Proprietary software is a must in business. First off most software is made inhouse. Does the GPL allow this? Yes, but it makes many lawyers and IT manager at work uncomfortable. What if my company gets bought out? Is that corporation then in violation of the GPL? What if Microsoft does an audit and scares the CIO about *liability protection*?
Then just write your own software, or buy it from MS with all the issues that brings. When I contribute to open source projects I'm happy when some money-making corporation is able to use it and share freely what they've done with it. On the other hand, if some mega-corp wants to use the work that I helped contribute to and keep the results secret, ask me if I care if they end up in legal problems as a result. They're not paying me - I'm not going to lose sleep over how nervous their lawyers are. If they just open-source their own code then they'd have no issues. If proprietary software is a must for them, then they should just buy proprietary software. I just don't want to hear them whining when they have a higher cost structure than a competitor who fully embraces open-source...
That's the theory, but it really wouldn't be terribly difficult to create a partition with a single "a" on it and then brute-force the BIOS until it returns an "a". After 15-20 seed characters have been deciphered the encryption scheme should become apparant.
Uh, you do realize that this is the exact scheme employed to crack the RSA challenges, right? Well, not exactly - what you describe is a chosen plaintext attack. The RSA challenges are a known plaintext attack (they picked the encrypted text).
Note that all of the RSA challenges that use even moderately-difficult ciphers are still unbroken. Distributed.net is working on RC5-72. Nobody uses less than 128 bits for anything important.
The fact is that brute-forcing a modern cipher even when the plaintext is known is VERY difficult. The cipher will almost certainly be a block cipher, so the plaintext will be padded to the nearest block length - so you aren't really just cracking an "a".
Modern ciphers are designed to defeat both known-plaintext and chosen-plaintext attacks. Even if you can get the chip to encrypt text of your choosing and can examine both the input and output of the algorithm freely, it should still take a full brute-force attack to obtain the key. And that key will be VERY long - well beyond the ability of anyone to brute force even with specialized hardware.
Maybe the NSA knows differently, but that would be about it...
That would work if the OS was in the hardware. But the OS is on the HD these days, not in a chip.
Actually, it can work with an OS on the hard drive. At boot time the BIOS would hash the OS that it is loading, and store the hash. The TCPA chip would then use this hash to decide whether to give the OS access to its encryption keys (which are stored on the hard drive, but using a key known only the chip). The same applies to software. The idea is that TCPA is a framework - you don't have to use it, but any software which does use it can protect its memory/storage. Of course, you still have the weakest link principle - if the OS has a buffer overflow you could probably obtain the session keys of the OS and any apps that reside under it, but not keys at the BIOS level and above. A buffer overflow in an application could give you its session keys, but not those of the OS or other apps. Also, there would undoubtedly be decrypted stuff sitting in RAM, and that would be more susceptible to hardware-level attacks. You may or may not be able to get keys, but you might be able to get the protected information itself. That won't be something the average person would try at home, though.
Actually, you could handle 3rd parties easily enough with this sort of model.
Just have the OS keep track of which program created which file, and allow it to decrypt files on request for that program only. You could get at a file if you could find an exploit in that program, of course, or in the OS.
That is the nature of trusted computing. The TCPA-chip hashes the BIOS on boot and gives it access to its protected storage if it hasn't changed. The BIOS hashes the OS and gives it access to its protected storage if it hasn't changed. The OS hashes each running program and grants it access to its protected storage if it hasn't changed. When you're doing a software/OS update the unchanged OS will inspect the update files, and if they're OK it will extract from the update files the expected new hash and send it to the BIOS/TCPA chip with a message stating that this new hash will be acceptable for accessing the old protected storage, then it will patch itself and on reboot the old key will get revoked if the patch worked.
Nothing would stop you from installing linux on such a PC. It just wouldn't be able to access any protected areas on the drive (which is likely to be the entire windows partition). There would need to be some mechanism for handling removable media (probably storing it in an unprotected fs, sans any DRMed content) - otherwise you couldn't read it on another PC unless MS wants to keep some online repository of encryption keys for every floppy that was ever formatted (which actually isn't as hard as it sounds).
Near-perfect DRM / TCPA is actually quite feasible with today's technology. It just has to be built as a well-designed platform from the ground up to be bulletproof. That doesn't mean it will stop the atomic bomb (ie somebody with an electron microscope and a PhD in microprocessor design), but not too many people have those, and if the music industry has to live with them being able to listen to their music in their car CD players I'm guessing they won't lose much sleep over it. In any case, the files will still be watermarked, so they won't be going anywhere...
You made it difficult by stripping off the brackets around 'em in ps output.
Actually, they were never there. Try ps -e sometime. ps aux is BSD syntax, which I'd gotten away from a long time ago (probably from being on some system which didn't understand it at all)...
Uh, that is debatable. It is certainly enforced in the courts, but it isn't really written down anywhere. Certainly it isn't the law in the sense that a law in the constitutional sense is.
There are also newer laws regarding trade secrets and contracts. I'm sorry if you don't think that contract law is actually law.
