What level and what type of education do you and your fellow examiners have? Do you routinely divide up work according to areas of expertise or knowledge? Do you feel it helps in your decision-making process to weed out frivolous applications and approve genuine patents? Do you and your co-workers find time to stay up-to-date on issues surrounding your office's public view such that it helps guide you toward positive ends?
How often do you get applications for simple stuff that clearly has been done by others or is non-innovative, such as using images in an online business, or one-click shopping? If the rate is high, do you suspect that frivolous patents in the US are to blame? If the rate is low, do you attribute this to the overall examination of each application?
load up the page of comments and see an ad for Microsoft Visual Studio .NET.
but the legislation they're proposing is for non-intrusive techniques (e.g., ping floods, DoS a P2P node by remotely clogging up its bandwidth). The line they've drawn is that they cannot go into the user's machine to delete or modify files, etc. Granted, they provide a cop-out for "accidental" deletions, but I think even Congress will see the abuse potential in that.
good thought, and it was tried once. unfortunately, it fell under the category of modifying a machine without permission, which makes it illegal. I think it happened in the late 1980s/early 1990s; a buncha hackers got into serious trouble with the FBI over it.
try going to Slashcode's page on SourceForge and submit that as a feature request. I've done similar for a wireless topic, and also attached an image.
is there gonna be something like alt.images.ascii.google on the near horizon??
... is how long until the goatse ASCII image turns up?
I know. it seems odd. usually they use white candles. one of the sites where the spots showed up was outside a church. it might be something like the candle drips, and maybe a few days later turns black from sunlight, but then again, IANAC (I am not a chemist).
something the CNN article mentioned was use in industrial processes. there are a fair number of factories in Camden; you drive past them on I-676 between the Whitman and Franklin Bridges. That's also the general area where these spots showed up.
But something brought up in the first article -- why only recently? Those factories have been there for as long as I can remember, and planes have been landing at PHI airport (another suspicion was jet exhaust) from over South Jersey for a long time as well. For some reason, the candle theory just seems to fit.
I live in the Camden/Philly area.... on the news last night they said it might be from candlelight vigils. Why residents didn't make a connection between vigils and the spots is beyond me, but like I said above, this is Camden we're talking about.
that would make sense. I live in Clementon (next town over from Lindenwold), about a mile up Berlin Rd from the Park. A few years ago I was landing on a flight from Florida to PHI, and saw the big ferris wheel and my house in the same view.
Anyways, I saw on Channel 6 News last night that the blobs have been solved - paraffin wax, most likely from candlelight vigils and such.
I know that a lot of people blamed programmers for not fixing the problem long before it became a real problem. Many programmers countered that they had tried to fix it (some as far back as the late 1980s), but product managers and such refused to allow work on it, either not seeing the problem or an early example of deadlines over quality.
Finally, we programmers have proof that we considered the problem a good 15 years before it became problematic.
Now, what are we doing about the Y10K problem?
maybe that can solve the India-Pakistan problem....
Dirty Jersey also exists not just near NYC, but all the way down the turnpike, enhancing that Dirty Jersey feel to people traveling from, say, Washington DC to New York. That's why I mentioned coming away from the TP by a few miles.
As mentioned in another post, I grew up in Camden County, about 18 miles from where the blobs are. The area is on the western fringes of the Pine Barrens, and the Barrens are slowly losing their space to urban housing developments.
He was in NJ recently on a concert tour. I think he performed at the Tweeter Center, which is in Camden.
While I realize the joke you're making, you must live near Newark. Come down south some, and you'll find farmland and the Pine Barrens. It's a few miles off the turnpike.
I go to school in Philadelphia, which is across the river from Camden, and grew up in southern Camden County, NJ, a comfortable 18 miles from Camden's state-leading crime rate and once close-to-nation-leading murder rate.
Anyways, I've seen this story on the local news. One suspicion is jet fuel falling from planes landing at Philly International, but I don't think that explanation holds much, as why haven't these blobs been there for however many years the airport has been there?
I personally would not be surprised if it's drug related. Philly started a huge crackdown on drugs in recent weeks, causing many druggies to leave town. Camden then started their own crackdown because that's where many druggies went.
I see your point, but I think that someone will have to look at some of Clarke's other comments and the position he holds within the administration. In particular, the point that refers to cars w/o seatbelts shows that he's good at putting things into terms most people are comfortable with, and suggests to me that he's capable of making similar analogies that will help illustrate his point.
For example: Auto insurance companies, AAA, and the NTSB are the "evil hackers" of the auto industry. Their offense? They safety test cars. Do we condemn such actions by those groups? No. Do auto makers sue and prosecute over revelations of problems? No. Then draw a parallel between this and a similar situation by security researchers and "evil hackers." They security test products. Should this action be condemned if they followed "good faith?" Should vendors sue/prosecute over revelations of problems?
If Clarke were to use something like that to defend his statements, I think more people (and the press) will get a true sense of what he means. Yeah, there will probably be the typical hype-up that the press is well known for, but in the end I think people (lawmakers especially, believe it or not) will see what's proper.
Incidentally, I'm surprised that some companies do try to persecute hole finders. They actually further embarrass themselves, and shoot themselves in the foot as other researchers and hackers will stop looking for holes in their products (fearing similar actions from that company against themselves), leading to less secure products from that company, leading to users switching to competitor products (if available) fearing crack attacks.
General guidelines I'd like to see: (note: when I say 'vendor' I'm also referring to developers of an open-source product)
- Email the vendor notice of a found bug, including a proof-of-concept exploit if available. Include your list of guidelines on how you want to work this, and try not to allow the vendor to dictate the terms of going public (or not).
- If after 7-9 days no response of any kind is made (aside from automatic responses), send the report and the exploit to bugtraq, along with an indication that the vendor was notified without responding.
- If the response is "thanks! we'll get right to this!", sit tight and wait until the patch is out. If no patch is out in 30 days or so (unless the vendor requests additional time, within reason), send a report of the bug, but not the exploit, to bugtraq, along with an indication of the vendor notice and their response, and that you have an exploit. Wait another 10 days or so; if there is still no patch, send the exploit.
- If they say "thanks, but no thanks", promptly send everything to bugtraq.
- If a patch is released, wait 7-9 days before divulging everything onto bugtraq.
At each step here, make everything known. When you first notify the vendor, tell them how you are going to respond if things don't happen. When you send to bugtraq, include word that you have notified the vendor and what the vendor's responses have been. This last part is extremely important, as it shows irresponsibility on the part of the vendor, and shows that you have attempted to act in good faith, but have been left with little choice.

NEVER suggest workarounds either publicly or to the vendor, as they provide vendors the ability to make a bug lower priority, and you risk being wrong, giving users that follow that workaround a false sense of security. Let the vendor be the one to suggest workarounds. Patches are generally ok, but only give them to the vendor/developer, as you don't want to be wrong in what you provide publicly, causing problems for your future notices. (For example, ISS's patch to Apache's recent flaw was incorrect. This means future patches from ISS may not be taken seriously.)

Lastly, use normal, well-written English. Don't use leet-speak, as it makes you look like a fool, keeps you from being taken seriously, or worse, miscommunicates what you mean.
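The staged schedule in the comment above, modelled as an added example (my code, not the poster's): each day count is the low end of the range the comment gives, and `Case`, `publication_dates`, `public_today` and `notice_header` are names I chose. It computes when the report and the exploit go to the list for each vendor outcome, and builds the vendor-contact history the comment says every post must carry.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed constants: the low end of each range in the comment above.
NO_REPLY_DAYS = 7        # no vendor reply at all -> report and exploit go public
PATCH_WAIT_DAYS = 30     # vendor promised a fix -> wait this long for a patch
EXPLOIT_GRACE_DAYS = 10  # report is public, patch still missing -> then the exploit
POST_PATCH_DAYS = 7      # patch shipped -> everything after this


@dataclass
class Case:
    notified: date                   # day the vendor was emailed
    reply: Optional[str] = None      # None, "will_fix" or "declined"
    reply_date: Optional[date] = None
    patch_date: Optional[date] = None
    extension_days: int = 0          # extra time the vendor asked for, within reason


def publication_dates(c: Case) -> tuple[date, date]:
    """Earliest dates on which (report, exploit) go to the list."""
    if c.reply is None:
        day = c.notified + timedelta(days=NO_REPLY_DAYS)
        return day, day
    if c.reply == "declined":
        return c.reply_date, c.reply_date
    if c.reply != "will_fix":
        raise ValueError(f"unknown vendor reply: {c.reply!r}")
    report_due = c.reply_date + timedelta(days=PATCH_WAIT_DAYS + c.extension_days)
    exploit_due = report_due + timedelta(days=EXPLOIT_GRACE_DAYS)
    if c.patch_date is None:
        return report_due, exploit_due
    full = c.patch_date + timedelta(days=POST_PATCH_DAYS)
    # A patch that lands before a deadline replaces it with "patch + 7 days";
    # a patch that lands after cannot undo a publication that already happened.
    report_date = full if c.patch_date <= report_due else report_due
    exploit_date = full if c.patch_date <= exploit_due else exploit_due
    return report_date, exploit_date


def public_today(c: Case, today: date) -> set[str]:
    """Which artifacts should already be on the list as of `today`."""
    report_date, exploit_date = publication_dates(c)
    out = set()
    if today >= report_date:
        out.add("report")
    if today >= exploit_date:
        out.add("exploit")
    return out


def notice_header(c: Case, today: date) -> list[str]:
    """Vendor-contact history to put at the top of any list post."""
    lines = [f"Vendor notified: {c.notified.isoformat()}"]
    if c.reply is None:
        lines.append(f"Vendor response: none in {(today - c.notified).days} days")
    else:
        lines.append(f"Vendor response ({c.reply_date.isoformat()}): {c.reply}")
    if c.patch_date is not None:
        lines.append(f"Patch released: {c.patch_date.isoformat()}")
    return lines
```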
well, look at where the guy came from. Before working for Bush, he worked for Microsoft. Not in product development, but rather as the guy in charge of their own LAN, "securing Ft Redmond's internals" as one guy put it once. Basically, he's got the experience necessary to make informed statements like he's making now. Before now, he probably couldn't make them because he worked for MS.
the left hand will soon know. Chances are good some congresscritter is gonna hear this story and instantly think "he's promoting computer crime and break-ins!?" and try to get more info. Net result: They see things from our angle better than they did before.
a *LOT* less than I do spam
also, all the spam is clearly scammer stuff and/or things that are just plain too good to be true. at least snail spam is legit, and the coupons from the pizza place round the corner come in handy.
would keep my inbox spam free if they charged 37 cents per email
right on.
Bruce Schneier has written about this many times. Most intrusions on computer systems and networks are not the fault of the vendor; it's the fault of the admin who doesn't apply timely patches, doesn't update virus defs, and expects the equipment to do all the work for him. Bruce's rationale is that good security is a process, not a product. And he's right. I also think his proposed solution is correct - cracker insurance providers should enforce good security by granting lower rates after they audit a system and certify it secure; higher rates for insecure setups.
good point, but read it this way -- If you pay taxes for it, using it makes your taxes worth it. If you don't use it, it's effectively money down the toilet from your point of view.