As this is, this is no more of a bold invasion of privacy than a "Present" during roll call.
When I was in high school, attendance was taken at the beginning of each class. Not every second of my being on or within range of school property. It's a subtle, but distinct difference.
Hmmm, let's see... someone publishes a review of a service I like that points out some very real flaws backed up with a good example of these flaws. How can I get back at him? I know! I'll call him a pompous jerk and make an irrelevant point about the accuracy of the encyclopedia he used to edit (without providing an actual example of its problems). That'll get him! (and get me modded up to boot!)
Of course you seemed to have missed the points he was trying to make to the folk like you.
To be fair - the author did plenty to garble his own message. He spent considerable time talking about past failed attempts to produce an online encyclopedia and the apparent popularity of an "educational" method called journaling. And just for effect, he peppered his criticism with plenty of small jabs and slights. Was there a good message to be gleaned from the article? Yes. A shame the author didn't dedicate more time to it instead of being a pompous jerk.
People don't use software because it's easier not to, thus it's more insecure. That doesn't jibe.
No, it jibes perfectly well. The point is that PGP requires additional effort that most simply will not take. And therefore, the insecure practice of clear-text email is by far the most commonly used system. And thus we have our inverse relationship - a system (email) that could be better secured (pgp) but generally isn't because of the impact of doing so.
If a user wants to encrypt their email, which is NOT REQUIRED, they easily can.
And if you get an encrypted piece of email, you MUST use the system involved to decrypt it. That requires additional effort that has nothing to do with getting a message from point A to B. If you choose not to use PGP to retrieve the message, you lose that message.
Take ssh as a counter example. You can't sniff the line (easily) because you are forced to use the security. User feels no impact.
SSH is a very good example. You're right - minimal impact. SSH does an excellent job. However, in every environment I've been in, telnet is still by far more common (although there is always a push to officially adopt SSH). Running SSH still requires accepting an impact compared to the less-secure alternative.
The inverse relationship between security and convenience applies to all areas of life, including computers.
Sure - there are certainly similarities between the two. This allows for common applications of some principles as well as limited analogies. But it is a mistake to apply all physical security precepts to information security.
For example, the environments of physical and information security are different. Physical security is limited by the laws of physics. And while advances in technology do slowly change the realm of "possible", these changes tend to be limited. Much of physical security is dealing with constants. Within information security, if you don't like the environment... change it. Sure, there are limiting factors to that change. But ultimately, if a specific protocol or system has major issues, one is certainly able to change to something more secure. In short, Infosec allows for a greater degree of change within the environment than what is afforded to physical security.
Depositions in the trial, by people who negotiated the contract between AT&T and SCO, seem to indicate that the Unix copyrights didn't change ownership. SCO just got right to copy, modify, and sell.
One interesting point from Novell was that SCO's role was to further expand on existing Unix business. They were to seek out additional licensees, license, and then pay a considerable amount of that license back to AT&T (now Novell). The cute bit was the "ahem - where's our cut of these license fees that you claim to be collecting?"
What didn't seem to get a lot of attention was the fact that this agreement did not involve existing business. In fact, existing clients were still AT&T's realm. Sun was one of those "old business" licensees. This further adds to the question of just what Sun was licensing and why.
Take pgp and email. There are TONS of plugins for various email clients to support signing and encrypting email.
A great example. Let's take PGP. It's been available for over a decade. It has been fully integrated (directly or via plugins or scripts) for years. Yet how much do you see it? And of those you do see using it, who are they? In my experience, it is a small subset of technically knowledgeable individuals or small groups that require encryption and have been told to use PGP. PGP is not used by the masses. Why?
Ultimately, clear-text email is easier. Using PGP requires considerably more effort than not. So the general masses, even those who understand the fallibility of clear-text email, tend not to use it unless there is a need to go to the added trouble.
This falls in line with our premise. Increased security impacts usability. That doesn't mean that we couldn't minimize that impact (and PGP's interface couldn't be improved, for example). But even with those considerations, the end user will still feel some kind of impact.
I don't think this is particularly true. In all walks of life, if something is more usable, then it tends to be more secure, if only because if it is easier to lock something then people are more likely to lock it.
