If it was a Mexican _partner_ you'd be right. If it's a Mexican _subsidiary_ you are wrong.
A "subsidiary" is an owned asset. If you own an asset and it was in Brunei and you are here before the court, the court can order you to surrender that asset because you onw it and you are subject to the law where you are.
I don't have to subpoena you in Brunei if I've got you here.
Your only defense is if Mexican law makes it _illegal_ for you to move or copy the asset. In that case you'd have the "the court cannot require me to break the law" defense, which is not the same as the "it's far away" defense Microsoft is attempting.
For instance, lets say Fidelity (a french company) was required, in French court, to produce my financial records for the purpose of auditing Fidelity for alleged misconduct. And let's say Fidelity didn't want to do so. They could resist the production order under various U.S. laws such as HIPPA if my records incidentally contained medical information.
Likewise, if the E.U. privacy regulations covered some or all of these documents then Microsoft _could_ _have_ argued _that_ against the production order. Same for things like Attourney Client Privilege and any number of other things. I work for a company in the U.S. that is a wholly owned subsidiary of a brittish company. But the brittish crown and court cannot successfully supponea any of our non finincial documents because we do defense work and so U.S. law would prevent the export of that material. But the money stuff is fair game.
So too for paper documents. The "that would be illegal" defense cuts very fine. If the documents were in Afghanistan, and printed on pure marijuana leaf, then you could argue against shipping the original documents here because marijuana is illegal here. But the court could then require you to photocopy or fax the documents here on a more legal paper.
Now people have been talking "warrant" vs "subpoena" and I don't actually know for sure which thing is happening. A demand for surrender (subpoena) is different than a warrant to enter and search. This sounds like a subpoena not a warrant, as a warrant woudln't be served to Microsoft here, it would be processed by the foreign government and would be served _there_ by local law enforcement.
Given all that, "the old paper courts" are no different than the current paper courts. The "on a computer" bit is immaterial.
If Microsoft controls the documents personally, or through an agent, and a "subsidiary" is a kind of agent with lots of legal precident, the documents are fair game unless an actual law in the other jurisdiction says they are not. Paper or not.
The question is one of control not format of storage.
If I used a Saudi document escrow or storage service to store my documents, and they stored them in Botswana, there would be at least three jursidictions with the ability to subpoena those documents. Botswana, Saudi Arabia, and Wherever I live (so State of Washington, and U.S.A. federal jurisdictions).
It was _my_ choice to involve the Saudis and they were acting as my agent when they involved Botswana.
Sucks to be me if my documents are not actionable here but against the law there. I got those places involved in my business by doing business with them. That's the nature of actual, personal responsibility.
Really read this sentence: "In essence, President Barack Obama's administration claims that any company with operations in the United States must comply with valid warrants for data, even if the content is stored overseas."
This is a core tenant of law. It is the same legal principle that says the U.S. can prevent and punish a U.S. company from shipping heroin and sex slaves from Afghanistan to Brunei because they _are_ a U.S. company. It's also the same reason that a Brunei court can go after the same company.
If I go to mexico I am bound by Mexican _and_ U.S. Law. You can substitute any countries for any countries in this scenario.
This is also why I am mostly untouchable in Utah and Montana since I've never been in Utah, and I drove through Montana once. But that could change if I started a partnership with someone who lived in Utah. That relationship between them and I could bring many of my details under the jurisdiction of the Utah court.
You step in a river, you get water on you. You splash around in business in a particular country, the law of that country will stick.
Microsoft does business here. The dispute is a dispute here. That Microsoft stores the relevant material there, by accident of fate or by purpose of design, doesn't insulate that material from this court.
Where is the dispute, who created the material, and where are they, and where were they when they made the material. These are not very advanced questions.
It's more or less the same reason that a U.S. court can prosecute a U.S. citizen for "sex toruism" if they do the under-aged nasty in a land where that's supposedly okay, because they did it under the tacit protection of the U.S. because they could call their council and embassy via their citizenship and passport etc.
It's very, very hard to wash off a jurisdiction. One of the reasons the Swiss were so useful for so long is that they just wouldn't say what they were holding. Other jurisdictions could hold you responsible for what they could prove you "must have", but they couldn't ever get the swiss to _be_ that proof because they would simply remain silent.
There is no dispute that Microsoft has these documents. There is no dispute that Microsoft is a U.S. company. There is no dispute that the dispute is taking place in the U.S. So Microsoft's claim is _almost_ pro forma. They don't _want_ to cough up the stuff, but they likely have no belief that this defense will work.
Part of what Microsoft sells here is "if they mess with your bull they'll get _our_ horns, so trust us with your stuff". The very fact of the defense, despite its absurdity, is a feather in their cap.
Microsoft is trying the "you can't hold me responsible for yesterday's shooting because the gun is in my other pants" defense.
The law has _always_ held that if you are before the court, everything relevant to the case is before the court.
If this were not the case then the Tobacco and Asbestos companies could have just said "all those meeting minutes and research records are stored in our warehouse in mexico so ha ha, you all lose." Any company or person, on any issue, could just mail the evidence out of state or out of country and get off scott free.
That just never happened.
Just because the evidence is "on a computer" instead of "printed on paper" doesn't make the "other pants" defense viable.
The court is not reaching across a border. Microsoft is _here_. Microsoft does business _here_. The complaint is _here_, and the court is _here_. The proper legal response to "the other pants" gambit is to tell the guy in his shorts to send someone to go get whatever it is from those pants and bring it back.
Criminals don't just "move" their assets to other countries, they "hide" them because if it can be found it's on the table.
Every court. Every country. Every topic. From the beginning of time.
This isn't a case of the U.S. reaching across a border. Microsoft is _here_. Microsoft is doing business _here_. The court _here_ is ordering microsoft _here_ do produce documents _here_. Microsoft's claims that the docuements are "in their other pants" (e.g. on a server in Ireland) is immaterial because microsoft is _here_ and _microsoft_ owns those documents.
