You can choose to define "fined" narrowly enough that this statement is factually correct,
Actually, "fine" is a very well defined term, like "Bit". A fine is something you pay to the government as punishment. Since there was no punishment, it was no fine.
If something feels like a punishment, that doesn't make it one. If he had been punished, the actual drain on his wallet would have been 100 times what it was.
Furthermore, I find myself in agreement with the court: having an open WLAN puts him and others at risk and is usually a violation of the ToS of his provider. He should either secure his WLAN or turn it off: his choice.
CU, Martin
Serious case of misleading headline.... The court said: "If you have an open WiFi and someone uses it to file-share copyright-protected material, the owner of the rights may send you a cease-and-desist letter (effectively insisting that you secure your WiFi) and extract 100,- Euro from you to cover the fees of the legal process."
The user was not fined, he was not punished, he was not ordered to pay for the damages.
CU, Martin
P.S. Who wonders that lawyers don't get the technical aspects right when the techies confuse the most elementary judicial terms....
Please be aware that there is a difference between "free of bugs" and "usable for the intended purpose". This verdict is not new. If you sell software for purpose "X" and afterwards it turns out that "X" cannot be reached due to limitations, you were always liable (at least here in Germany). But several courts have ruled that no complex software is 100% bug free. There are and always will be bugs. But the software must still be usable for the intended purpose.
CU, Martin
The reason is AFAIK not DNSSEC itself, but the process of its introduction. Why should someone delete zone files if not due to changes made to the zones? I would guess that any nameserver gets only a diff for each update and not a full dump. In this case the diff contained empty zones (my guess).
Don't try to understand the modding here. I've given up on that one.
CU, Martin
The DE-NIC finally spoke out. If you don't speak German, the statement doesn't contain anything that wasn't already well known: yes, there was a problem starting at about 13:00 and it was fixed around 15:45.
We wouldn't need to speculate if the DE-NIC gave out more details. As for myself, the DFN NOC holds more credibility than the DE-NIC.
There are hundreds of ways to get a DNSSEC deployment wrong. The error is not disturbing by itself. The time needed for a rollback of any change they made is, IMHO. As is the lack of a concept of what to do in case something like this happens. Don't get me started on the information policy...
CU, Martin
Once upon a time, the DE-NIC was very respected in the German internet community. But several things happened lately that let the trust erode: there were internal power struggles, the rising influence of domain traders inside the DE-NIC and the surprising distribution of the two-letter-domain rush (25% of all domains ending up in the hands of a single person). Perhaps this outage will be a wakeup call. If we only count the time spent on customers calling the hotline, the damage for my company is several thousand dollars.
CU, Martin
According to my information (DFN NOC) the problems resulted from a botched experiment with DNSSEC. Unluckily the DE-NIC is still silent about the incident.
Hi,
It goes against any emotional bone in my body, but I have to vigorously defend a politician.
First: He has not been caught watching any porn. What he watches does not even approach the most bigoted definition of porn. If that should be porn, then I would have spent several vacations in a porn camp without noticing.
Second: For doing something else during a boring speech, he has my complete understanding. This makes him do his job neither better nor worse. The speeches are no longer part of the political process. It is more important for a politician (in order to get elected) to kiss some babies or his contributors' asses than to give eloquent speeches in parliament. The voters are even more disinterested in those speeches than the politicians.
By borrowing the headline unchallenged, /. is participating in a witch hunt. Even on this site I suspect several readers will not look at the material and will remember just the headlines. I hereby petition Slashdot to change the headline to "State Senator falsely accused of Looking At Porn On Senate Floor".
CU, Martin
A friend of mine is a SIP guru and often does presentations on SIP security. He usually shows a slide where all relevant SIP RFCs are listed. The slide (e.g. see here on Page 5) was already very full in 2006.
CU, Martin
I think you could easily do that on a Linux system today. If the encrypted partitions are mounted with only read permissions for a certain group, and all trusted programs are setgid and members of that group, wouldn't that do what you wanted?
This is a way to solve one technical aspect (I would guess you are correct about the technical aspect). The difficult thing is to design a solution that lets you enforce a policy in your enterprise. First, it has to run in the environment that is already in place (I regret to inform the audience that this usually isn't Linux). Second, it should help you to enforce the policy and not force you to adapt the policy to the technical limitations of the solution. And third (and most important), the solution has to scale. While it is a relatively easy task to secure one PC or even a dozen, it is a hell of a job (real-life example) to do this for 12,000 PCs when you only have 5-6 guys for IT security (including firewalls, VPN, virus scanners, certificate management, anti-spam solutions, RADIUS, WLAN, etc.).
I give up for now.
No surrender accepted :-) Keep on ....
CU, Martin
Strangely, I have made very few enemies on /. though I am often away from the mainstream here. Probably that's why I still wander around here :-). Doing IT (and IT security) for 20+ years has given me some pointed opinions. E.g. while I like an "Open" in any software name (especially if they mean it), it does not sanctify that software instantaneously.
Besides, in this case I won't be alone. By implementing any kind of effective DLP in the workplace of the average Slashdot reader, you will make enemies by the dozen. But it's the same with all IT security stuff. Read the article a few days ago on endpoint security (disk encryption). Security (with DLP being a subset) is always about policy. Policies are not made to be flexible, they are not meant to be more lax on the (often self-rated) knowledgeable guy, and they always lead to situations where their application is only stupid. Good and bad security policies do not differ in that regard. The difference between those two is more subtle and usually lies within the mindset of the policy maker.
CU, Martin
For those companies who have nothing yet and where the solution fits, you are correct. The trouble lies within "solution fits". If you are a typical company (e.g. your customer names being sensitive data) it will not help you to learn that 95% of all employees have on average 23 files containing one of those names. It would help you more to find out that a file containing more than 50 customer names is stored on an unsecured device (e.g. a USB stick). Currently (IMHO) OpenDLP is more of a company-wide search tool.
Where it could help you: you are a paranoid company developing a new smartphone version. You have specs for the new product and a code name. You want to scan all PCs to make sure that nobody has stored either the specs or the code name on a network-connected PC. But in this case you would need a Mac version of the software :-). Sorry Steve, couldn't resist.
CU, Martin
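A toy version of the threshold-based check the comment above asks for, added here as an example (it is not OpenDLP's code and not part of the original comment): it counts distinct customer names per file and reports only files that exceed a threshold, rating files on removable media higher. The customer names, file contents and the path prefixes that count as removable media are all constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample data for this example; these are not real customers.
CUSTOMER_NAMES: List[str] = [f"Customer{i} Sample" for i in range(1, 61)]

# Constructed file contents. The CSV on the USB stick holds 55 distinct
# customer names; the other two files each mention only a couple.
FILES: Dict[str, str] = {
    "/home/martin/quarterly_report.txt":
        "Quarterly notes mention Customer1 Sample and Customer2 Sample.",
    "/media/usb0/export.csv":
        "\n".join(f"{name},active" for name in CUSTOMER_NAMES[:55]),
    "/home/martin/notes.txt":
        "Meeting with CUSTOMER3 SAMPLE about the renewal. Customer3 Sample again.",
}

# Assumption made for the example: paths under these prefixes are removable
# media and therefore count as unsecured devices.
REMOVABLE_PREFIXES: Tuple[str, ...] = ("/media/", "/mnt/usb")


def build_matcher(names: Iterable[str]) -> re.Pattern:
    """Compile all names into one case-insensitive alternation with word
    boundaries, so 'Customer1 Sample' does not also fire on 'Customer10 Sample'
    and a single pass over the file content finds every name."""
    alternation = "|".join(re.escape(n) for n in names)
    return re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)


def distinct_names_in(text: str, matcher: re.Pattern) -> int:
    """Count distinct names (case-folded), not raw hits: a file that repeats
    one customer's name fifty times is a letter, not an exported list."""
    return len({m.group(0).lower() for m in matcher.finditer(text)})


def scan(files: Dict[str, str], names: Iterable[str],
         threshold: int = 50) -> List[Tuple[str, int, str]]:
    """Report only files holding more than `threshold` distinct customer
    names, ranked by count; files on removable media get severity 'high'."""
    matcher = build_matcher(names)
    findings = []
    for path, content in files.items():
        count = distinct_names_in(content, matcher)
        if count <= threshold:
            continue
        severity = "high" if path.startswith(REMOVABLE_PREFIXES) else "medium"
        findings.append((path, count, severity))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for path, count, severity in scan(FILES, CUSTOMER_NAMES):
        print(f"{severity:6} {count:3} distinct customer names in {path}")
```

With the default threshold only the CSV on the USB stick is reported; the two files that mention one or two customers stay quiet, which is the difference between a search tool and a policy check.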
Hmmm.... While this is useful for several security functions, it only covers a small part of what I would consider a DLP solution. When (for example) sensitive information has to be allowed on the notebook or PC of an employee, I want to make sure of several things:
the disk is encrypted (or an alarm is raised),
writing it to a CD or USB stick is prevented or (when allowed) the file is again encrypted (and can only be read on other company PCs) and
the information is neither sent by email nor uploaded through a web application outside the company.
What I want is a tool that lets me formulate a policy concerning the aspects mentioned above (and more). E.g. certain information must not be stored locally (covered), that information may be stored when certain security criteria are met, and this information shall not be sent by email (unless the employee confirms this has been cleared with manager X).
Trying to prevent information from being stored on an employee's PC is only a solution for a subset of the DLP problem. While I think this open-source solution is quite useful, the name "OpenDLP" led me to expect more.
CU, Martin
P.S. I already see some companies using this to search for the sensitive word "application" on all employees' hard disks ;-)
This sounds a lot like the stuff I heard in CS/Mathematics classes more than 20 years ago (Hackbusch, Praktische Analysis, summer term 1987/88). That course was mandatory then for any CS, Mathematics or Physics student. Has that changed yet? It's about the differences between a number and its binary representation (and examples of the consequences).
I completely agree that every programmer should know about that. But this is nothing new, it was already important 40 years ago. I'm pretty sure some space probe/missile already got lost due to these problems.
CU, Martin
P.S. It's not only important for programmers (dealing with C, C++, Java, etc.). Several times I was called to debug some "Excel error" when it turned out to be a floating-point restriction.... It would be interesting if you could create a macro that checks for such conditions.
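The kind of check the P.S. asks for, as an added example in Python rather than an Excel macro (not from the original comment): it tells which decimal inputs cannot be stored exactly as a binary double, including integers beyond 2**53, and measures the error a plain summation of such inputs accumulates. The sample inputs are constructed.

```python
from decimal import Decimal
from typing import List, Tuple


def exact_binary_value(x: float) -> Decimal:
    """The value the double actually stores, written out exactly in decimal.
    Decimal(float) is exact, whereas str(float) only prints the shortest
    text that rounds back to the same double and so hides the discrepancy."""
    return Decimal(x)


def is_exactly_representable(literal: str) -> bool:
    """True when the decimal literal survives the round trip through a double
    unchanged, i.e. it has a finite binary expansion that fits in 53 bits.
    Catches both 0.1-style fractions and integers beyond 2**53."""
    return Decimal(float(literal)) == Decimal(literal)


def flag_inexact(literals: List[str]) -> List[str]:
    """The 'macro' the post wishes for: list the inputs that a spreadsheet
    cell or a C double cannot hold exactly, before anyone adds them up."""
    return [lit for lit in literals if not is_exactly_representable(lit)]


def check_sum(literals: List[str]) -> Tuple[float, Decimal, Decimal]:
    """Add the values twice: the way a double-based loop does (binary) and
    the way a human does (exact decimal). Return both totals and the
    absolute error between the binary result and the exact one."""
    float_total = 0.0
    exact_total = Decimal(0)
    for lit in literals:
        float_total += float(lit)
        exact_total += Decimal(lit)
    return float_total, exact_total, abs(Decimal(float_total) - exact_total)


if __name__ == "__main__":
    # Constructed inputs: two are exact, two are not.
    for lit in ("0.5", "0.1", "1.3", "9007199254740993"):
        print(f"{lit:>18} -> stored as {exact_binary_value(float(lit))}")
    ft, et, err = check_sum(["0.1"] * 10)
    print(f"ten times 0.1: binary {ft!r}, exact {et}, error {err}")
    ft, et, err = check_sum(["1.0", "-0.9", "-0.1"])
    print(f"1.0 - 0.9 - 0.1: binary {ft!r}, exact {et}, error {err}")
```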
Hi,
IMHO a private PC has no business inside any enterprise (>1,000 PCs) network. If a PC of an employee/consultant/customer is used, it is placed in a special DMZ. From there it can connect (e.g. by SSL VPN) to the company network. It only has access to certain resources. The access to the resources may vary with "type of authentication", "security level of the PC", etc. Certain actions (e.g. transfer of files) are only allowed through clearing points.
Installing any kind of endpoint security (disk encryption, desktop firewall) on a private PC by an enterprise is a recipe for disaster. I have been doing endpoint security concepts and projects for several years now. An exact inventory of OS, hardware, software installed, etc. is an absolute key element for such a project to succeed. If you use a "this software works for all platforms" approach, the support effort will usually kill you ten times over. Even the best software (Check Point FDE for enterprises, TrueCrypt for private users) has many dependencies: the virus scanner may prevent the boot sector from being written, the keyboard may not be recognised correctly by the preboot authentication code, certain boot loaders may not be interoperable with the product of choice, or you may just be unlucky.
It is probably cheaper for an enterprise to give a workplace (e.g. thin client, SunRay or cheap notebook) to an employee (even a temp) than to try to fix his security for or against him.
Sincerely yours, Martin
P.S. This is a very, very short summary.... A complete account of experiences and ideas would require days to type. When a customer wants an introduction to the topic, I usually start with a 2-4 hour presentation.
Hi,
The law is a twisted thing as is and lawyers get to pound it out of shape even further. Add in a little blind respect for people like police and DAs and you have a recipe for disaster where people will willingly accept that black is white and up is down. Although "jury will lynch jerk" is pretty easy to predict. That only requires a crude understanding of human nature.
That the law is twisted is a self-evident fact, since the law tries to govern real life and nothing is more twisted than that. That "blind respect" may be present, but "assigning" it to every juror in the system is as blind as the respect you suspect. But "jury will lynch jerk" is not as easy to predict. You fall into the same trap of stereotyped thinking you accuse them of.
The same people that likely gave Terry grief in school probably did the same in the courtroom.
Of everything I have read about the trial, nothing gave any evidence of a kangaroo court. Terry Childs probably fucked up. Others fucked up too, but he did it at one of the worst possible moments. Everyone fucks up once in a while. Mostly it has no or only minor consequences. But sometimes quite a simple fuckup can ruin your life (mostly: not paying attention while driving, but there are other situations too). This is not fair, but nobody ever promised it would be. The trial was much fairer than life is. He got his say, a decent defense and a judge who dropped most charges.
The verdict probably bothers you because you can imagine fucking up in a similar way, and that is quite a sobering thought. You may even feel "being right" while making that kind of mistake. I too can imagine making the mistake Terry made (at least when I was 25), so I can sympathize with him and would also plead for some leniency concerning the punishment.
But my impression in general is that the trial was fair, the jury up to the task and his coming punishment partially Terry Childs' own fault.
CU, Martin
There was once a story on /. about a blog post called "You are not a lawyer". That was a very good one about the similarities and (more important) the differences between IT and jurisprudence. The similarities sometimes give a perceptive insight, while the differences combined with half knowledge may lead to disastrous blunders (this works both ways: "a state attorney once argued about confiscating a router in the logical second a packet is passing through, and thereby doing an intercept (for which an order is difficult to obtain in Germany) by confiscating something (much easier)").
Trying to second-guess a jury based on press reports (written by reporters who understand neither IT nor jurisprudence) is something I try hard to stay safely away from.
CU, Martin
Is it the problem of PowerPoint or of the one creating the presentation? It seems to me a case of blaming the technology instead of the user. PowerPoint doesn't create a strategic genius by magic. But I am 100% sure Clausewitz could have created a great PowerPoint presentation "about war".
Honestly, I don't feel very multi-threaded. Once I start doing multiple things at the same time, the context switching screws up my stack and I dump my cores..... Very messy!
Multi-Threading, here i come....
I needed the announcement of the floppy disk's demise as a reminder that it is not already dead. Bought my last disk at least a decade ago....
Seriously -- who hasn't ever lost their phone or their wallet?
Me.
The only hypothesis that could explain such an unlikely event is: you have neither wallet nor phone.
CU, Martin :-)
He found it, and that is perfectly legal.
Are you sure? I couldn't imagine that and found this on Wikipedia: Mislaid Property.
CU, Martin
P.S. I have mislaid my mobile phone more often than I can count. I got it back every time (until now), but it was never such interesting bait as this find.
Hi,
Selling a thing lost by someone else or buying it and then breaking it, all this would be punishable by law here in Germany. A state attorney could use terms like "theft", "fencing" and "malicious mischief".
Are the laws so different in the U.S.? Taking pictures of something you found is OK. But keeping, selling, buying (when knowing it has not been legally obtained) or intentionally breaking it could get you in trouble.
Besides: IMHO it's bad manners.
CU, Martin