Partly it's a 40-year-old running joke. Partly it's dead serious.
The part that's a running joke started way back with our Governor Tom McCall, who exhorted people "Come visit Oregon... but please don't stay!" (He wanted tourists, but not a big population gain.) This led to all sorts of amusing effects such as private efforts to sell discounted gasoline to southbound California-plated cars, and - OMG YouTube rules!- some funny local beer commercials from waaay back when Blitz-Weinhard was considered good beer. (You can watch this video for as good an answer as any I'll give. It totally reflects the attitude in its time.)
The dead serious part is not limited to Oregon, but has some truth throughout the western US. It's both cultural and economic.
Economically, the Californian housing market grew in value much faster than most anywhere else west of the Rockies. When people decided to leave Cali for whatever reason they'd sell their houses and hit the other markets with outrageous purchasing power. This stirred - and continues to stir - a significant amount of resentment. That tremendous purchasing power also allows Californians to bring along their culture and expectations, imposing it on often sullen and resentful locals in a process known sometimes as Californication. McMansions, strip malls, suburban sprawl, SUV-driving environmentalist poseurs, methamphetamine, gangs, three strikes laws, reckless anti-tax activism, gay pride - all are things commonly attributed (often wrongly) to the influx of Californians over the last few decades.
For my part I focus more on the running joke aspect; the economic and cultural changes are fait accompli so it's no good bitching about them. (And some of the changes brought by Californians have been positive, but you'll rarely get an Oregonian to admit it.)
"As long as you don't mention you're a Californian!"
But that's why a call center is brilliant! Oregonians have no problem with Californians, so long as they're actually in California.
Ah, kids. There's nothing like having your three-year-old yell "Shut up you stupid asshole!" in the crowded local Costco.
Repeatedly.
While you're wearing a shirt with your workplace's logo prominently displayed on it.
When you work for a local pediatrics clinic.
Yeah.
Just so long as you're not a Californian trying to move here!
"It reticulates splines against already saved data [...]"
Isn't reticulation a proprietary protocol when used on splines, though? You should ask them to open that up.
SuperDuper! is cheap and effective. [shrug]
Currently it's downloadable for under $30US. It's also been shown by one tester to be the most effective backup software for OSX at preserving all data. (Aside from dd, of course.) It's aimed at non-technical users, and those are a significant slice of the OSX user population.
So yeah, I think it's worth paying for and I recommend it unreservedly. While dd may be better for some, they're not the ones asking me for backup software recommendations.
(Like Mr. Jones, I'm also not affiliated with shirt pocket in any way other than being a satisfied customer.)
Robert Watson is apparently the fellow who suggested porting systrace to FreeBSD. Seems like he's been working on this for a long time.
:-)
"I hope nobody will take it as a plot of FreeBSD to gain/keep lead over other BSDs."
I shouldn't think so. At least for sysjail, this problem affects "All versions [...] on all architectures." It doesn't seem to be an OpenBSD-specific problem, but with many implementations of systrace(4). If FreeBSD has already fixed their systrace, then presumably the other BSDs will be looking to them for some ideas on fixing the issue.
Although, pinning it to OpenBSD in the headline was good for both demonstrating the seriousness of the issue and for generating more pageviews.
"I have to wonder if people should use it anyway and just accept that for now anyone that knows how can bypass that particular security check"
It'll be interesting to see what the tradeoff is: does the system become more vulnerable overall by using the vulnerable software, or less? Has the layer of security it was supposed to add become another exploit path that's worse than what it was supposed to protect against?
My off-the-cuff inexpert guess is that it will still be valuable for some limited situations, but that in many cases it'll reduce the overall security of the system. I'm looking forward to hearing more from the various teams involved.
All twelve of them. :)
We yell really loud.
(And I actually yelled "Wow!". We're not a homogenous lot.)
Gotta take a stab somewhere. [shrug] To me, 120 continuous seconds of recording seems well more than necessary for reasonable fair use, and well less than necessary for profiting from infringement.
"Most" is insufficient to define your case.