Now _if_ this were a case where a U.S. Court was ordering a company that was not _here_, say an Irish company that was _there_ in Ierland called Irish Pizza Delivery Co. to cough up emails even though they don't do any business here... that would be a huge over-step. That over-step is because they are _there_, or more correctly _not_ _here_, and the court is _here_.
This is _exactly_ the same reason that the U.S. Tobacco companies and Asbestos companies could not dodge legal responsibility by just shipping their money and internal paperwork to south america as soon as people started coughing.
I know that when I am being data mined I am very likely to pick the funny or ironic answer to any poll. The less intelligent the dumbest option is, the more likely I am to select it. My data is valuable and if you aren't gong to pay a fair price, and you intend to use it to subvert my happiness, I am not likely to go quietly to the slaugter.
I remember some movie where a guy lands in a Gulag and is being forced to make mitten liners. He learns from one of the other guys to sew them shut across the fingers and then hide the sabatoged ones by slipping them into the "already inspected" pile. It is sabatoge and it's faster than making the proper stitch so it's easier to meet the quota.
Lots of people maliciously answer polls and such, or so I suspect, which is why they are such a terrible instrument of governance and polity.
And P.S. if you don't limit people to thinking about tech, well there are _many_ blue species of sting and mant rays, so contextually they might have a point on answering some of those questions. Its that whole ability to read past typos that humans are so gifted with.
So conclusion? Polls suck, they suck slightly more than the pollsters conducting them, um-kay?
The sad truth is that HTML is just an accessory fruit for delivering other seeds of ideas, good and bad. Most of those ideas are capable of hosting infections, particularly DRM, computer viruses, and the kind of porn you wish you could unsee.
The linux kernel is full of gotos. Assembly is bereft blocks and that sort of structure. So "goto" isn't the source of all evil.
Consier this example of the linux goto paradigm below. When taking locks and establsihing component preconditions you can write an optimal routine that does the stepwise creation, and includes the non-conditional cleanup. Then skipping the cleanup if all the parts succede. The example below is trivial, but when it comes to preserving locking orders it solves a hard problem very simply. And if you check out the generated code its very efficent. More so if you hint the compiler that the success case is most likely for each conditional.
So take the simple example and imagine you are building something complex like a network request with data and metadata buffers and the actual request structure itself et al... as the number of parts grow the number of bizarre else conditions you have to use to do stepwise cleanup become bothersome repetitions of code. Its even worse if it's part1 _or_ part2 along with part3 etc. Complexity and repetition of phrases in the elses is plenty of reason to use goto.
complex_thing * hard_thing() { complex_thing * retval = 0; thing_pt1 * pt1 = 0; thing_pt2 * pt2 = 0; if (pt1 = generate_first()) {
if (pt2 = generate_last(pt1)) {
if (retval = generate_final(pt1,pt2)) {
goto success;
}
} } if (pt2) cleanup_last(pt2); if (pt1) cleanup_first(pt1); success: return retval; }
Simply put, there are times when a well-placed goto with a clear purpose and precondition can simplify code and accelerate execution.
Do I use a lot of gotos? no. Probably six C/C++ gotos in the last fifteen years. But when they are the correct tool to use, they can be magical.
Since all machine code is potentially brittle, the argument for using "safety aware languages" is itself brittle. For instance, Ada is safe because it doesn't allow deallocation unless you use ada.unchecked_deallocation(), or in the alternate, build nothing on the heap, or just hope that the Ada implementation has garbage collection, or..., or... etc.
_Someone_ has to do the work to protect whatever the brittleness is at issue.
For years I have used "struct Buffer { char * start, char * end};" instead of just char * string. (thing.end-thing.begin) is faster than strlen() and the constraints are always present. I've got a library full of simple bits that make this work (a wrapper around write(2) and read(2) for example).
Bad code can be written in any language. Java is safe? Well kind of, until you start making circles of referencds and losing them. sounds harmless unles there is a task and open socket in that circular reference and you've left a link back to some structure so that the socket is now able to access some nonsense.
The best tools in the worst hands are far worse than the worst tools in the best hands. Yelling for tools is a specious argument. Someone has to do the work, and that someone may well bone the job.
Snowden: (v) Adding a bit of code, hardware, or operation you know you shoudln't because an authority requires you do so. "Hey honey, I'll be late for dinner, I have to snowden the latest release of firefox."
(n) the sneaky bit of intrusive technology "Hey what's this bit?" "Shhh, that's the snowden."
I know he was the wistleblower, but we should enshrine his deed and the knowledge that this is happening using his name in memoriam.
ASIDE: Your point is mute [look up "moot" before attempting correction. 8-) ]. Enough is enough, and any less is not enough. That's the definition of enough.
Consider: "If you eat enough pudding you'll die"... the only test case is to keep eating pudding till you die. If you stop before you die you didn't eat enough. 8-)
Now the point that all eyeballs are not equal is fine and obvious. It only takes one metaphorical eyeball, connected to the correct brain, to find a bug. So one is enough if the rest of the configuration is suitable, and an infinite number are not enough if they lack the context.
The real difference between FOSS and others is not the quality of the eyeballs but the opportunity for the correctly quipped eyeball to fall on the relevant bit. In closed source applications the right post-eyeball configuration would have to first be part of the set of allowed eyeballs, and it would likely have to be actively paid to look for the bug directly or indirectly since the limited herd of eyeballs all have their assignments.
Pretending that the better solution (FOSS IMHO) is unworkable because it's demonstrably imperfect ignores the fact that the far less functional (NON FOSS IMHO) has a demonstrably worse track record. That comparason and derision is just "false dichotomy" and kind of an example of, perhaps, why you aren't the set of eyeballs in charge.
In non-FOSS circumstances virtually all eyeballs lack the context to find and fix problems because they lack access to the source.
So your argument fails because it implicitly argues against exposure, or argues that exposure isn't enough if the right people aren't looking. The failure isn't one of fact but of position. You offer no counter proposal. You are pissing on the model that exists but offering no alternative. In short you are engaged in venting of some sort but you are apparently not one of the set of eyeballs ready to offer solutions.
