from this report.
Given that he says that he does not believe the hard drive image he examined came from the drive used to do the file sharing, his comments about examining registry keys (or anything else in the image) to determine that the computer wasn't connected via wireless are completely meaningless. The registry keys are stored on the hard disk drive. If this isn't the drive that was used for the sharing, then the contents of the registry on this drive are completely irrelevant to the question of how things were configured when the sharing took place.
That he would be willing to say that the machine wasn't connected via a wireless router, or indeed anything about how it was or wasn't connected when the sharing took place, when he does not believe that the drive image he's examining came from the drive in use during the sharing, and that he doesn't even mention that the registry he's looking at isn't, by his own determination, the relevant registry, completely discredits him. With the drive contents, and therefore the registry, off the table, he has exactly ZERO evidence for the conclusion he reaches about wireless... and he surely knows that. He's deliberately contradicting himself, and that ought to be sanctionable, although I imagine it probably isn't.
Even if he turned around and said that he was wrong, and the image he's looking at was the one in use at the time of the sharing, I don't think I'd be so blithe as he is about saying "Based on how IP addresses are assigned, it is not difficult to determine whether a computer was connected to the Internet via a wireless router". There are a lot of ways to assign IP addresses, and
some devices, like wireless routers, go out of their way to be "invisible" when they participate in some versions of the address assignment process.
Expert opinion is all well and good, but I'd think you'd need more than "because I say so".
He should be forced to provide detailed reasoning to support his claim about wireless. I wouldn't want to reach that sort of conclusion without at least examining the alleged wireless router and its configuration, and he does not mention having access to the router. I'd also have expected him to have looked at which interface drivers were installed and active on the machine, and at whether there were any traces of its having detected wireless hardware. If he did that, he did not see fit to report it. A conclusion based on "how IP addresses are assigned" is really suspicious, and he should be forced to provide a step-by-step explanation of his reasoning about the IP address assignment process... which step-by-step explanation should be subjected to step-by-step expert critique.
... and all that's if there was any sharing on that machine, with that drive or any other drive. How come he's making the conclusory assumption that any sharing took place at all? He himself says that the drive image showed no evidence of any sharing. All he has is Mediasentry screen shots and logs, and at MOST all those can show is that a certain account and IP address were in use. I assume that the reason he wants to conclude that the machine wasn't on wireless is that, if a wireless router had been in use, there's a possibility that a random person in the area might have done the sharing.
Although he's probably right that any installation of file sharing software would, under realistic assumptions about who was trying to "clean up", have left a detectable trace on the drive image, it would be possible for the right sort of highly technical person to wipe out the traces he mentions looking for, as well as other traces he doesn't mention looking for. Even a relatively non-technical person could have wiped them out by completely zeroing the drive and reinstalling... the effect would have been the same as putting in a new drive from the point of view of the image he has.
I too am against a Big Brother society, but I think we are already getting there. The problem is that Big Brother is not the government, but rather any knucklehead with some sort of recording device.
If that's Big Brother, I think I'm probably for it. The problem with surveillance has always been that one side, the "authority" side, has always had a recording. If that recording was favorable to authority's version of events, it could be released. If it was unfavorable, it could be buried. The imbalance invites abuse.
I would be against a system where only the student had a recording. I wouldn't be as much against it as I would be against a system where only the teacher had a recording, because the teacher is already in a position of great power, but I'd still be against it. I might very well be in favor of a system where everybody had, or at least might have, a recording of everything, all the time.
Yeah, that would mean that there'd be embarrassing footage of all of us, because we've all done stupid things we're not proud of. Maybe it wouldn't be such a big deal, though... it's kind of hard to come down too hard on Joe for his filmed mistakes, when he can dredge up yours. On the other hand, if somebody has a pattern of behavior, it becomes pretty hard to hide it.
Such a system might be too hard on people, too stressful to live with, too unforgiving of the human need to get away with something once in a while. I'd especially be worried about people
getting destroyed over the witch-hunt of the week.
It might also be an improvement over what we have now. The case isn't open and shut... and one could actually do reasonable research to perhaps predict the effects, rather than just having everybody yell about "privacy" like that automatically trumped everything else.
More than anything, kids today need to learn respect for authority. This doesn't mean that authority is always right or infallible, just that kids should be taught to respect and that there are proper channels in which to handle grievances (i.e., posting to youtube is not the proper channel).
Why? What's so special about authority that it deserves this mystical respect you're calling for? Obviously, people in authority are often right about a lot of things (as well as often being wrong). That doesn't mean they should get an iota more consideration than everybody else. Arguably they should get less slack, since they're in a position to abuse their authority.
