i saw the article earlier today. there are some things I just do not understand here. first some facts:
- The bug is in the OS crypto services
- It's NOT MS's crypto api
- Only IE is affected.
Time for rhetorical questions:
Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why can't the OS use the API? Or conversely, why is the API necessary when the services are in the OS?
How in the world is IE the only app affected? It seems more logical to assume that any app using these crypto services is also vulnerable.
in the article, it says they're also gonna set up a bunch of honeypots that act as P2P nodes and appear to be hosting Billboard 100 mp3 files. In reality, those mp3 files are spoofed, and are not the actual songs.
They're gonna use that pot to see who's accessing their network, and if the RIAA should cross the line with that pot, the accessing IP gets blacklisted.
Unfortunately, the loophole is that the RIAA can keep generating IPs out the wazoo, creating a whack-a-mole type of situation.
I agree. At some point there are individuals who simply are not competent to handle the world of programming, or college in general.
Having heard stories from grad students who have TA'd the first year courses at my school, there tend to be four types of students: Those who get it, and those that don't; those that work, and those that don't. Treated as a 2x2 table, every student will fall into one of the four cells, maybe not distinctly, but they will. It should be clear what students in each cell should do, whether it be continue deeper into CS, change majors/transfer, or drop out right away, or drop out a year later.
well, the government kinda already competes with corporate america. Take the US Postal Service as an example. It competes with FedEx and UPS.
wow!! that announcement looks great!
Warning: Too many connections in /var/www/html/pgp/conn.php on line 7
Warning: MySQL Connection Failed: Too many connections in /var/www/html/pgp/conn.php on line 7
Error: Could not connect to MySql
Fly-by Hackings?
There are also Java User Groups going up all over as well, and have been for several years. I'm not sure if they were founded by Sun or are funded by them, but Sun does have a website listing info about them, and it seems there are currently 954 of them.
er, i meant reading brainwaves for purpose of securing airplanes. it's too early still...
sounds like marketroids were at work here. i think reading brainwaves would fall under "products that violate laws of physics"
same could be done with Linus....
there might be a glitch to that. if the manufacturer directly sold a weapon to a person previously convicted of a gun-related charge, then yes, the manufacturer is liable for failing to perform a proper background check. OR, if the manufacturer provided guns to a dealer/distributor/whatever that was previously known to be selling to people previously convicted, they might be liable for that. As for a manufacturer selling directly to a qualified customer, or to a shop that sells to a qualified customer, then they should not be liable.
I'm not familiar with the case you're referring to, so I can't really comment on whether or not it would be precedent setting.
Possible considerations: It may have been the case that the manufacturers paid off the plaintiffs because it was cheaper than defending themselves, in which case that is not a usable precedent because it was an out-of-court settlement. OTOH, if a judge ordered the manufacturers to pay damages, then that may be a usable precedent.
Lastly: IANAL.
i am a programmer, and am aware of what an api is. while I am still a college student, I have spent a good amount of time as an intern working in the software industry, and currently spend my time in software research.
when programmers discuss bugs in an api, they are often referring to the implementation of that api. Very rarely is the interface itself discussed, and when it is, it's fairly obvious. In my post, I never indicated which I was discussing, but given the normalities of discussions between programmers and developers, I think it's safe to assume I was referring to implementation.
if a set of programs uses a particular api, and a bug is found in that api, then all the programs using that api need to be recompiled if they statically linked to it, otherwise only the dll needs to be recompiled if dynamically linked. if the interface to the api changes, then the application itself also needs to be revised and recompiled, regardless of static or dynamic linkage.
there is a crypto services portion of the os. they go to great lengths, both in the article and in culp's comments in that article, to indicate that this is somehow separate from the api. when this service gets patched, any other application that happened to be using that service would also become immune to the SSL bug in this article, whether or not that program's developers were aware of the bug.
that said -- it seems odd that IE would be the only app affected. It seems more odd that MS didn't use their own Crypto API in the development of IE and instead developed an os service that does the same thing.
Many non-MS applications use MS's Crypto API, the vast majority of them are private applications developed under a contract of some sort. It just plain seems odd that MS didn't use it in their own product, IE. It's like General Motors developing an engine and then not using it in their own cars, instead making it available to other carmakers.
well, several of the companies named in the suit are as large as some of the record labels suing them. AT&T, Sprint, etc won't be pushed over easily.
here's one way....