Actually the "Prutian Sepratists" were kicked out of europe for advocating regicide (trying to get someone to kill the king). They were granted title to what is now Verginia but decided to stay where they made landfall instead (not very good sailors). And they didn't come for freedom of religion, they wanted to set up their very own Jonestown (Guyana). It's right there in their name "puritan sepratists".
We don't necessarily have a thing for fear. We have a thing for authoritarianism.
So dear Europe, the next time you decided to export all your religious wacos, don't sent them all to the same place... it weakens the gene-pool.
There just happens to be a high correlation between fear and republicanism, so they run on the more police, more prisons, and to do so the conservative media bias is deliberately miss-sold as a liberal one. It's a self-perpetuating cycle.
On top of that, criminals all want to be cops, but only the petty criminals can make it though the background check. The cirminals want a taste of the power that previously held them down. So you end up with a lot of well armed, otherwise petty criminals ganged up in one profession exercising their egos.
Seriously, just ask your client base not to copy the mag, and maybe even do "pay what you want". It worked really well for The Humble Bundle.
If the product is good and you treat your customer base well, they will pay. IF you don't they wont.
The people who are going to copy it are not the people you want to care about as customers. Count them for ad revenue (like any other advertisement model, the reader is the product as far as the advertisers are concerned so copying is good from that angle.
You just need to find the sweet spot between universally free distribution (for high advert return) and enough direct sales for it's own sake.
You know, when people talk about who was warned about what, they completely forget the sharpshooter falacy. Warn everyone about everyone, then when some one does some one thing you can say "you were warned" because, in the huge pile of everything-squared you can find that nedle in the nedle-stack.
Now all the people who pointed at the nedle demand a bigger nedle-stack full of smaller and smaller nedles.
More signal. But more noise. And more noise per each increment in signal.
And more blame to go around.
There was a song, it has a point. "You have to hold-on loosly but don't let go". There was a movie, and it has a point "the more you tighten your grip the more systems will slip through your fingers." It's like there are all these old aphorisms and they came about for having truth within them. The truth of moderation.
No you wouldn't want to jump from a plane with a solid gold parachute (it'd be too heavy). Golden is a different beast alltogether. A golden parachute could be made out of $20m of rarest silk with all the d-rings made from chocolate diamonds and a harness embroydered with hundreds of untraceable swiss bank account numbers.
In one of the Books of the Malazans series there was a town where, should you default on an obligation the holder of that obligation could decide to to make you swim across the local harbor with bearing the amount of your default strapped to your body in gold. It cost the owed party twice the amount (e.g. his cash out of pocket and the money he'd never get from you) but people were very unlikely to default on obligations. Plus the creditor coudl often make his money back on the side bets for how long it took you to drown... Now _that_ woudl be a system for exiting CEOs.
This "represetation of the artists" will be the DRM and studios... I get your point about the public domain, but who is going to represent the _actual_ artists and other creatives?
since fail2ban would ban the entire NAT(ed) other office if one actor there were to fail-out from a host in that office, it suffers from the same "short coming" as my script in general, and if you know that some particular shop somewhere is behind a nat, why wouldn't you then white-list that address anyway? e.g. using fail2ban is a good way to let one noob at (remote office) lock out everyone at (remote office). Just because it _hasn't_ happened to you yet doesn't mean that you are ready for the case when it does.
That's a real wizzer of a solution there bob...
If you don't already have white-lists (and preferably VPNs) between known good sites you are just a denial-of-service or "I can't remember my password with this hangover" event away from the theoretical firing anyway.
Again, if you don't know how to apply your tools then all solutions that you don't already think are super-duper will seem suspect. Since you don't seem to know the weaknesses of your current solution, and you improperly apply your "wisdom" as analysis of _my_ solution, you are proved doubly wrong.
Cookbook fail to you, good sir...
(P.S. I know, and point out, that the good and bad attempts are counted in the limit. There are reasons. That those reasons don't apply to your case doesn't make _me_ wrong, it makes _you_ short-sighted for assuming that what doesn't work for your case can't possibly be correct for anyone. 8-)
While I do use this at home, I also use it on a number of forward facing servers for business purposes (usually with different thresholds and numbers). I spend very little time at "my desk" so the ability to know that I will always have a computer with a pre-shared key available is quite limited. If I am, say, at a hangar at an airfield and I get an emergency call to check on a host, I can ssh to my own (unprivileged) account and elevate my privileges thereafter. So I, and my very few alternates, can respond from anywhere with no chance of leaking meaningful key material as one might if they tried to match up known/authorized keys (and USB sticks are verboten in many of the places I find myself).
In that usage pattern, if I ended up having to ssh in more than five times in a single hour then things are really not right. (and if I knew that sort of thing was going to happen I _could_ always tweak the rule, but I more often use the multi-session ControlPath etc options to side-step the 5-per-hour limit if larger maintenance comes to the front).
That is, I limit the connections pass-or-fail, because it matches the expected (sparse) use pattern and so also limits the ability of a compromised machine I might use as a source box from spanning into the target machine. For instance I can use a source host and then invalidate it by making a couple extra connections so if, say, I have to use an internet cafe (it's never happened, but it might) or hotel computer or whatever, I can keep a clever follower-on from using a key-logger or whatever, from just using the link agian. [granted he could use the information from a different computer etc and I have other means for dealing with that sort of thing (locking the access account after use until I can get somewhere secure and change the password; single-use passwords on some systems, etc), but in terms of a quick access and then block, this works well.]
Different access models require different tools. Being able to ssh in from just about anywhere has come up as useful. Having several useful ways of closing that door, or having it slammed shut perforce, after the valid use are also important levels in any paradigm.