Yes, users outside my own household, and yes, their written policy is clear about that.
No, no set bandwidth caps beyond "reasonable usage"... and I've never seen unreasonable bandwidth usage, nor has the ISP has ever complained about bandwidth, in years of my doing this. My own personal usage completely dwarfs what anybody's ever done over the WiFi. If bandwidth became a problem, I'd just cap it.
No, no business-grade pricing, but considerably higher than normal consumer pricing.
I know my legal exposure as well as it's possible to know it in my situation. There's a lot of case law that hasn't been established yet. Doing this is not risk-free, but it is not in any way "illegal"... and nothing in the world is risk-free. Every ISP, every business, and every person, has some uncertainty about legal risks, whether they know it or not.
My biggest legal risks are actually in having to defend myself under stupid civil preponderance-of-evidence rules against tort claims that I did something my users actually did. My second-biggest risks are public-nuisance claims, but I think those risks are quite small.
I have almost no legal risk under intercept statutes unless I decided to fight an intercept order, which as a practical matter is a decision I will never have to make... and given that I have a published policy that anybody who wants to can spy on the network anyway, I'd have no problem with just complying anyway. I am technically capable of complying. If I did for some reason decide to fight, it's not obvious that the statutes apply to me, but of course it would be ruinously expensive to argue that in court.
I have some small, but larger than I would like, risk of criminal prosecution by a law enforcement agency that doesn't believe that I really didn't do something my users did, and wants to charge me. It is improbable that such a situation would ever arise, but of course it would be ruinous even if I were found not guilty in court. I just accept that risk.
I am not at present subject to any data retention requirements (at least not under any sane rules of jurisdiction, although you never know what Nowhereistan might try to enforce against you if they got the chance).
I think it's quite improbable that I would have any liability to my users for anything, although again there's little case law.
So, basically, yes, I do know what my legal exposure is, and you don't really know what I know, do you?
So, if most or all AP vendors did in fact start selling devices that were locked down by default (or, say, devices that actually forced the user to decide one way or the other at installation time), would you then favor a system in which opening up an AP was treated as an invitation to use it?
What if, in addition to APs not being open by default, users became more sophisticated over time, and there were fewer cases of people leaving networks open by accident, regardless of the defaults?
I ask because both of those things seem to be slowly getting closer to reality. The problem is that whatever legal system is established now will probably persist regardless. If governments are allowed, today, to set up systems of laws that forbid treating an "open" AP as truly open, we'll still have those laws in the future, whether they make sense or not.
Given how long it will take the laws to get established, how long it will take the technology and the user sophistication to change, and how long it would take to change the laws after they were established, does it still make sense to let the law go in the direction of presuming no permission on open networks?
One problem here is that many legislators, and many of the people who influence them, don't like the idea of open APs regardless of whether the AP operators and their ISPs like them or not. Open APs represent a path of untraceable access to the Internet, and there are a bunch of people who hate anonymous access.
That's another reason why you might not be able to get the laws changed if the underlying situation changed, and why it makes sense, right now, to argue for "open means open".
You're not wishing me "Godspeed" in your actions, or at least not in what you're trying to make the rest of the world do.
You're trying to tell me that the means I've used to make my network available aren't adequate. Furthermore, you're telling my users that those means aren't adequate.
I'm over here with my open AP, telling Joe, via beacons and DHCP, to "Go ahead and use it". And you're telling Joe not to believe anything I say, because I'm only using "technical means" to say it, and some other benighted soul might accidentally be saying the same thing, by the same technical means, and not really mean it.
Furthermore, you're not offering me any really reasonable way I can convince Joe that I really mean my invitation. I don't accept that posting a placard is reasonable... it's an ugly intrusion, and you can't make it visible in all the places the WiFi network covers. I surely don't think that forcing Joe to bug me personally for permission is an acceptable alternative; that would be a huge imposition on both of us, even if he could find me.
How, in any practical sense, is that any different from forbidding me to give Joe access?
You really are suggesting preventing me from giving Joe a gift. I understand that your reason for that is to protect Sally from the consequences of buying a poorly-thought-out product from Jim... but that's wrong. Neither Joe nor I have any contact with Jim or Sally. We're over here at my house, engaging in a consensual gift exchange that harms nobody. What reasonable legal, moral, or cultural norm makes it incumbent on us to give up the very possibility of that because others, elsewhere, can't get their act together in what is, after all, not so complicated a way?