[If | When] they legalize DoS'ing P2P, launch attacks against the RIAA's "P2P" node (www.riaa.org) to "impair the use" of "copyrighted" DoS tools.
ok, that's probably the argument they're gonna be using. another poster indicated this is like suing the state highway administration for an accident, or the electric company because of an electrical fire. (others exist, like gas canister makers for arson)
given the size of the companies named as defendants, their lawyers will argue first amendment and/or make use of scenarios like those previously mentioned.
what legal requirement do all those ISPs have to block those sites to begin with? If there's none, RIAA has no case whatsoever.
the MS Crypto API is supposed to be used to provide crypto services and protocols to applications and other programs, SSL among them. So why is the OS providing a second implementation when it's already in the Crypto API, or vice versa?
I'm bashing MS because what they've done is re-invent their own wheel.
Phila/South Jersey has had this for about a year now. PATCO, the subway between Philly and Lindenwold, NJ started putting these in their underground tunnels in both Philly and Camden. I haven't seen one, as I typically drive, but there was a news article about it on tv that described it.
but then you have a bunch of people looking down the entire time, bumping into each other, wandering aimlessly into the street, etc.
i think he meant ramifications of publishing something under GPL. The NSA has followed the GPL terms, in that they published their source code from changes they made to the kernel, something they have to do because of the license.
The complaints he's referring to are probably from industry, and then Microsoft.
I think those complaints are without merit. According to their webpages, SELinux is a prototype, not something of production quality. It's just an implementation of a bunch of research into os security. Some of those ideas they implemented have been around 10+ years w/o ever going into a commercial closed-source OS, so the NSA probably wanted to show industry a proof-of-concept, then have industry produce their own Secure OS's that follow the ideas put forth in SELinux.
My response to the complaints the NSA is getting: Produce your own secure os, then you can talk.
that means CmdrTaco reduces his spam intake to around 500/day.
... the Million Geek March. If only we could get a million geeks away from their machines.
that is exactly what happened here. By refusing to tell them the idea, he violated his agreement that required him to disclose it. The company had full right to terminate and file suit. Though, that may not necessarily have been the best thing for them to do. Had they informed him of the agreement and given him an opportunity to reveal before firing him, this case would have a lot more meat on it in favor of DSC/Alcatel.
i told a co-worker the story in my post.
:-)
He told me of a similar story with the old game show "Press Your Luck." Three contestants play in turn, a set of squares around the tv screen have a light that jumps around. Contestant must press a button to stop the light, and take whatever the light lands on. Your turn ends when you land on a "whammy".
A guy watched hundreds of episodes and trained his brain to stop on the good squares. The entire show was just him. No other contestant got their turn. Naturally, the producers approached the guy and he admitted to knowing weaknesses in the game and using them to his advantage.
The best way to beat the Casino is to not play at all.
For the moment, I disagree, but that's just me. I've been to Atlantic City to gamble twice in my life, and have put around $80 on the line. I've walked away with about $110, all by playing slots. Granted, that's not much, which is why I disagree at the moment. I'll probably be going again in a few weeks, at which time I'll be in agreement with that statement :-)
Personally, I think if people succeed at exploiting holes in the casino, they should be entitled to their earnings. Many stories are out there about university profs with phd's in statistics running up high gains, and being forced to return it.
Perhaps the only way to exploit the system (that is, in cases like those we mention) is to not run up a large amount of cash in one fell swoop. Make several trips across multiple days, racking up a sum each trip such that you don't draw attention to yourself.
some years ago I saw a Discovery channel-type show on casino security. aside from all the cameras watching for card swappers and slot tamperers and such, a casino in atlantic city once hired a consultant to check their machines.
The casino had a game similar to the lottery where you had to guess a set of numbers, 8 in this case. A friend wearing a wire watched two rounds, relaying the 16 numbers in order to the truck with the consultant in it. That was all it took to crack the PRNG. Through the friend, they then played the game using the next 8 numbers, and hit it on each one. Naturally, the casino was curious given that such an event had never happened before. The best anyone until then had done was like 3. They got caught by their own demise -- they asked that cash be delivered to their hotel room, which allowed the casino to see who actually won. Had they cashed out the winnings on the spot, they probably would have gotten away with it.
Nowadays, however, if you have a large enough winning, you can ask the casino to write out a check and mail it to you. I live near Atlantic City, and every now and then you hear of someone being followed home and getting mugged (once someone was killed) in their driveway. Granted, it's rare for that to happen, about once every 5-10 years or so, but the risk is enough that I think people would rather not carry a large sum home.