*ABSOLUTELY NOTHING* justifies phoning home without having asked the user at some point.
Explicitly. Up front. In his/her face.
"But it was there in the EULA" is a stupid argument. The "ohhh shiny!!11" crowd wouldn't have read it, and most reasonable people cannot be expected to.
How many specific individual questions must Apple ask me about what their products are going to do? Why shouldn't I just be able to say "yes, it's all fine, don't bug me any more"? I don't care if my Apple products phone home, because I've been using Apple products since the 1980s and they have NEVER abused this, as far as I am aware.
My GSM cell phone causes audible noises whenever it's near powered computer speakers or poorly-shielded microphones, produces a weird flickering on my CRT monitor, and I've seen it cause erratic mouse behavior (contextual menus pop up when I'm not touching the mouse). I have no idea what it does to airplanes, but I have to move my phone away from my computer when I take a call, so it's not a load of crap.
I'm sure Apple doesn't mind if people want to buy something like this. The issue is that Apple doesn't want to LIST something like this as being available for sale, because they don't want people who are casually browsing through a selection of apps to find anything that isn't good. There is no mechanism to make it available for sale without listing it in the app store, so the only way to remove the listing was to remove the app entirely.
Might I suggest that if you're no longer interested in supporting these applications, they'd be good candidates for open source? Release the source code under the GPL and give the apps away for free. Users get to use your apps, you get your name known among the community and accumulate some goodwill, other people can do the work of making improvements and releasing new versions and providing support, and you make exactly as much money from sales as you're making now.
Admittedly this is talking about a VERY old version, and Microsoft has removed the article from their knowledge base, but I thought it was damn funny when I found it:
Although the sample Web site and examples in this release use Microsoft Access, we recommend that Microsoft Access be used solely for development purposes and not for production.
This is referring to Access 97, and yes, I did work at an ISP that used an Access 97 database to track all their customers. Shame I wasn't aware of this warning at the time.
Regardless of *whether* a virus could touch the machine, what could it possibly infect? Custom-written election software on top of a stripped-to-the-bones windows OS wouldn't have many attack vectors at all.
Why do you assume the OS is stripped to the bones? If they're incompetent enough to be running antivirus software on an election machine, they're probably not competent enough to lock the system down.
I'd like to see Scantron ballots that are produced by a machine, on the condition that the machine's user interface is easier for the average voter to use and understand than any more traditional system. I'd also like to see a stack of blanks ready to be filled out by hand in case there's a problem with the machine, or if a voter prefers it.
The average consumer, when watching 4:3 standard-definition content on a 16:9 high-definition screen, would rather have it stretched out to fill the screen than see black bars on the sides.
It's rare to see a TV in a public place that isn't configured this way.
And since THAT doesn't look better than what most people already have at home, why should they upgrade? After all, that's what all the hype is about, right?
1. Random access. No rewind, skip to arbitrary scenes, etc. 2. Bonus features. Making-of bits, interviews with directors and actors, deleted scenes, etc.
3. Sustained quality: as VHS tapes wear out, the quality deteriorates, but DVDs play perfectly as long as they don't get scratched. The transition from cassette tapes to CDs already demonstrated how this works. In reality, of course DVDs do get scratched and the result is worse than a worn out VHS tape, but that doesn't happen until long after you've made the purchase.
4. Widescreen format: most people actually preferred pan&scan because letterboxing makes the picture too small on their small TV, but the purists liked the option to keep the original aspect ratio. Some DVDs were available with both formats on the same disc.
5. Alternate language tracks and subtitles: my very small DVD collection includes one French and two Italian films; several of my friends collect Japanese anime. I want to watch it in the original language with subtitles; with VHS you're usually stuck with the lowest-common-denominator option (the dubbed version appeals to the masses, so that's all they sell). On top of that, English subtitles make it easier to follow the dialog in quiet scenes when you can't turn the volume up due to people sleeping in the next room or whatever.