Sure, if Sally screws up, and Joe later goes over to her house and ends up on her AP, and she tells Joe to knock it off, Joe needs to knock it off. Joe should even be neighborly and help her to lock it down. But Joe should intially be able to take Sally's AP's beacons at face value... especially since the damage to Sally in such a case is, realistically, minimal.
It's not an unreasonable expectation that people who deploy a technology should learn at least a little about it.
As for reductio ad absurdium, I thought your assertion that I was completely ignoring legal, moral, and cultural issues to be pretty absurd already. The whole conversation is really about the moral status of various forms of communication, including communication using various technical means.
Um, no, actually, what I'm saying is that I want to retain the right to give a gift. When I give you something, it's not stealing if you accept it.
Gifts get pretty high esteem in most "legal, moral, and cultural" systems, thank you very much. Do you really want
to outlaw them?
You're trying to create a world in which it's essentially impossible for me to ever give the gift of WiFi access, because you're taking away the only way that's available for me to inform the recipient that I intend to give them that gift. You want to be able to hang a "take this free" sign on a network, but not have people take you at your word.
Yes, the "take this free" sign is a technical one. For that matter, a sign on a board would be a technical one, too. Writing is a technology.
The whole concept of wireless Internet access only makes sense in the context of wireless technology. It is therefore completely reasonable to include proper use of that technology in the definition of norms around such access. A person can't even be a party to this argument without having already adopted a bunch of complex wireless technology.
Of course, the above-linked written policy of allowing me to share using WiFi (which policy has been in place more or less unchanged for years) has little to do with bandwidth ratios. Casual WiFi users don't tend to use enough bandwidth to worry about. If the bandwidth became a problem, I'd just cap it. And if any illegal activity is reported to me, I'll deal with it just as any other ISP would.
By the way, I can just about max out my connection if I want to, it turns out. One of the advantages of paying just about triple the market residential rate is that I don't tend to get a lot of heat about my enormous download traffic. Sure, all ISPs oversubscribe their backhaul lines. Some do it more than others.
I used to have a commercial account with another ISP. If my bandwidth needs go up much further, I may need to get one again. Meanwhile, I'll stick with this high-end consumer account, which does indeed, as a matter of written ISP policy, to which I have linked above allow me to run a WiFi endpoint.
As for your point about lawsuits, well, prepoderance of the evidence is a funny thing. It turns out you can get screwed by it in almost any part of your life, on and off the Internet. Some of us aren't cowardly enough to order our lives around the possibility.
Slashdot Mirror
So what?
Look, your wife is well served by Windows. My father is well served by MacOS. Great. There are operating systems for them.
I use desktop Linux. I've used desktop Linux since 1996. I use it because it's well suited to my needs, and I do not care who else does or does not use it. If it fits their needs, they can use it. If something else fits their needs, they can use that. As long as there are enough users to keep development going, why would I care about more people adopting Linux?
In fact, changing Linux to make it appeal to your grandmother is just likely to make it less useful to me, because your grandmother and I have different needs. Which is why we just might need to use different operating systems.
So long as the data on the wire are standard, the end node operating system doesn't matter. Use what works for you. Shuttleworth cares about market share because he's in it for a buck. What's in it for the rest of us?
I know what an AK-47 is. I even know something about its general properties. It's a post-WW2 Russian design by a guy named Kalashnikov, and is sometimes called a "Kalashnikov". It was at one time a major Russian infantry weapon, and its popularity has a lot to do with the numbers of them the Russians left around various places as they bugged out. It's optimized for easy manufacturing, with lots of stamped parts and few machined ones (another reason for its popularity). It has a reputation for being very reliable but not especially accurate. Blah blah blah. These are things you need to know to keep up with current events.
I have no idea what the thing looks like, other than that it has a stock, a (relatively short assault-style) barrel, and a protruding magazine. I couldn't distinguish it from, say, an AR-15 without looking it up.
Sure, I've seen pictures of it, but I've seen pictures of lots of rifles. Not being particularly interested in guns, I don't really register their looks or keep track of which one is which.
OK, I just went and looked up a picture. Pretty generic looking. In fact, it looks a hell of a lot like that AR-15(which I also just looked up) if you just glance at it. Meh.
I don't necessarily like the BMO's picture policy, because I think it gives them too much arbitrary power. I'm not even sure it's reasonable to try to address these privacy concerns, or similar concerns in similar public or semi-public settings, at all, because it's damned hard to actually have a useful effect without giving somebody too much power. But it's bogus to pretend the concerns don't exist.
Moving and putting a notice in my profile does NOT free me from Facebook. It's a freakin' social networking site. It doesn't work if everybody doesn't use it.
