> If it is that vague, what is the difference > between forcing the people running the software > to admit there was a break-in and forcing those > who created the software from admitting there > was a breach in their product?
None. Neither would do a damn thing but complicate the lives of those required to comply. That's why I oppose such laws.
> That just seems inherently unfair unless the > blame does turn out to be theirs.
The blame _is_ theirs. They selected the software, they put up the site, they administered it, and they put the confidential data on it. They may have a claim against their software supplier if he misled them, but that does not lessen their liability for their own actions.
> The article doesn't mention anything about the > secondary emission characteristics of this > fabric.
Because it has essentially none. Heavy high-energy particles such as cosmic rays will zip right through it as if it wasn't there.
> They've tried a new type of radiation shielding > on the ISS made of polyethylene that is supposed > to block without creating secondaries,...
It isn't new and it isn't supposed to block without creating secondaries: it is supposed to block secondaries. Better to get rid of the metal that is creating them in the first place.
>...and I see that's part of this fabric.
Yup. They'll sell lots of their expensive plastic bags.
> However, if this does pan out, it will probably > help with the radiation issues they are currently > having aboard the ISS.
I doubt it. Those problems are due to high-energy particles striking the alumimum hull and producing cascades of high-energy photons. The best solution would be to replace the aluminum with plastic.
I don't understand why they didn't see this coming.
> Also, the article doesn't mention the contingency > where a break-in occurs because of a > software/hardware issue for which there is no > released technical solution (i.e. anyone else who > has software X would be susceptible to the same > type of break-in). This is not good."
If "software X" (e.g., IIS) is broken quit using it. If you can't figure out any way to secure your system short of taking down your server, tough shit. "We can't figure out any other way to do it" is no excuse for compromising your customer's confidential information.
> NOW they're going to make it illegal to not > notify the public. Is telling the world about a > security breach irresponsible or isn't it?
But they are not required to reveal any details. The typical "disclosure" will appear in the legal notices section of a newspaper of record or some such thing and will look like this:
"There was a break-in at Amazon some time in the
last two weeks. Some customer data may have
been compromised."
The problem is with public disclosure rather than notification of those affected. If I have five customers for my consulting service (a sole proprietorship) and a break-in exposes the confidential data of one of them why do I have to tell the world?
We know that we have no way to know if you are correct. When politics is involved it is always best to assume the worst. That's why we have poll watchers inspecting the voting process. Why shouldn't they be able to inspect the software?
> I have not seen an example of a contract or > agreement that is not purposely ambiguous.
You've not seen many contracts, then. Most lawyers strive to eliminate ambiguity.
Any lawyer who puts ambiguity in a contract of adhesion (which these things are) is a fool. The courts will always interpret such ambiguities in the consumer's favor.
> Then why isn't there much enthusiasm for P3P > support in browsers?"
When I care about a site's privacy policy (and sometimes I do) I read it myself. I'm not about to trust my browser to tell me it's ok. When I don't care, I don't care. What good is P3P to me?
> "I'd trust Alice with a loaded gun pointed at me > after she's had 8 drinks and I rear-ended her new > car."
Amusing, but I think it is important to emphasize that it's about whether this person is the rightful possessor of the passphrase for that private key, not whether she is a saint or an axe-murderer.
> What you could possibly have are Authencators at > the event, when people enter the event there ID > and methods of validation can be checked.
This is a very, _very_ bad idea. You should never _ever_ sign the key of someone you have not personally authenticated. What you are suggesting is equivalent to telling me that I should sign Wichert's key because I authenticated Scott and signed his key and he authenticated Wichert and signed his key.
Divide your group of 300 into subgroups of such a size that all members of each subgroup can authenticate all the other members of that group in the time available. Then pick one representative from each subgroup and have these meet and authenticate each other. Now you have a complete web of trust for your group with no chain longer than three links.
> Are the authencators trusted?
Not as substitutes for personal authentication.
> What happens to people without valid id?
If they cannot satisfactorily identify themselves they do not get their keys signed.
> If some piece of your code enables a performance > increase that is essentially independent of the > hardware, you need to keep that code away from > your competitors for as long as you can.
If it is independent of the hardware it need not be in the driver and therefor the GPL question does not apply to it.
> How critical is Panama, anyway; and how easy is > it to route around Panama?
There's lots of dark fiber across North America. I should think that a few threats from organizations such as AT&T and WorldCom to take their business elsewhere (including voice) would cause them to back down.
> Please... there are 60,000 people left working > for WorldCom. All normal people with families, > homes and lives they don't want turned upside > down.
Disbanding a conglomerate means selling off the divisions, not firing all the employees and auction ing the assets. No one needs to lose a job (except the executives).
> It's not fair to say that they are making > software a 'non-asset' as it was never your asset > to begin with. You had only the licence to the > software, not the software itself.
It's not the basic experiment that is trivial. It's the "over the Internet" part. The story would have gotten no coverage had the experimenters been in adjacent rooms.
...Why is it that "scientists have done x over the Internet" is automatically newsworthy? The same demonstration performed over a cable between two adjacent rooms would not have been significantly easier. Stuffing arbitrary data into TCP packets is just not that hard.
> If it is that vague, what is the difference
> between forcing the people running the software
> to admit there was a break-in and forcing those
> who created the software from admitting there
> was a breach in their product?
None. Neither would do a damn thing but complicate the lives of those required to comply. That's why I oppose such laws.
> That just seems inherently unfair unless the
> blame does turn out to be theirs.
The blame _is_ theirs. They selected the software, they put up the site, they administered it, and they put the confidential data on it. They may have a claim against their software supplier if he misled them, but that does not lessen their liability for their own actions.
