And btw, what's to stop prankster from randomly picking sites registered at register.com and sending fake IDSA letters? No problem for the site (cheap registrars are a dime a dozen...), but might become problematic for Register.com if it happens on a large enough scale...
Yes it would. The server can just send back an empty page with a link to the real site if he notices that the referer is salshdot.org. Or send a meta refresh tag. No client side script needed.
> and they use a smart card that is disconnected from the computer to generate 8-digit access codes, no PINs or password is stored on the computer
Be careful here. Smart cards do not automatically mean security, and there are unfortunately many poor implementations around. And btw: if the smart card reader is disconnected from the computer, how does the encrypted data get to the web site?
I used to work for a bank which used a smart card reader for their e-banking product. Officially, the advantage of this solution over plain https would be that even if the user's computer was compromised by a trojan or a virus, his pin and passwords were still secure. However, unfortunately, the bank was too cheap to buy smart card readers with integrated keyboards and displays. Thus, a virus or trojan would just need to grab the cleartext data stream going from the computer's keyboard to the reader, and presto! After pointing out that flaw to my boss, he just said "You're basically right. However, you should understand that the goal is not to provide actual security, but rather to give the customer an impression of security. Customers read about security problems on the internet so frequently, that it takes sth special to convince them that E-banking can be secure. However, the same customers trust the security of smart cards, most already carry several of them in their wallet (credit cards, access badges, ATM cards...). So we just capitalize on their trust in smartcards and integrate one in our solution. Even if it doesn't help security. But don't worry: nobody'll find out, after all not everybody has a PhD in cryptography..." I don't either... but I still noticed.
> As despicable as these guys are, if we are to ban them because they "incite" murder, then banning DeCSS, reverse engineering, and everything else which "incites" law breaking is the next step.
Wait a minute, I have an idea. Why not put up a web page which lists the names, addresses, license plates, and the kitchen sink of the top level MPAA executives who initiated the suits against DeCSS?
A better example would be DNA (the genes). This kind of information has a natural tendency of wanting to spreading as widely as it can, it's called survival of the fittest.
And since pretty much any ISP will ditch you rather than face legal action, the people you've theoretically made upset with their ISP will go to...another ISP.
Guess what... I think this is the whole point. If the ISP is so trigger happy, he deserves to lose customers, that's just applied Darwinism.
Most ISP's will go the path of the least resistence. When faced with threats of legal action, currently the path of least resistance is to cave in. If we want to change that, we can either (1) take away resistance from the path of "standing up" (difficult), or (2) add more resistance to the path of caving in (by muddying the pond with a deluge of phony legalese).
...but only styrofoam lookalikes of clubs. These kinds of hoaxes will be quickly found out: the law office doesn't actually exist, or it does exist but doesn't know of the case, etc. Within days, service will be restored to the hoaxed users, and all it did was put lots of egg on the ISP's face. As the action continues, the omelette will spread to more and more ISPs, and ISPs will be increasingly weary of any legalese letter, especially if the claims are ludicrous (such as "links to links to links to links to DeCSS are illegal").
Well...smashing or breaking a lock would be destruction of property,
Which is not illegal, as long as it is your own property. Just like a DVD is yours to use after you legally bought it, and you don't breach copyright (private viewing, no copies).
The problem is, the DMCA makes circumventing access control devices illegal, even if no other crime is committed. In your example using a gun alone is not illegal, at least in the US (it may be self-defense, or gasp shooting at a target during a sporting event); it is only illegal when used in the commission of another crime (armed robbery, sexual assault, etc.)
Telemarketer: Hello, is Mr. Tosh there? Me: Yes he's here, what is this in relation to? Telemarketer: We'd like to sell him a... Me: Ok, I fetch him, just a minute please Me [leaves receiver off hook, and goes back doing whatever I was doing before] Me [20 minutes later, after a quick glance at my ISDN logs]: Gee, they are getting stupider day by day: this one stayed 13 minutes!
Shouldn't that be: "Tux, the penguin has a new mite". Oh, and does anybody else think that these days our moderators are in a severe need of humor pie?
This attack only works because Slashdot excepts comments submitted using the GET method, rather than POST, which is normally used for forms. This is a very common error unfortunately... Let's just hope that stock trading sites such as E*Trade are more careful about which methods they accept for their forms, or else somebody could abuse this to perform the mother of all stock manipulations. Conceivably, such a poisoned link could be hidden in a < img src="..."> tag, and nobody would even notice...