6. Portability: I can buy a binder that holds 200 discs. Try carting your entire collection of VHS tapes to a friend's house - you just don't do it.
By the way, if anyone's looking for a cheaper SSL cert than Verisign, I've recently been going with RapidSSLOnline, which is a reseller for RapidSSL, also known as GeoTrust, which is accepted by all modern browsers (which does NOT include Netscape 4, or anything with a CA bundle stolen from Netscape 4).
As Kaminsky points out, they verify your identity by... relying on DNS. Specifically, they send e-mail to a common address at your domain (root@example.com, webmaster@example.com, etc.) or a contact address listed in whois (your choice). They also call you (at a phone number you provide) and record your voice, which doesn't really do anything except make it easier for the police to find you after you get caught, but if you're worried about that, you'll buy a pre-paid cell phone with cash. I noticed in the grocery store the other day that they're selling Visa gift cards, which you can buy with cash and then use as a debit card anywhere that takes Visa, without giving any ID to anyone.
Anyway, I'm not affiliated with RapidSSL/GeoTrust or RapidSSLOnline, but they're cheap and their certs work for me.
By the way, RapidSSL/GeoTrust also offers a FreeSSL cert which is valid for one month (and you get to skip the Visa gift card step, since you don't have to pay for it). Be aware that the FreeSSL cert is NOT valid for mail servers, although it works fine for HTTPS.
Right, so Azureus is probably using plain old HTTP (which relies on DNS, which may have been poisoned) to check to see if an update is available, and if so, downloads the.torrent of the update. So, an attacker could hijack the domain of the web server that Azureus is querying to check for updates, and send you a fraudulent.torrent, which Azureus will securely download and install.
I'm completely guessing about using unsecured HTTP; I have no idea what Azureus actually does. I can guarantee that other apps work this way, even if Azureus isn't one of them.
SSL will raise a certificate error unless they have some way of getting a fake cert.
As Kaminsky pointed out, you're correct that browsers do this, but what about other non-browser applications that use SSL? Sure, they SHOULD do this. Do they? Really? Are you sure? How do you know?
These companies are getting free bugtesting and security scanning. They should make something where the class gets paid to demonstrate these vulnerabilities on their software, and then they use the information to write patches and updates.
Some vulnerabilities are in design rather than implementation. A vulnerable implementation can be fixed with a patch; a vulnerable design requires a new design, and it may not be possible to deploy the fix without breaking things. For example, the patch for the DNS exploit announced last month is useless if your DNS server is behind a NAT router. Obviously ISC has no control over how your network is set up; all they can do is patch BIND, and that may not help.
That radial menu tells me these people know nothing about good UI design. It appears to work precisely the same way as a contextual menu, except that you can't see what any of the options are until you mouseover the button, which reveals an icon (possibly with a label, I couldn't tell from the low-res video). The way the option buttons are arranged around the circle, the chances of memorizing precisely which button performs what task are minimal, since it's difficult to distinguish between a button at 7:00 and a button at 8:00 (when the number of buttons is not constant, as it is on a clock face, which is why I can tell the difference between 7:00 and 8:00 there).
Compare this to the standard contextual menu. You can see all the menu options at once (unless there are too many to fit on the screen and they scroll), they all have a text label, they could have an icon as well (they usually don't, but certainly should if the concept can be represented in icon form), and the interface is already familiar to nearly everyone.
I mentioned scrolling when there are too many options in the menu. Imagine the radial menu interface with that many options on it. Imagine how long it would take to hunt through them one at a time to find the one you're looking for.
Uh, that completely depends on how you've chosen to set it up. My DHCP server sees the client ID you send, logs it, and ignores it completely, using only your MAC address to determine what IP address to assign you (either a static IP I've configured, or a dynamic IP from the pool).