I never tried to fully define it. "Most any", "strong indicator" and even "dickheadery" are purposefully vague terms. (In case you hadn't noticed, natural languages are often inexact.)
Fair enough. It's Regal's response that really fries me, though: claiming that their theater managers are untrainable? That's just ridiculous. They should just honestly say "We assume any customer with a camcorder is a crook", not pretend that their employees are idiots just to milk some PR damage control.
Makes me want to go give that article to every Regal manager in my town and ask them "Did you know that corporate thinks you're an idiot?"
But I guess that wouldn't be fair use; they'd probably sue me.
"The theater staff were not being dickheads, they were just following the corporate policy of having zero tolerance."
Most any zero tolerance policy is, IMHO, a strong indicator of dickheadery in action.
Ah, but did he have permission to use the image?
"The only problem is, that's not your decision to make. That's the content owner's decision."
Not in the case of fair use it's not. And - on the facts presented - this looks like a clear example of fair use. (And also a clear example of violating the theater's no-camera policy, but that's not a criminal matter.)
I predict this case will be thrown out or settled in short order. It's got several serious problems. First, there's a strong fair use argument. Second, the theater owner does not hold copyright on the movie, so may have no standing to bring charges of copyright infringement. Third, the actual harm done by this person is very close to nil.
With luck, the DA will decline to prosecute on the grounds that he's got lots of better things to do. With different luck, the accused will refuse any settlement, demand trial, and establish a fair-use precedent.
'We cannot educate theater managers to be judges and juries in what is acceptable. Theater managers cannot distinguish between good and bad stealing.'
"[...] because for some reason the only people we can hire as theater managers are sub-human morons."
What a load of bull. Have a little faith in your employees, guys. If I were a theater manager, I'd be really insulted. Especially since the training isn't that hard. Here, try this:
WHEN A CAMCORDER IS FOUND OPERATING IN YOUR THEATER
1) Pull the customer with the camcorder from the theater.
2) Rewind the clip to see how long it is.
a) Over two minutes? Yep, that's a problem. Seize camera, call the cops, end.
b) Under two minutes? Likely not a problem. Check the previous clips on the camera.
b.1) Previous clips are also of this movie? Seize camera, call the cops, end.
b.2) Previous clips are of something else entirely? Not a problem.
c) Customer refuses to rewind and display camera contents? Seize camera, call the cops, end.
3) Warn customer that cameras are not allowed in the theater at all.
4) Return camera to customer.
5) Boot customer from premises with no refund.
There. It's even small enough to put on a little card your managers can carry around just in case they're forgetful.
Actually, the CEO Unquestionably Used Pseudonym to Post Online.
The questionable part was the propriety of him doing so.
Carry on.
"[...] an open-access network would deprive taxpayers of billions of dollars [...]"
Speaking as a taxpayer, it seems to me that a nationwide open-access spectrum would be a very worthwhile thing to get by forgoing those "billions of dollars".
(Nice to see that AT&T is looking out for my interests, though.)
Well, is this better?
I realize it's not proof-of-concept code - which would of course be ideal - but it is another BSD project leader's opinions on each of many of the errata, with pretty fair specificity. Again, I'm no expert here, but these guys are. One or both might be wrong about any security implications they claim, but they're in a heck of a lot better position to know than I am. Seems like it's foolhardy to dismiss their concerns out of hand, or bet a hardware purchase on the idea that it's some sort of retaliatory press release.
"Not knocking him in general but here he hasn't produced anything we didn't know already."
Maybe I've been under a rock lately, but I didn't know there were security implications to the bugs. I'm glad he mentioned it.
"First off I'm not "Theo-bashing", I'm bashing what Theo is doing."
So in your clause "Raving lunatics like Theo" you'd like the reader to focus on the fact that he's raving, but the reader should basically ignore that you just happen to mention in passing that you think he's a lunatic?
Right, got it. Thanks for the clarification on that.
"Theo read the errata that's public to everyone, and says that he "bets" there may be "potential" security implications."