I don't know about you, but whenever I see a story like this, I always get the impression that "the big corp" is just trying to save face. Indeed, in corporate speak or politics you rarely admit that you made a mistake, or that you backed down off your initial intention because you've underestimated the public's reaction. No, you just say their has been a "misunderstanding", and that you wanted to bring back the feature all along.
Yes, at the point they're now, Mozilla probably can no longer afford to keep the feature off permanently. But expect also that in the future, developers will need to get management's approval before including any controversial features in a milestone, or before discussing them "publically". Yes, Mozilla is an open project, and these goals will be hard to achieve, but rest assured, AOL-TimeWarner will come up with something...
Electricity is a consumable resource which has a real cost to produce. Network access is not "consumed" and generates almost no incremental costs to university.
then what happens when some other student comes along, needs to connect, and can't, because all the ports have been converted to personal drops?
Now that's easy: the student who comes along takes that infamous blue cable, disconnects it, and connects his instead. 10 minutes later, the guy from his dorm room comes down to check why his network connection no longer works. Here he finds half a dozen guys who try to explain him that those connections are not really meant for dorm rooms but rather for those who come to the lab. Case closed.
The fact that this didn't happen either proves that:
Most students at OSU are really well educated, and don't disconnect cables like that
The network ports weren't really that scarce, and this problem simply didn't arise
If someone is blowing the whistle on corruption in business or government, they might also need anonymity.
This is especially relevant in France. Corruption and "gentle" coercion have tradition in France. The government routinely threatens physical violence against anybody who might reveal state secrets, which can be something as trivial as the President de la République having an illegitimate kid.
Back in the old days, the French gummint could prevent the spread of uncomfortable information by threatening the author, then his publisher and finally his printer of abusive "contrôles fiscaux", or worse, by threatening the life of their wives and kids. Now, with the Internet, the government no longer has this ability, and they desperately want it back. The new media allow information travels faster than you can say "écoutes téléphoniques", and if you start threatening people, hundreds more will just mirror. They could easily shut up Jean Edern Hallier who tried to publish the old fashioned way, but a few years later, they couldn't stop Pascal Barbraud.
Hey idiots, everybody understands that the Président de la République may have an extraconjugal lovelife, or *gasp* that he may get old and ill. But nobody understand why you tried so desperately to hide these facts.
Slashdot Mirror
And btw, what's to stop prankster from randomly picking sites registered at register.com and sending fake IDSA letters? No problem for the site (cheap registrars are a dime a dozen...), but might become problematic for Register.com if it happens on a large enough scale...
Yes it would. The server can just send back an empty page with a link to the real site if he notices that the referer is salshdot.org. Or send a meta refresh tag. No client side script needed.
Be careful here. Smart cards do not automatically mean security, and there are unfortunately many poor implementations around. And btw: if the smart card reader is disconnected from the computer, how does the encrypted data get to the web site?
I used to work for a bank which used a smart card reader for their e-banking product. Officially, the advantage of this solution over plain https would be that even if the user's computer was compromised by a trojan or a virus, his pin and passwords were still secure. However, unfortunately, the bank was too cheap to buy smart card readers with integrated keyboards and displays. Thus, a virus or trojan would just need to grab the cleartext data stream going from the computer's keyboard to the reader, and presto! After pointing out that flaw to my boss, he just said "You're basically right. However, you should understand that the goal is not to provide actual security, but rather to give the customer an impression of security. Customers read about security problems on the internet so frequently, that it takes sth special to convince them that E-banking can be secure. However, the same customers trust the security of smart cards, most already carry several of them in their wallet (credit cards, access badges, ATM cards...). So we just capitalize on their trust in smartcards and integrate one in our solution. Even if it doesn't help security. But don't worry: nobody'll find out, after all not everybody has a PhD in cryptography..." I don't either... but I still noticed.
Wait a minute, I have an idea. Why not put up a web page which lists the names, addresses, license plates, and the kitchen sink of the top level MPAA executives who initiated the suits against DeCSS?
And before anybody screams that genetic information is a bad analogy as well, consider that ironically enough, some corporations want to lock up that kind of information too.
Probably it was because of the paragraph before. Maybe the moderator didn't believe the bit about IE "making shopping easier".
Guess what... I think this is the whole point. If the ISP is so trigger happy, he deserves to lose customers, that's just applied Darwinism.