Also, if you reuse the named recent table (e.g. "bad_actors" in this example) [or indeed a whole chain if it's not SSH specific if you replace "ACCEPT" with "RETURN"] in different rules you can easily catch a machine on its very first port-scan or on a single attempt to reach a service you know you don't offer (like SMB service) and drop it into the named table. This lets the co-variants of the one rule "gang up" on the bad actor from different parts of your rule set without invoking expensive external processes. For instance if you also --set an IP address as a bad_actor for sending you a SYN/FIN or a broadcast ping then that one host doesn't get to double or triple dip your security.
I would expect to be called on shortcomings... But that didn't happen... Someone who didn't bother to understand the code mis-applied it to his situation and then called that misapplication for being flawed.
See, I responded in a conversational chain about "brute forcing a key" with a basic structure on how to blacklist a brute force attempt source. (and in two other places I did paste the same code since Slashdot doesn't let you easily fold sub-topics, but in each case the conversation was slightly different.)
Now at no time did I say "this will solve all your problems or address all your issues". For example one of the "short-comings" was about logging and the other involved use _inside_ a VPN where connection rates would be intentionally much higher. Neither is a real short-coming as people with even trivial knowledge of program flow and iptables in general would know how to deal with both situations. Things like picking the network interfaces to apply the rules to, and fully understanding that where rules are not desired, they should not be applied. (it's kind of no-duh that way, life). [In fact, if you look at the command I use "ext+" (instead of the default "eth+" et al.) as the interface, which is completely non-standard to deter "cut and paste" application and encourage thought about how the model might be used.
Logging is another issue wholly. Most people collect _way_ more logs than they should and then end up losing their important information in a flood of data. [ASIDE: this is why Gestaltism failed and the Scientific Method came to prominence.] It _shouldn't_ take much brain at all to figure out the various ways that logging would dress onto the skeleton above. On systems with high logging standards I usually replace most-or-all "ACCEPT" rules with a jump to an accept chain that contains uniform "success" logging (e.g. see LOG target --log-prefix element). I like to put failure logging at "the point of failure detection", and only one fail notice, so that I don't have to fish through repeats. Then I let tools (like the way the "recent" match stores the date/time of encounters) do their jobs rather than spending a lot of CPU to re-chew raw logs for no flipping reason at all. [Mil-spec sites will, clearly, have other requirements, which are solved by other means.]
As for the Condescension. That too is a useful tool, applied quite carefully in this case, that makes people think and re-read instead of reflex flame. Now you have jumped valiantly to the defense of some clod, and I decry you for that, because you have amplified his mistake with your opprobrium. This makes you more wrong than him. You have stepped in as arbiter of form with disregard to content. You are pure noise with no signal whatsoever. your single data point is my *horror* repetition of the code in other contexts. You got me. I am willing to put the same idea in front of more than one subset of a conversation. How this must wound the internet, and confuse it beyond its ability to cope. The internet has never seen repetition so foul as I have done here.... oh wait....
I do indeed condescend, to him, and to you. His histrionic, left-handed, and unsupported assertion (q.v. "I would be fired if...") set the tone for what followed and I was willing in whole to treat with him on his terms. Your yappy-dog, I want to seem important too, infantile insertion was not even up to the low bar we were dancing above. Oh good show to you find tagger-along. You have wounded me to the quick with your amazing and subtle support of his shortsightedness. Bravo!
If you don't understand why littering a design pattern/example with noise is just plain bad instruction, perhaps you should retire from the field and take up something that better suits your cook-book-only, can't be bothered to think, self-limiting mentality.
yea, right... so what were those shortcommings again? that one guy didn't like the filter for his monitoring purposes... I fee so wrong for posting now... my shame is endless... whatever shall I do...
Oh yea... remember that if chump don't want the help, chump can ignore the help.
not if one adds logs to ones blocks, which is a different issue entirely.
Again "starting point".. contemplate it. Add "branching" and "core logical structure" and "basic computer programming" to the list of ideas you should work on and the do some reading up boy.
When you particluarly consider that I was addressing a "better way" to do the throttling (e.g. reducing from "4 attempts an hour" to "five attemtps in an hour causes indefinite block") all your plaintive whines are basically immature and off-topic blather.
Just admit that your "but what about (whatever)" statements reveal that you don't particularly know how to generalize yoru knowledge, the buckle down and do some study.
uh... I did... lets look at the command "iptables"... the word is right there... "table"... it's like the third through seventh letters... this is not that tough...
Perhaps the word "sub" confused you with sandwitch making issues?
See, the technique is to add a "--new -chain", which is correct to use synonymously as "table" given the history of the command (e.g. most people don't really try to get all "a chain isn't a table" particularly since I delinated a range in the table that happens to be in just the one chain therein so both words apply equally).
There is this mathematical discipline called "set theory" and a range within a table is itself a table, just as a subset is a set. So the range of the table that lies between the ACCEPT and the subsequent DROP is an ordered space where other directives can be added. If one wanted to log dropped connect attempts one could add "iptables --jump LOG" with no other conditionals or redundant tests right after the ACCEPT directive.
Perhaps you should learn to read before you get all corrective at people.
Maybe I am too old-school referring to a chain as a sub table, but that's where decades of experience tends to become a weight. Us old folks don't bother with distinctions that make no difference. I know that means the ball bounces a litte too fast for the self-obsessed to follow, but what is one to do in these circumstances.
Even more so, if one wanted to log _successful_ connections one could replace the word "ACCEPT" with the word "RETURN" and then place logs or whatnot after the --jump into ssh_throttle itself.
It's called "branching" and we use it in computer sicence all the time to remove things like redundant testing.
The entire table is available for adding logging and whatnot. The (empty) range from the ACCEPT line to the final DROP in the sub table can also be decorated with logging or whatever else you might want to do with the failed packet, and then you only get one log entry per event instead of attempt. That logging or whatever was not germane to the example mechanic.
Slashdot Mirror
If it was a Mexican _partner_ you'd be right. If it's a Mexican _subsidiary_ you are wrong.
A "subsidiary" is an owned asset. If you own an asset and it was in Brunei and you are here before the court, the court can order you to surrender that asset because you onw it and you are subject to the law where you are.
I don't have to subpoena you in Brunei if I've got you here.