For the record, I agree fully with you on this, and it is my belief that many forms of contracts carry the weight of law (including NDAs in most cases). I also agree that this was not my original assertion.
Yeah, this coming from someone who doesn't think the law is the law.
Uh, I was trying to agree with you on that point in my reply. Sorry if I didn't make it clear.
But hey, if want to believe that violating things that exist in the law books isn't illegal, go ahead.
Uh, did I ever say that violating a law wasn't illegal? I was not aware that the UCC addressed contracts, but if you read the cornell site you linked to you'll note that contracts are actually interpreted under a framework of judicial tradition (common law - which isn't "law" in the code of law sense at all), and state statutes (which are clearly law). The UCC is clearly a modern movement. In any case, I agree that there are some laws regarding contracts, but in general they are a civil matter. In any case, I agree that to the degree a law is broken, an action is illegal (simply by definition).
So Cisco is killing people? What's your point?
See Reductio ad absurdum (a perfectly valid form of argument). Clearly if Cisco was killing people, violating an NDA to stop this action would be ethical (I hope you don't intend to debate this point). Therefore, under some circumstances, violating an NDA is morally right (and laws should be written to reflect this, as it is in the common interest that laws be written in this manner, and the whole purpose of having laws in the first place is for the common good). Once you accept the truth of the position that NDAs aren't the word of God, we've now reduced the debate to whether the particular circumstances warrant a breach. I did not take a position one way or the other on this point - I merely pointed out that in some conceivable set of circumstances the actions in question could be justified. I can't profess to now what exactly has happened in this case.
What law is the NDA in question forcing the person to violate?
See above. You do agree that an NDA that forces you to break the law is invalid, correct? I never said that this was the case here. Only that it isn't as black and white as you make it out to be.
So do you actually have any reason to believe that Cisco/ISS are comitting a crime, or is that just 100% wild, rampant speculation?
I don't speculate that Cisco has created a crime at all. I never said that the researcher's actions were justfied. I only said that they could be under certain circumstances, and that things are not "cut and dried" or "black and white" (my words).
You might want to read what I actually wrote. Your arguments would be good ones if you actually were attacking a position that I actually hold...
Because the PTB that ran the mainframe were incompetent assholes who couldn't support our computing needs properly from a centralized position.
I think the problem was an ivory tower one - the IT group's goals were not aligned with the business units.
I've seen this pattern re-emerging with the re-discovery of shared services in many companies. Here is how the cycle goes:
1. Start with lots of departments running their own mini-data-centers, help desks, etc. 2. Somebody comes to the realization that by centralizing these services the level of service can be increased (24x7 monitoring, professional staff, etc) while the cost is decreased (fewer servers, less headcount overall, staff freed for more strategic work). 3. Company centralizes services - cost of running servers goes from $10M to $500k. Somebody gets promoted. 4. New guy comes in - shaves budget from $500k to $400k. Gets a raise. Lays off 10% of staff, gets a raise. Aims for cost of $100k. Looks into moving servers to elbonia. 5. Business units find help desk cases going from 3 days under #1 to 1 day under #2 to 5/7/9 days under #3. Servers go down - IT gets to it when they get to it. Developers release new code, IT staff installs six months later. 6. New application is being rolled out. Business unit builds own "computer room" to host it to avoid dismal IT group. 7. Wait 5 years - go to step 1...
#2 is where you want to be - central services just make sense. The problem is that once you have one IT budget everybody starts hacking away at it until they actually raise costs by causing everybody to roll their own. Management needs to realize that #2 is optimum, and fund it well. Often budget increases in a central group LOWER overall costs, as it deters business units from reinventing the wheel.
Of course #3 is always acompanied by management edicts forbidding the creation of non-central IT groups. Business areas always find loopholes (10 workers who all do it in their "spare time", "small productivity tools" that aren't classified as IT projects, the Access database that grows to 10 million records, etc.).
In 15 years we'll be right back where we are now...
By revealing that information without permission, he is violating that NDA, which is *illegal*.
Is it? It certainly is a violation of contract and makes you liable for damages, but I don't think it is actually against the law (which is the definintion of illegal).
Hey - I'm not saying it is right, or that Cisco doesn't have a valid civil case. However, I don't think that a criminal statue was broken.
In any case, I'd question the validity of an NDA which required somebody to keep secret a piece of information contrary to a large public good.
For example, if I found out under an NDA that my employer was putting out a product that was killing people, and keeping it quiet, I'd be ethically bound to blow the whistle. I'd think that a court would not award damages to my employer in such a case since there is a significant public interest in allowing people to selectively violate NDAs to blow the whistle.
Certainly an NDA that forces you to break the law (such as by concealing knowledge of a crime) would be void.
So, just because there is an NDA doens't make this cut-and-dried. Now, a lot hinges on the particulars of the case, and I can't say whether it is appropriate to violate the NDA under these circumstances. However, all is not black-and-white in these situations.
And yes, I have a "real job". I have never violated an NDA, and intend to never do so. However, I would feel justified in doing so if I had clear evidence that an employer was committing a crime, or harming people and not doing something about it. I would almost certainly go through official channels first though. You shouldn't blow a whistle when the company is in fact actively trying to resolve the problem (in a reasonable timeframe)...
