But, most people store emails like that in non-webmail accounts, too. If they're doing so on a Windows machine, the security of that is probably not >= to the security of doing so on a Yahoo or Gmail account. Most people also have so little clue about security that they may or may not even be running AV software, and many of those who do so don't keep it up to date.
As for it being a story, yes, it would have been a story no matter what he found, because he bragged about it. Any time someone does something like that to someone running for high office, it's going to be a story. If someone threatened a candidate with a squirt gun, it would still make the news.
You don't need to be a coder to set those things up, but you do need some level of competence in general systems administration and mail administration in particular, and there's not really any way around that. Sure, some Linux distros make setting those things up relatively easy (Debian and its derivatives are perhaps the best for that), but you still need some idea of what you're doing?
Why? Because email is really complex. So complex that the "Simple" in SMTP could be taken as some kind of inside joke, although it was actually relatively simple back when SMTP was born. Email routing and filtering is in many respects the most complex thing done on the Internet. A single script to get all that stuff set up and working would be quite complex and almost certain to not work for everyone. Moreover, getting it set up wouldn't remove the need for ongoing competent administration.
I work for an email security company, and one of the reasons there is so much money in this is because it takes a lot of specialization to be really good at it, and for many businesses it makes the most sense to outsource it to specialists. Even when they have top-notch mail admins (many of our customers are Global 2000 companies, and they have really good sysadmins in those kinds of places), email security is something we can do better than they can in most cases, and always more economically.
IANAL either, but I bet the only TOS anyone has to follow when viewing a Facebook page is Facebook's TOS.
That aside, I think there are a few lessons college applicants can draw from this:
1) The oft-repeated advice to not post anything about yourself that you don't want the whole world to know about and use, is very good advice. Heed it;
2) Get used to it; even if your prospective colleges don't google you, it's highly likely that prospective employers will.
3) If 2, above, bothers you, see 1, above.
Uh, how, exactly, did she "make it so easy to get into the Yahoo account?" I don't know if you have a Yahoo account or not, but if you do, then you know perfectly well that the account holder doesn't choose the password reset questions, Yahoo does. That's probably an inconvenient truth, because it blows your entire premise, but truth it is.
I'd bet it's also pretty likely that she's had this Yahoo account since before she was a governor, or even a mayor. In other words, at the time it was set up, the security level was probably good enough, as it is for the Yahoo account I have.
There is, however, a pretty good security case against Yahoo here, who IMO is guilty of the things of which you accuse Palin. It goes like this:
1) They don't let you make up your own security questions. Bad.
2) The ones they choose for you aren't so hard to break if anybody knows the real name associated with the account and there's much info about you online.
3) They let you reset the password right there online instead of sending a randomly generated new password to the external account associated with the Yahoo account, or sending a password link to the external account. WTF? That's a security failure so basic they should be deeply ashamed of themselves. This is the really huge security failure, the one that let him break into her account. If they'd just sent a new password to her "real" email address, he never could have compromised her account so easily. He would have had to at least try phishing her and/or compromising her external email address.
Of course, if he'd done that, he'd be in even bigger trouble. I hope they make an example of him. Not because he broke into a politician's account, but because he broke into anyone's. I'd want him keel-hauled, hanged, drawn, and quartered if he broke into mine. A shame we don't do that sort of thing anymore.
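The reset design argued for in the comment above, as an added example that is not part of the original post or Yahoo's code: a knowledge-question flow that sets a new password right on the page is shown beside a flow that mails a random, single-use, expiring link to the recovery address on file. Account data, the recovery address, the 15-minute policy and the mail outbox are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy: a mailed reset link is good for 15 minutes
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(acct, password):
    salt, digest = acct["password_hash"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def weak_reset_via_question(accounts, username, answer, new_password):
    """The flow the comment objects to: anyone who knows the answer to a
    site-chosen question (often discoverable from public information) can set
    a new password immediately, with no involvement of the account's owner."""
    acct = accounts.get(username)
    if acct is None or acct["security_answer"].lower() != answer.lower():
        return False
    acct["password_hash"] = hash_password(new_password)
    return True


class ResetService:
    """The flow the comment recommends: the page only triggers a mail to the
    external recovery address; the password can be changed solely by whoever
    reads that mailbox, within the TTL, and each link works once."""

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts      # {username: {"recovery_email", "security_answer", "password_hash"}}
        self.now = now                # injectable clock so expiry can be tested
        self.pending = {}             # sha256(token) -> (username, expires_at); raw token is never stored
        self.outbox = []              # (recovery_email, link) pairs "sent"; stands in for real delivery

    def request_reset(self, username):
        acct = self.accounts.get(username)
        if acct is None:
            return None   # identical response for unknown users, so names cannot be enumerated
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (username, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((acct["recovery_email"], f"https://example.invalid/reset?t={token}"))
        return None

    def complete_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = None
        for stored in list(self.pending):
            if hmac.compare_digest(stored, digest):
                entry = self.pending.pop(stored)   # single use: removed whether or not it is still valid
                break
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        self.accounts[username]["password_hash"] = hash_password(new_password)
        return True


def make_accounts():
    """Constructed sample account; the question answer is deliberately guessable."""
    return {"alice": {"recovery_email": "alice@example.invalid",
                      "security_answer": "Springfield",
                      "password_hash": hash_password("original-password")}}
```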
Nope, third time around. You gotta have something to do for a little down time, and poker is better than Oprah :)
This is our third kid, we know the drill. She won't have a lot of time for it, but will have some. Our other two are both in school, and babies sleep a lot.
I work for one of the best-known companies in the networking business. We don't test job applicants, at least not in any part of the company that I've worked. Before that, I worked for a very well-known software company. We didn't test there, either. I have directly hired or participated in the interview process for 10 people that we hired. Not only have we not fired any of them, all have excelled. That's because we know how to interview.
Show me people that rely on tests and I'll show you people whose interviewing skills are probably not up to par.
Would I refuse a test? Yes. Have I? Yes. At one prospective employer (the only one where I've ever encountered a test), I arrived for my interview, was met at the desk by an HR person, and was told we'd start with a test. I politely declined, handed back my visitor badge, and left. That told me at least as much about their competence, and their management style, as any test would have told them about mine. More, in fact.
Bottom line: if an organization does not even have basic skills like interviewing wired, such that they have to rely on a test, I don't want to work there. Test-style questions are fine during an initial phone-screen, but once I have passed the phone screen and arrived in person for an interview, I expect that my time will not be wasted. That is not an unreasonable expectation.
However, I don't think organizations that give tests should stop doing so. As I said, it's a useful tool for /me/ to winnow /them/ from consideration.
This is about the best suggestion of the lot, so far. Most of the answers ignore either the time flexibility requirement or the requirement of being different than $DAY_JOB. My wife plays poker and makes some money at it, and it's totally time-independent. Or she did; since she's been pregnant she doesn't have the energy, patience, or concentration, but she'll get back to it after the baby is born.
This assumes, of course, that OP has interest in, and at least modest talent for, poker.
One caveat I'd add is that as online poker gets more and more popular, there are more and more crazies playing, people who watch the highlights of WSOP and WPT events and see somebody like Kido Pham who seems to play any two cards any time (which he doesn't quite do, but he is a very aggressive player) and think that that's how you play poker, for real. These donks can't be making any money, but their willingness to play any two cards all-in is enough to make it a lot harder for a skilled player to make some money, because there are a lot of them and taken in total, they will catch a very lucky turn or river often enough to make your life hard.
It's kind of like how as computers became more and more popular, the skill level of people with computers went down and down.
I was torn between just modding you up and replying to say how right you are.
I've managed a team of eight at my previous company; many of them were more technically qualified than I was in every area, and all of them were more technically qualified than I was in at least one area. But I was a very successful manager there, and among my former staff that stayed on after our acquisition (some voted with their feet, as I did; the company that acquired us wasn't a very pleasant place to work), they have all risen in the company; one has even become the program manager for the product.
I know that being able to code "hello world" was just a simplification, but putting some kind of technical litmus test on technical managers is a risky practice. The greatest attributes of a technical manager are to have a good big picture understanding, to be a good manager of people, to be a very good hirer of people, and to be a good BS filter for her/his staff. It doesn't matter if a technical manager is a great coder (and in fact, transitioning to management is often hard for great coders because it's hard to let go of the coding). I'm not very good at programming, but I'm very good at managing people who are, and I'm pretty good at hiring and keeping people who are, and at keeping their projects on track and focused. That is the value of a good technical manager.
No kidding. Having KDE 4 be the default in Intrepid Ibex was bad enough (especially with, AFAICT, still no KDE 3.5.10 packages available), but now this? The KDE 4 default issue was enough to make me install Debian Sid on a new machine I got at work last week instead of Kubuntu. I moved from Debian Unstable to *buntu in 2003, while it was still in beta. Ubuntu does a lot of great work and is by and large a truly outstanding distro in its various flavors, so it's really a shame that they are now doing foolish and poorly thought-out things like defaulting to KDE 4 and now this Firefox EULA.
Turns out Debian was right on Iceweasel and Icedove. They're also astute enough to have KDE 4 in experimental, where it belongs, not as the default in Unstable.
WRT Chrome, one of the things it will have to do to "mature" is to be available for platforms other than Windows, and using less memory than IE 8 would also be a start. Might be hard for it to duplicate the rich Firefox ecosystem, too, unless it uses Firefox plugins. Way easier to just use Iceweasel and Icedove and forget the branded versions of Firefox and Thunderbird.
Even more importantly, it needs to have some kind of self-cleaning function, to get the splooge off the walls after a session. Better be fairly waterproof on the inside, too.
Bzzzzt!
No matter how much of a public forum a website may or may not be, the fact of the matter is that neither you nor I have any legal right to freedom of speech on /. or any other site.
What the Constitution has to say about freedom of speech is that the government cannot restrict free speech. Private entities, whether it be you or I on our private websites, or online communities such as /., are free to restrict speech on their property in any way they like.
It boils down to "Their website, their rules." You want to say whatever you want on the Internet? Cool. Set up your own server, buy your own bandwidth, and go for it.
What everybody - particularly those least worth listening to - seems to misconstrue about freedom of speech is that anyone owes you a forum. They don't. Nor, especially, does anyone owe anyone an audience. You can talk all you want, but no one has to listen.
Absolutely. Those poor 419ers won't have to go to the Internet cafe anymore.
Wonderful. I'd rather see Google working on getting all the cables to Africa cut. Surely they can afford a special ops submarine with all their money.
Go ahead and mod me OT, but it's Friday and I'm just pissed off to be the last person in the universe who knows the difference between a disclosure statement and a disclaimer.
"This is a cool new toy/tool/product I'm posting on Slashdot, and by the way, I not only work at the company that produces it, I wrote it" is a disclosure.
A disclaimer typically contains language such as "Not responsible for damages resulting from use, or inability to use, this product. Not even if it burns your house, steals your car, drinks your liquor from your old fruit jar, *and* steps on your blue suede shoes."
Disclosure statements are meant to inform the reader of, for example, a potential conflict of interest, and shield the discloser from potential liability (whether legal or just in terms of face) should the disclosure not be made.
Disclaimers are basically just weasel words intended to deny having any liability for, say, the quality or lack thereof, of some product. Or put another way, disclosure is taking responsibility (to some extent, at least, and not always), whereas disclaimers are solely intended to worm out of responsibility that you probably have, at least morally if not legally. And maybe legally. Not all disclaimers will stand up in court. I wouldn't be surprised if most won't.
Point, set, and match :-)
Q: If a tree falls on a mime in the forest, does it make a sound?
A: Who cares, as long as he's dead?
Wow, if French entertainment is even worse than ours, it must be truly something awful :p
I thought they'd traced BSE back to feeding ground-up sheep that were infected with scrapie to cows? Either way, that makes it no less of a screwed-up process.
Microsoft clearly fits the definition of a monopoly.
Don't think so?
Do a little research on Standard Oil, which was broken up in the United States under the Sherman Anti-Trust Act. Standard Oil was not the only oil company in the United States at that time, nor were they the only one that operated gasoline stations. However, their market dominance was such that they were within the definition of a monopoly.
There are other OS, mail server, and office suite vendors out there, to be sure. However, Exchange has a 65% market share (probably more in the global 2000), Windows has 90% of the desktop, and probably more than that in business desktops. Microsoft Office has about a 90% market share, too. It has been so successful, in fact, that "Excel" and "Word" have become generic words in the lexicon of many people. I regularly encounter users who think "Excel" is what you call a spreadsheet program. I have NeoOffice on my wife's Mac and she calls its spreadsheet Excel all the time. This has become very common.
Yes, Microsoft has a monopoly. You don't need 100% market share to have a monopoly. You just need so much market share that the market is no longer anything like a level playing field for others. The fact that some competitors have been able to survive or even make headway anyway is not testimony against Microsoft being a monopoly or even for a level playing field, but rather testimony to the quality and tenacity of those competitors.
Granted, Microsoft has jumped the shark, but it's still a powerful monopoly.
Not exactly weird. If cracking networks, etc., is your bag, and somebody offers you a high-paying, stable job where you can not only spend your time doing that, but doing it without fear of prosecution, that could be kind of hard to turn down.
Do you really think government anywhere is trustworthy, or that only the US government would use this technique?
This technique isn't even hard. I used to work at an ISP in Japan that once spent the best part of the day off the Internet because an incompetent router admin in the ROK was announcing our IP space. We finally managed to get the guy on the phone, only to find that his ability to either speak or comprehend English was negligible and that he spoke no Japanese at all. By then, he seemed to have some clue that he'd screwed up and said he was working on it (I wouldn't be surprised if he announced routes for other ASes than ours). When my jaw really hit the floor was when he managed to explain that he had done this before. He obviously didn't get reamed by his boss enough the first time he screwed up like that.
As soon as I started reading TFA, I thought "I bet I know how they did it" - and I'm no CCIE level network engineer - and it turned out I was spot on. The technique is simple enough that I'm sure L0pht Heavy Industries 10 years ago were nowhere near the first group to come up with an attack like this. Heck, they probably didn't tell the NSA anything they didn't already know. Any CCIE could devise an attack like that, and so could quite a few people who aren't CCIEs.
Spying on a large group of Internet users would require tremendous bandwidth and hardware, however - what you might call a rather conspicuous amount of both. It's also not something that would go unnoticed for a really long time by the network engineers at large networks. It might start with a customer complaint of long ping times into their network, or it might start with a neteng looking over the BGP table for something unrelated and thinking, "That's funny" - but it would certainly be noticed. Routing all the traffic for a large AS in, say, the UK through, say, New York, would not go unnoticed for very long.
The best way to conceal an attack like this would be very near the target network. For example, if you were trying to pick off all traffic bound for a regional ISP, you put your sniffing setup in the same colo facility where they are located.
If the target is a national ISP in a large country - the kind that is likely to have multiple ingress points to their network - the attack becomes more complicated. You have to either be in all their colo locations if you want optimum concealment (and if they are large, they probably own the colo, making it trickier to hide what you're doing), or you need to pull all their traffic through your single location, which is more likely to be noticed.
Another good technique for concealing this kind of attack is to not use it all the time. For example, if you know that there are users on Network A on whom you'd like to spy, and that they are communicating with users on Network B, on whom you'd also like to spy, you have a couple of options. One is to randomly announce routes for Network A (and maybe network B at the same time) for some fairly short period of time and at random intervals long enough to let the BGP state go back to normal, and hope you catch something. Another approach is to use some other intelligence sources to figure out the time of day when the communication usually happens and do your intercepts at that time, then turn them off.
If I can think this up - and I've even been out of the neteng business for over 5 years now - the people who do things like that for a living have not only known about it for many years, they were probably thinking "It took L0pht until *1998* to come up with that, and anyone else another 10 years to come up with a usable exploit?!"
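The "That's funny" moment described above, as an added example that is not part of the original post: a small route-monitor check that flags any announcement of your own address space (or a more-specific of it) from an origin AS you do not operate, and separately flags such announcements that are withdrawn again within a short window, the intermittent pattern the post describes. The prefix, the ASNs, the peer names and the update feed are all constructed; a real deployment would feed it from a route collector or a BGP monitoring service.

```python
import ipaddress
from collections import namedtuple

# One update as seen from one collector peer. Withdrawals carry no origin AS.
Update = namedtuple("Update", "ts peer kind prefix origin_as")   # kind: "A" announce, "W" withdraw

# Constructed: the address block we originate and the ASN(s) allowed to originate it.
OUR_PREFIXES = {ipaddress.ip_network("203.0.113.0/24"): {64512}}


def covered_by(ours, seen):
    """True when `seen` equals `ours` or is a more-specific inside it."""
    return seen.version == ours.version and seen.subnet_of(ours)


def detect_hijacks(updates, our_prefixes=OUR_PREFIXES, flap_window=600):
    """Return (ts, alert_type, detail) tuples in time order.

    rogue-origin : our space, or a more-specific of it, announced with an
                   origin AS outside the allowed set (the case in the post,
                   where another AS announced the ISP's IP space).
    short-lived  : a rogue announcement withdrawn within flap_window seconds,
                   the on/off pattern that is meant to avoid being noticed.
    """
    alerts = []
    live = {}   # (peer, network) -> (ts announced, rogue origin AS)
    for u in sorted(updates, key=lambda x: x.ts):
        net = ipaddress.ip_network(u.prefix)
        for ours, legit in our_prefixes.items():
            if not covered_by(ours, net):
                continue
            key = (u.peer, net)
            if u.kind == "A":
                if u.origin_as in legit:
                    live.pop(key, None)           # legitimate route replaced any rogue one at this peer
                    continue
                shape = "exact" if net == ours else "more-specific"
                alerts.append((u.ts, "rogue-origin",
                               f"{net} ({shape} of {ours}) via {u.peer} origin AS{u.origin_as}"))
                live.setdefault(key, (u.ts, u.origin_as))
            elif u.kind == "W" and key in live:
                started, rogue_as = live.pop(key)
                held = u.ts - started
                if held <= flap_window:
                    alerts.append((u.ts, "short-lived",
                                   f"{net} via {u.peer} AS{rogue_as} held {held}s"))
    return alerts


# Constructed feed: our own announcement, a rogue more-specific that is pulled
# after five minutes, a rogue exact-match at a second peer, and unrelated space.
SAMPLE_FEED = [
    Update(0,   "peer1", "A", "203.0.113.0/24", 64512),
    Update(100, "peer1", "A", "203.0.113.0/25", 65001),
    Update(400, "peer1", "W", "203.0.113.0/25", None),
    Update(500, "peer2", "A", "203.0.113.0/24", 65001),
    Update(600, "peer1", "A", "198.51.100.0/24", 65001),
]

if __name__ == "__main__":
    for ts, kind, detail in detect_hijacks(SAMPLE_FEED):
        print(f"t={ts:>4} {kind:<13} {detail}")
```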
They can put it on there, but that doesn't stop me from doing it anyway. EULAs often contain all sorts of things that are highly unlikely to stand up in court, but until someone decides to actually test it in court, the licensor gets away with it.
People *do* sell things marked with "Not for individual retail sale" piecemeal all the time. Unless the seller bought it under a contract from the manufacturer that forbade such resale (note that this would put it under contract law, rather than license, and would give the restriction teeth), there's not much a manufacturer could do about it in most US jurisdictions.
I'll further back this up with a number: 95% of the spam received in China is in Chinese. Still doubt that spamming tools might be available in Chinese?
Actually, Chinese is one of the leading languages for spam. They've got quite a homegrown spam industry there. I work for one of the leading anti-spam vendors, and the Chinese spam problem is so large that we opened a local office in China to deal with it. The big three languages for spam are English, Spanish, and Chinese. I suppose you're now going to suggest it's racist for saying Spanish is a big spamming language too?
Your comment just proves how clueless you are about the spam situation in China.
China is, and has been for several years, a bastion of "bulletproof" hosting. Since you're so clueless about spam, I probably have to explain bulletproof hosting. Bulletproof hosting is a contract with a hosting provider and/or ISP with IP space to burn that doesn't care what you do with that hosting/IP space so long as you pay your bills.
China is also a haven of phishing sites, largely for the same reason and courtesy of a few rogue registrars operating in China.
There's nothing racist about criticizing China for its conduct. What next? You'll be telling us it's racist to criticize Nigeria for being the source of most of the world's 419 spam?
Silly me. I hadn't heard that scammers, spammers, and those who give them shelter constituted a race.
I get my connection from a small city-run cable company on the San Francisco Peninsula. They have a pretty low guaranteed bandwidth, but what I actually get is really good. I can sustain downloads of over 10 megabits/sec at pretty much any time of the day, as long as the FTP site will give me that much.
Do I? No. Do most people? Probably.
But, most people store emails like that in non-webmail accounts, too. If they're doing so on a Windows machine, the security of that is probably not >= to the security of doing so on a Yahoo or Gmail account. Most people also have so little clue about security that they may or may even be running AV software, and many of those who do so don't keep it up to date.
As for it being a story, yes, it would have been a story no matter what he found, because he bragged about it. Any time someone does something like that to someone running for high office, it's going to be a story. If someone threatened a candidate with a squirt gun, it would still make the news.
You don't need to be a coder to set those things up, but you do need some level of competence in general systems administration and mail administration in particular, and there's not really any way around that. Sure, some Linux distros make setting those things up relatively easy (Debian and its derivatives are perhaps the best for that), but you still need some idea of what you're doing?
Why? Because email is really complex. So complex that the "Simple" in SMTP could be taken as some kind of inside joke, although it was actually relatively simple back when SMTP was born. Email routing and filtering is many respects the most complex thing done on the Internet. A single script to get all that stuff set up and working would be quite complex and almost certain to not work for everyone. Moreover, getting it set up wouldn't remove the need for ongoing competent administration.
I work for an email security company, and one of the reasons there is so much money in this is because it takes a lot of specialization to be really good at it, and for many businesses it makes the most sense to outsource it to specialists, even when they have top-notch mail admins (many of our customers are Global 2000 companies, and they have really good sysadmins in those kinds of places), email security is something we can do better than they can in most cases, and always more economically.
IANAL either, but I bet the only TOS anyone has to follow when viewing a Facebook page is Facebook's TOS.
That aside, I think there are a few lessons college applicants can draw from this:
1) The oft-repeated advice to not post anything about yourself that you don't want the whole world to know about and use, is very good advice. Heed it;
2) Get used to it; even if your prospective colleges don't google you, it's highly likely that prospective employers will.
3) If 2, above, bothers you, see 1, above.
Uh, how, exactly, did she "make it so easy to get into the Yahoo account?" I don't know if you have a Yahoo account or not, but if you do, then you know perfectly well that the account holder doesn't choose the password reset questions, Yahoo does. That's probably an inconvenient truth, because it blows your entire premise, but truth it is.
I'd bet it's also pretty likely that she's had this Yahoo account since before she was a governor, or even a mayor. In other words, at the time it was set up, the security level was probably good enough, as it is for the Yahoo account I have.
There is, however, a pretty good security case against Yahoo here, who IMO is guilty of the things of which you accuse Palin. It goes like this:
1) They don't let you make up your own security questions. Bad.
2) The ones they choose for you aren't so hard to break if anybody knows the real name associated with the account and there's much info about you online.
3) The let you reset the password right there online instead of sending a randomly generated new password to the external account associated with the Yahoo account, or sending a password link to the external account. WTF? That's a security failure so basic they should be deeply ashamed of themselves. This is the really huge security failure, the one that let him break into her account. If they'd just sent a new password to her "real" email address, he never could have compromised her account so easily. He would have had to at least try phishing her and/or compromising her external email address.
Of course, if he'd done that, he'd be in even bigger trouble. I hope they make an example of him. Not because he broke into a politician's account, but because he broke into anyone's. I'd want him keel-hauled, hanged, drawn, and quartered if he broke into mine. A shame we don't so that sort of thing anymore.
Nope, third time around. You gotta have something to do for a little down time,and poker is better than Oprah :)
This is our third kid, we know the drill. She won't have a lot of time for it, but will have some. Our other two are both in school, and babies sleep a lot.
I work for one of the best-known companies in the networking business. We don't test job applicants, at least not in any part of the company that I've worked. Before that, I worked for a very well-known software company. We didn't test there, either. I have directly hired or participated in the interview process for 10 people that we hired. Not only have we not fired any of them, all have excelled.That's because we know how to interview.
Show me people that rely on tests and I'll show you people whose interviewing skills are probably not up to par.
Would I refuse a test? Yes. Have I? Yes. At one prospective employer (the only one where I've ever encountered a test), I arrived at for my interview, was met at the desk by an HR person, and was told we'd start with a test. I politely declined, handed back my visitor badge, and left. That told me at least as much about their competence, and their management style, as any test would have told them about mine. More, in fact.
Bottom line: if an organization does not even have basic skills like interviewing wired, such that they have to rely on a test, I don't want to work there. Test-style questions are fine during an initial phone-screen, but once I have passed the phone screen and arrived in person for an interview, I expect that my time will not be wasted. That is not an unreasonable expectation.
However, I don't think organizations that give tests should stop doing so. As I said, it's a useful tool for /me/ to winnow /them/ from consideration.
This is about the best suggestion of the lot, so far. Most of the answers ignore either the time flexibility requirement or the requirement of being different than $DAY_JOB. My wife plays poker and makes some money at it, and it's totally time-independent. Or she did; since she's been pregnant she doesn't have the energy, patience, or concentration, but she'll get back to it after the baby is born.
This assumes, of course, that OP has interest in, and at least modest talent for, poker.
One caveat I'd add is that as online poker gets more and more popular, there are more and more crazies playing, people who watch the highlights of WSOP and WPT events and see somebody like Kido Pham who seems to play any two cards any time (which he doesn't quite do, but he is a very aggressive player) and think that that's how you play poker, for real. These donks can't be making any money, but their willingness to play any two cards all-in is enough to make it a lot harder for a skilled player to make some money, because there are a lot of them and taken in total, they will catch a very lucky turn or river often enough to make your life hard.
It's kind of like how as computers became more and more popular, the skill level of people with computers went down and down.
I was torn between just modding you up and replying to say how right you are.
I've managed a team of eight at my previous company; many of them were more technically qualified than I was in every area, and all of them were more technically qualified than I was in at least one area. But I was a very successful manager there, and among my former staff that stayed on after our acquisition (some voted with their feet, as I did; the company that acquired us wasn't a very pleasant place to work), they have all risen in the company; one has even become the program manager for the product.
I know that being able to code "hello world" was just a simplification, but putting some kind of technical litmus test on technical managers is a risky practice. The greatest attributes of a technical manager are to have a good big picture understanding, to be a good manager of people, to be a very good hirer of people, and to people a good BS filter for her/his staff. It doesn't matter if a technical manager is a great coder (and in fact, transitioning to management is often hard for great coders because it's hard to let go of the coding). I'm not very good at programming, but I'm very good at managing people who are, and I'm pretty good at hiring and keeping people who are, and at keeping their projects on track and focuses. That is the value of a good technical manager.
No kidding. Having KDE 4 be the default in Intrepid Ibex was bad enough (especially with, AFAICT, still no KDE 3.5.10 packages) available), but now this? The KDE 4 default issue was enough to make me install Debian Sid last week on a new machine I got at work last week instead of Kubuntu. I moved from Debian Unstable to *buntu in 2003, while it was still in beta. Ubuntu does a lot of great work and is by and large a truly outstanding distro in its various flavors, so it's really a shame that they are now doing foolish and poorly thought-out things like defaulting to KDE 4 and now this Firefox EULA.
Turns out Debian was right on Iceweasel and Icedove. They're also astute enough to have KDE 4 in experimental, where it belongs, not as the default in Unstable.
WRT Chrome, one of the things it will have to do to "mature" is to be available for platforms other than Windows, and using less memory than IE 8 would also be a start. Might be hard for it to duplicate the rich Firefox ecosystem, too, unless it uses Firefox plugins. Way easier to just use Iceweasel and Icedove and forget the branded versions of Firefox and Thunderbird.
Even more importantly, it needs to have some kind of self-cleaning function, to get the splooge off the walls after a session. Better be fairly waterproof on the inside, too.
Bzzzzt!
No matter how much of a public forum a website may or may not be, the fact of the matter is that neither you nor I have any legal right to freedom of speech on /. or any other site.
What the Constitution has to say about freedom of speech is that the government cannot restrict free speech. Private entities, whether it be you or I on our private websites, or online communities such as /., are free to restrict speech on their property in any way they like.
It boils down to "Their website, their rules." You want to say whatever you want on the Internet? Cool. Set up your own server, buy our own bandwidth, and go for it.
What everybody - particularly those least worth listening to - seem to misconstrue about freedom of speech is that anyone owes you a forum. They don't. Nor, especially, does anyone owe anyone an audience. You can talk all you want, but no one has to listen.
Absolutely. Those poor 419ers won't have to go to the Internet cafe anymore.
Wonderful. I'd rather see Google working getting all the cables to Africa cut. Surely they can afford a special ops submarine with all their money.
Go ahead and mod me OT, but it's Friday and I'm just pissed off to be the last person in the universe who knows the difference between a disclosure statement and a disclaimer.
"This is a cool new toy/tool/product I'm posting on Slashdot, and by the way, I not only work at the company that produces it, I wrote it" is a disclosure.
A disclaimer typically contains language such as "Not responsible for damages resulting from use, or inability to use, this product. Not even if it burns your house, steals your car, drinks your liquor from your old fruit jar, *and* steps on your blue suede shoes."
Disclosure statements are meant to inform the reader of, for example, a potential conflict of interest, and shield the discloser from potential liability (whether legal or just in terms of face) should the disclosure not be made.
Disclaimers are basically just weasel words intended to deny having any liability for, say, the quality or lack thereof, of some product. Or put another way, disclosure is taking responsibility (to some extent, at least, and not always), whereas disclaimers are solely intended to worm out of responsibility that you probably have, at least morally if not legally. And maybe legally. Not all disclaimers will stand up in court. I wouldn't be surprised if most won't.
Point, set, and match :-)
Q: If a tree falls on a mime in the forest, does it make a sound?
A: Who cares, as long as he's dead?
Wow, if French entertainment is even worse than ours, it must be truly something awful :p
I thought they'd traced BSE back to feeding ground-up sheep that were infected with scrapie to cows? Either way, that makes it no less of a screwed-up process.
Microsoft clearly fits the definition of a monopoly.
Don't think so?
Do a little research on Standard Oil, which was broken up in the United States under the Sherman Anti-Trust Act. Standard Oil was not the only oil company in the United States at that time, nor were they the only one that operated gasoline stations. However, their market dominance was such that they were within the definition of a monopoly.
There are other OS, mail server, and office suite vendors out there, to be sure. However, Exchange has a 65% market share (probably more in the global 2000), Windows has 90% of the desktop, and probably more than that in business desktops. Microsoft Office has about a 90% market share, too. It has been so successful, in fact, that "Excel" and "Word" have become generic words in the lexicon of many people. I regularly encounter users who think "Excel" is what you call a spreadsheet program. I have NeoOffice on my wife's Mac and she calls its spreadsheet Excel all the time. This has become very common.
Yes, Microsoft has a monopoly. You don't need 100% market share to have a monopoly. You just need so much market share that the market is no longer anything like a level playing field for others. The fact that some competitors have been able to survive or even make headway anyway is not testimony against Microsoft being a monopoly or even for a level playing field, but rather testimony to the quality and tenacity of those competitors.
Granted, Microsoft has jumped the shark, but it's still a powerful monopoly.
Not exactly weird. If cracking networks, etc., is your bag, and somebody offers you a high-paying, stable job where you can not only spend your time doing that, but doing it without fear of prosecution, that could be kind of hard to turn down.
s/The US Government is/governments are/
There, fixed that for ya.
Do you really think government anywhere is trustworthy, or that only the US government would use this technique?
This technique isn't even hard. I used to work at an ISP in Japan that once spent the best part of the day off the Internet because an incompetent router admin in the ROK was announcing our IP space. We finally managed to get the guy on the phone, only to find that his ability to either speak or comprehend English was negligible and that he spoke no Japanese at all. By then, he seemed to have some clue that he'd screwed up and said he was working on it (I wouldn't be surprised if he announced routes for other ASes than ours). When my jaw really hit the floor was when he managed to explain that he had done this before. He obviously didn't get reamed by his boss enough the first time he screwed up like that.
As soon as I started reading TFA, I thought "I bet I know how they did it" - and I'm no CCIE level network engineer - and it turned out I was spot on. The technique is simple enough that I'm sure L0pht Heavy Industries 10 years ago were nowhere near the first group to come up with an attack like this. Heck, they probably didn't tell the NSA anything they didn't already know. Any CCIE could devise an attack like that, and so could quite a few people who aren't CCIEs.
Spying on a large group of Internet users would require tremendous bandwidth and hardware, however - what you might call a rather conspicuous amount of both. It's also not something that would go unnoticed for a really long time by the network engineers at large networks. It might start with a customer complaint of long ping times into their network, or it might start with a neteng looking over the BGP table for something unrelated and thinking, "That's funny" - but it would certainly be noticed. Routing all the traffic for a large AS in, say, the UK through, say, New York, would not go unnoticed for very long.
The best way to conceal an attack like this would be very near the target network. For example, if you were trying to pick off all traffic bound for a regional ISP, you put your sniffing setup in the same colo facility where they are located.
If the target is a national ISP in a large country - the kind that is likely to have multiple ingress points to their network - the attack becomes more complicated. You have to either be in all their colo locations if you want optimum concealment (and if they are large, they probably own the colo, making it trickier to hide what you're doing), or you need to pull all their traffic through your single location, which is more likely to be noticed.
Another good technique for concealing this kind of attack is to not use it all the time. For example, if you know that there are users on Network A on whom you'd like to spy, and that they are communicating with users on Network B, on whom you'd also like to spy, you have a couple of options. One is to randomly announce routes for Network A (and maybe network B at the same time) for some fairly short period of time and at random intervals long enough to let the BGP state go back to normal, and hope you catch something. Another approach is to use some other intelligence sources to figure out the time of day when the communication usually happens and do your intercepts at that time, then turn them off.
If I can think this up - and I've even been out of the neteng business for over 5 years now - the people who do things like that for a living have not only known about it for many years, they were probably thinking "It took L0pht until *1998* to come up with that, and anyone else another 10 years to come up with a usable exploit?!"
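The defender's side of the comment above (the network engineer "looking over the BGP table" and noticing a foreign AS announcing their space), as an added example that is not from the original comment: a small check over route-table observations that flags any entry where one of our prefixes, or a more-specific of it, is originated by an AS other than ours. The prefixes, AS numbers and observed routes are constructed documentation values, and the AS_PATH format (a list of ASNs, origin last) is an assumption of this snippet.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: prefixes we (hypothetically AS 64500) legitimately originate.
OUR_PREFIXES: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64500,
}

# Constructed sample route-table observations: (prefix, AS_PATH as a list of ASNs).
# The origin AS is the last element of the AS_PATH.
OBSERVED_ROUTES: List[Tuple[str, List[int]]] = [
    ("203.0.113.0/24", [64496, 64497, 64500]),   # normal: we are the origin
    ("198.51.100.0/24", [64496, 64511]),         # foreign AS originates our whole prefix
    ("203.0.113.128/25", [64498, 64511]),        # foreign AS originates a more-specific of ours
    ("192.0.2.0/24", [64496, 64499]),            # not our space, must be ignored
]


def origin_as(as_path: List[int]) -> int:
    """The originating AS is the last hop in the AS_PATH."""
    return as_path[-1]


def find_suspect_routes(observed, ours):
    """Return (prefix, origin_as, our_covering_prefix, reason) for every announcement
    that equals or sits inside one of our prefixes but is not originated by our AS.
    A more-specific announced by our own AS is treated as legitimate traffic engineering."""
    own = {ipaddress.ip_network(p): asn for p, asn in ours.items()}
    alerts = []
    for prefix, path in observed:
        net = ipaddress.ip_network(prefix)
        for our_net, our_asn in own.items():
            if net.version != our_net.version or origin_as(path) == our_asn:
                continue
            if net == our_net:
                alerts.append((prefix, origin_as(path), str(our_net),
                               "foreign origin for exact prefix"))
            elif net.subnet_of(our_net):
                # Routers prefer the longest match, so a foreign more-specific
                # silently pulls the covered traffic away from us.
                alerts.append((prefix, origin_as(path), str(our_net),
                               "more-specific announced by foreign origin"))
    return alerts


if __name__ == "__main__":
    for prefix, asn, ours, reason in find_suspect_routes(OBSERVED_ROUTES, OUR_PREFIXES):
        print(f"ALERT {prefix} origin AS{asn} (covers our {ours}): {reason}")
```

A real deployment would feed this from a route collector or the router's own table rather than a constructed list; the two flagged entries above are exactly the "That's funny" moments the comment describes.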
They can put it on there, but that doesn't stop me from doing it anyway. EULAs often contain all sorts of things that are highly unlikely to stand up in court, but until someone decides to actually test it in court, the licensor gets away with it.
People *do* sell things marked with "Not for individual retail sale" piecemeal all the time. Unless the seller bought it under a contract from the manufacturer that forbade such resale (note that this would put it under contract law, rather than license, and would give the restriction teeth), there's not much a manufacturer could do about it in most US jurisdictions.
I'll further back this up with a number: 95% of the spam received in China is in Chinese. Still doubt that spamming tools might be available in Chinese?
Actually, Chinese is one of the leading languages for spam. They've got quite a homegrown spam industry there. I work for one of the leading anti-spam vendors, and the Chinese spam problem is so large that we opened a local office in China to deal with it. The big three languages for spam are English, Spanish, and Chinese. I suppose you're now going to suggest it's racist for saying Spanish is a big spamming language too?
Your comment just proves how clueless you are about the spam situation in China.
China is, and has been for several years, a bastion of "bulletproof" hosting. Since you're so clueless about spam, I probably have to explain bulletproof hosting. Bulletproof hosting is a contract with a hosting provider and/or ISP with IP space to burn that doesn't care what you do with that hosting/IP space so long as you pay your bills.
China is also a haven of phishing sites, largely for the same reason and courtesy of a few rogue registrars operating in China.
There's nothing racist about criticizing China for its conduct. What next? You'll be telling us it's racist to criticize Nigeria for being the source of most of the world's 419 spam?
Silly me. I hadn't heard that scammers, spammers, and those who give them shelter constituted a race.
I get my connection from a small city-run cable company on the San Francisco Peninsula. They have a pretty low guaranteed bandwidth, but what I actually get is really good. I can sustain downloads of over 10 megabits/sec at pretty much any time of the day, as long as the FTP site will give me that much.