Ever fumble with keys while trying to get groceries in through the front door? How about trying to get in your car during a rainstorm? Ever realize that you've forgotten or lost those keys? These are examples where increased security decreases usability.
That doesn't mean a secured system has to be a hard to use system. The goal of most security systems is to increase security with minimal impact to usability. Many modern locking systems take advantage of new technology to do this. We can mention proximity smartcards, keyless entry keyfobs, and biometric / PIN systems as methods to deal with the above examples (although none of them are as "easy" as an unlocked door).
It might be worth noting that in some extreme cases, decreasing ease-of-use is a key component of a security system. However, this mostly applies to physical security systems. And while physical security is the easiest source of analogies, it is ultimately a far different beast than information security.
You laugh now. Little do you know that SciFi is working on a new "underwater reality exploration show" to follow Scare Tactics. It may star John Edwards who will spend the first quarter of the show interviewing former residents so that the dive team can be more effective in artifact retrieval. Then comes the dive with plenty of fuzzy, badly lit footage. And then the dive team will spend the last quarter of each show arguing over whether a piece of corroded metal is nautical debris or the subframe for an Atlantean lasergun.
Care to point to a RedHat user that was sued? Keep in mind that the lawsuits between SCO and Autozone or Chrysler don't involve general complaints over IP found in Linux.
How about a lawsuit over IP found in Windows with one of Microsoft's customers?
Yes, because those last 10% is what gives you problems. If you just go to your local electronic store and buy a Wifi PC Card (both for the Radius servers at work and with WPA for the users home nets, and open or WEP or WPA encrypted customer/coffee shop nets), you buy a MP3 player where you want to do up/download music and use it as a portable storage device, you buy a label printer and a scanner for desktop use. Will it all "just work"? Nope.
When you bought your 10% piece of hardware, did you even bother to check what it will work with? Does it require some weird plug you've never heard of? Does it have drivers for your OS? If that OS is Linux, do they note Linux compatibility? And if not, why are you buying it?
I feel the pain. My household systems run either Linux or Win2K. In both cases, I've had hardware that didn't support my desired OS' (or took a bit of work to get more-or-less working).
Having said all that - even when hardware claims support for your OS, things aren't always set. Read hardware reviews. You'll find plenty of cases where a product's drivers have noted issues. And while that's not QUITE the issue here, it does further highlight the fact that a lot of this compatibility issue belongs to the hardware manufacturer / vendor.
Buy what supports your system, and supports it well.
It has to be easily installed even by Joe Sixpak, else your support costs will skyrocket. IMO, this is the largest stumbling block for Linux Desktops.
Your support costs are going to skyrocket the minute you start trying to support Joe Sixpak plugging in random hardware and associated software.
As an aside, if this was really an issue, MacOS would have dominant marketshare.
Now... having made those statements, I agree with the general sentiment. I'd like Linux support to be better. But I just don't see it as insightful or productive to demand it of Linux developers.
Enthusiasts and professionals get very concerned over their tools. And no wonder - their ability to do what they do well relies on the availability of quality tools (or at least, tools they are comfortable using).
Sure, a carpenter can likely hew out a basic piece with a hammer and a screwdriver. But they won't produce the quality of work that sets them apart from the average layman.
The saying "a poor workman blames his tools" certainly has a degree of truth to it. But it can lead one to overlook the importance of good tools. An importance that any craftsman will immediately recognize.
Incidentally, within the depths of any tech jihad, someone will eventually utter "it's just a tool." They're right. But they miss the point - the reason why people would have any passion over "just a tool."
Even Jeff Duntemann admits that MSIE supposedly has at least as many bugs as Firefox. Given this reasoning, there's the choice between deploying MSIE (which is proven over and over again to be unsafe and full of security holes), and Firefox (for which nothing is proven).
Of course, this tends to miss the whole issue of monocultures. Whether Firefox is as bug-ridden as MSIE or not is an interesting point, but not the only one. What bugs exist for MSIE are not likely to exist in Mozilla / Firefox. And in a truly mixed environment, this alone creates a speedbump (if not roadblock) for malware.
None of these things matter if no one wants the product in the first place.
But that by itself doesn't say much. Did the product do something nobody needed? Or did the leadership and sales force fail to communicate what the product could do for their customers? Each situation implies slightly different character traits in leadership.