Well, for starters they'd actually need a mass driver. Depending on how hard it is to build/launch/install/operate one it sounds like a good idea though...
Or, allow for the fines to extend to stockholders. If you could lose not only your $35/per share stock price, but also an extra $300/share fine, that would probably transform corporate governance entirely...
You could have an encryption key burned into the CPU, and that could be used to decrypt a hard drive partition containing session keys for various files on the drive.
Yes, the key is stored somewhere, and yes, in theory you can retrieve it.
However, if properly implemented it will only be possible to obtain the key using hardware-level attacks. Forget downloading some program and executing it - you'll probably need $15k worth of high-end equipment.
In theory a DirecTV box has the decryption key in it, but look at how hard it is to obtain black-market smart cards for them. It is very difficult to crack a smart card, and so very few people are able to do it.
Now, DirecTV is actually far easier to crack than PC-DRM. DirecTV uses one key for their entire stream for a long period of time, so you crack one key you can unlock any unit.
Suppose on the other hand that each unit had a unique key (as envisoned with PC DRM)? Now you need to crack an individual PC. We're talking about pulling out your CPU and mailing it to some underground outfit so that they can mail you back your CPU and the embedded key. How much of a market will there be for that? The 2-way mailing required by this would also make it VERY easy to bust.
Now, it may be the case that the DRM scheme that gets implemented has some weakness which allows less drastic measures to bypass it. However, in theory such a system can be made VERY difficult to defeat.
Yes, but the only urgent part of this project is recovering the data.
In theory for far less you could simply recover the data, test that it was recovered properly, and then stick it on a webpage for anybody in the world to analyze.
Their proposal is to solve the secrets of the universe for $250k. I might suggest that maybe the goal should be to simply transfer the data for $10k, and let somebody else pay for solving the secrets of the universe. The data recovery project is also far more likely to be successful...
Better still - nice envelope with a letter on authentic-looking stationary and a USB drive inside.
The letter says - dear information computing professional, MS would like you to test-drive our latest (insert name of fancy software package here). The enclosed demo will not interfere with any of your existing software, and as a thank-you for trying out our newest offering you can keep this handy 128MB USB drive. Feel free to pass along to your colleages as well.
At work we get demo CDs all the time for various expensive software applications. If you want to do some real industrial espionage send google a USB drive with the latest open source code-profiling tool, or Pfizer a flashy-looking clinical data analysis tool, or whatever.
Do the whole thing in flash so that it looks like something as high-tech as what you'd see in star trek (it isn't like you actually have to write the algorithm - just an animation). It will get passed all over the place to countless managers. And in most companies you can't give a worker-bee access to a system without giving it to their manager, so you have countless management drones with access to systems they never even look at, but your newly-introduced worm can poke around freely...
Actually, this would provide an attack against a computer which decrypts a hard drive using a key supplied at boot time (perhaps via USB key or just a passphrase that is typed).
Such as system is resisted to physical attacks since most of those require shutting down the computer - which causes loss of the decryption key stored in RAM.
This attack would allow you to unlock the computer while it is running, and therefore while the OS still has the drives unlocked. You could possibly just store the key that is in RAM and then shut down the PC and work on the rest of the drive, or you could just copy the whole contents of the drive to remote storage and then work on the rest at home.
I agree that you couldn't just boot up a powered-off computer with an encrypted hard drive and then apply the attack to it. The computer couldn't be booted without the key, unless it is stored internally. If it is stored internally you don't need this new attack at all.
In theory you could just make a whole swarm of cheap 10 cm mirrors that fly in formation and form a composite mirror. The difficulty would be keeping their positions precisely aligned. Something like this would be easier to set up either in a very high orbit or in solar orbit - since the further you get away from gravity the smaller the delta-v you get when moving a few m in any direction.
I'm guessing it will still be far cheaper to build and test the mirrors on Earth though - otherwise you need to construct some kind of facility in space. Then again, if the mirrors are small it might work out - you don't need as much power and the oven doesn't need to be as big. I'm not sure how long the mirrors need to stay warm - you could just put them in "pizza boxes" and park them in orbit until they've set. You could safely move a cooling mirror around in space without worrying too much about vibrations as long as you only apply gentle thrust to it.
However, if you want big mirrors, I'm guessing it will be a long time before we can build them in space...
Actually, they are probably intending to register their protest to protect their trademark. If you don't protect it, you lose it.
Lawsuits don't have to be expensive. They can just type up a few briefs and file them. MS can write 1 million pages of replies, and Vista can just stick with what they already wrote. Judges don't just go by volume of paperwork.
Granted, there is always the risk that they could lose. However, they would clearly be showing their intent to protect their trademark. Even if MS is allowed to use Vista's name (which is likely considering the number of lawers they're going to employ), Vista will still have registered their protest to the use of the mark. Then, in a few years when MS would like Vista to stop using the name themselves, they'll have an essentially-impossible case to make - obviously Vista was there first, and had clearly registered their protest at sharing. No court would rule against Vista after already conceding to MS the right to share the name.