I'm sure I could set it to use the client ID instead, but I'd have to RTFM to figure out how. I know there are some cable companies that use the client ID to determine who you are and won't give you an IP if your client ID isn't one they recognize - or at least there used to be; I haven't encountered this in years. I think @Home used to do it, or maybe I'm thinking of the network AT&T Broadband set up after @Home went out of business and before selling it to Comcast. In any case, it's definitely possible, just not very common.
90% of traffic lights are not internet linked - they are dumb mechanical timers - kinda hard to cyber that
I imagine the other 10% would be more than sufficient, particularly if it happened at about 4:00pm.
Overload the transformers - way easier said than done, but when that usually happens, a breaker pops, you lose a substation - OK, they find the short, away we go
That's why this step comes after causing multiple simultaneous traffic accidents. Google found this; it sounds like you're being overly optimistic about the state of electrical infrastructure in a lot of places.
in my opinion. You do not have the right to torment an individual like this anymore than you have a right to yell "Fire" in a crowded theater or "I have a bomb" in an airport. AT some point, the safety of others does override your right to "free" speech.
I'm pretty sure I have the right to torment someone until they ask me to stop. Were this not the case, the definition of "torment" could too easily be distorted to prohibit all kinds of speech that deserves to be protected.
You can beat your wife every night, and you've broken no law unless she complains. Some women are into that sort of thing, and the government has no business intervening as long as she's enjoying herself. If she's not enjoying herself, then she'd better object.
People are assholes on the Internet. People are assholes in person. Some people like it that way. If you're not one of those people, and you're being harassed, accepting it until you're eventually driven to suicide is clearly not the best response.
#!/usr/bin/perl $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$]; $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
#!/usr/bin/perl for $a(1,46){for $b(0..7){$c=0;$_?hex substr(q), "ef7fa1866706ca", Just another Perl Hacker, ("eff02289402844"),2*$_+$a,2)&2**(7-$b): /..phroggy../ and $c+=2**(7-$_)for(0..7);$d.=chr $c;}}print"$d\n";
Most libraries have recently adopted a policy of destroying your personal information so that it cannot be handed over to the government, even with a warrant. They keep track of who has which items currently checked out, and who owes fines for overdues, but as soon as you return the item (and pay any applicable overdue fine), the record is deleted.
Not all libraries have adopted this policy, and you should check with yours, but as other posters have pointed out, this is the official recommendation of the American Library Association, in reaction to the USA PATRIOT Act. It's too bad, really, because it prevents libraries from being able to do things like allow me to view my own history of what items I've checked out, and it prevents them from turning over records of people legitimately suspected of actual crimes (I'm not sure why such information would be useful to a criminal investigation, but with proper judicial oversight I don't have a problem with it).
Anyway, your history of what you checked out 20 years ago was probably deleted a long time ago, but you should ask your librarian.
First, many of them deal with "Ease of installation." While it is an important concern, most users don't have to deal with this problem. For them, the application is either already installed or just a click away in a package manager.
That was one of the questions: "is it in the standard repositories?" = "is it just a click away in a package manager?" Of course this relies on "is it pre-packaged?"
However, while these are all important aspects of usability from the end user's perspective, they're often completely beyond the control of the developer. If I develop a piece of software, I probably don't get to choose whether your distro's repositories include my package. If I don't use your distro myself, I may not even know how to build a package. That's up to your distro's package maintainers.
I've never used NetBSD, but a Perl script I released is in NetBSD's package thingie, because somebody who does use NetBSD made an OS-specific patch, packaged it up, and submitted it for inclusion. Somebody else did the same for FreeBSD Ports, which I'm also fairly unfamiliar with. This undoubtedly improves the usability for people running those OSes, but as the developer, I had nothing to do with that.
Slashdot Mirror
It can be VERY DANGEROUS to obey the speed limit in some places.
Look at it this way: he did Dave a favor. Would you want to work for a boss like that? ;-)
Note that in airplane mode, nobody can call you, thus defeating much of the purpose of having a phone in the first place.