...but for most, it's the Israeli-Palestinian conflict. They see people getting shot, their homes torn down, evicted off their land, and so on, and one of the central tenets of Islam is of kinship -- their suffering is your suffering. And they see us supporting it wholeheartedly, morally and materially. Combine with repressive and corrupt governments in their own home country many of which we also back, (though they certainly can cultivate repression on their own), these tangible things then get linked into said culture war and provides real impetus for action, or at least outrage.
Oddly enough, all the outrage over Israeli actions doesn't apply to oppressive Arabic governments. Unless the US happens to have some agreements with said Arabic government. THEN it's the West interfering. Unless, of course, it's providing weapons to attack Israel.
As one analyst said, "No one is going to strap a bomb to their chest to stop Americans from drinking Budweiser." The devout may never like us, but we can certainly do a lot toward preventing the Abdul Q. Public of these countries from outright hating us.
Sure - it's not about what Americans are doing in their own country. But it is certainly about Baywatch being watched within Arabic borders.
Abdul Q. Public doesn't suddenly decide strapping a bomb to their chest is the way to stop said Baywatch or destroy Israel. They get their ideas from fundamentalists who, fueled by their fear and hate, do a rather nice job producing propaganda for a largely uneducated and desperate population.
The key is to remove the desperate population by removing the desperation. Not that it's an easy thing to do.
I agree that it's a culture war, but keep in mind, were it not for the oil, we could completely withdraw from that region, and our "evil culture" need no longer encroach upon theirs.
I assume by "completely withdraw", you refer to a military presence. Culture isn't always spread with the muzzle of a gun. Western cultural influences can be found throughout the world - even in locations where there are not US troops. There are aggressive agents such as missionaries and salesmen. But there are also less-aggressive conduits to change - much of which involves the very people whose culture is being subverted and / or morphed.
Were we hanging out there prior to their discovery of all of that sweet, delicious crude? Not so much.
First, at that time period in history, travel wasn't what it is today. Getting to a region like that wasn't the trivial affair it is with today's air travel. And likewise, it wasn't as easy to import culturally disruptive medium (ideas, products, media, etc.).
Having said that, the event that defined the United States as a world power involved the Middle East. And that was far from the beginning or end of Western influence in the region (keep in mind that "influence" isn't just a euphemism for military action).
If oil was trading at $0.50 a barrel because it was irrelevant to the world economy then they wouldn't be able to fund very much in the way of terror.
That's exactly what I alluded to when I noted:
The only difference is that they may find it harder to fund their campaign.
The other point here is that it isn't just what the US chooses for an energy policy. If the rest of the world doesn't also find an alternative to oil, the US will continue to act in much the same manner to protect our allies' (and thus our own) interests.
I was thinking the next step was to wire in a Roomba to the shotgun-segway. Talk about "street cleaner".
Ever get your hands on an old set of encyclopedias? I recently managed to get a collection of 1920 - 1940 electronics technical manuals and various general encyclopedias. It's a rather fascinating glimpse back on what was considered "fact" at one time.
That's not to say there isn't information that didn't stand the test of time. But there is also quite a variation in focus, facts, and opinion compared to current society and technology.
Even "unchanging" things change.
Suddenly, a large number of Slashdot users suspect that they've turned 65 without knowing it.
The address www.foo.bar is the public data. The fact that it might have something to do with a search for "widgets" is not.
The data isn't - but the collection is (formatting, presentation, collation, etc.).
I seem to remember dsniff had a utility (webspy?) that allowed you to essentially link a browser to a target machine. Your browser would jump about as your target host browsed.
Maybe you should take a look at ettercap?
If anything, NASA will GET funding from the DoD.
Two quick points:
1) Unix's concepts of security were bolted on well after the fact. The interesting thing is that it worked because of the modular mindset found within Unix and its developers.
2) Unix has had its time in the crucible. It was at one time THE holder of resources an attacker would covet (storage space, bandwidth, interesting domains, etc.). It was also largely wide open to a well-educated (or well-scripted) attacker. Then the Internet became a much less-friendly place. Unix took its lumps. Admins began to wake up to the new reality and things began to improve. During this time, many of the tenets of Information Security were formed. It's a shame Microsoft didn't learn from this process.