> The article doesn't mention anything about the
...and I see that's part of this fabric.
> secondary emission characteristics of this
> fabric.
Because it has essentially none. Heavy high-energy particles such as cosmic rays will zip right through it as if it wasn't there.
> They've tried a new type of radiation shielding
> on the ISS made of polyethylene that is supposed
> to block without creating secondaries,...
It isn't new and it isn't supposed to block without creating secondaries: it is supposed to block secondaries. Better to get rid of the metal that is creating them in the first place.
>
Yup. They'll sell lots of their expensive plastic bags.
> Strength, high density of electrons, flexibility
> (similar to tire rubber), and wearable?
Just like a plastic bag. And just as effective.
> However, if this does pan out, it will probably
> help with the radiation issues they are currently
> having aboard the ISS.
I doubt it. Those problems are due to high-energy particles striking the alumimum hull and producing cascades of high-energy photons. The best solution would be to replace the aluminum with plastic.
I don't understand why they didn't see this coming.
> Also, the article doesn't mention the contingency
> where a break-in occurs because of a
> software/hardware issue for which there is no
> released technical solution (i.e. anyone else who
> has software X would be susceptible to the same
> type of break-in). This is not good."
If "software X" (e.g., IIS) is broken quit using it. If you can't figure out any way to secure your system short of taking down your server, tough shit. "We can't figure out any other way to do it" is no excuse for compromising your customer's confidential information.
> NOW they're going to make it illegal to not
> notify the public. Is telling the world about a
> security breach irresponsible or isn't it?
But they are not required to reveal any details. The typical "disclosure" will appear in the legal notices section of a newspaper of record or some such thing and will look like this:
"There was a break-in at Amazon some time in the
last two weeks. Some customer data may have
been compromised."
> I don't see the problem with this.
The problem is with public disclosure rather than notification of those affected. If I have five customers for my consulting service (a sole proprietorship) and a break-in exposes the confidential data of one of them why do I have to tell the world?
> Does RH scour the source code they distribute?
I review the source code of my Debian packages.
> Well, that's why you have peer review, software
...but there's no guaruntee of the competance of
> test engineers (that test for security, not just
> breaking bugs).
How do you know that your closed source vendor has that? Do you take the salesman's word?
>
> those eyes.
No, but the large number makes it likely that at least one set will be competent. Where's the guarantee with closed source?
> Do you know something that I don't?
We know that we have no way to know if you are correct. When politics is involved it is always best to assume the worst. That's why we have poll watchers inspecting the voting process. Why shouldn't they be able to inspect the software?
> I have not seen an example of a contract or
> agreement that is not purposely ambiguous.
You've not seen many contracts, then. Most lawyers strive to eliminate ambiguity.
Any lawyer who puts ambiguity in a contract of adhesion (which these things are) is a fool. The courts will always interpret such ambiguities in the consumer's favor.
> Then why isn't there much enthusiasm for P3P
> support in browsers?"
When I care about a site's privacy policy (and sometimes I do) I read it myself. I'm not about to trust my browser to tell me it's ok. When I don't care, I don't care. What good is P3P to me?
> "I'd trust Alice with a loaded gun pointed at me
> after she's had 8 drinks and I rear-ended her new
> car."
Amusing, but I think it is important to emphasize that it's about whether this person is the rightful possessor of the passphrase for that private key, not whether she is a saint or an axe-murderer.
> What you could possibly have are Authencators at
> the event, when people enter the event there ID
> and methods of validation can be checked.
This is a very, _very_ bad idea. You should never _ever_ sign the key of someone you have not personally authenticated. What you are suggesting is equivalent to telling me that I should sign Wichert's key because I authenticated Scott and signed his key and he authenticated Wichert and signed his key.
Divide your group of 300 into subgroups of such a size that all members of each subgroup can authenticate all the other members of that group in the time available. Then pick one representative from each subgroup and have these meet and authenticate each other. Now you have a complete web of trust for your group with no chain longer than three links.
> Are the authencators trusted?
Not as substitutes for personal authentication.
> What happens to people without valid id?
If they cannot satisfactorily identify themselves they do not get their keys signed.
> If some piece of your code enables a performance
> increase that is essentially independent of the
> hardware, you need to keep that code away from
> your competitors for as long as you can.
If it is independent of the hardware it need not be in the driver and therefor the GPL question does not apply to it.
> How critical is Panama, anyway; and how easy is
> it to route around Panama?
There's lots of dark fiber across North America.
I should think that a few threats from organizations such as AT&T and WorldCom to take their business elsewhere (including voice) would cause them to back down.
When I saw the headline I visualised _real_ pipeline mass transit: people being pumped through pipes.
You really should take a look at the Hurd.
> Please... there are 60,000 people left working
> for WorldCom. All normal people with families,
> homes and lives they don't want turned upside
> down.
Disbanding a conglomerate means selling off the divisions, not firing all the employees and auction ing the assets. No one needs to lose a job (except the executives).
> ...or something like webmin or linuxconf in HTTP
> mode. Either way, you're still running a GUI.
Not on the server.
> It's not fair to say that they are making
> software a 'non-asset' as it was never your asset
> to begin with. You had only the licence to the
> software, not the software itself.
A transferable license is an asset.
It's not the basic experiment that is trivial. It's the "over the Internet" part. The story would have gotten no coverage had the experimenters been in adjacent rooms.
Debian. See http://www.debian.org/ports/powerpc/ and http://penguinppc.org/ .
...Why is it that "scientists have done x over the Internet" is automatically newsworthy? The same demonstration performed over a cable between two adjacent rooms would not have been significantly easier. Stuffing arbitrary data into TCP packets is just not that hard.
Reuters "stole" nothing and infringed no intellectual property rights.