I have a Facebook account, despite the fact that I loathe everything about the site. Why? Because practically everybody I know uses it to plan events. If I moved, most of those people would just plain not invite me. First of all, they wouldn't look at my profile to see the notice. Secondly, they wouldn't find it worth their trouble. And they'd be right. It would be rude for me to ask them to treat me specially. In fact, the whole value add from something like Facebook events is that you don't have to remember some special contact procedure for each person; it's all just automated.
Maybe I could find a Facebook application to reduce the amount of time I had to spend on the site in order to hear about, discuss, and RSVP for events. Of course, then somebody would try to use Facebook to communicate with me in some other way (again without reading my profile; nobody reads profiles). And I'd never notice. And I'd still be a Facebook user.
It's not just the events application; Facebook actively seeks to increase the number of these lock-ins (and they also try to prevent automation from taking the lock-ins away). Facebook, like all the other social networking systems, manipulates the actions of third parties to force you to use their site. You may think that's legitimate or illegitimate, but it's just stupid to pretend it's not a real effect.
This stuff could all be implemented in self-hosted P2P mode to free people from these lock-ins. That would be trivial... in the same sense of trivial as the sense that appears to be being used here, meaning "completely beyond the comprehension and motivation of the average user, and never gonna happen". Hell, it would also be trivial to have multiple interoperating hosted services with no "king of the hill"... trivial in the sense of "deadly to providers' profit margins, politically impossible, and never gonna happen".
Your first point is very good. It's true that you can't know that something is secure, and maybe it's better to say that nothing is secure, period. I was reacting to my (informed but not demonstrated in this discussion) belief that banks, in general, don't really try very much to audit the quality assurance procedures for software in devices they buy. Although you can't ever be sure something doesn't have problems, you can often be pretty sure it DOES have a bunch of problems, and they don't seem to do a very good job of trying to get that information.
But that's really prejudice on my part. I have no actual knowledge of what any banks have done in this particular case, or of whether the practices I would consider appropriate would have caught this problem. So your point stands, and I'm wrong.
I don't buy your other point, about the bank deciding it's cheaper to not patch the thing and to eat any losses. Or at least I don't buy the idea that disclosure should change the bank's calculation in an important way.
Any disclosure that happens is not under the bank's control. More importantly, the bank can't predict when or if disclosure might happen from some random source, possibly unrelated to this case. The bank also doesn't know who might be inspired to poke around just by the news that this vulnerability exists, and re-find this or another problem. The bank doesn't even know who already knows. All it really knows is that there's a problem, and some unknown and monotonically increasing number of unknown people know what that problem is.
There's just no intellectually respectable way to estimate the probability a vulnerability becoming public to any particular degree within any particular length of time. There isn't even a good measure of "how public" something is in the first place.
I know it's trendy to try to do statistics on that sort of thing, but public disclosure events are so uncommon, in the light of how different they are from one another along so many axes, that it's really not sane to try to guess.
So the conservative position is to always assume that a disclosure is going to happen pretty soon. Given that disclosure is assumed, you may in fact be able to make some valid guesses about how much you can lose, and it may indeed make sense to leave it unpatched.
BUT, the thing is that that second part of the calculus isn't changed by the public disclosure, because disclosure is assumed.
Banks are supposed to be conservative, not so much in that they're not supposed to take risks as in that they're not supposed to take unknown risks. They're supposed to worry about black swans as much as sanely possible. It's not OK to rely on something staying secret, precisely because it's so hard to figure out how likely that is.
Um, actually, it doesn't cost much, if any, more to install a new directional light instead of a new light that sends a lot of its output somewhere useless... and then you save money on electricity for ever after. In some cases, the savings will even be enough to make it worth replacing an inefficient light just to save the power.
From your "deters crime" link:
So, put the money you'd put into lighting into sprucing up the place in some other way, and you can reasonably hope for the same effect. Maybe a better effect, if you find something more obviously related to making things look cared for.
Your other link ("improves safety") is just an advocacy group (for "Safe Routes to Schools", which, for me, at least, rings all kinds of "think of the children" alarm bells). Lighting isn't even a core issue for them. They claim they get their information from unnamed "experts", and their safety claims for lighting amount to a simple mention once in a whole Web site. Their own references are unavailable for review, as well as being old and, from their titles, multi-subject documents that aren't primary research and probably don't even spend most of their attention on lighting. If you can't find a better citation than that anywhere on the whole Web, I tend to suspect that the whole claim isn't very well supported.
And anything that gets released into the environment and causes any negative effect can reasonably be called "pollution", thanks.