Most ISP's will go the path of the least resistence. When faced with threats of legal action, currently the path of least resistance is to cave in. If we want to change that, we can either (1) take away resistance from the path of "standing up" (difficult), or (2) add more resistance to the path of caving in (by muddying the pond with a deluge of phony legalese).
...but only styrofoam lookalikes of clubs. These kinds of hoaxes will be quickly found out: the law office doesn't actually exist, or it does exist but doesn't know of the case, etc. Within days, service will be restored to the hoaxed users, and all it did was put lots of egg on the ISP's face. As the action continues, the omelette will spread to more and more ISPs, and ISPs will be increasingly weary of any legalese letter, especially if the claims are ludicrous (such as "links to links to links to links to DeCSS are illegal").
...is it still legal to link to a site that links to a DeCSS site? Such as this?
Does this mean that the MPAA will sue them over http://a1.g.akamaitech.net/6/6/6/6/www.free-dvd.or g.lu/
?
distribute its contents around the Web. Yet http://a1.g.akamaitech.n et/6/6/6/6/www.bluescreen.org.lu/. does work as expected, at least if you surf on '98.
Which is not illegal, as long as it is your own property. Just like a DVD is yours to use after you legally bought it, and you don't breach copyright (private viewing, no copies).
The problem is, the DMCA makes circumventing access control devices illegal, even if no other crime is committed. In your example using a gun alone is not illegal, at least in the US (it may be self-defense, or gasp shooting at a target during a sporting event); it is only illegal when used in the commission of another crime (armed robbery, sexual assault, etc.)
Telemarketer: Hello, is Mr. Tosh there?
Me: Yes he's here, what is this in relation to?
Telemarketer: We'd like to sell him a...
Me: Ok, I fetch him, just a minute please
Me [leaves receiver off hook, and goes back doing whatever I was doing before]
Me [20 minutes later, after a quick glance at my ISDN logs]: Gee, they are getting stupider day by day: this one stayed 13 minutes!
Interesting... Is it possible to apply for a trademark online, and how much does it cost?
See here. Isn't he cute?
Shouldn't that be: "Tux, the penguin has a new mite". Oh, and does anybody else think that these days our moderators are in a severe need of humor pie?
...when he tried to urinate in its mouth, as a stoopid schoolboy's wager.
This attack only works because Slashdot excepts comments submitted using the GET method, rather than POST, which is normally used for forms. This is a very common error unfortunately... Let's just hope that stock trading sites such as E*Trade are more careful about which methods they accept for their forms, or else somebody could abuse this to perform the mother of all stock manipulations. Conceivably, such a poisoned link could be hidden in a < img src="..."> tag, and nobody would even notice...
Yes, at the point they're now, Mozilla probably can no longer afford to keep the feature off permanently. But expect also that in the future, developers will need to get management's approval before including any controversial features in a milestone, or before discussing them "publically". Yes, Mozilla is an open project, and these goals will be hard to achieve, but rest assured, AOL-TimeWarner will come up with something...
... how do they know to which address to send the shirt?
Electricity is a consumable resource which has a real cost to produce. Network access is not "consumed" and generates almost no incremental costs to university.
Now that's easy: the student who comes along takes that infamous blue cable, disconnects it, and connects his instead. 10 minutes later, the guy from his dorm room comes down to check why his network connection no longer works. Here he finds half a dozen guys who try to explain him that those connections are not really meant for dorm rooms but rather for those who come to the lab. Case closed.
The fact that this didn't happen either proves that:
- Most students at OSU are really well educated, and don't disconnect cables like that
- The network ports weren't really that scarce, and this problem simply didn't arise
Personally, I think it was 2.This is especially relevant in France. Corruption and "gentle" coercion have tradition in France. The government routinely threatens physical violence against anybody who might reveal state secrets, which can be something as trivial as the President de la République having an illegitimate kid.
Back in the old days, the French gummint could prevent the spread of uncomfortable information by threatening the author, then his publisher and finally his printer of abusive "contrôles fiscaux", or worse, by threatening the life of their wives and kids. Now, with the Internet, the government no longer has this ability, and they desperately want it back. The new media allow information travels faster than you can say "écoutes téléphoniques", and if you start threatening people, hundreds more will just mirror. They could easily shut up Jean Edern Hallier who tried to publish the old fashioned way, but a few years later, they couldn't stop Pascal Barbraud.
Hey idiots, everybody understands that the Président de la République may have an extraconjugal lovelife, or *gasp* that he may get old and ill. But nobody understand why you tried so desperately to hide these facts.
Except if the technology is a dangerous one...