So, vista can spend $500 on some filing fees and just let the case go against them and still accomplish a possible objective.
There is nothing that annoys me more than being in a meeting with somebody and having them pick up their phone. I probably had to wait two days to get my audience with some manager, and I spend half my time just listening to them dealing with others who can't bother to schedule an appointment...
Although you could change all these components idividually, you must admit just changing the whole machine is often a better deal.
However, keep in mind that a computer is only as fast as its weakest link. If the CPU can go up to 4GHz, but the memory bus is so slow that the CPU sits around all day waiting for data, then you might as well save money on that CPU.
Hence, motherboard technology and CPU technology tend to improve hand-in-hand. Ditto for memory speed.
Even if you could double your CPU performance on the same motherboard, would you want to? The only exception would be if you started out with a well-below-cutting-edge CPU to begin with - in which case you could upgrade to what was top-of-the-line at the time and your motherboard would probably still be fine.
In any case, I still find it cheaper to upgrade my own PCs. Why?
1. Keep the optical drives, case, floppy drive, video card (if you're a non-gamer), etc. (Maybe even the power supply if you have a decent one.) That right there is a few hundred dollars saved over anything Dell will sell you.
2. Get a decent motherboard. Performance tests have shown that spending an extra $10 on a motherboard can often improve performance SUBSTANTIALLY (moreso that spending it on CPU/RAM). Big brands know that consumers don't ask about motherboards, and they don't look at benchmarks, so they save the $10. Don't make the same mistake. Likewise, a decent motherboard will often give you technology like firewire/extra USB/etc for literally $10 more. That saves quite a bit when you don't have to run out to walmart for a USB hub.
3. Be able to overclock if you want to - in general a retail motherboard/BIOS gives you far more control over the computer. Don't be a ricer, but feel free to experiment with timings that improve performance on your hardware without wearing things out.
4. Get the components you want. Thinking about dabling with linux? Well, check the compatibility lists and you don't end up with that motherboard which was popular with Dell or Compaq or whoever which has some random glitch with linux. ACPI is nototious for being broken, and if you are using features like powernow you want a system that isn't glitchy. Check out IRC for people groaning...
Honestly, I was surprised that I actually saved money building a PC myself - Dell has access to all kinds of deals that I don't have access to. On the other hand, Dell only sells "genuine" Intel, which handicaps them. Plus, Dell forces you to toss your perfectly good case, floppy, opticals, etc. Oh, you also get penalized for not buying a monitor, and I hope you like your growing collection of keyboards/mice/etc... You may not end up being far ahead on price, but often your performance ends up being better.
And that is why I simply don't answer the phone 80% of the time unless it is a call from somebody that I know would be needing help with a priority project/subproject/whatever. Ditto with emails - however I appreciate that email makes it easier to screen incoming information and quickly decide whether it is worth reading right away.
If I'm deep in thought, off goes the email, and the phone certainly gets ignored.
Work on the stuff you know is important, or at the very least work on the stuff your boss tells you is important. Don't just switch tasks every time somebody adds something to your to-do list. The guy calling on the phone will get taken care of in time. Time management gurus call this taking care of the important rather than just the "urgent." This is the only way things get fixed in the long-term - often the guy screaming for help on the phone is looking for a short term solution.
In fact, I normally prefer email to phone calls. It is less interrupting, and it forces the person who is contacting you to organize their thoughts rather than just randomly spilling them out. Phone is GREAT for conversations, but TERRIBLE for just making requests. Unless you know that the call is going to be very high priority for both parties, I think you're better off just sending an email to schedule a time to make the call, or better still a visit.
In PA the rule is typically that an accident is either charable or it isn't. An accident is not charagable if any of a number of conditions are met, some of which are:
1. You weren't in the car and it was parked legally.
2. The other driver was DUI.
3. You were found by a police officer to be no more than 49% at fault.
4. Your car has damage only to the rear portion of the vehicle, and the other car has damage primarily to the front portion of the vehicle. (Note they worded it this way to lower insurance company wiggle-room - this is pretty objective.)
There are a bunch of others as well. A factor that works against most of these is if you were given a ticket as a result of the accident. I forget the exact rules.
Note that people have accidents as far as insurance is concerned, not cars. So, if you loan your car to a friend who doesn't live with you, and they total it, that doesn't count against you at all, although your friend may be toast with their insurance on their unscratched car.
This is all quite sensible - it is logical that accident-prone individuals pay higher rates. However, if you are merely unlucky that shouldn't count against you.
Proprietary software is a must in business. First off most software is made inhouse. Does the GPL allow this? Yes, but it makes many lawyers and IT manager at work uncomfortable. What if my company gets bought out? Is that corporation then in violation of the GPL? What if Microsoft does an audit and scares the CIO about *liability protection*?
