Let's examine some problems, shall we:
-Most servers (if not all) run CGI scripts as a given user (ie: nobody, www, cgi, apache). If that user is a crippled or limited user, then CGI-Shell is useless for running commands other than "ls". If not, then that user could potentially kill things like the server process, which is also bad.
-If all CGI scripts are run as the same user (see above), then anyone has access to files or directories created by another cgi-shell process. After all, they're owned by the same user.
-Cleartext passwords via htpasswd. They didn't even _try_ to use SSL - it's so not hard.
-Man-in-the-middle attack? Anyone could hijack your "shell" session.
-Can anyone say backdoor?
Sure, this is cool to play around with and install on your home machine, but if anyone lets this into a production environment they're on crack. Either install sshd, or don't. But don't try to implement it over CGI.
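Added example, not part of the original post and not CGI-Shell's own configuration: the weak Apache setup the post objects to (htpasswd Basic auth over plain HTTP) next to the same authentication confined to a TLS virtual host. The location name, htpasswd path and certificate paths are placeholders.

```apache
# Weak: Basic auth over plain HTTP. The htpasswd password crosses the wire
# base64-encoded (effectively cleartext) on every single request, and anyone
# in the path can read or rewrite the "shell" session.
<Location /cgi-bin/cgi-shell>
    AuthType Basic
    AuthName "cgi-shell"
    AuthUserFile /etc/httpd/cgi-shell.htpasswd
    Require valid-user
</Location>

# Better: serve the location only from the TLS vhost, and refuse it outright
# if a request somehow arrives without TLS (SSLRequireSSL is mod_ssl's check).
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    <Location /cgi-bin/cgi-shell>
        SSLRequireSSL
        AuthType Basic
        AuthName "cgi-shell"
        AuthUserFile /etc/httpd/cgi-shell.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

TLS only fixes the cleartext-password and hijacking points. The shared-uid problem stays: every htpasswd user still ends up running as the one web-server account, so one user's files are readable by the next. Apache's suEXEC (the `SuexecUserGroup` directive in a vhost) changes the uid per virtual host, not per htpasswd user, so it does not separate the users of a single cgi-shell either.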
For Americans: Asterix and Obelix are well-known French cartoon characters (think: Mickey and Goofy).
Only a hell of a lot funnier than that stupid mouse and dog. I'd say a better comparison is Homer and Bart. Mickey and Goofy start to lose their humor once you reach a certain age. Asterix works on so many more levels...
Apparently Macrovision believes there is now enough commercial software being written for Linux -- by companies that want to use encrypted "unlock" keys to prevent unauthorized use of their precious intellectual property (sigh) -- to make it worth their while to be at LinuxWorld.
Why does this merit a "sigh"? They're not talking about another DRM implementation here - apparently Roblimo doesn't understand this.
Asset and License Management Software has been around for years. In case you're confused, Macrovision is NOT talking about the product activation you see in Windows XP or TurboTax. Rather, they're talking about something like KeyServer, which allows large organizations to buy one copy of Photoshop or something, and "Key" it, so that it can only be unlocked by talking to a KeyServer. This allows you to specify the number of concurrent users on the network, and any number of other restrictions (which workstations can use it, etc). This is extremely cost-effective for companies - they buy, say, 5 licenses of Photoshop, key it, and then make sure only 5 users can use it at once. Thus, when the BSA comes knocking on the door and says "Hey, you have 100 computers - we demand 100 licenses", they can say "sorry, we enforce concurrent use of no more than 5 copies of the app. Have a nice day." It also prevents employees from stealing a copy of Photoshop and taking it home with them (it won't work). However, this solution is only available on Windows and Mac (and, for the longest time, it was Mac only). I don't see why this is such a problem that it now runs on Linux.
What this means is that WidgetCo, which uses, say, Matlab, and has 200 workstations, can save a ton of money by only purchasing 50 licenses. The MathWorks (Matlab makers) won't have a problem with this as long as they can be assured that no more than 50 copies will be running concurrently. (And no, the honor system doesn't work anymore). FLEXlm software (what Macrovision is offering) can help assure this. This setup is what many colleges or large institutions use to assure that commercial software on UNIX is abiding by the terms of their licensing agreements or package deals.
So now WidgetCo can save even more money, because instead of having to buy costly Solaris licenses to run a platform that supports licensing software, they can now use Linux, and yet another big institution will be running GNU/Linux.
I know it would be nice if everyone using Linux also used other GNU software to get their jobs done, but really, there's always going to be commercial software. We should be cheering the fact that there is one less obstacle for large organizations to adopt Linux and still maintain their licensing agreements with the big commercial software firms. In fact, FLEXlm has been around for a long time (at least since '91), but it was only for certain flavors of UNIX (read: Solaris). All that happened is that Macrovision bought out the company, and released a version that runs on Linux. Good for them.
For those who didn't RTFA, one of the points of the article is not only are there unprotected admin interfaces that let you register your own domain (that's what they're talking about - you still can't register .mil through register.com or anything), add a user, and view traffic stats on DoD sites (even "hidden" ones), but that all these pages (including default passwords) are cached by Google.
This implies that even if the DoD fixes the problem, the Google caches will still be available (until they expire or are replaced). Now, in the past, we've heard reports of people being upset that Google cached information. However, this time, the cache contains information pertaining to "national security" (that great new buzzword). I wonder, what will happen? Will these URLs be silently deleted from the cache? Will Google be told that caching links is now illegal because it could aid terrorists? Will they be prevented from caching .gov and .mil? Will Google be sued out of existence?
We've all found Google caches to be useful, when, say, the documentation for an open source project is hosted via a 56K modem line in the Czech Republic, for example, or even when a site is Slashdotted, but it'll be interesting to see what happens about this, and how the government may over-react.
(Note, if you're too stupid to understand this, I'm not talking about blame here - don't bother saying "Google rulez, the militery is dum asses for leeving these sitez open, u r an idiot...". I'm talking about repercussions. Certainly Google doesn't "know" what information a link contains when they cache it. Certainly it's the government's fault for leaving open admin pages with default passwords listed on the page. But just because someone isn't at fault, doesn't mean they can't get screwed over.)
If only I could force direct mail marketers to stop snail-mailing me crap all the time. Why does a single 24-year-old guy need coupons for feminine hygiene products?
Actually, I've found direct-mail marketers are the most amenable to taking you off their lists. Their marketing method actually costs them real money each time they send something (well, so do telemarketers, but they probably have deals with the cheap long distance carriers), so they're not interested in sending things to people that don't want them.
When I moved into my new apartment, I got the usual barrage of "Resident" catalogs and coupon books, and credit card offers with the "low, low rate" of 24% interest. They died down a little, but were still a lot. I called the opt-out number for the credit bureaus: (888) 5OPT-OUT. It's automated, takes two seconds, and then you just need to fill out and sign a form they send you. That gets you off the free credit offers for all 3 credit bureaus.
The other aggravating thing was that in the Boston Area, if you don't subscribe to the Globe, you still get the advertising circulars by direct mail. (Some people love this). However, I got the return address, looked them up in the phone book, and called them. They have a menu option to be removed from their mailing list - press it, and you get a real human being on the other end (that surprised me). She was very nice, and promised that I'd stop receiving the flyers by the end of the month. And indeed I haven't gotten one since.
I still believe Linux is an extension of the Unix paradigm.
He just kept repeating this over and over, didn't he? Regardless of what the interviewer said. Now, I understand he has to watch what he says when he's on the record, but he came off as totally clueless when he kept saying this over and over. I read the interview like this:
These folks are claiming that the earth is round.
See, the problem is, these people are embracing a circular model, which is ill suited to every day life. Think about it - if you walk outside, you'll have to take into account the curvature of the earth, and really, you're not walking on a flat surface. Imagine the confusion that would cause your brain - your eyes tell you the ground is flat, but your mind knows it isn't.
But, we have people who have sailed and flown around the earth - there's no edge to fall off
I admit, their round view is interesting, but eventually you'll encounter that edge, and you'll fall off. It's far safer to subscribe to our view that earth is flat.
How do you account for the celestial movements observed - they could not exist if the earth was flat.
These observations are flawed - these astronomers are not looking at the whole picture. Sure, the portion they observe is round, but in the big picture, it's flat. We find that users are comfortable with a flat view of the earth, and it's only a matter of time before those astronomers are burned at the stake.
How do you respond to the National Science Foundation's findings that the earth is in fact round?
Those findings are biased. The earth is flat - there's no further discussion on the issue.
It is exactly like those automated speeding ticket cameras, just tell them someone else was driving
Uh, no. In most places, if you lend someone your car, and they get a ticket, you're responsible. You should carefully consider who you're lending your car to.
Now, if you report your car as stolen (and it actually was stolen), and it shows up on one of those speed cameras, then yes, you can probably get out of the ticket, but not if you just lent it to your lead-foot friend.
We have had to use 10-digit dialing here in the DC area (I am in Alexandria, VA in NoVA) for a while now and I don't see what adding a 1 is going to do...esp. if you add it to each call.
Yeah, same in Boston. We recently got some new area codes added to our local calling area, so we have to dial 10 digits instead of the previous 7. We certainly don't have to dial the '1'.
By contrast, however, in Rhode Island (401 for the whole state), when New England Telephone became NYNEX (yes, it was always a subsidiary, but when they actually changed the name), we had to dial '1' + 7 digits if we were calling outside our local calling area, but within 401. Then they became Bell Atlantic, and we had to dial 1+401+7 digits outside the local calling area (but within 401). Then they became verizon, and now you just dial 7 digits anywhere within 401, and it's up to you to remember whether it's a local call or a toll call.
So, I think basically the "1" is at the whim of the phone companies, and it is no longer the reserved digit signifying "long distance". Unless of course the NYT got it wrong. Someone who works for the phone companies (or has hacked into their switches - Hi Kevin!) should explain to us why New Yorkers need to dial a 1 when they have overlay codes, and those of us elsewhere (Boston, DC) don't.
It's irresponsible to ban an environmentally-friendly transportation vehicle without evidence it is a threat.
Um, hello?
They're banned on the SIDEWALKS. So are bikes. Why? Because on a crowded sidewalk, you have very little room to maneuver or stop. A kid walking with his parents could let go of Mommy's hand to go look at a toy in a window, and could get hit by a bike. The same thing could happen with a Segway.
If it was an all out ban (ie: "Only terrorists use Segways"), you might have a point, but you don't.
That's hard to square with your previous statement about not judging based on IP address
I said "slightly more inclined to agree". I didn't say "that's a brilliant idea". Nor did I say that lusers only use dialup. I said that there is a lot less accountability with dialup due to free trial accounts. There just is. There's no such thing as "free trials" of DSL or cable (there may be money-back guarantee trials, but that's not the same). When DSL or cable is installed, it's tied to a physical street address and/or phone number - someplace you could send the cops to arrest a spammer. With AOL's free trials (some of which don't even require credit cards now), there's no accountability. Sure, you have the phone number they dialed from, but that's not necessarily the person's residence. There are plenty of devices that spoof Caller Number Delivery. Sure, you have the info they entered for the free trial, but what does that get you? All you know is that M. Mouse, of 123 Main Street, Redmond, WA called into AOL from 555-1234, and sent a bunch of spam to open relays.
That's why I think the port 25 blocking needs to be for people on dynamic IP addresses (dialup, DHCP or PPPoE), and not for people on fixed IP addresses.
This will stop most luser spam, because most lusers don't have fixed IP internet connections.
Oh, that's nice of you to pass value judgements based on people's IP addresses.
I am not a "luser" (I have probably forgotten more about computing than you know), but I have a dynamic IP address simply because I don't feel like giving ATTBI another $50/month to get a static one. I also have a reason to send mail out on port 25 - I don't use my ATTBI e-mail address, I use my business one. Thus, I send my e-mail through my company's SMTP servers. I certainly have permission to do this, and a legitimate reason, so why should I be punished? I also run an SMTP server (authenticated). Sure, people try and send spam through it (every day my syslog is full of Relaying Denied messages), but they fail. When they fail, their address gets blackholed (by me), and passed on to all my friends to be blackholed too.
Now, if what you meant to say was "port 25 blocking should be instituted for people on dialup addresses", I might be slightly more inclined to agree with that. There's a lot less accountability with dialup (read: modem) addresses (due to free trial accounts) than there is with cable or DSL. AT&T Worldnet, for example, drops on the floor any outgoing packets destined for port 25 on a machine other than mailhost.att.net. Most of the relay attempts I see in my logs are from dialup pools.
So what is the solution? Certainly any time you institute a widespread "solution" (blackholing, port blocking, etc), innocent folks are always going to be punished. There's lots of chatter about creating a new protocol, but guess what? If it ain't supported by Outlook, you're SOL. Whether you like it or not, no ISP is going to switch from SMTP to a protocol that will alienate a large portion of their clients. And, guess what, MS isn't going to switch from SMTP. Why? Well, at the spam conference, they said they had found the perfect algorithm to filter spam. Of course, they declined to tell us what it was...
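Added example, not the poster's own script: a small Python filter that does what the post describes by hand, reading syslog lines in the shape sendmail writes for `check_rcpt` rejections ("Relaying denied"), counting attempts per source address, and emitting sendmail access-map `Connect:` entries for repeat offenders. The sample log lines are constructed (documentation addresses, made-up hostnames); the threshold and the hostname heuristic for spotting dialup/dynamic pools are assumptions an operator would tune.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt in sendmail's check_rcpt rejection format.
# Hostnames and addresses are documentation/test values, not real systems.
SAMPLE_SYSLOG = """\
Jan 14 03:22:11 mx sendmail[4121]: h0E8MBx04121: ruleset=check_rcpt, arg1=<joe@example.net>, relay=dialup-12.pool.example.org [192.0.2.12], reject=550 5.7.1 <joe@example.net>... Relaying denied
Jan 14 03:22:13 mx sendmail[4121]: h0E8MDx04121: ruleset=check_rcpt, arg1=<ann@example.net>, relay=dialup-12.pool.example.org [192.0.2.12], reject=550 5.7.1 <ann@example.net>... Relaying denied
Jan 14 03:22:15 mx sendmail[4121]: h0E8MFx04121: ruleset=check_rcpt, arg1=<bob@example.net>, relay=dialup-12.pool.example.org [192.0.2.12], reject=550 5.7.1 <bob@example.net>... Relaying denied
Jan 14 03:40:02 mx sendmail[4188]: h0E8e2x04188: ruleset=check_rcpt, arg1=<sue@example.com>, relay=[198.51.100.7], reject=550 5.7.1 <sue@example.com>... Relaying denied
Jan 14 04:01:30 mx sendmail[4203]: h0E914x04203: from=<me@example.com>, size=1024, class=0, nrcpts=1, msgid=<x@example.com>, proto=ESMTP, daemon=MTA, relay=ws1.example.com [203.0.113.5]
Jan 14 04:05:17 mx sendmail[4210]: h0E95Hx04210: ruleset=check_rcpt, arg1=<tim@example.net>, relay=ppp-77.isp.example.net [203.0.113.77], reject=550 5.7.1 <tim@example.net>... Relaying denied
"""

# relay= is either "[ip]" (no reverse DNS) or "hostname [ip]".
RELAY_DENIED_RE = re.compile(
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*Relaying denied"
)
# Assumption: naming conventions many ISPs use for dynamic/dialup pools.
DYNAMIC_HOST_RE = re.compile(r"(dialup|dyn|ppp|dhcp|pool|cable|dsl)", re.I)


def parse_relay_denials(syslog_text):
    """Return {ip: (denial_count, reverse_name_or_None)} for rejected relay attempts.
    Accepted deliveries (no 'Relaying denied') are ignored."""
    counts = Counter()
    hosts = {}
    for line in syslog_text.splitlines():
        m = RELAY_DENIED_RE.search(line)
        if not m:
            continue
        counts[m["ip"]] += 1
        hosts.setdefault(m["ip"], m["host"])
    return {ip: (n, hosts[ip]) for ip, n in counts.items()}


def blocklist_candidates(stats, threshold=3):
    """Addresses with at least `threshold` denials, as (ip, count, looks_dynamic).
    The dynamic flag lets the operator decide whether blocking one address of a
    pool is worth it, since the next dialup user will get a different one."""
    out = []
    for ip, (n, host) in sorted(stats.items()):
        if n >= threshold:
            out.append((ip, n, bool(host and DYNAMIC_HOST_RE.search(host))))
    return out


def sendmail_access_entries(candidates):
    """Render candidates as lines for sendmail's access map (Connect: tag)."""
    return [f"Connect:{ip}\tREJECT" for ip, _, _ in candidates]


if __name__ == "__main__":
    stats = parse_relay_denials(SAMPLE_SYSLOG)
    for entry in sendmail_access_entries(blocklist_candidates(stats)):
        print(entry)
```

The threshold matters: a single denial can be a misconfigured legitimate client, while dozens in a minute from one address is the pattern the post describes. Sharing the resulting list with friends, as the post does, is only as good as everyone's trust in each other's thresholds.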
I'll say up front that I don't know how iTunes' license agreement works.
Please to be reading the article.
This is not about iTunes license agreement, or about EULAs or shrinkwrap licenses at all. This is about the iTunes SDK license. This is very, very, very different. SDKs or development environments have had licenses long before 40 page EULAs became the standard. You're getting access to information that joeuser doesn't normally get. You're also not getting "software" per se, you're getting documentation, APIs, and maybe some libraries and header files. You're not getting a program you can "run" - you have to contribute your own code to make that.
You make a good argument for why software in general shouldn't have licenses. But that's not what's at issue here.
Funny, when it's Microsoft, people start complaining about how restrictive their licenses are and squashing innovation etc etc; Apple do the same thing and it's "Not their fault if you don't like their license". When Microsoft takes legal action to prevent something being done with the XBox or their software etc, people are up in arms.
Not quite. Certainly, MS licenses are restrictive. Licenses in general are. If they weren't restrictive, there'd be no need for them. Are MS licenses too restrictive? Probably. Does this mean they can be violated? No. If there was an article about Corporation X, which made 500 copies of a Windows 2000 CD, and installed it on all of their computers, and got busted by the BSA or MSFT, I'd be on the side of MS, as much as I'd hate it. Apple licenses do tend to be less restrictive than MS licenses, especially the APSL, which, by nature, is less restrictive.
As for the Xbox mod chip stuff, that's totally different. There was no license involved. That was the DMCA (unless I'm mistaken). That's a whole different issue. If Apple had tried to use the DMCA against iCommune, you're damn right I'd be upset, because the DMCA has no place here. But they didn't. You're comparing Apples and Oranges. (no pun intended)
(Don't bother linking to the articles in which Apple has used the DMCA against people. I don't care. I'm only pointing out they didn't use the DMCA in THIS CASE.)
Apple issued a 'Notice of Breach and Termination of License' to iCommune, who have since pulled the download. Something tells me that they won't be putting it back up anytime soon. Every time I forget about Mac OS X being proprietary, Apple does something to remind me.
Uh, it's not about Mac OS X being proprietary. It's not about the DMCA. It's not about the RIAA. It's not about Big Corporations squashing innovation. It's about the iCommune folks agreeing to a license when they used the API, and violating the terms of that license, and Apple revoking it. Apple is fully within their rights to do this, and I have no sympathy for iCommune at all. They agreed to the license, and they broke the rules. That's just too damn bad.
And it's not like Apple used the DMCA or something to do this. All they did was send a letter saying "Hey, you agreed to this license, and now you violated it. Please stop."
Come on people, it's a LICENSE. Just because you don't like the terms of it doesn't mean it's not real. You know that if someone violated the terms of the GPL and got in trouble for it, we'd all be celebrating. When you support the enforcement of one LICENSE and cry foul when another is enforced, you lose a lot of credibility.
Now, if the license was ambiguous, and what icommune did wasn't specifically prohibited, and then Apple tried to claim it was, then I'd be upset. But this is open and shut.
Frankly, I'm getting a little upset about seeing all these stories on /. designed to trick you into thinking someone is stomping on your rights. Like the one about the student who STOLE documents from a law firm. And this one about a LICENSE VIOLATION. What's next? "Man Arrested for Possession of Linux: Police arrest man for breaking into BestBuy and stealing copies of RedHat Linux"
Right, as many people have reminded me, master keys usually only exist for commercial/institutional locks, not residential ones. The concept still applies though.
because it seems a universal garage opener could be used for ill purposes, like opening someone else's garage and stealing his stuff,
Not really. Universal garage door openers have a bunch of DIP switches that you need to set to match the frequency and manufacturer of the receiver. I have a Skylink universal opener, and there is one DIP switch for the frequency setting, 8 for the manufacturer, and 8 for the code. Do the math. It would take a long time to try each combination, and I think most people, if they noticed some guy in a car sitting in front of their house for a while, would call the cops.
Thieves do exploit automatic garage door openers, but there are more sophisticated devices that simply scan and capture the signal from a legitimate transmitter and use that to open the door. (That's why most new garage door openers have rolling codes - so the same signal isn't accepted twice in a row).
i dont think you can make a universal key
Yes you can. It's called a master key. You have to be a locksmith, or be really good at social engineering to get one. And it only works for a subset of models of a specific brand of lock. But, yes, if some guy goes to your house, and recognizes that you have a Yale lock, model $foo, then he could likely get a master key for it.
Anyway, back to remotes. This is ridiculous. Skylink is filling a market that wouldn't otherwise exist. When the remote for our garage door opener crapped out (well, it broke in half, but that's another story), I went to get a new one. Quoth the company (after about an hour's worth of phone tag) "No, sorry, we don't make replacement remotes for those anymore. Why don't you try a universal remote?"
I think The Chamberlain Group doesn't actually give a shit about patent infringement (which is what this is about - go read the case). I think what we're seeing in this case, and with Lexmark, and with the many more cases that will come, is the result of desperation. These companies are looking for a quick buck in hard economic times and understandably so. The DMCA has given them a great tool with which to make this quick buck. Now, if Skylink was some new fly-by-nite company from China that was ripping off these remotes, I'd have a little more sympathy for the Chamberlain Group. But they're not. Skylink has been around since _at least_ 1993 (that I know of), and probably longer. There are Skylink products on the shelf of every Home Depot in the country, and they've been there for 5 years (that I know of). I sincerely hope the judge tells The Chamberlain Group to fuck off, but I suspect he won't.
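Added example, not from the post above and not any vendor's code: a Python simulation of the two receiver designs the post contrasts. The fixed-code remote sends the same DIP-switch value on every press, so a captured press replays fine; the rolling-code remote sends a counter plus a keyed tag, and the receiver only accepts counters that move forward within a window, so the same frame is refused the second time. Real products use their own proprietary schemes; HMAC-SHA256 stands in here for "keyed and unpredictable", and the 16-press window is an assumed value. The DIP-switch count (1 frequency, 8 manufacturer, 8 code) is the one the post gives.

```python
import hashlib
import hmac


class FixedCodeRemote:
    """Old-style opener: the DIP switches set a static code and every press
    sends the same bits, so anything that hears one press can replay it."""

    def __init__(self, dip_code):
        self.dip_code = dip_code

    def press(self):
        return ("fixed", self.dip_code)


class FixedCodeReceiver:
    def __init__(self, dip_code):
        self.dip_code = dip_code

    def accept(self, frame):
        kind, code = frame
        return kind == "fixed" and code == self.dip_code


class RollingCodeRemote:
    """Each press sends a fresh counter and a short tag over it under a key
    shared with the receiver (HMAC-SHA256 here, an assumption standing in for
    the proprietary ciphers real openers use)."""

    def __init__(self, key, counter=0):
        self.key = key
        self.counter = counter

    def press(self):
        self.counter += 1
        tag = hmac.new(self.key, self.counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]
        return ("rolling", self.counter, tag)


class RollingCodeReceiver:
    def __init__(self, key, window=16):
        self.key = key
        self.window = window  # presses out of range the receiver will tolerate
        self.last = 0         # highest counter accepted so far

    def accept(self, frame):
        kind, counter, tag = frame
        if kind != "rolling":
            return False
        # A replayed or stale frame has counter <= last; one far ahead of the
        # window is refused too, so a captured frame cannot be saved for later.
        if not (self.last < counter <= self.last + self.window):
            return False
        expected = hmac.new(self.key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(expected, tag):
            return False
        self.last = counter
        return True


def replay_attack(remote, receiver):
    """Capture one legitimate press, deliver it, then deliver the same frame
    again. Returns (first_accepted, replay_accepted)."""
    captured = remote.press()
    return receiver.accept(captured), receiver.accept(captured)


def dip_switch_keyspace(freq_switches=1, maker_switches=8, code_switches=8):
    """Number of settings a brute-forcer would have to try on a fixed-code
    receiver whose remote has this many DIP switches."""
    return 2 ** (freq_switches + maker_switches + code_switches)


if __name__ == "__main__":
    print("fixed-code replay:", replay_attack(FixedCodeRemote(0xB2), FixedCodeReceiver(0xB2)))
    key = b"shared-secret"
    print("rolling-code replay:", replay_attack(RollingCodeRemote(key), RollingCodeReceiver(key)))
    print("DIP-switch settings:", dip_switch_keyspace())
```

The window is the usability trade-off: presses made out of range advance the remote's counter without the receiver hearing them, and the receiver has to tolerate some of that gap or the remote stops working after a pocket-press. The grab-and-replay devices the post mentions are exactly what the counter check defeats, while the DIP-switch keyspace only makes blind guessing slow.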
If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.
You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place?
Dude, I'm so glad you're not a lawmaker. Please tell me you're being sarcastic or cynical or something. Let me offer an analogy. I have some fertilizer locked in my garden shed. If someone breaks in, steals it, uses it to build a bomb, and blows up some people, am I responsible? No. No court in the world would convict me. I took reasonable precautions, but the unforeseen happened. If I happen to drop some change in the street, and a wino finds it, and that gives him enough money to buy a bottle of booze, and that bottle of booze is one bottle too many and kills him, am I responsible? Of course not.
Now let me offer an example. Suppose I was running OpenBSD a while back. You know, that ueber-secure operating system. Suddenly, it's discovered that there's a remote hole in the default install for the first time ever. And, after the exploit is discovered, but before the patch is released, someone gets into my system, and uses it to coordinate a DDoS attack on AOL. Am I responsible? Hell no - no patch was available yet.
All right, another example: Suppose I run Linux. I am subscribed to every single security mailing list. I audit my system by hand daily, and by a cron job every hour. I run as few services as possible (say, sshd, and that's it). I apply patches within minutes of them coming out. Then, I decide to go to the Caribbean for a few days for a much needed vacation. While I'm on vacation, with no Internet access, a hole is discovered in OpenSSH. My system is one of the first to be 0wnz0red, and I can't do anything about it. My system is then used as part of a DDoS attack on openbsd.org. Am I responsible because I decided to go on vacation? I hope not.
Even the most responsible of people can have their machines 0wnz0red by pure bad luck. It's called life. Shit happens. You deal with it, and move on. Yes, it's unfortunate. Yes, it's aggravating. But you fucking deal with it. You worry about your systems, and let me worry about mine. I have no problem if my ISP cuts off my service because there was a hole I hadn't patched. I deserve that, and they're protecting their customers. But to say that I'm responsible for anything done with my machine just because I happened to be asleep when a vulnerability was discovered is ridiculous.
As others have pointed out in previous replies, graffiti has a very specific threat to the business (eg, virtually none). The relevant question (money) becomes clear when you compare these two questions:
1) If you show up at your local store and find that someone graffiti'd the wall, would you still buy something there, or would you get in your car and leave?
2) If you hit a website for a retailer and find that someone graffiti'd their front page, would you still buy something there, or would you go someplace else?
Very true. I realized this shortly after I posted. Certainly if you show up at BestBuy and find someone spray-painted it, you're probably going to still buy something, and might even sympathize with them. If you show up at BestBuy.com and find the goatse picture there, you're probably going to go somewhere else, because after all, if they can post that on the web page, maybe they can get your credit card numbers too.
I wonder if there's a law that allows you to prosecute someone for hurting a business. There probably is, although it's probably very broad, which might be a bad thing...
Here's a novel idea - let the punishment be the same as in real life.
If you deface a website, you get the same punishment as you would for spray-painting the front of an office building.
If racial epithets or offensive slogans are involved, it becomes a hate crime.
Delete some data or system files? The same as if you broke into an office and started smashing desks.
Steal some data? The same as if you broke into an office and walked out with some file cabinets.
Having the punishment be the same as in the physical world will eliminate a lot of "Waah, it's not fair, look what they did to the poor 15 year old kid." It will take a lot of people to convince me that breaking into a computer and stealing personnel records is somehow less of a crime than, or different from, breaking into a building and stealing the paper equivalents. By the same token, if a kid thinks it's not ok to spray-paint an office building, but it is ok to deface a website, well, then, that's a pretty stupid kid.
Of course, this is not a black and white issue. In the real world, spray painting a building can be done without breaking and entering. In the electronic world, that's usually not the case - the cracker must break into the system to deface the web page. (Unless, of course, the site has some sort of CGI-based web page update feature with no password set, but that's not too common I bet). Maybe we could make them do something useful, like 200 hours of community service. Or maybe we could have them write the following 1000 times: "L33t haxx0rs are actually dateless retards who, despite their bragging, don't actually drink beer or get pussy."
Short of the defacement of a website, everything else is analogous to real life. Whether you smash a window and steal a file cabinet, or use a root exploit and tar up some data, you're doing the same thing. And since you'll get the same punishment, you'll get (hopefully) thrown in jail for 2-3 years for breaking and entering. This means you'll have a big biker dude named Ripper for your roommate, and when they find out that you did your "breaking and entering" not by using a baseball bat, but rather by sitting in front of a computer drinking Mountain Dew and eating day-old pizza, what they'll do to you will be much more punishment than what the government could ever do to you.
You MAY be SURPRISED to receive this, but THE OFFICE GIRL said that you were a most TRUSTWORTHY PERSON. I beg you Forgive me for contacting you without prior contacting your office, but I am looking for a WORTHY business PARTNER to donate the sum of USD 124.5 million dollars. I am the son of the FORMER president of the U.S.A GEORGE BUSH who initiated a MILITARY CAMPAIGN in 1991. During this campaign, we discovered HUNDREDS of MILLIONS of DOLLARS stolen from THE REBELS. OUR economy is IN TROUBLE and we MUST get this MONEY overseas before the people DISCOVER it. We will gladly be willing to pay you the SUM of 26 MILLION DOLLARS for ASSISTING US. I pray to GOD that you will HELP US get this MONEY out of the country. ALL we need FROM you is your PASSPORT and SIGNATURE which you can fax to me or my colleagues to initiate the transfer of the MILLIONS of dollars. I remain your most humble SERVANT, and PRAY that you will be OUR SAVIOR.
That would be "brain".
I wonder if this story is just a troll...
Very true. Thanks for pointing that out - I neglected to clarify that in my original post....
Why does this merit a "sigh"? They're not talking about another DRM implementation here - apparently Roblimo doesn't understand this.
Asset and License Management Software has been around for years. In case you're confused, Macrovision is NOT talking about the product activation you see in Windows XP or TurboTax. Rather, they're talking about something like KeyServer, which allows large organizations to buy one copy of Photoshop or something, and "Key" it, so that it can only be unlocked by talking to a KeyServer. This allows you specify the number of concurrent users on the network, and any other number of restrictions (which workstations can use it, etc). This is extremely cost-effective for companies - they buy, say, 5 licenses of photoshop, key it, and then make sure only 5 users can use it at once. Thus, when the BSA comes knocking on the door and says "Hey, you have 100 computers - we demand 100 licenses", they can say "sorry, we enforce concurrent use of no more than 5 copies of the app. Have a nice day." It also prevents employees from stealing a copy of Photoshop and taking it home with them (it won't work). However, this solution is only available on Windows and Mac (and, for the longest time, it was Mac only). I don't see why this is such a problem that it now runs on Linux.
What this means is that WidgetCo, which uses, say, Matlab, and has 200 workstations, can save a ton of money by only purchasing 50 licenses. The MathWorks (matlab makers) won't have a problem with this as long as they can be assured that no more than 50 copies will be running concurrently. (And no, the honor system doesn't work anymore). FLEXlm software (what Macrovision is offering) can help assure this. This setup is what many colleges or large institutions use to assure that commerical software on UNIX is abiding by the terms of their licensing agreements or package deals.
So now WidgetCo can save even more money, because instead of having to buy costly Solaris licenses to run a platform that supports licensing software, they can now use Linux, and yet another big institution will be running GNU/Linux.
I know it would be nice if everyone using Linux also used other GNU software to get their jobs done, but really, there's always going to be commerical software. We should be cheering the fact that there is one less obstacle for large organizations to adopt Linux and still maintain their licensing agreements with the big commercial software firms. In fact, FLEXlm has been around for a long time (at least since '91), but it was only for certain flavors of UNIX (read: Solaris). All that happened is that Macrovision bought out the company, and released a version that runs on Linux. Good for them.
This implies that even if the DoD fixes the problem, the Google caches will still be available (until they expire or are replaced). Now, in the past, we've heard reports of people being upset that Google cached information. However, this time, the cache contains information pertaining to "national security" (that great new buzzword). I wonder, what will happen? Will these URLs be silently deleted from the cache? Will Google be told that caching links is now illegal because it could aid terrorists? Will they be prevented from caching .gov and .mil? Will Google be sued out of existence?
We've all found Google caches to be useful, when, say, the documentation for an open source project is hosted via a 56K modem line in the Czech Republic, for example, or even when a site is Slashdotted, but it'll be interesting to see what happens about this, and how the government may over-react.
(Note, if you're too stupid to understand this, I'm not talking about blame here - don't bother saying "Google rulez, the militery is dum asses for leeving these sitez open, u r an idiot...". I'm talking about repercussions. Certainly Google doesn't "know" what information a link contains when they cache it. Certainly it's the government's fault for leaving open admin pages with default passwords listed on the page. But just because someone isn't at fault, doesn't mean they can't get screwed over.)
Actually, I've found direct-mail marketers are the most amenable to taking you off their lists. Their marketing method actually costs them real money each time they send something (well, so do telemarketers, but they probably have deals with the cheap long distance carriers), so they're not interested in sending things to people that don't want them.
When I moved into my new apartment, I got the usual barrage of "Resident" catalogs and coupon books, and credit card offers with the "low, low rate" of 24% interest. They died down a little, but were still a lot. I called the opt-out number for the credit bureaus: (888) 5OPT-OUT. It's automated, takes two seconds, and then you just need to fill out and sign a form they send you. That gets you off the free credit offers for all 3 credit bureaus.
The other aggravating thing was that in the Boston Area, if you don't subscribe to the Globe, you still get the advertising circulars by direct mail. (Some people love this). However, I got the return address, looked them up in the phone book, and called them. They have a menu option to be removed from their mailing list - press it, and you get a real human being on the other end (that surprised me). She was very nice, and promised that I'd stop receiving the flyers by the end of the month. And indeed I haven't gotten one since.
He just kept repeating this over and over, didn't he? Regardless of what the interviewer said. Now, I understand he has to watch what he says when he's on the record, but he came off as totally clueless when he kept saying this over and over. I read the interview like this:
These folks are claiming that the earth is round.
See, the problem is, these people are embracing a circular model, which is ill suited to everyday life. Think about it - if you walk outside, you'll have to take into account the curvature of the earth, and really, you're not walking on a flat surface. Imagine the confusion that would cause your brain - your eyes tell you the ground is flat, but your mind knows it isn't.
But, we have people who have sailed and flown around the earth - there's no edge to fall off.
I admit, their round view is interesting, but eventually you'll encounter that edge, and you'll fall off. It's far safer to subscribe to our view that earth is flat.
How do you account for the celestial movements observed - they could not exist if the earth was flat.
These observations are flawed - these astronomers are not looking at the whole picture. Sure, the portion they observe is round, but in the big picture, it's flat. We find that users are comfortable with a flat view of the earth, and it's only a matter of time before those astronomers are burned at the stake.
How do you respond to the National Science Foundation's findings that the earth is in fact round?
Those findings are biased. The earth is flat - there's no further discussion on the issue.
Uh, no. In most places, if you lend someone your car, and they get a ticket, you're responsible. You should carefully consider who you're lending your car to.
Now, if you report your car as stolen (and it actually was stolen), and it shows up on one of those speed cameras, then yes, you can probably get out of the ticket, but not if you just lent it to your lead-foot friend.
Yeah, same in Boston. We recently got some new area codes added to our local calling area, so we have to dial 10 digits instead of the previous 7. We certainly don't have to dial the '1'.
By contrast, however, in Rhode Island (401 for the whole state), when New England Telephone became NYNEX (yes, it was always a subsidiary, but when they actually changed the name), we had to dial '1' + 7 digits if we were calling outside our local calling area, but within 401. Then they became Bell Atlantic, and we had to dial 1+401+7 digits outside the local calling area (but within 401). Then they became Verizon, and now you just dial 7 digits anywhere within 401, and it's up to you to remember whether it's a local call or a toll call.
So, I think basically the "1" is at the whim of the phone companies, and it is no longer the reserved digit signifying "long distance". Unless of course the NYT got it wrong. Someone who works for the phone companies (or has hacked into their switches - Hi Kevin!) should explain to us why New Yorkers need to dial a 1 when they have overlay codes, and those of us elsewhere (Boston, DC) don't.
Um, hello?
They're banned on the SIDEWALKS. So are bikes. Why? Because on a crowded sidewalk, you have very little room to maneuver or stop. A kid walking with his parents could let go of Mommy's hand to go look at a toy in a window, and could get hit by a bike. The same thing could happen with a Segway.
If it was an all out ban (ie: "Only terrorists use Segways"), you might have a point, but you don't.
I said "slightly more inclined to agree". I didn't say "that's a brilliant idea". Nor did I say that lusers only use dialup. I said that there is a lot less accountability with dialup due to free trial accounts. There just is. There's no such thing as "free trials" of DSL or cable (there may be money-back guarantee trials, but that's not the same). When DSL or cable is installed, it's tied to a physical street address and/or phone number - someplace you could send the cops to arrest a spammer. With AOL's free trials (some of which don't even require credit cards now), there's no accountability. Sure, you have the phone number they dialed from, but that's not necessarily the person's residence. There are plenty of devices that spoof Caller Number Delivery. Sure, you have the info they entered for the free trial, but what does that get you? All you know is that M. Mouse, of 123 Main Street, Redmond, WA called into AOL from 555-1234, and sent a bunch of spam to open relays.
This will stop most luser spam, because most lusers don't have fixed IP internet connections.
Oh, that's nice of you to pass value judgements based on people's IP addresses.
I am not a "luser" (I have probably forgotten more about computing than you know), but I have a dynamic IP address simply because I don't feel like giving ATTBI another $50/month to get a static one. I also have a reason to send mails out on port 25 - I don't use my ATTBI e-mail address, I use my business one. Thus, I send my e-mail through my company's SMTP servers. I certainly have permission to do this, and a legitimate reason, so why should I be punished? I also run an SMTP server (authenticated). Sure people try and send spam through it (every day my syslog is full of Relaying Denied messages), but they fail. When they fail, their address gets blackholed (by me), and passed on to all my friends to be blackholed too.
Now, if what you meant to say was "port 25 blocking should be instituted for people on dialup addresses", I might be slightly more inclined to agree with that. There's a lot less accountability with dialup (read: modem) addresses (due to free trial accounts) than there is with cable or DSL. AT&T Worldnet, for example, drops any outgoing packets on the floor destined for port 25 on a machine other than mailhost.att.net. Most of the relay attempts I see in my logs are from dialup pools.
So what is the solution? Certainly any time you institute a widespread "solution" (blackholing, port blocking, etc), innocent folks are always going to be punished. There's lots of chatter about creating a new protocol, but guess what? If it ain't supported by Outlook, you're SOL. Whether you like it or not, no ISP is going to switch from SMTP to a protocol that will alienate a large portion of their clients. And, guess what, MS isn't going to switch from SMTP. Why? Well, at the spam conference, they said they had found the perfect algorithm to filter spam. Of course, they declined to tell us what it was...
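The comment above describes the routine of reading "Relaying denied" messages out of syslog, blackholing the source address and noting that most attempts come from dialup pools. The following is an added example, not code from the original poster: it triages constructed sendmail-style log lines, counts relay rejections per connecting IP, flags addresses whose reverse DNS name looks like a dialup pool (a naming heuristic, not a reliable classification), and emits block entries for repeat offenders. The log lines, IP addresses, hostnames and the `threshold` parameter are all constructed for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log in a sendmail-like syslog format (not real log data).
# 203.0.113.77 is a repeat offender from a dialup-looking rDNS name,
# 198.51.100.23 a repeat offender with no rDNS, 192.0.2.99 a single attempt,
# and 192.0.2.10 a legitimate accepted submission that must not be counted.
SAMPLE_LOG = """\
Mar  3 02:14:07 mail sendmail[4121]: h23714AB04121: ruleset=check_rcpt, arg1=<victim@example.net>, relay=[198.51.100.23], reject=550 5.7.1 <victim@example.net>... Relaying denied
Mar  3 02:14:09 mail sendmail[4122]: h23715AB04122: ruleset=check_rcpt, arg1=<other@example.org>, relay=[198.51.100.23], reject=550 5.7.1 <other@example.org>... Relaying denied
Mar  3 02:20:31 mail sendmail[4130]: h23721AB04130: from=<me@example.com>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=laptop.example.com [192.0.2.10]
Mar  3 02:25:44 mail sendmail[4140]: h23726AB04140: ruleset=check_rcpt, arg1=<spam@example.net>, relay=dialup-203-0-113-77.isp.example [203.0.113.77], reject=550 5.7.1 <spam@example.net>... Relaying denied
Mar  3 02:25:45 mail sendmail[4141]: h23726AB04141: ruleset=check_rcpt, arg1=<spam2@example.net>, relay=dialup-203-0-113-77.isp.example [203.0.113.77], reject=550 5.7.1 <spam2@example.net>... Relaying denied
Mar  3 02:25:46 mail sendmail[4142]: h23726AB04142: ruleset=check_rcpt, arg1=<spam3@example.net>, relay=dialup-203-0-113-77.isp.example [203.0.113.77], reject=550 5.7.1 <spam3@example.net>... Relaying denied
Mar  3 02:40:12 mail sendmail[4150]: h23740AB04150: ruleset=check_rcpt, arg1=<x@example.net>, relay=[192.0.2.99], reject=550 5.7.1 <x@example.net>... Relaying denied
"""

DENIED_MARKER = "Relaying denied"
# relay=<optional rDNS name> [<ip>]  -- the rDNS name is absent when there is none.
RELAY_RE = re.compile(
    r"relay=(?:(?P<host>[^\s\[\],]+) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)
# Fragments commonly seen in dialup / dynamic pool rDNS names. Heuristic only.
DIALUP_HINTS = ("dial", "ppp", "dyn", "pool")


@dataclass
class Offender:
    ip: str
    count: int
    hostname: Optional[str]
    dialup_like: bool


def parse_relay(line: str) -> Optional[Tuple[Optional[str], str]]:
    """Return (rDNS name or None, ip) from a log line, or None if absent."""
    m = RELAY_RE.search(line)
    if not m:
        return None
    return m.group("host"), m.group("ip")


def relay_denials(log_text: str) -> Counter:
    """Count 'Relaying denied' rejections per connecting IP address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if DENIED_MARKER not in line:
            continue  # accepted mail and unrelated lines are ignored
        parsed = parse_relay(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def looks_like_dialup(hostname: Optional[str]) -> bool:
    """Naming heuristic: does the rDNS name look like a dialup/dynamic pool?"""
    if not hostname:
        return False
    h = hostname.lower()
    return any(tag in h for tag in DIALUP_HINTS)


def offenders(log_text: str, threshold: int = 2) -> List[Offender]:
    """IPs with at least `threshold` rejections, busiest first."""
    counts = relay_denials(log_text)
    hostnames: Dict[str, str] = {}
    for line in log_text.splitlines():
        if DENIED_MARKER not in line:
            continue
        parsed = parse_relay(line)
        if parsed and parsed[0]:
            hostnames[parsed[1]] = parsed[0]
    result = [
        Offender(ip, n, hostnames.get(ip), looks_like_dialup(hostnames.get(ip)))
        for ip, n in counts.items()
        if n >= threshold
    ]
    result.sort(key=lambda o: (-o.count, o.ip))
    return result


def access_entries(found: List[Offender]) -> List[str]:
    """Block entries in the shape of sendmail access-map 'Connect:' lines.
    Check the syntax against your own MTA before installing them."""
    return [f"Connect:{o.ip}\tREJECT" for o in found]


if __name__ == "__main__":
    for o in offenders(SAMPLE_LOG):
        print(o)
    print("\n".join(access_entries(offenders(SAMPLE_LOG))))
```

With the constructed log, `offenders(SAMPLE_LOG)` returns 203.0.113.77 (3 rejections, dialup-looking name) ahead of 198.51.100.23 (2 rejections, no rDNS), while the single attempt from 192.0.2.99 stays below the threshold and the accepted message from 192.0.2.10 is never counted. The threshold is what keeps a one-off misconfigured client from being blackholed alongside a real relay prober.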
Please to be reading the article.
This is not about iTunes license agreement, or about EULAs or shrinkwrap licenses at all. This is about the iTunes SDK license. This is very, very, very different. SDKs or development environments have had licenses long before 40 page EULAs became the standard. You're getting access to information that joeuser doesn't normally get. You're also not getting "software" per se, you're getting documentation, APIs, and maybe some libraries and header files. You're not getting a program you can "run" - you have to contribute your own code to make that.
You make a good argument for why software in general shouldn't have licenses. But that's not what's at issue here.
test
Not quite. Certainly, MS licenses are restrictive. Licenses in general are. If they weren't restrictive, there'd be no need for them. Are MS licenses too restrictive? Probably. Does this mean they can be violated? No. If there was an article about Corporation X, which made 500 copies of a Windows 2000 CD, and installed it on all of their computers, and got busted by the BSA or MSFT, I'd be on the side of MS, as much as I'd hate it. Apple licenses do tend to be less restrictive than MS licenses, especially the APSL, which, by nature, is less restrictive.
As for the Xbox mod chip stuff, that's totally different. There was no license involved. That was the DMCA (unless I'm mistaken). That's a whole different issue. If Apple had tried to use the DMCA against iCommune, you're damn right I'd be upset, because the DMCA has no place here. But they didn't. You're comparing Apples and Oranges. (no pun intended)
(Don't bother linking to the articles in which Apple has used the DMCA against people. I don't care. I'm only pointing out they didn't use the DMCA in THIS CASE.)
Uh, it's not about Mac OS X being proprietary. It's not about the DMCA. It's not about the RIAA. It's not about Big Corporations squashing innovation. It's about the iCommune folks agreeing to a license when they used the API, and violating the terms of that license, and Apple revoking it. Apple is fully within their rights to do this, and I have no sympathy for iCommune at all. They agreed to the license, and they broke the rules. That's just too damn bad.
And it's not like Apple used the DMCA or something to do this. All they did was send a letter saying "Hey, you agreed to this license, and now you violated it. Please stop."
Come on people, it's a LICENSE. Just because you don't like the terms of it doesn't mean it's not real. You know that if someone violated the terms of the GPL and got in trouble for it, we'd all be celebrating. When you support the enforcement of one LICENSE and cry foul when another is enforced, you lose a lot of credibility.
Now, if the license was ambiguous, and what iCommune did wasn't specifically prohibited, and then Apple tried to claim it was, then I'd be upset. But this is open and shut.
Frankly, I'm getting a little upset about seeing all these stories on /. designed to trick you into thinking someone is stomping on your rights. Like the one about the student who STOLE documents from a law firm. And this one about a LICENSE VIOLATION. What's next? "Man Arrested for Possession of Linux: Police arrest man for breaking into BestBuy and stealing copies of RedHat Linux"
s/house/company/g;
Not really. Universal garage door openers have a bunch of DIP switches that you need to set to match the frequency and manufacturer of the receiver. I have a Skylink universal opener, and there is one DIP switch for the frequency setting, 8 for the manufacturer, and 8 for the code. Do the math. It would take a long time to try each combination, and I think most people, if they noticed some guy in a car sitting in front of their house for a while, would call the cops.
Thieves do exploit automatic garage door openers, but there are more sophisticated devices that simply scan and capture the signal from a legitimate transmitter and use that to open the door. (That's why most new garage door openers have rolling codes - so the same signal isn't accepted twice in a row).
I don't think you can make a universal key
Yes you can. It's called a master key. You have to be a locksmith, or be really good at social engineering to get one. And it only works for a subset of models of a specific brand of lock. But, yes, if some guy goes to your house, and recognizes that you have a Yale lock, model $foo, then he could likely get a master key for it.
Anyway, back to remotes. This is ridiculous. Skylink is filling a market that wouldn't otherwise exist. When the remote for our garage door opener crapped out (well, it broke in half, but that's another story), I went to get a new one. Quoth the company (after about an hour's worth of phone tag) "No, sorry, we don't make replacement remotes for those anymore. Why don't you try a universal remote?"
I think The Chamberlain Group doesn't actually give a shit about patent infringement (which is what this is about - go read the case). I think what we're seeing in this case, and with Lexmark, and with the many more cases that will come, is the result of desperation. These companies are looking for a quick buck in hard economic times and understandably so. The DMCA has given them a great tool with which to make this quick buck. Now, if Skylink was some new fly-by-nite company from China that was ripping off these remotes, I'd have a little more sympathy for the Chamberlain Group. But they're not. Skylink has been around since _at least_ 1993 (that I know of), and probably longer. There are Skylink products on the shelf of every Home Depot in the country, and they've been there for 5 years (that I know of). I sincerely hope the judge tells The Chamberlain Group to fuck off, but I suspect he won't.
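The garage door comment above makes two points worth seeing in code: a fixed-code opener with 1 + 8 + 8 DIP switches has a finite keyspace ("do the math"), and a fixed code is accepted every time it is sent, which is exactly why newer openers use rolling codes that refuse a repeated signal. The following is an added example, not code from the original poster or from any opener vendor: it computes the DIP-switch keyspace and models a fixed-code receiver beside a simplified rolling-code receiver. The rolling-code scheme here (a shared secret key, a per-transmitter counter, an HMAC tag and a forward acceptance window) is a generic textbook construction chosen for illustration, not the scheme any particular manufacturer ships; the key, serial number and `window` value are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

Frame = Tuple[int, int, bytes]  # (serial, counter, tag)


def fixed_code_keyspace(frequency_switches: int = 1,
                        manufacturer_switches: int = 8,
                        code_switches: int = 8) -> int:
    """Number of distinct DIP settings on a fixed-code universal remote.
    Defaults follow the 1 + 8 + 8 switch layout described above."""
    return 2 ** (frequency_switches + manufacturer_switches + code_switches)


class FixedCodeReceiver:
    """A receiver that opens whenever the transmitted code matches its DIP
    setting. It cannot tell a fresh press from a recording of an old one."""

    def __init__(self, code: int) -> None:
        self.code = code

    def accept(self, code: int) -> bool:
        return code == self.code


def _tag(key: bytes, serial: int, counter: int) -> bytes:
    """Authentication tag over serial||counter (truncated HMAC-SHA256)."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class RollingTransmitter:
    key: bytes
    serial: int
    counter: int = 0

    def press(self) -> Frame:
        """Each button press increments the counter and sends a fresh frame."""
        self.counter += 1
        return (self.serial, self.counter, _tag(self.key, self.serial, self.counter))


@dataclass
class RollingReceiver:
    key: bytes
    serial: int
    last_counter: int = 0
    window: int = 16  # how many missed presses the receiver tolerates

    def accept(self, frame: Frame) -> bool:
        serial, counter, tag = frame
        if serial != self.serial:
            return False  # frame belongs to a different remote
        if not hmac.compare_digest(tag, _tag(self.key, serial, counter)):
            return False  # tag does not verify: forged or corrupted frame
        if counter <= self.last_counter:
            return False  # already used: a replayed (captured) signal
        if counter > self.last_counter + self.window:
            return False  # too far ahead: would need a resync procedure
        self.last_counter = counter
        return True


def replay_comparison() -> Tuple[bool, bool]:
    """(fixed-code replay accepted?, rolling-code replay accepted?)"""
    fixed = FixedCodeReceiver(0b1_01010101_11001100)  # constructed DIP setting
    captured_fixed = 0b1_01010101_11001100
    fixed.accept(captured_fixed)                      # legitimate press
    fixed_replay_ok = fixed.accept(captured_fixed)    # same signal again

    key = b"constructed-demo-key"                     # constructed shared secret
    tx = RollingTransmitter(key=key, serial=42)
    rx = RollingReceiver(key=key, serial=42)
    captured_rolling = tx.press()
    rx.accept(captured_rolling)                       # legitimate press
    rolling_replay_ok = rx.accept(captured_rolling)   # same frame again
    return fixed_replay_ok, rolling_replay_ok


if __name__ == "__main__":
    print("DIP-switch keyspace:", fixed_code_keyspace())
    print("replay accepted (fixed, rolling):", replay_comparison())
```

The window is the design trade-off: a remote pressed out of range advances its counter without the receiver seeing it, so the receiver must accept a counter somewhat ahead of the last one, but a counter at or below the last accepted value is always refused, which is what defeats a recorded signal. Seventeen switches give 131072 settings, and a fixed-code receiver will accept its one matching value every time it is sent; the rolling-code receiver accepts the first frame and refuses the identical second one.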
You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place?
Dude, I'm so glad you're not a lawmaker. Please tell me you're being sarcastic or cynical or something. Let me offer an analogy. I have some fertilizer locked in my garden shed. If someone breaks in, steals it, uses it to build a bomb, and blows up some people, am I responsible? No. No court in the world would convict me. I took reasonable precautions, but the unforeseen happened. If I happen to drop some change in the street, and a wino finds it, and that gives him enough money to buy a bottle of booze, and that bottle of booze is one bottle too many and kills him, am I responsible? Of course not.
Now let me offer an example. Suppose I was running OpenBSD a while back. You know, that ueber-secure operating system. Suddenly, it's discovered that there's a remote hole in the default install for the first time ever. And, after the exploit is discovered, but before the patch is released, someone gets in to my system, and uses it to coordinate a DDoS attack on AOL. Am I responsible? Hell no - no patch was available yet.
All right, another example: Suppose I run Linux. I am subscribed to every single security mailing list. I audit my system by hand daily, and by a cron job every hour. I run as few services as possible (say, sshd, and that's it). I apply patches within minutes of them coming out. Then, I decide to go to the Caribbean for a few days for a much needed vacation. While I'm on vacation, with no Internet access, a hole is discovered in OpenSSH. My system is one of the first to be 0wnz0red, and I can't do anything about it. My system is then used as part of a DDoS attack on openbsd.org. Am I responsible because I decided to go on vacation? I hope not.
Even the most responsible of people can have their machines 0wnz0red by pure bad luck. It's called life. Shit happens. You deal with it, and move on. Yes, it's unfortunate. Yes, it's aggravating. But you fucking deal with it. You worry about your systems, and let me worry about mine. I have no problem if my ISP cuts off my service because there was a hole I hadn't patched. I deserve that, and they're protecting their customers. But to say that I'm responsible for anything done with my machine just because I happened to be asleep when a vulnerability was discovered is ridiculous.
Hey! Now we know what Stage 2 is!
1) Collect Underpants
2) Implant RFID tags
3) Profit!!!
1) If you show up at your local store and find that someone graffiti'd the wall, would you still buy something there, or would you get in your car and leave?
2) If you hit a website for a retailer and find that someone graffiti'd their front page, would you still buy something there, or would you go someplace else?
Very true. I realized this shortly after I posted. Certainly if you show up at BestBuy and find someone spray-painted it, you're probably going to still buy something, and might even sympathize with them. If you show up at BestBuy.com and find the goatse picture there, you're probably going to go somewhere else, because after all, if they can post that on the web page, maybe they can get your credit card numbers too.
I wonder if there's a law that allows you to prosecute someone for hurting a business. There probably is, although it's probably very broad, which might be a bad thing...
Having the punishment be the same as in the physical world will eliminate a lot of "Waah, it's not fair, look what they did to the poor 15 year old kid." It will take a lot of people to convince me that breaking into a computer and stealing personnel records is somehow less of a crime than breaking into a building and stealing the paper equivalents. By the same token, if a kid thinks it's not ok to spray-paint an office building, but it is ok to deface a website, well, then, that's a pretty stupid kid.
Of course, this is not a black and white issue. In the real world, spray painting a building can be done without breaking and entering. In the electronic world, that's usually not the case - the cracker must break into the system to deface the web page. (Unless, of course, the site has some sort of CGI-based web page update feature with no password set, but that's not too common I bet). Maybe we could make them do something useful, like 200 hours of community service. Or maybe we could have them write the following 1000 times: "L33t haxx0rs are actually dateless retards who, despite their bragging, don't actually drink beer or get pussy."
Short of the defacement of a website, everything else is analogous to real life. Whether you smash a window and steal a file cabinet, or use a root exploit and tar up some data, you're doing the same thing. And since you'll get the same punishment, you'll get (hopefully) thrown in jail for 2-3 years for breaking and entering. This means you'll have a big biker dude named Ripper for your roommate, and when they find out that you did your "breaking and entering" not by using a baseball bat, but rather by sitting in front of a computer drinking Mountain Dew and eating day-old pizza, what they'll do to you will be much more punishment than what the government could ever do to you.
And I'd have gotten away with it, too, if it weren't for you meddling kids^H^H^H^Hgeeks.
Mr. IRAQI PERSON,
You MAY be SURPRISED to receive this, but THE OFFICE GIRL said that you were a most TRUSTWORTHY PERSON. I beg you Forgive me for contacting you without prior contacting your office, but I am looking for a WORTHY business PARTNER to donate the sum of USD 124.5 million dollars. I am the son of the FORMER president of the U.S.A GEORGE BUSH who initiated a MILITARY CAMPAIGN in 1991. During this campaign, we discovered HUNDREDS of MILLIONS of DOLLARS stolen from THE REBELS. OUR economy is IN TROUBLE and we MUST get this MONEY overseas before the people DISCOVER it. We will gladly be willing to pay you the SUM of 26 MILLION DOLLARS for ASSISTING US. I pray to GOD that you will HELP US get this MONEY out of the country. ALL we need FROM you is your PASSPORT and SIGNATURE which you can fax to me or my colleagues to initiate the transfer of the MILLIONS of dollars. I remain your most humble SERVANT, and PRAY that you will be OUR SAVIOR.
SINCERELY,
MR. PRESIDENT GEORGE W. BUSH