Why do Americans even drink milk anyway? And why isn't it irradiated?
*ABSOLUTELY NOTHING* justifies phoning home without having asked the user at some point.
Explicitly.
Up front.
In his/her face.
"But it was there in the EULA" is a stupid argument. The "ohhh shiny!!11" crowd wouldn't have read it, and most reasonable people cannot be expected to.
How many specific individual questions must Apple ask me about what their products are going to do? Why shouldn't I just be able to say "yes, it's all fine, don't bug me any more"? I don't care if my Apple products phone home, because I've been using Apple products since the 1980s and they have NEVER abused this, as far as I am aware.
My GSM cell phone causes audible noises whenever it's near powered computer speakers or poorly-shielded microphones, produces a weird flickering on my CRT monitor, and I've seen it cause erratic mouse behavior (contextual menus pop up when I'm not touching the mouse). I have no idea what it does to airplanes, but I have to move my phone away from my computer when I take a call, so it's not a load of crap.
I'm sure Apple doesn't mind if people want to buy something like this. The issue is that Apple doesn't want to LIST something like this as being available for sale, because they don't want people who are casually browsing through a selection of apps to find anything that isn't good. There is no mechanism to make it available for sale without listing it in the app store, so the only way to remove the listing was to remove the app entirely.
Might I suggest that if you're no longer interested in supporting these applications, they'd be good candidates for open source? Release the source code under the GPL and give the apps away for free. Users get to use your apps, you get your name known among the community and accumulate some goodwill, other people can do the work of making improvements and releasing new versions and providing support, and you make exactly as much money from sales as you're making now.
Admittedly this is talking about a VERY old version, and Microsoft has removed the article from their knowledge base, but I thought it was damn funny when I found it:
Although the sample Web site and examples in this release use Microsoft Access, we recommend that Microsoft Access be used solely for development purposes and not for production.
archive.org copy
This is referring to Access 97, and yes, I did work at an ISP that used an Access 97 database to track all their customers. Shame I wasn't aware of this warning at the time.
Regardless of *whether* a virus could touch the machine, what could it possibly infect? Custom-written election software on top of a stripped-to-the-bones windows OS wouldn't have many attack vectors at all.
Why do you assume the OS is stripped to the bones? If they're incompetent enough to be running antivirus software on an election machine, they're probably not competent enough to lock the system down.
I'd like to see Scantron ballots that are produced by a machine, on the condition that the machine's user interface is easier for the average voter to use and understand than any more traditional system. I'd also like to see a stack of blanks ready to be filled out by hand in case there's a problem with the machine, or if a voter prefers it.
The average consumer, when watching 4:3 standard-definition content on a 16:9 high-definition screen, would rather have it stretched out to fill the screen than see black bars on the sides.
It's rare to see a TV in a public place that isn't configured this way.
And since THAT doesn't look better than what most people already have at home, why should they upgrade? After all, that's what all the hype is about, right?
1. Random access. No rewind, skip to arbitrary scenes, etc.
2. Bonus features. Making-of bits, interviews with directors and actors, deleted scenes, etc.
3. Sustained quality: as VHS tapes wear out, the quality deteriorates, but DVDs play perfectly as long as they don't get scratched. The transition from cassette tapes to CDs already demonstrated how this works. In reality, of course DVDs do get scratched and the result is worse than a worn out VHS tape, but that doesn't happen until long after you've made the purchase.
4. Widescreen format: most people actually preferred pan&scan because letterboxing makes the picture too small on their small TV, but the purists liked the option to keep the original aspect ratio. Some DVDs were available with both formats on the same disc.
5. Alternate language tracks and subtitles: my very small DVD collection includes one French and two Italian films; several of my friends collect Japanese anime. I want to watch it in the original language with subtitles; with VHS you're usually stuck with the lowest-common-denominator option (the dubbed version appeals to the masses, so that's all they sell). On top of that, English subtitles make it easier to follow the dialog in quiet scenes when you can't turn the volume up due to people sleeping in the next room or whatever.