Then just write your own software, or buy it from MS with all the issues that brings. When I contribute to open source projects I'm happy when some money-making corporation is able to use it and share freely what they've done with it. On the other hand, if some mega-corp wants to use the work that I helped contribute to and keep the results secret, ask me if I care if they end up in legal problems as a result. They're not paying me - I'm not going to lose sleep over how nervous their lawyers are. If they just open-source their own code then they'd have no issues. If proprietary software is a must for them, then they should just buy proprietary software. I just don't want to hear them whining when they have a higher cost structure than a competitor who fully embraces open-source...
That's the theory, but it really wouldn't be terribly difficult to create a partition with a single "a" on it and then brute-force the BIOS until it returns an "a". After 15-20 seed characters have been deciphered the encryption scheme should become apparant.
Uh, you do realize that this is the exact scheme employed to crack the RSA challenges, right? Well, not exactly - what you describe is a chosen plaintext attack. The RSA challenges are a known plaintext attack (they picked the encrypted text).
Note that all of the RSA challenges that use even moderately-difficult ciphers are still unbroken. Distributed.net is working on RC5-72. Nobody uses less than 128 bits for anything important.
The fact is that brute-forcing a modern cipher even when the plaintext is known is VERY difficult. The cipher will almost certainly be a block cipher, so the plaintext will be padded to the nearest block length - so you aren't really just cracking an "a".
Modern ciphers are designed to defeat both known-plaintext and chosen-plaintext attacks. Even if you can get the chip to encrypt text of your choosing and can examine both the input and output of the algorithm freely, it should still take a full brute-force attack to obtain the key. And that key will be VERY long - well beyond the ability of anyone to brute force even with specialized hardware.
Maybe the NSA knows differently, but that would be about it...
That would work if the OS was in the hardware. But the OS is on the HD these days, not in a chip.
Actually, it can work with an OS on the hard drive. At boot time the BIOS would hash the OS that it is loading, and store the hash. The TCPA chip would then use this hash to decide whether to give the OS access to its encryption keys (which are stored on the hard drive, but using a key known only the chip). The same applies to software. The idea is that TCPA is a framework - you don't have to use it, but any software which does use it can protect its memory/storage. Of course, you still have the weakest link principle - if the OS has a buffer overflow you could probably obtain the session keys of the OS and any apps that reside under it, but not keys at the BIOS level and above. A buffer overflow in an application could give you its session keys, but not those of the OS or other apps. Also, there would undoubtedly be decrypted stuff sitting in RAM, and that would be more susceptible to hardware-level attacks. You may or may not be able to get keys, but you might be able to get the protected information itself. That won't be something the average person would try at home, though.
Actually, you could handle 3rd parties easily enough with this sort of model.
Just have the OS keep track of which program created which file, and allow it to decrypt files on request for that program only. You could get at a file if you could find an exploit in that program, of course, or in the OS.
That is the nature of trusted computing. The TCPA-chip hashes the BIOS on boot and gives it access to its protected storage if it hasn't changed. The BIOS hashes the OS and gives it access to its protected storage if it hasn't changed. The OS hashes each running program and grants it access to its protected storage if it hasn't changed. When you're doing a software/OS update the unchanged OS will inspect the update files, and if they're OK it will extract from the update files the expected new hash and send it to the BIOS/TCPA chip with a message stating that this new hash will be acceptable for accessing the old protected storage, then it will patch itself and on reboot the old key will get revoked if the patch worked.
Nothing would stop you from installing linux on such a PC. It just wouldn't be able to access any protected areas on the drive (which is likely to be the entire windows partition). There would need to be some mechanism for handling removable media (probably storing it in an unprotected fs, sans any DRMed content) - otherwise you couldn't read it on another PC unless MS wants to keep some online repository of encryption keys for every floppy that was ever formatted (which actually isn't as hard as it sounds).
Near-perfect DRM / TCPA is actually quite feasible with today's technology. It just has to be built as a well-designed platform from the ground up to be bulletproof. That doesn't mean it will stop the atomic bomb (ie somebody with an electron microscope and a PhD in microprocessor design), but not too many people have those, and if the music industry has to live with them being able to listen to their music in their car CD players I'm guessing they won't lose much sleep over it. In any case, the files will still be watermarked, so they won't be going anywhere...
You made it difficult by stripping off the brackets around 'em in ps output.
Actually, they were never there. Try ps -e sometime. ps aux is BSD syntax, which I'd gotten away from a long time ago (probably from being on some system which didn't understand it at all)...
Uhm, common law is still law. Hate to tell you.
Uh, that is debatable. It is certainly enforced in the courts, but it isn't really written down anywhere. Certainly it isn't the law in the sense that a law in the constitutional sense is.
There are also newer laws regarding trade secrets and contracts. I'm sorry if you don't think that contract law is actually law.
For the record, I agree fully with you on this, and it is my belief that many forms of contracts carry the weight of law (including NDAs in most cases). I also agree that this was not my original assertion.
Yeah, this coming from someone who doesn't think the law is the law.
Uh, I was trying to agree with you on that point in my reply. Sorry if I didn't make it clear.
I thought that was funny, but in all honesty, how many people around here can tell you what the following do, and whether they are essential:
ksoftirqd, khelper, kthread, kacpid, kblockd, khubd, kswapd0, kseriod, kjournald, events, pdflush, aio, xfslogd, xfsdatad, xfdbufd, udevd
Are all of these even real userspace processes?