How the heck is education a natural monopoly?
I agree. UBB actually makes a lot of sense, but the UBB structure they're proposing is wrong. If you're going to bill on usage, bill on usage; don't set up some arbitrary cap at which the rate goes insane.
I don't think it's a matter of gouging heavy users, though. Not exactly, anyway. The problem is that the carriers sized their infrastructure on the assumption that the subscriber base would grow a lot, but the data transferred per subscriber would not grow as much as it has. They didn't see mass-scale P2P file sharing coming along, let alone YouTube coming along and replacing cable TV.
So now they have a big, expensive, inadequate infrastructure (and an inadequate pricing model to go with it). The depreciation schedules they based their plans on require that infrastructure to last a long time before it gets replaced, but it's already being overwhelmed.
I think what they're really trying to do is less to gouge heavy users, and more to discourage heavy use entirely, so that they can continue to limp along on their old infrastructure long enough for it to pay for itself.
In other words, they screwed up their market forecasts, and now they want everybody do without improved service until they make their money back based on those flawed forecasts.
Of course it was their screwup in the first place, and most of them (I don't know about Bell or Canada) got a lot of subsidies and tax breaks based on promises of fabulous networks. They then kept as much of that money as they could get away with while building out the cheap network they thought they could get away with. I therefore think they (their shareholders) should really be first in line to eat the costs of writing off the infrastructure they built in error.
Then they can go ahead and do UBB to create a revenue stream to get financing to build a proper network.
Professional athletes, and elite amateurs, do all kinds of hard training that can damage their bodies, either with immediate injuries or with bone and joint problems that may only show up after they've retired. Should training be banned because of the side effects?
I've met Brin in person. I came away feeling like I'd been talked down to by a pretentious twit. I think he is, in fact, worse in person than in text.
Nonetheless, Brin is still right that there is NO QUESTION that the "more powerful" side WILL have surveillance, and the only question is whether the "less powerful" side will get anything at all, not whether the power ends up equal, or even whether the ratio stays the same. Schneier is completely missing the point.
On the other hand, Brin seems to think that the transparent society won't be so bad, because people, given access to total information about each other, will learn to be courteous and restrained in their use of that power, perhaps partly because they'll see their own foibles reflected in others. There, I think Brin is smoking some serious crack.
Yes, but that's not that important. The same number of individuals will probably die in whatever the event is. If there are 12 billion people on Earth and they all get killed, it's not that much better if there are a million additional people somewhere else who don't get killed. The disaster is still a disaster.
The problem with the idea of terraforming Mars is that there's no good reason to try it in the first place. Why would you want to do a thing like that?
To preempt the most common answers--
It's not going to be a home for the teeming billions of Earth. It would cost too much, mostly in the form of energy, to transport that many people there. Anyway, it would just be a stopgap even if transport were free. Geometric growth is still geometric growth. The amount of time you'd gain may not even be the amount of time it would take to do the terraform job.
It's not a particularly efficient way to provide a "backup" habitat in case of the destruction of the human species on Earth. Open-space colonies would be cheaper and easier. Even that, of course, is only interesting if you really care about the issue in the first place. Personally, I don't care very much, definitely not enough to go to all that trouble. The big problem with species-destroying events, from my point of view, is the death of all those individuals, and a backup colony doesn't save many, if any, individuals.
Complete boondoggle. And politically and economically impossible, as well...
That would be true if it were local software that was doing the checks. The idea of the TPM is that you can use it to prove to a remote computer, not under your control, that your machine is running "blessed" software. The bank can verify that you're running an OS it's comfortable with. An online DRM system can refuse to hand over the key to decrypt media unless you prove your computer is "uncompromised" (and therefore won't make a copy of either the key or the media). You can virtualize your end, but you can't virtualize the end that's doing the verification. All any of the software running on your computer is doing is acting as a conduit between the remote server and the TPM. If your software messes with the messages passing back and forth, it just makes the verification fail, and the remote computer refuses to play ball. The remote computer will know if it's talking to a VM.
You can also use the technology locally in the way you describe, and people certainly would do so if it every became popular. If they do that, yes, it's hackable as you say. It's probably also hackable without doing the virtualization at all. But that local mode isn't the strongest way to set it up... and, since almost everything interesting is done online these days, having control of what you do online is almost as good as having total control over everything you do with the computer.