Your only defense is if Mexican law makes it _illegal_ for you to move or copy the asset. In that case you'd have the "the court cannot require me to break the law" defense, which is not the same as the "it's far away" defense Microsoft is attempting.
For instance, lets say Fidelity (a french company) was required, in French court, to produce my financial records for the purpose of auditing Fidelity for alleged misconduct. And let's say Fidelity didn't want to do so. They could resist the production order under various U.S. laws such as HIPPA if my records incidentally contained medical information.
Likewise, if the E.U. privacy regulations covered some or all of these documents then Microsoft _could_ _have_ argued _that_ against the production order. Same for things like Attourney Client Privilege and any number of other things. I work for a company in the U.S. that is a wholly owned subsidiary of a brittish company. But the brittish crown and court cannot successfully supponea any of our non finincial documents because we do defense work and so U.S. law would prevent the export of that material. But the money stuff is fair game.
So too for paper documents. The "that would be illegal" defense cuts very fine. If the documents were in Afghanistan, and printed on pure marijuana leaf, then you could argue against shipping the original documents here because marijuana is illegal here. But the court could then require you to photocopy or fax the documents here on a more legal paper.
Now people have been talking "warrant" vs "subpoena" and I don't actually know for sure which thing is happening. A demand for surrender (subpoena) is different than a warrant to enter and search. This sounds like a subpoena not a warrant, as a warrant woudln't be served to Microsoft here, it would be processed by the foreign government and would be served _there_ by local law enforcement.
Given all that, "the old paper courts" are no different than the current paper courts. The "on a computer" bit is immaterial.
If Microsoft controls the documents personally, or through an agent, and a "subsidiary" is a kind of agent with lots of legal precident, the documents are fair game unless an actual law in the other jurisdiction says they are not. Paper or not.
The question is one of control not format of storage.
If I used a Saudi document escrow or storage service to store my documents, and they stored them in Botswana, there would be at least three jursidictions with the ability to subpoena those documents. Botswana, Saudi Arabia, and Wherever I live (so State of Washington, and U.S.A. federal jurisdictions).
It was _my_ choice to involve the Saudis and they were acting as my agent when they involved Botswana.
Sucks to be me if my documents are not actionable here but against the law there. I got those places involved in my business by doing business with them. That's the nature of actual, personal responsibility.
Really read this sentence: "In essence, President Barack Obama's administration claims that any company with operations in the United States must comply with valid warrants for data, even if the content is stored overseas."
This is a core tenant of law. It is the same legal principle that says the U.S. can prevent and punish a U.S. company from shipping heroin and sex slaves from Afghanistan to Brunei because they _are_ a U.S. company. It's also the same reason that a Brunei court can go after the same company.
If I go to mexico I am bound by Mexican _and_ U.S. Law. You can substitute any countries for any countries in this scenario.
This is also why I am mostly untouchable in Utah and Montana since I've never been in Utah, and I drove through Montana once. But that could change if I started a partnership with someone who lived in Utah. That relationship between them and I could bring many of my details under the jurisdiction of the Utah court.
You step in a river, you get water on you. You splash around in business in a particular country, the law of that country will stick.
Microsoft does business here. The dispute is a dispute here. That Microsoft stores the relevant material there, by accident of fate or by purpose of design, doesn't insulate that material from this court.
Where is the dispute, who created the material, and where are they, and where were they when they made the material. These are not very advanced questions.
It's more or less the same reason that a U.S. court can prosecute a U.S. citizen for "sex toruism" if they do the under-aged nasty in a land where that's supposedly okay, because they did it under the tacit protection of the U.S. because they could call their council and embassy via their citizenship and passport etc.
It's very, very hard to wash off a jurisdiction. One of the reasons the Swiss were so useful for so long is that they just wouldn't say what they were holding. Other jurisdictions could hold you responsible for what they could prove you "must have", but they couldn't ever get the swiss to _be_ that proof because they would simply remain silent.
There is no dispute that Microsoft has these documents. There is no dispute that Microsoft is a U.S. company. There is no dispute that the dispute is taking place in the U.S. So Microsoft's claim is _almost_ pro forma. They don't _want_ to cough up the stuff, but they likely have no belief that this defense will work.
Part of what Microsoft sells here is "if they mess with your bull they'll get _our_ horns, so trust us with your stuff". The very fact of the defense, despite its absurdity, is a feather in their cap.
But eventually the documents will be produced.
Microsoft is trying the "you can't hold me responsible for yesterday's shooting because the gun is in my other pants" defense.
The law has _always_ held that if you are before the court, everything relevant to the case is before the court.
If this were not the case then the Tobacco and Asbestos companies could have just said "all those meeting minutes and research records are stored in our warehouse in mexico so ha ha, you all lose." Any company or person, on any issue, could just mail the evidence out of state or out of country and get off scott free.
That just never happened.
Just because the evidence is "on a computer" instead of "printed on paper" doesn't make the "other pants" defense viable.
The court is not reaching across a border. Microsoft is _here_. Microsoft does business _here_. The complaint is _here_, and the court is _here_. The proper legal response to "the other pants" gambit is to tell the guy in his shorts to send someone to go get whatever it is from those pants and bring it back.
Criminals don't just "move" their assets to other countries, they "hide" them because if it can be found it's on the table.
Every court. Every country. Every topic. From the beginning of time.
This is no different.
This isn't a case of the U.S. reaching across a border. Microsoft is _here_. Microsoft is doing business _here_. The court _here_ is ordering microsoft _here_ do produce documents _here_. Microsoft's claims that the docuements are "in their other pants" (e.g. on a server in Ireland) is immaterial because microsoft is _here_ and _microsoft_ owns those documents.
Now _if_ this were a case where a U.S. Court was ordering a company that was not _here_, say an Irish company that was _there_ in Ierland called Irish Pizza Delivery Co. to cough up emails even though they don't do any business here... that would be a huge over-step. That over-step is because they are _there_, or more correctly _not_ _here_, and the court is _here_.