But hey, if want to believe that violating things that exist in the law books isn't illegal, go ahead.
Uh, did I ever say that violating a law wasn't illegal? I was not aware that the UCC addressed contracts, but if you read the cornell site you linked to you'll note that contracts are actually interpreted under a framework of judicial tradition (common law - which isn't "law" in the code of law sense at all), and state statutes (which are clearly law). The UCC is clearly a modern movement. In any case, I agree that there are some laws regarding contracts, but in general they are a civil matter. In any case, I agree that to the degree a law is broken, an action is illegal (simply by definition).
So Cisco is killing people? What's your point?
See Reductio ad absurdum (a perfectly valid form of argument). Clearly if Cisco was killing people, violating an NDA to stop this action would be ethical (I hope you don't intend to debate this point). Therefore, under some circumstances, violating an NDA is morally right (and laws should be written to reflect this, as it is in the common interest that laws be written in this manner, and the whole purpose of having laws in the first place is for the common good). Once you accept the truth of the position that NDAs aren't the word of God, we've now reduced the debate to whether the particular circumstances warrant a breach. I did not take a position one way or the other on this point - I merely pointed out that in some conceivable set of circumstances the actions in question could be justified. I can't profess to now what exactly has happened in this case.
What law is the NDA in question forcing the person to violate?
See above. You do agree that an NDA that forces you to break the law is invalid, correct? I never said that this was the case here. Only that it isn't as black and white as you make it out to be.
So do you actually have any reason to believe that Cisco/ISS are comitting a crime, or is that just 100% wild, rampant speculation?
I don't speculate that Cisco has created a crime at all. I never said that the researcher's actions were justfied. I only said that they could be under certain circumstances, and that things are not "cut and dried" or "black and white" (my words).
You might want to read what I actually wrote. Your arguments would be good ones if you actually were attacking a position that I actually hold...
Because the PTB that ran the mainframe were incompetent assholes who couldn't support our computing needs properly from a centralized position.
I think the problem was an ivory tower one - the IT group's goals were not aligned with the business units.
I've seen this pattern re-emerging with the re-discovery of shared services in many companies. Here is how the cycle goes:
1. Start with lots of departments running their own mini-data-centers, help desks, etc.
2. Somebody comes to the realization that by centralizing these services the level of service can be increased (24x7 monitoring, professional staff, etc) while the cost is decreased (fewer servers, less headcount overall, staff freed for more strategic work).
3. Company centralizes services - cost of running servers goes from $10M to $500k. Somebody gets promoted.
4. New guy comes in - shaves budget from $500k to $400k. Gets a raise. Lays off 10% of staff, gets a raise. Aims for cost of $100k. Looks into moving servers to elbonia.
5. Business units find help desk cases going from 3 days under #1 to 1 day under #2 to 5/7/9 days under #3. Servers go down - IT gets to it when they get to it. Developers release new code, IT staff installs six months later.
6. New application is being rolled out. Business unit builds own "computer room" to host it to avoid dismal IT group.
7. Wait 5 years - go to step 1...
#2 is where you want to be - central services just make sense. The problem is that once you have one IT budget everybody starts hacking away at it until they actually raise costs by causing everybody to roll their own. Management needs to realize that #2 is optimum, and fund it well. Often budget increases in a central group LOWER overall costs, as it deters business units from reinventing the wheel.
Of course #3 is always acompanied by management edicts forbidding the creation of non-central IT groups. Business areas always find loopholes (10 workers who all do it in their "spare time", "small productivity tools" that aren't classified as IT projects, the Access database that grows to 10 million records, etc.).
In 15 years we'll be right back where we are now...
By revealing that information without permission, he is violating that NDA, which is *illegal*.
Is it? It certainly is a violation of contract and makes you liable for damages, but I don't think it is actually against the law (which is the definintion of illegal).
Hey - I'm not saying it is right, or that Cisco doesn't have a valid civil case. However, I don't think that a criminal statue was broken.
In any case, I'd question the validity of an NDA which required somebody to keep secret a piece of information contrary to a large public good.
For example, if I found out under an NDA that my employer was putting out a product that was killing people, and keeping it quiet, I'd be ethically bound to blow the whistle. I'd think that a court would not award damages to my employer in such a case since there is a significant public interest in allowing people to selectively violate NDAs to blow the whistle.
Certainly an NDA that forces you to break the law (such as by concealing knowledge of a crime) would be void.
So, just because there is an NDA doens't make this cut-and-dried. Now, a lot hinges on the particulars of the case, and I can't say whether it is appropriate to violate the NDA under these circumstances. However, all is not black-and-white in these situations.
And yes, I have a "real job". I have never violated an NDA, and intend to never do so. However, I would feel justified in doing so if I had clear evidence that an employer was committing a crime, or harming people and not doing something about it. I would almost certainly go through official channels first though. You shouldn't blow a whistle when the company is in fact actively trying to resolve the problem (in a reasonable timeframe)...