I think the real attack on this system is to take advantage of the fact that the "trusted" software itself is going to have bugs. The TPM doesn't check to see that the software is correct, just that it's the expected binary. Not only that, but the TPM itself only checks the BIOS or the bootloader or some such low-level software... that trusted loader is then expected to check the OS kernel, which is then expected to check all the rest of the code that gets loaded, which is then expected to act in the intended way. The chain of trust is long, and the trusted code base is huge, so the assurance is largely theoretical. But virtualization isn't the way to beat it.
They're exactly correct. But this post puts somebody's credentials behind their position. :-)
You're right. GP knows damned well it's shared bandwidth, you know damned well it's shared, and I know damned well it's shared. GP and I don't know how much it's shared, because many ISPs treat that information as a big secret, and we therefore have very little ability to compare offerings... which is a big problem that needs to be fixed. But, nonetheless, we do know that it's shared, and we have a vague general idea of what we can really expect to get.
You and I and GP are not the issue, though. The issue is the average person to whom this service is marketed, who may or may not understand that there's sharing going on at all, usually isn't in a position to evaluate the real impact of that sharing, and probably doesn't really have a very good idea of what bandwidth is actually being delivered, let alone what might reasonably be expected compared with other ISPs. The only way that average person is even going to know that the service is a best-efforts service is in fact to read the fine print... and even then it's not really reasonable to expect that person to know what "best-efforts" does or should mean. I've been in the Internet industry for 17 years (yes, really), and I'm not sure I know what's a reasonable best effort... it seems to change depending on the policies of one side of the deal.
It's not ethical to advertise a number that you know damned well is going to mislead many customers more than it enlightens them. That systematic deceptive marketing is the real issue. Either the industry needs to come up with a non-bogus number (or scorecard or whatever), or the industry needs to stop advertising link speeds... or, I suppose, the industry could decide to put all the limitations right there in the ad in the same font as the maximum bandwidth number...
You appear to have lost track of what the United States is here for. Let me give you a reminder, starting with a few things it's not.
It's not here to guarantee you a bigger car than the guy in the next country over.
It's not here to guarantee you a job.
It's not here to let you tell other people how to spend their money.
It's not here to compete with other countries.
It's not here to put you in a master class based on which side of some line on a fucking map you were born on.
It's here to give people a place to do as they will, and to give everybody a chance to compete with one another, if they so choose, on a level playing field. It's here to give them that because they deserve it, because they're people, not because of where they're from or who their parents were.
The United States is an instrument created for a purpose. Insofar as it has lost track of that purpose, it is not worthy of the loyalty of any human being... and even if it follows that purpose, the true loyalty ought to be to the purpose, not the country... and sure as hell not to every fuckwit with an inflated sense of entitlement who happens to have been born within its borders.
You nativist idiots, the my-country-right-or-wrong assholes, the xenophobic safety-obsessed cowards, and all the other lame excuses for Americans who seem to run the joint these days, are a disgrace to the principles the USA used to think it stood for.
You make me sick.
Disclaimer: I know nothing about the issues in this case, other than what I infer from this report.
Given that he says that he does not believe the hard drive image he examined came from the drive used to do the file sharing, his comments about examining registry keys (or anything else in the image) to determine that the computer wasn't connected via wireless are completely meaningless. The registry keys are stored on the hard disk drive. If this isn't the drive that was used for the sharing, then the contents of the registry on this drive are completely irrelevant to the question of how things were configured when the sharing took place.
That he would be willing to say that the machine wasn't connected via a wireless router, or indeed anything about how it was or wasn't connected when the sharing took place, when he does not believe that the drive image he's examining came from the drive in use during the sharing, and that he doesn't even mention that the registry he's looking at isn't, by his own determination, the relevant registry, completely discredits him. With the drive contents, and therefore the registry, off the table, he has exactly ZERO evidence for the conclusion he reaches about wireless... and he surely knows that. He's deliberately contradicting himself, and that ought to be sanctionable, although I imagine it probably isn't.
Even if he turned around and said that he was wrong, and the image he's looking at was the one in use at the time of the sharing, I don't think I'd be so blithe as he is about saying "Based on how IP addresses are assigned, it is not difficult to determine whether a computer was connected to the Internet via a wireless router". There are a lot of ways to assign IP addresses, and some devices, like wireless routers, go out of their way to be "invisible" when they participate in some versions of the address assignment process.
Expert opinion is all well and good, but I'd think you'd need more than "because I say so". He should be forced to provide detailed reasoning to support his claim about wireless. I wouldn't want to reach that sort of conclusion without at least examining the alleged wireless router and its configuration, and he does not mention having access to the router. I'd also have expected him to have looked at which interface drivers were installed and active on the machine, and at whether there were any traces of its having detected wireless hardware. If he did that, he did not see fit to report it. A conclusion based on "how IP addresses are assigned" is really suspicious, and he should be forced to provide a step-by-step explanation of his reasoning about the IP address assignment process... which step-by-step explanation should be subjected to step-by-step expert critique.