This is _exactly_ the same reason that the U.S. Tobacco companies and Asbestos companies could not dodge legal responsibility by just shipping their money and internal paperwork to south america as soon as people started coughing.
I know that when I am being data mined I am very likely to pick the funny or ironic answer to any poll. The less intelligent the dumbest option is, the more likely I am to select it. My data is valuable and if you aren't gong to pay a fair price, and you intend to use it to subvert my happiness, I am not likely to go quietly to the slaugter.
I remember some movie where a guy lands in a Gulag and is being forced to make mitten liners. He learns from one of the other guys to sew them shut across the fingers and then hide the sabatoged ones by slipping them into the "already inspected" pile. It is sabatoge and it's faster than making the proper stitch so it's easier to meet the quota.
Lots of people maliciously answer polls and such, or so I suspect, which is why they are such a terrible instrument of governance and polity.
And P.S. if you don't limit people to thinking about tech, well there are _many_ blue species of sting and mant rays, so contextually they might have a point on answering some of those questions. Its that whole ability to read past typos that humans are so gifted with.
So conclusion? Polls suck, they suck slightly more than the pollsters conducting them, um-kay?
The sad truth is that HTML is just an accessory fruit for delivering other seeds of ideas, good and bad. Most of those ideas are capable of hosting infections, particularly DRM, computer viruses, and the kind of porn you wish you could unsee.
The linux kernel is full of gotos. Assembly is bereft blocks and that sort of structure. So "goto" isn't the source of all evil.
Consier this example of the linux goto paradigm below. When taking locks and establsihing component preconditions you can write an optimal routine that does the stepwise creation, and includes the non-conditional cleanup. Then skipping the cleanup if all the parts succede. The example below is trivial, but when it comes to preserving locking orders it solves a hard problem very simply. And if you check out the generated code its very efficent. More so if you hint the compiler that the success case is most likely for each conditional.
So take the simple example and imagine you are building something complex like a network request with data and metadata buffers and the actual request structure itself et al... as the number of parts grow the number of bizarre else conditions you have to use to do stepwise cleanup become bothersome repetitions of code. Its even worse if it's part1 _or_ part2 along with part3 etc. Complexity and repetition of phrases in the elses is plenty of reason to use goto.
complex_thing * hard_thing() {
complex_thing * retval = 0;
thing_pt1 * pt1 = 0;
thing_pt2 * pt2 = 0;
if (pt1 = generate_first()) {
if (pt2 = generate_last(pt1)) {
if (retval = generate_final(pt1,pt2)) {
goto success;
}
}
}
if (pt2) cleanup_last(pt2);
if (pt1) cleanup_first(pt1);
success:
return retval;
}
Simply put, there are times when a well-placed goto with a clear purpose and precondition can simplify code and accelerate execution.
Do I use a lot of gotos? no. Probably six C/C++ gotos in the last fifteen years. But when they are the correct tool to use, they can be magical.
Since all machine code is potentially brittle, the argument for using "safety aware languages" is itself brittle. For instance, Ada is safe because it doesn't allow deallocation unless you use ada.unchecked_deallocation(), or in the alternate, build nothing on the heap, or just hope that the Ada implementation has garbage collection, or..., or... etc.
_Someone_ has to do the work to protect whatever the brittleness is at issue.
For years I have used "struct Buffer { char * start, char * end};" instead of just char * string. (thing.end-thing.begin) is faster than strlen() and the constraints are always present. I've got a library full of simple bits that make this work (a wrapper around write(2) and read(2) for example).
Bad code can be written in any language. Java is safe? Well kind of, until you start making circles of referencds and losing them. sounds harmless unles there is a task and open socket in that circular reference and you've left a link back to some structure so that the socket is now able to access some nonsense.
The best tools in the worst hands are far worse than the worst tools in the best hands. Yelling for tools is a specious argument. Someone has to do the work, and that someone may well bone the job.
Snowden:
(v) Adding a bit of code, hardware, or operation you know you shoudln't because an authority requires you do so.
"Hey honey, I'll be late for dinner, I have to snowden the latest release of firefox."
(n) the sneaky bit of intrusive technology
"Hey what's this bit?" "Shhh, that's the snowden."
I know he was the wistleblower, but we should enshrine his deed and the knowledge that this is happening using his name in memoriam.
ASIDE: Your point is mute [look up "moot" before attempting correction. 8-) ]. Enough is enough, and any less is not enough. That's the definition of enough.
Consider: "If you eat enough pudding you'll die"... the only test case is to keep eating pudding till you die. If you stop before you die you didn't eat enough. 8-)
Now the point that all eyeballs are not equal is fine and obvious. It only takes one metaphorical eyeball, connected to the correct brain, to find a bug. So one is enough if the rest of the configuration is suitable, and an infinite number are not enough if they lack the context.
The real difference between FOSS and others is not the quality of the eyeballs but the opportunity for the correctly quipped eyeball to fall on the relevant bit. In closed source applications the right post-eyeball configuration would have to first be part of the set of allowed eyeballs, and it would likely have to be actively paid to look for the bug directly or indirectly since the limited herd of eyeballs all have their assignments.
Pretending that the better solution (FOSS IMHO) is unworkable because it's demonstrably imperfect ignores the fact that the far less functional (NON FOSS IMHO) has a demonstrably worse track record. That comparason and derision is just "false dichotomy" and kind of an example of, perhaps, why you aren't the set of eyeballs in charge.
In non-FOSS circumstances virtually all eyeballs lack the context to find and fix problems because they lack access to the source.
So your argument fails because it implicitly argues against exposure, or argues that exposure isn't enough if the right people aren't looking. The failure isn't one of fact but of position. You offer no counter proposal. You are pissing on the model that exists but offering no alternative. In short you are engaged in venting of some sort but you are apparently not one of the set of eyeballs ready to offer solutions.
Actually the "Prutian Sepratists" were kicked out of europe for advocating regicide (trying to get someone to kill the king). They were granted title to what is now Verginia but decided to stay where they made landfall instead (not very good sailors). And they didn't come for freedom of religion, they wanted to set up their very own Jonestown (Guyana). It's right there in their name "puritan sepratists".