6. Portability: I can buy a binder that holds 200 discs. Try carting your entire collection of VHS tapes to a friend's house - you just don't do it.
By the way, if anyone's looking for a cheaper SSL cert than Verisign, I've recently been going with RapidSSLOnline, which is a reseller for RapidSSL, also known as GeoTrust, which is accepted by all modern browsers (which does NOT include Netscape 4, or anything with a CA bundle stolen from Netscape 4).
As Kaminsky points out, they verify your identity by... relying on DNS. Specifically, they send e-mail to a common address at your domain (root@example.com, webmaster@example.com, etc.) or a contact address listed in whois (your choice). They also call you (at a phone number you provide) and record your voice, which doesn't really do anything except make it easier for the police to find you after you get caught, but if you're worried about that, you'll buy a pre-paid cell phone with cash. I noticed in the grocery store the other day that they're selling Visa gift cards, which you can buy with cash and then use as a debit card anywhere that takes Visa, without giving any ID to anyone.
Anyway, I'm not affiliated with RapidSSL/GeoTrust or RapidSSLOnline, but they're cheap and their certs work for me.
By the way, RapidSSL/GeoTrust also offers a FreeSSL cert which is valid for one month (and you get to skip the Visa gift card step, since you don't have to pay for it). Be aware that the FreeSSL cert is NOT valid for mail servers, although it works fine for HTTPS.
Right, so Azureus is probably using plain old HTTP (which relies on DNS, which may have been poisoned) to check to see if an update is available, and if so, downloads the .torrent of the update. So, an attacker could hijack the domain of the web server that Azureus is querying to check for updates, and send you a fraudulent .torrent, which Azureus will securely download and install.
I'm completely guessing about using unsecured HTTP; I have no idea what Azureus actually does. I can guarantee that other apps work this way, even if Azureus isn't one of them.
SSL will raise a certificate error unless they have some way of getting a fake cert.
As Kaminsky pointed out, you're correct that browsers do this, but what about other non-browser applications that use SSL? Sure, they SHOULD do this. Do they? Really? Are you sure? How do you know?
These companies are getting free bugtesting and security scanning. They should make something where the class gets paid to demonstrate these vulnerabilities on their software, and then they use the information to write patches and updates.
Some vulnerabilities are in design rather than implementation. A vulnerable implementation can be fixed with a patch; a vulnerable design requires a new design, and it may not be possible to deploy the fix without breaking things. For example, the patch for the DNS exploit announced last month is useless if your DNS server is behind a NAT router. Obviously ISC has no control over how your network is set up; all they can do is patch BIND, and that may not help.
That radial menu tells me these people know nothing about good UI design. It appears to work precisely the same way as a contextual menu, except that you can't see what any of the options are until you mouseover the button, which reveals an icon (possibly with a label, I couldn't tell from the low-res video). The way the option buttons are arranged around the circle, the chances of memorizing precisely which button performs what task are minimal, since it's difficult to distinguish between a button at 7:00 and a button at 8:00 (when the number of buttons is not constant, as it is on a clock face, which is why I can tell the difference between 7:00 and 8:00 there).
Compare this to the standard contextual menu. You can see all the menu options at once (unless there are too many to fit on the screen and they scroll), they all have a text label, they could have an icon as well (they usually don't, but certainly should if the concept can be represented in icon form), and the interface is already familiar to nearly everyone.
I mentioned scrolling when there are too many options in the menu. Imagine the radial menu interface with that many options on it. Imagine how long it would take to hunt through them one at a time to find the one you're looking for.
Uh, that completely depends on how you've chosen to set it up. My DHCP server sees the client ID you send, logs it, and ignores it completely, using only your MAC address to determine what IP address to assign you (either a static IP I've configured, or a dynamic IP from the pool).