Although he's probably right that any installation of file sharing software would, under realistic assumptions about who was trying to "clean up", have left a detectable trace on the drive image, it would be possible for the right sort of highly technical person to wipe out the traces he mentions looking for, as well as other traces he doesn't mention looking for. Even a relatively non-technical person could have wiped them out by completely zeroing the drive and reinstalling... the effect would have been the same as putting in a new drive from the point of view of the image he has.
Anyway, h
If that's Big Brother, I think I'm probably for it. The problem with surveillance has always been that one side, the "authority" side, has always had a recording. If that recording was favorable to authority's version of events, it could be released. If it was unfavorable, it could be buried. The imbalance invites abuse.
I would be against a system where only the student had a recording. I wouldn't be as much against it as I would be against a system where only the teacher had a recording, because the teacher is already in a position of great power, but I'd still be against it. I might very well be in favor of a system where everybody had, or at least might have, a recording of everything, all the time.
Yeah, that would mean that there'd be embarrassing footage of all of us, because we've all done stupid things we're not proud of. Maybe it wouldn't be such a big deal, though... it's kind of hard to come down too hard on Joe for his filmed mistakes, when he can dredge up yours. On the other hand, if somebody has a pattern of behavior, it becomes pretty hard to hide it.
Such a system might be too hard on people, too stressful to live with, too unforgiving of the human need to get away with something once in a while. I'd especially be worried about people getting destroyed over the witch-hunt of the week.
It might also be an improvement over what we have now. The case isn't open and shut... and one could actually do reasonable research to perhaps predict the effects, rather than just having everybody yell about "privacy" like that automatically trumped everything else.
Why? What's so special about authority that it deserves this mystical respect you're calling for? Obviously, people in authority are often right about a lot of things (as well as often being wrong). That doesn't mean they should get an iota more consideration than everybody else. Arguably they should get less slack, since they're in a position to abuse their authority.
Yes, users outside my own household, and yes, their written policy is clear about that.
No, no set bandwidth caps beyond "reasonable usage"... and I've never seen unreasonable bandwidth usage, nor has the ISP has ever complained about bandwidth, in years of my doing this. My own personal usage completely dwarfs what anybody's ever done over the WiFi. If bandwidth became a problem, I'd just cap it.
No, no business-grade pricing, but considerably higher than normal consumer pricing.
I know my legal exposure as well as it's possible to know it in my situation. There's a lot of case law that hasn't been established yet. Doing this is not risk-free, but it is not in any way "illegal"... and nothing in the world is risk-free. Every ISP, every business, and every person, has some uncertainty about legal risks, whether they know it or not.
My biggest legal risks are actually in having to defend myself under stupid civil preponderance-of-evidence rules against tort claims that I did something my users actually did. My second-biggest risks are public-nuisance claims, but I think those risks are quite small.
I have almost no legal risk under intercept statutes unless I decided to fight an intercept order, which as a practical matter is a decision I will never have to make... and given that I have a published policy that anybody who wants to can spy on the network anyway, I'd have no problem with just complying anyway. I am technically capable of complying. If I did for some reason decide to fight, it's not obvious that the statutes apply to me, but of course it would be ruinously expensive to argue that in court.
I have some small, but larger than I would like, risk of criminal prosecution by a law enforcement agency that doesn't believe that I really didn't do something my users did, and wants to charge me. It is improbable that such a situation would ever arise, but of course it would be ruinous even if I were found not guilty in court. I just accept that risk.
I am not at present subject to any data retention requirements (at least not under any sane rules of jurisdiction, although you never know what Nowhereistan might try to enforce against you if they got the chance).
I think it's quite improbable that I would have any liability to my users for anything, although again there's little case law.
So, basically, yes, I do know what my legal exposure is, and you don't really know what I know, do you?
So, if most or all AP vendors did in fact start selling devices that were locked down by default (or, say, devices that actually forced the user to decide one way or the other at installation time), would you then favor a system in which opening up an AP was treated as an invitation to use it?
What if, in addition to APs not being open by default, users became more sophisticated over time, and there were fewer cases of people leaving networks open by accident, regardless of the defaults?
I ask because both of those things seem to be slowly getting closer to reality. The problem is that whatever legal system is established now will probably persist regardless. If governments are allowed, today, to set up systems of laws that forbid treating an "open" AP as truly open, we'll still have those laws in the future, whether they make sense or not.