We don't necessarily have a thing for fear. We have a thing for authoritarianism.
So dear Europe, the next time you decided to export all your religious wacos, don't sent them all to the same place... it weakens the gene-pool.
There just happens to be a high correlation between fear and republicanism, so they run on the more police, more prisons, and to do so the conservative media bias is deliberately miss-sold as a liberal one. It's a self-perpetuating cycle.
On top of that, criminals all want to be cops, but only the petty criminals can make it though the background check. The cirminals want a taste of the power that previously held them down. So you end up with a lot of well armed, otherwise petty criminals ganged up in one profession exercising their egos.
Seriously, just ask your client base not to copy the mag, and maybe even do "pay what you want". It worked really well for The Humble Bundle.
If the product is good and you treat your customer base well, they will pay. IF you don't they wont.
The people who are going to copy it are not the people you want to care about as customers. Count them for ad revenue (like any other advertisement model, the reader is the product as far as the advertisers are concerned so copying is good from that angle.
You just need to find the sweet spot between universally free distribution (for high advert return) and enough direct sales for it's own sake.
And don't be a dick.
You know, when people talk about who was warned about what, they completely forget the sharpshooter falacy. Warn everyone about everyone, then when some one does some one thing you can say "you were warned" because, in the huge pile of everything-squared you can find that nedle in the nedle-stack.
Now all the people who pointed at the nedle demand a bigger nedle-stack full of smaller and smaller nedles.
More signal. But more noise. And more noise per each increment in signal.
And more blame to go around.
There was a song, it has a point. "You have to hold-on loosly but don't let go". There was a movie, and it has a point "the more you tighten your grip the more systems will slip through your fingers." It's like there are all these old aphorisms and they came about for having truth within them. The truth of moderation.
More isn't better, it likely never was.
No you wouldn't want to jump from a plane with a solid gold parachute (it'd be too heavy). Golden is a different beast alltogether. A golden parachute could be made out of $20m of rarest silk with all the d-rings made from chocolate diamonds and a harness embroydered with hundreds of untraceable swiss bank account numbers.
In one of the Books of the Malazans series there was a town where, should you default on an obligation the holder of that obligation could decide to to make you swim across the local harbor with bearing the amount of your default strapped to your body in gold. It cost the owed party twice the amount (e.g. his cash out of pocket and the money he'd never get from you) but people were very unlikely to default on obligations. Plus the creditor coudl often make his money back on the side bets for how long it took you to drown... Now _that_ woudl be a system for exiting CEOs.
This "represetation of the artists" will be the DRM and studios... I get your point about the public domain, but who is going to represent the _actual_ artists and other creatives?
Stupider than that... grandparent says "GOP aka Republicans"... so not only does he not know what the GOP is, he was unable to read the whole post.
since fail2ban would ban the entire NAT(ed) other office if one actor there were to fail-out from a host in that office, it suffers from the same "short coming" as my script in general, and if you know that some particular shop somewhere is behind a nat, why wouldn't you then white-list that address anyway? e.g. using fail2ban is a good way to let one noob at (remote office) lock out everyone at (remote office). Just because it _hasn't_ happened to you yet doesn't mean that you are ready for the case when it does.
That's a real wizzer of a solution there bob...
If you don't already have white-lists (and preferably VPNs) between known good sites you are just a denial-of-service or "I can't remember my password with this hangover" event away from the theoretical firing anyway.
Again, if you don't know how to apply your tools then all solutions that you don't already think are super-duper will seem suspect. Since you don't seem to know the weaknesses of your current solution, and you improperly apply your "wisdom" as analysis of _my_ solution, you are proved doubly wrong.
Cookbook fail to you, good sir...
(P.S. I know, and point out, that the good and bad attempts are counted in the limit. There are reasons. That those reasons don't apply to your case doesn't make _me_ wrong, it makes _you_ short-sighted for assuming that what doesn't work for your case can't possibly be correct for anyone. 8-)
While I do use this at home, I also use it on a number of forward facing servers for business purposes (usually with different thresholds and numbers). I spend very little time at "my desk" so the ability to know that I will always have a computer with a pre-shared key available is quite limited. If I am, say, at a hangar at an airfield and I get an emergency call to check on a host, I can ssh to my own (unprivileged) account and elevate my privileges thereafter. So I, and my very few alternates, can respond from anywhere with no chance of leaking meaningful key material as one might if they tried to match up known/authorized keys (and USB sticks are verboten in many of the places I find myself).
In that usage pattern, if I ended up having to ssh in more than five times in a single hour then things are really not right. (and if I knew that sort of thing was going to happen I _could_ always tweak the rule, but I more often use the multi-session ControlPath etc options to side-step the 5-per-hour limit if larger maintenance comes to the front).
That is, I limit the connections pass-or-fail, because it matches the expected (sparse) use pattern and so also limits the ability of a compromised machine I might use as a source box from spanning into the target machine. For instance I can use a source host and then invalidate it by making a couple extra connections so if, say, I have to use an internet cafe (it's never happened, but it might) or hotel computer or whatever, I can keep a clever follower-on from using a key-logger or whatever, from just using the link agian. [granted he could use the information from a different computer etc and I have other means for dealing with that sort of thing (locking the access account after use until I can get somewhere secure and change the password; single-use passwords on some systems, etc), but in terms of a quick access and then block, this works well.]
Different access models require different tools. Being able to ssh in from just about anywhere has come up as useful. Having several useful ways of closing that door, or having it slammed shut perforce, after the valid use are also important levels in any paradigm.
Also, if you reuse the named recent table (e.g. "bad_actors" in this example) [or indeed a whole chain if it's not SSH specific if you replace "ACCEPT" with "RETURN"] in different rules you can easily catch a machine on its very first port-scan or on a single attempt to reach a service you know you don't offer (like SMB service) and drop it into the named table. This lets the co-variants of the one rule "gang up" on the bad actor from different parts of your rule set without invoking expensive external processes. For instance if you also --set an IP address as a bad_actor for sending you a SYN/FIN or a broadcast ping then that one host doesn't get to double or triple dip your security.