I'm sure I could set it to use the client ID instead, but I'd have to RTFM to figure out how. I know there are some cable companies that use the client ID to determine who you are and won't give you an IP if your client ID isn't one they recognize - or at least there used to be; I haven't encountered this in years. I think @Home used to do it, or maybe I'm thinking of the network AT&T Broadband set up after @Home went out of business and before selling it to Comcast. In any case, it's definitely possible, just not very common.
90% of traffic lights are not internet linked - they are dumb mechanical timers - kinda hard to cyber that
I imagine the other 10% would be more than sufficient, particularly if it happened at about 4:00pm.
Overload the transformers - way easier said than done, but when that usually happens, a breaker pops, you lose a substation - OK, they find the short, away we go
That's why this step comes after causing multiple simultaneous traffic accidents. Google found this; it sounds like you're being overly optimistic about the state of electrical infrastructure in a lot of places.
in my opinion. You do not have the right to torment an individual like this anymore than you have a right to yell "Fire" in a crowded theater or "I have a bomb" in an airport. AT some point, the safety of others does override your right to "free" speech.
I'm pretty sure I have the right to torment someone until they ask me to stop. Were this not the case, the definition of "torment" could too easily be distorted to prohibit all kinds of speech that deserves to be protected.
You can beat your wife every night, and you've broken no law unless she complains. Some women are into that sort of thing, and the government has no business intervening as long as she's enjoying herself. If she's not enjoying herself, then she'd better object.
People are assholes on the Internet. People are assholes in person. Some people like it that way. If you're not one of those people, and you're being harassed, accepting it until you're eventually driven to suicide is clearly not the best response.
Sure, but if we were to build an air-tight structure, it'd be nice to know we'd have something to fill it with.
#!/usr/bin/perl
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
#!/usr/bin/perl
for $a(1,46){for $b(0..7){$c=0;$_?hex substr(q), "ef7fa1866706ca",
Just another Perl Hacker, ("eff02289402844"),2*$_+$a,2)&2**(7-$b):
/..phroggy../ and $c+=2**(7-$_)for(0..7);$d.=chr $c;}}print"$d\n";
Most libraries have recently adopted a policy of destroying your personal information so that it cannot be handed over to the government, even with a warrant. They keep track of who has which items currently checked out, and who owes fines for overdues, but as soon as you return the item (and pay any applicable overdue fine), the record is deleted.
Not all libraries have adopted this policy, and you should check with yours, but as other posters have pointed out, this is the official recommendation of the American Library Association, in reaction to the USA PATRIOT Act. It's too bad, really, because it prevents libraries from being able to do things like allow me to view my own history of what items I've checked out, and it prevents them from turning over records of people legitimately suspected of actual crimes (I'm not sure why such information would be useful to a criminal investigation, but with proper judicial oversight I don't have a problem with it).
Anyway, your history of what you checked out 20 years ago was probably deleted a long time ago, but you should ask your librarian.
First, many of them deal with "Ease of installation." While it is an important concern, most users don't have to deal with this problem. For them, the application is either already installed or just a click away in a package manager.
That was one of the questions: "is it in the standard repositories?" = "is it just a click away in a package manager?" Of course this relies on "is it pre-packaged?"
However, while these are all important aspects of usability from the end user's perspective, they're often completely beyond the control of the developer. If I develop a piece of software, I probably don't get to choose whether your distro's repositories include my package. If I don't use your distro myself, I may not even know how to build a package. That's up to your distro's package maintainers.
I've never used NetBSD, but a Perl script I released is in NetBSD's package thingie, because somebody who does use NetBSD made an OS-specific patch, packaged it up, and submitted it for inclusion. Somebody else did the same for FreeBSD Ports, which I'm also fairly unfamiliar with. This undoubtedly improves the usability for people running those OSes, but as the developer, I had nothing to do with that.