Well, for starters they'd actually need a mass driver. Depending on how hard it is to build/launch/install/operate one it sounds like a good idea though...
I don't think so - they would just use mutual funds (like they do already), except these would specialize in liability protection.
Likewise people would only invest in well-audited companies, and everybody would seek the use of auditors who actually have teeth...
If a public company breaks the law, is it fair to punish the unknowing shareholders by "suspending operations" of the company?
Sure. They made the mistake of buying a stock for a company that wasn't properly audited.
Granted, right now, no company is properly audited. However, that would change in a big hurry if shareholders were liable...
Or, allow for the fines to extend to stockholders. If you could lose not only your $35/per share stock price, but also an extra $300/share fine, that would probably transform corporate governance entirely...
Not necessarily.
You could have an encryption key burned into the CPU, and that could be used to decrypt a hard drive partition containing session keys for various files on the drive.
Yes, the key is stored somewhere, and yes, in theory you can retrieve it.
However, if properly implemented it will only be possible to obtain the key using hardware-level attacks. Forget downloading some program and executing it - you'll probably need $15k worth of high-end equipment.
In theory a DirecTV box has the decryption key in it, but look at how hard it is to obtain black-market smart cards for them. It is very difficult to crack a smart card, and so very few people are able to do it.
Now, DirecTV is actually far easier to crack than PC-DRM. DirecTV uses one key for their entire stream for a long period of time, so you crack one key you can unlock any unit.
Suppose on the other hand that each unit had a unique key (as envisoned with PC DRM)? Now you need to crack an individual PC. We're talking about pulling out your CPU and mailing it to some underground outfit so that they can mail you back your CPU and the embedded key. How much of a market will there be for that? The 2-way mailing required by this would also make it VERY easy to bust.
Now, it may be the case that the DRM scheme that gets implemented has some weakness which allows less drastic measures to bypass it. However, in theory such a system can be made VERY difficult to defeat.
Yes, but the only urgent part of this project is recovering the data.
In theory for far less you could simply recover the data, test that it was recovered properly, and then stick it on a webpage for anybody in the world to analyze.
Their proposal is to solve the secrets of the universe for $250k. I might suggest that maybe the goal should be to simply transfer the data for $10k, and let somebody else pay for solving the secrets of the universe. The data recovery project is also far more likely to be successful...
True, although the USB key would work on a PC with non-admin rights.
That is certainly true, I guess I meant Linux distros like Redhat, Debian, etc.
You mean, Redhat, Debian, Gentoo , etc.?
Better still - nice envelope with a letter on authentic-looking stationary and a USB drive inside.
The letter says - dear information computing professional, MS would like you to test-drive our latest (insert name of fancy software package here). The enclosed demo will not interfere with any of your existing software, and as a thank-you for trying out our newest offering you can keep this handy 128MB USB drive. Feel free to pass along to your colleages as well.
At work we get demo CDs all the time for various expensive software applications. If you want to do some real industrial espionage send google a USB drive with the latest open source code-profiling tool, or Pfizer a flashy-looking clinical data analysis tool, or whatever.
Do the whole thing in flash so that it looks like something as high-tech as what you'd see in star trek (it isn't like you actually have to write the algorithm - just an animation). It will get passed all over the place to countless managers. And in most companies you can't give a worker-bee access to a system without giving it to their manager, so you have countless management drones with access to systems they never even look at, but your newly-introduced worm can poke around freely...
Actually, this would provide an attack against a computer which decrypts a hard drive using a key supplied at boot time (perhaps via USB key or just a passphrase that is typed).
Such as system is resisted to physical attacks since most of those require shutting down the computer - which causes loss of the decryption key stored in RAM.
This attack would allow you to unlock the computer while it is running, and therefore while the OS still has the drives unlocked. You could possibly just store the key that is in RAM and then shut down the PC and work on the rest of the drive, or you could just copy the whole contents of the drive to remote storage and then work on the rest at home.
I agree that you couldn't just boot up a powered-off computer with an encrypted hard drive and then apply the attack to it. The computer couldn't be booted without the key, unless it is stored internally. If it is stored internally you don't need this new attack at all.
In theory you could just make a whole swarm of cheap 10 cm mirrors that fly in formation and form a composite mirror. The difficulty would be keeping their positions precisely aligned. Something like this would be easier to set up either in a very high orbit or in solar orbit - since the further you get away from gravity the smaller the delta-v you get when moving a few m in any direction.
I'm guessing it will still be far cheaper to build and test the mirrors on Earth though - otherwise you need to construct some kind of facility in space. Then again, if the mirrors are small it might work out - you don't need as much power and the oven doesn't need to be as big. I'm not sure how long the mirrors need to stay warm - you could just put them in "pizza boxes" and park them in orbit until they've set. You could safely move a cooling mirror around in space without worrying too much about vibrations as long as you only apply gentle thrust to it.
However, if you want big mirrors, I'm guessing it will be a long time before we can build them in space...
Actually, they are probably intending to register their protest to protect their trademark. If you don't protect it, you lose it.