I would expect to be called on shortcomings... But that didn't happen... Someone who didn't bother to understand the code mis-applied it to his situation and then called that misapplication for being flawed.
See, I responded in a conversational chain about "brute forcing a key" with a basic structure on how to blacklist a brute force attempt source. (and in two other places I did paste the same code since Slashdot doesn't let you easily fold sub-topics, but in each case the conversation was slightly different.)
Now at no time did I say "this will solve all your problems or address all your issues". For example one of the "short-comings" was about logging and the other involved use _inside_ a VPN where connection rates would be intentionally much higher. Neither is a real short-coming as people with even trivial knowledge of program flow and iptables in general would know how to deal with both situations. Things like picking the network interfaces to apply the rules to, and fully understanding that where rules are not desired, they should not be applied. (it's kind of no-duh that way, life). [In fact, if you look at the command I use "ext+" (instead of the default "eth+" et al.) as the interface, which is completely non-standard to deter "cut and paste" application and encourage thought about how the model might be used.
Logging is another issue wholly. Most people collect _way_ more logs than they should and then end up losing their important information in a flood of data. [ASIDE: this is why Gestaltism failed and the Scientific Method came to prominence.] It _shouldn't_ take much brain at all to figure out the various ways that logging would dress onto the skeleton above. On systems with high logging standards I usually replace most-or-all "ACCEPT" rules with a jump to an accept chain that contains uniform "success" logging (e.g. see LOG target --log-prefix element). I like to put failure logging at "the point of failure detection", and only one fail notice, so that I don't have to fish through repeats. Then I let tools (like the way the "recent" match stores the date/time of encounters) do their jobs rather than spending a lot of CPU to re-chew raw logs for no flipping reason at all. [Mil-spec sites will, clearly, have other requirements, which are solved by other means.]
As for the Condescension. That too is a useful tool, applied quite carefully in this case, that makes people think and re-read instead of reflex flame. Now you have jumped valiantly to the defense of some clod, and I decry you for that, because you have amplified his mistake with your opprobrium. This makes you more wrong than him. You have stepped in as arbiter of form with disregard to content. You are pure noise with no signal whatsoever. your single data point is my *horror* repetition of the code in other contexts. You got me. I am willing to put the same idea in front of more than one subset of a conversation. How this must wound the internet, and confuse it beyond its ability to cope. The internet has never seen repetition so foul as I have done here.... oh wait....
I do indeed condescend, to him, and to you. His histrionic, left-handed, and unsupported assertion (q.v. "I would be fired if...") set the tone for what followed and I was willing in whole to treat with him on his terms. Your yappy-dog, I want to seem important too, infantile insertion was not even up to the low bar we were dancing above. Oh good show to you find tagger-along. You have wounded me to the quick with your amazing and subtle support of his shortsightedness. Bravo!
If you don't understand why littering a design pattern/example with noise is just plain bad instruction, perhaps you should retire from the field and take up something that better suits your cook-book-only, can't be bothered to think, self-limiting mentality.
yea, right... so what were those shortcommings again? that one guy didn't like the filter for his monitoring purposes... I fee so wrong for posting now... my shame is endless... whatever shall I do...
Oh yea... remember that if chump don't want the help, chump can ignore the help.
not if one adds logs to ones blocks, which is a different issue entirely.
Again "starting point".. contemplate it. Add "branching" and "core logical structure" and "basic computer programming" to the list of ideas you should work on and the do some reading up boy.
When you particluarly consider that I was addressing a "better way" to do the throttling (e.g. reducing from "4 attempts an hour" to "five attemtps in an hour causes indefinite block") all your plaintive whines are basically immature and off-topic blather.
Just admit that your "but what about (whatever)" statements reveal that you don't particularly know how to generalize yoru knowledge, the buckle down and do some study.
uh... I did... lets look at the command "iptables"... the word is right there... "table"... it's like the third through seventh letters... this is not that tough...
Perhaps the word "sub" confused you with sandwitch making issues?
See, the technique is to add a "--new -chain", which is correct to use synonymously as "table" given the history of the command (e.g. most people don't really try to get all "a chain isn't a table" particularly since I delinated a range in the table that happens to be in just the one chain therein so both words apply equally).
There is this mathematical discipline called "set theory" and a range within a table is itself a table, just as a subset is a set. So the range of the table that lies between the ACCEPT and the subsequent DROP is an ordered space where other directives can be added. If one wanted to log dropped connect attempts one could add "iptables --jump LOG" with no other conditionals or redundant tests right after the ACCEPT directive.
Perhaps you should learn to read before you get all corrective at people.
Maybe I am too old-school referring to a chain as a sub table, but that's where decades of experience tends to become a weight. Us old folks don't bother with distinctions that make no difference. I know that means the ball bounces a litte too fast for the self-obsessed to follow, but what is one to do in these circumstances.
Even more so, if one wanted to log _successful_ connections one could replace the word "ACCEPT" with the word "RETURN" and then place logs or whatnot after the --jump into ssh_throttle itself.
It's called "branching" and we use it in computer sicence all the time to remove things like redundant testing.
one size does not fit all. If you don't know how to ajust filters, or how to spot when a solution is not for you, just come out and say so.
You look foolish when you bleat that what someone offers doesn't work for your specific case and so decry it as unilaterally unsound.
Grow up.
The entire table is available for adding logging and whatnot. The (empty) range from the ACCEPT line to the final DROP in the sub table can also be decorated with logging or whatever else you might want to do with the failed packet, and then you only get one log entry per event instead of attempt. That logging or whatever was not germane to the example mechanic.
I do. Instead of parsing a long log I just "cat /proc/net/xt_recent/bad_actors" instead of parsing the hell out of a log file looking for nuggets.
The hard was isn't always the best way.