Well - and I can only speak for myself here - the fact is that I'm an ignorant fuckwit when it comes to the security implications of Intel's hardware errata. I know just enough to know that I cannot read Intel's chip errata and produce an opinion about the security implications that has any statistically-significant superiority to random chance. I'd guess that it is highly likely that well in excess of 95% of the general computer-buying public is similarly ignorant.
However, I'm dead certain that Theo knows a great deal more about secure OS design and the implications of these errata than I do. I'm pretty sure he knows more about it than you do, too. (Nothing personal, but I figure there's probably under five thousand people worldwide who have similar expertise at the moment. Odds are you're not among them.) His track record thus far isn't perfect, but it's really fucking good. So if he says that it's likely that some of the flaws will prove exploitable, I'm willing to provisionally trust his predictive opinion.
And it's not like it'll stop me - or most other security-conscious people - from buying Core 2 machines. It will, however, prevent most or all security-conscious admins from deploying such machines in highly security-sensitive roles until the picture becomes more clear. This is not going to be a huge impact on Core 2 sales, because there already were better hardware solutions than Core 2 for both multi-user server roles and for perimeter security roles. The real problem with these alleged security flaws will be in the laptop and desktop markets, because Core 2 is pre-eminent there. Even so, it would only affect the segment of that market that is security-sensitive... which probably is not a huge portion of that market. (As another commenter said, though, the DoD's tech buyers are probably going to have serious headaches.)
So if Theo's goal is to wound Intel - which I doubt - this is not going to leave a big mark in sales. Theo fails it!
Overall, I don't think your theory holds much water. Sure it's possible that he's just being a dick about it just to spite intel. But it's also possible that his expertise leads him to have genuine concern, and his forthrightness leads him to say it plainly. I, for one, am not willing to bet my network security on the chance that the former possibility contains the whole truth behind this.
"Hasn't anyone noticed these terrible bugs?"
Apparently they have, and now we know too.
Look, I know Theo-bashing is a traditional bit of fun, so I hate to rain on your parade. But you should keep in mind that the OpenBSD team is uniquely (or nearly so) positioned to discover and publicize the security implications this sort of flaw. The whole project is security oriented; they don't accept "binary blobs" into security-sensitive roles, which means they look more closely at hardware than most; they operate in a very transparent manner; their user base is supportive of any security-related moves by the devs; their installed base is heavy in security-sensitive roles; and the project is notorious for not giving a damn about political considerations.
"But they're rarely very serious, they rarely actually affect anything in remotely realistic scenarios."
OpenBSD is heavily used in the perimeter security role, and in security-sensitive roles generally. As its OS security gets better, OpenBSD's sensitivity to hardware security flaws gets higher. If there's an architectural flaw that the OS can't cover, OpenBSD's user base needs to know that so they can evaluate their overall security and spec hardware accordingly.
Almost no one else needs to worry about hardware exploits in Core 2 as much as OpenBSD does, because almost every other OS for general-purpose hardware has easier exploit paths. For instance, I'm not worried about this flaw on my home iMac, because my iMac isn't in a security-sensitive role. If an attacker wants my home data, it'd be easier for the attacker to simply break in and steal the whole box.
"How does he expect Intel to respond?"
Like the professionals they are, I'd think.
"They have come a long way from even just a year ago."
The linked video may have been uploaded about a year ago, but it cites as its source a PBS production from 1995. (Which, incidentally, is discussing an entirely different airplane, the 777.)
TechnoLust seems like a pretty stand-up guy, and I hear tell the chicks dig him, but I didn't think he was actually addictive. Huh. You think you know a guy...
Yup. In most places it would take some legislative changes to implement.
It's probably true that vote-buying would be a worse problem than inaccurate counting. In Washington (where my brother lives) a ballot with an identifying mark is disqualified. If that were extended to all distinctive marks, then keeping ballot images secret would not be necessary.
(But then people would start arguing over what constitutes a distinctive mark, naturally.)
It is undoubtedly a tough problem all around.