Lawsuits don't have to be expensive. They can just type up a few briefs and file them. MS can write 1 million pages of replies, and Vista can just stick with what they already wrote. Judges don't just go by volume of paperwork.
Granted, there is always the risk that they could lose. However, they would clearly be showing their intent to protect their trademark. Even if MS is allowed to use Vista's name (which is likely considering the number of lawers they're going to employ), Vista will still have registered their protest to the use of the mark. Then, in a few years when MS would like Vista to stop using the name themselves, they'll have an essentially-impossible case to make - obviously Vista was there first, and had clearly registered their protest at sharing. No court would rule against Vista after already conceding to MS the right to share the name.
So, vista can spend $500 on some filing fees and just let the case go against them and still accomplish a possible objective.
There is nothing that annoys me more than being in a meeting with somebody and having them pick up their phone. I probably had to wait two days to get my audience with some manager, and I spend half my time just listening to them dealing with others who can't bother to schedule an appointment...
Although you could change all these components idividually, you must admit just changing the whole machine is often a better deal.
However, keep in mind that a computer is only as fast as its weakest link. If the CPU can go up to 4GHz, but the memory bus is so slow that the CPU sits around all day waiting for data, then you might as well save money on that CPU.
Hence, motherboard technology and CPU technology tend to improve hand-in-hand. Ditto for memory speed.
Even if you could double your CPU performance on the same motherboard, would you want to? The only exception would be if you started out with a well-below-cutting-edge CPU to begin with - in which case you could upgrade to what was top-of-the-line at the time and your motherboard would probably still be fine.
In any case, I still find it cheaper to upgrade my own PCs. Why?
1. Keep the optical drives, case, floppy drive, video card (if you're a non-gamer), etc. (Maybe even the power supply if you have a decent one.) That right there is a few hundred dollars saved over anything Dell will sell you.
2. Get a decent motherboard. Performance tests have shown that spending an extra $10 on a motherboard can often improve performance SUBSTANTIALLY (moreso that spending it on CPU/RAM). Big brands know that consumers don't ask about motherboards, and they don't look at benchmarks, so they save the $10. Don't make the same mistake. Likewise, a decent motherboard will often give you technology like firewire/extra USB/etc for literally $10 more. That saves quite a bit when you don't have to run out to walmart for a USB hub.
3. Be able to overclock if you want to - in general a retail motherboard/BIOS gives you far more control over the computer. Don't be a ricer, but feel free to experiment with timings that improve performance on your hardware without wearing things out.
4. Get the components you want. Thinking about dabling with linux? Well, check the compatibility lists and you don't end up with that motherboard which was popular with Dell or Compaq or whoever which has some random glitch with linux. ACPI is nototious for being broken, and if you are using features like powernow you want a system that isn't glitchy. Check out IRC for people groaning...
Honestly, I was surprised that I actually saved money building a PC myself - Dell has access to all kinds of deals that I don't have access to. On the other hand, Dell only sells "genuine" Intel, which handicaps them. Plus, Dell forces you to toss your perfectly good case, floppy, opticals, etc. Oh, you also get penalized for not buying a monitor, and I hope you like your growing collection of keyboards/mice/etc... You may not end up being far ahead on price, but often your performance ends up being better.
Just some random thoughts...
And that is why I simply don't answer the phone 80% of the time unless it is a call from somebody that I know would be needing help with a priority project/subproject/whatever. Ditto with emails - however I appreciate that email makes it easier to screen incoming information and quickly decide whether it is worth reading right away.
If I'm deep in thought, off goes the email, and the phone certainly gets ignored.
Work on the stuff you know is important, or at the very least work on the stuff your boss tells you is important. Don't just switch tasks every time somebody adds something to your to-do list. The guy calling on the phone will get taken care of in time. Time management gurus call this taking care of the important rather than just the "urgent." This is the only way things get fixed in the long-term - often the guy screaming for help on the phone is looking for a short term solution.
In fact, I normally prefer email to phone calls. It is less interrupting, and it forces the person who is contacting you to organize their thoughts rather than just randomly spilling them out. Phone is GREAT for conversations, but TERRIBLE for just making requests. Unless you know that the call is going to be very high priority for both parties, I think you're better off just sending an email to schedule a time to make the call, or better still a visit.
But that is just my two cents...
In PA the rule is typically that an accident is either charable or it isn't. An accident is not charagable if any of a number of conditions are met, some of which are:
1. You weren't in the car and it was parked legally.
2. The other driver was DUI.
3. You were found by a police officer to be no more than 49% at fault.
4. Your car has damage only to the rear portion of the vehicle, and the other car has damage primarily to the front portion of the vehicle. (Note they worded it this way to lower insurance company wiggle-room - this is pretty objective.)
There are a bunch of others as well. A factor that works against most of these is if you were given a ticket as a result of the accident. I forget the exact rules.
Note that people have accidents as far as insurance is concerned, not cars. So, if you loan your car to a friend who doesn't live with you, and they total it, that doesn't count against you at all, although your friend may be toast with their insurance on their unscratched car.
This is all quite sensible - it is logical that accident-prone individuals pay higher rates. However, if you are merely unlucky that shouldn't count against you.