Given how long it will take the laws to get established, how long it will take the technology and the user sophistication to change, and how long it would take to change the laws after they were established, does it still make sense to let the law go in the direction of presuming no permission on open networks?
One problem here is that many legislators, and many of the people who influence them, don't like the idea of open APs regardless of whether the AP operators and their ISPs like them or not. Open APs represent a path of untraceable access to the Internet, and there are a bunch of people who hate anonymous access. That's another reason why you might not be able to get the laws changed if the underlying situation changed, and why it makes sense, right now, to argue for "open means open".
You're not wishing me "Godspeed" in your actions, or at least not in what you're trying to make the rest of the world do.
You're trying to tell me that the means I've used to make my network available aren't adequate. Furthermore, you're telling my users that those means aren't adequate.
I'm over here with my open AP, telling Joe, via beacons and DHCP, to "Go ahead and use it". And you're telling Joe not to believe anything I say, because I'm only using "technical means" to say it, and some other benighted soul might accidentally be saying the same thing, by the same technical means, and not really mean it.
Furthermore, you're not offering me any really reasonable way I can convince Joe that I really mean my invitation. I don't accept that posting a placard is reasonable... it's an ugly intrusion, and you can't make it visible in all the places the WiFi network covers. I surely don't think that forcing Joe to bug me personally for permission is an acceptable alternative; that would be a huge imposition on both of us, even if he could find me.
How, in any practical sense, is that any different from forbidding me to give Joe access?
You really are suggesting preventing me from giving Joe a gift. I understand that your reason for that is to protect Sally from the consequences of buying a poorly-thought-out product from Jim... but that's wrong. Neither Joe nor I have any contact with Jim or Sally. We're over here at my house, engaging in a consensual gift exchange that harms nobody. What reasonable legal, moral, or cultural norm makes it incumbent on us to give up the very possibility of that because others, elsewhere, can't get their act together in what is, after all, not so complicated a way?
Sure, if Sally screws up, and Joe later goes over to her house and ends up on her AP, and she tells Joe to knock it off, Joe needs to knock it off. Joe should even be neighborly and help her to lock it down. But Joe should intially be able to take Sally's AP's beacons at face value... especially since the damage to Sally in such a case is, realistically, minimal.
It's not an unreasonable expectation that people who deploy a technology should learn at least a little about it.
As for reductio ad absurdium, I thought your assertion that I was completely ignoring legal, moral, and cultural issues to be pretty absurd already. The whole conversation is really about the moral status of various forms of communication, including communication using various technical means.
Um, no, actually, what I'm saying is that I want to retain the right to give a gift. When I give you something, it's not stealing if you accept it.
Gifts get pretty high esteem in most "legal, moral, and cultural" systems, thank you very much. Do you really want to outlaw them?
You're trying to create a world in which it's essentially impossible for me to ever give the gift of WiFi access, because you're taking away the only way that's available for me to inform the recipient that I intend to give them that gift. You want to be able to hang a "take this free" sign on a network, but not have people take you at your word.
Yes, the "take this free" sign is a technical one. For that matter, a sign on a board would be a technical one, too. Writing is a technology.
The whole concept of wireless Internet access only makes sense in the context of wireless technology. It is therefore completely reasonable to include proper use of that technology in the definition of norms around such access. A person can't even be a party to this argument without having already adopted a bunch of complex wireless technology.
http://www.speakeasy.net/netshare/terms/#wifipolic y
Of course, the above-linked written policy of allowing me to share using WiFi (which policy has been in place more or less unchanged for years) has little to do with bandwidth ratios. Casual WiFi users don't tend to use enough bandwidth to worry about. If the bandwidth became a problem, I'd just cap it. And if any illegal activity is reported to me, I'll deal with it just as any other ISP would.
By the way, I can just about max out my connection if I want to, it turns out. One of the advantages of paying just about triple the market residential rate is that I don't tend to get a lot of heat about my enormous download traffic. Sure, all ISPs oversubscribe their backhaul lines. Some do it more than others.
I used to have a commercial account with another ISP. If my bandwidth needs go up much further, I may need to get one again. Meanwhile, I'll stick with this high-end consumer account, which does indeed, as a matter of written ISP policy, to which I have linked above allow me to run a WiFi endpoint.
As for your point about lawsuits, well, prepoderance of the evidence is a funny thing. It turns out you can get screwed by it in almost any part of your life, on and off the Internet. Some of us aren't cowardly enough to order our lives around the possibility.