Slashdot Mirror


User: Xenographic

Xenographic's activity in the archive.

Stories: 0
Comments: 2,088

Comments · 2,088

  1. Re: Secure? on Cisco IOS Source Code Theft Story Continues · · Score: 1

    It only affected an old version of IE (IE 5?) and had been patched a very long time ago at the time that exploit was found.

    In any event, it's a pity that this code is pretty much only in the hands of those who do not mean well, rather than in the hands of people who would probably submit patches back to Cisco to help make the Internet more secure...

  2. Re:Perhaps Google ought to consider this... on Google IPO Swami · · Score: 1

    I trust the founders. I don't trust those investors who are greedy. The complainers can stuff it, IMHO; no one has to buy so much as a share of it.

    Google would not be Google if it had to be a short-term thinking company like the street expects. On the street, a philosophy like Google's is seen as a liability, but it's the primary reason for me to want to buy a chunk and hold onto it long-term. The market can interpret that however it likes, however I intend to put my money where my mouth is; my investment being a vote of confidence in the leadership of Google.

    Even if they do eventually tank, I would rather have more companies be like Google, because I have no confidence in a great many of the other companies out there...

  3. Re:obvious solution on Student Uncovers US Military Secrets · · Score: 1

    Hmm? I'd expect that you'd just filter out the randomness statistically, somehow, then. Not to mention that those would be fugly.

    It would be better to *remove* the information: all redacted portions would be the same width, no matter how much information was removed.

    If you're trying to get rid of data, NEVER hide what you can remove...

  4. Re:is this just an excuse to write sloppy code on Hardened PHP · · Score: 1

    Uhh, well, they recited a list of disasters caused by bad code at one point, I think.

    But the lecture didn't exactly give us a lot of help in actually doing defensive programming so as to actually *avoid* those errors...

  5. Do it the right way... on Social Engineering in the Workplace · · Score: 1

    Unless your workplace is security-friendly with respect to this, I strongly suggest that you report vulnerabilities like this anonymously.

    It's just not a good idea to do otherwise, since people will start to trust you less (even though you're trying to help them...) and you could easily wind up being a suspect should anyone else discover and exploit the flaws you found... :/

    And yes, I've submitted pretty much all of the vulnerabilities I've found anonymously. You do have to follow up to make sure they don't ignore it, however.

  6. The Canopy shell games.... on Novell Sued Microsoft Through Caldera? · · Score: 1

    Are you sure it's SCO acting here? SCO used to be Caldera, but later changed its name (the original IBM lawsuit was Caldera vs. IBM, IIRC) and somehow I thought there was another Caldera now. Or maybe I'm thinking of newSCO/oldSCO ...

    There are just too damn many Canopy companies which have all continually changed names. Hell! Even the SCO execs don't seem to know which company they are, as some rather schizophrenic web pages and legal filings illustrate (see Groklaw for more info, I know that PJ has spent a loooong time puzzling out which company was which... certainly not an easy task).

  7. Re:Good point... on Novell Sued Microsoft Through Caldera? · · Score: 1

    Knowledgeable IP litigators have told me they think SCO has less than a 10% chance of prevailing in its cases

    I wonder if fool.com is just being nice here, or the lawyers were being cautious (which is reasonable)? An almost 0% chance would certainly be "less than 10%" as well ... :]

  8. Re:RTA, Baystar aren't selling anymore.... on McBride At A Loss For Words · · Score: 2, Insightful

    The irony is that it might be considered a 'business opportunity' to get out of this whole mess while the stock is still worth even as much as it is now...

    The stock only ever crawled out of the sewers based on the hype from their FUD; when the FUD is finally fully abated, it's probably heading right back down there once more...

  9. Umm... on Two Congressmen Push for DMCA Amendments · · Score: 1

    Guys, I hate to break it to you, but I seem to remember some clauses that make parent something other than "funny" ... :[

    Granted, this is for Macromedia Flash Player 7, but here in section 2.2 you'll find this nice clause:

    2. You agree that Macromedia may audit your use of the Software for compliance with these terms at any time, upon reasonable notice. In the event that such audit reveals any use of the Software by you other than in full compliance with the terms of this Agreement, you shall reimburse Macromedia for all reasonable expenses related to such audit in addition to any other liabilities you may incur as a result of such non-compliance.

    Now, I could have sworn that some version(s) of Windows or other products like XP had similar clauses, but I can't seem to find them any more. I did find this link to various MS Product EULAs, but none there appear to have an audit clause. Google tells me that they DO have some audit clauses in various other agreements (i.e. some refurbisher's agreement), so maybe they did drop that clause from most of their consumer software. I hope so.

  10. Re:An EFF View of "Fair Use" on Two Congressmen Push for DMCA Amendments · · Score: 1

    The irony is that Congress actually once tried to close that (somewhere in 17 USC is this little clause about how copying something to memory simply to use the damned thing is an ephemeral copy and not really infringing), but the courts just haven't ever made anything much of that, SFAIK :/

    Pity, too, I remember reading it and thinking that it was one of the more sensible copyright laws...

  11. Re:Are we safe yet? on Justice Department Censors ACLU Web Site · · Score: 1

    You aren't allowed to publish details of ongoing cases that could taint a potential jury pool, and there's no doubt in my mind that that was the entire point of the ACLU's press release.
    -----

    Considering that SCO has demanded a jury trial for SCO vs. IBM, I can only wonder how that's going to turn out... Of course, I do remember the judge drawing them into quarters and SCO mysteriously beginning to STFU to some degree immediately thereafter...

  12. Re:Not solution to slashdot effect, but still grea on Freecache · · Score: 1

    Only on /. could you find someone optimizing code that would be used to bloat web pages.
    -----

    Maybe he is one of the Microsoft Frontpage coders? ;]

    *cheap shot*

  13. Re:Interesting Observation on Microsoft Releases WTL To SourceForge · · Score: 1

    Only on /. can Microsoft contribute a product to sourceforge and be bashed for it.
    ----

    Nah, I'll give them credit for doing something good here. However, I'll keep my eyes peeled for an ulterior motive. Why? I still don't trust, and for good reason. That's not to say they can't turn around--just look at IBM compared to before.

    But trust is earned, so a little bit of code on sourceforge isn't a lot to counterbalance the continuing FUD, but if they change their tune and start making a pattern of this, I may reconsider.

  14. Actually... on Cisco Applies For Patents To Secured TCP · · Score: 5, Interesting

    I can and have thought up a number of ways to use our IP laws to discourage innovation.

    For example, there's some stupid precedent where something like 5 notes were supposedly "subconsciously copied." I remember that, from the way they decided things, someone calculated that there were only 5,000 some odd different types of music that would be legally recognized under that precedent.

    Therefore, if you simply make a CD with each variation (and to comply with other wacky precedents and laws, make it a "dramatic" work--e.g. put some kind of story in there with your music, as well as mixing up the order so as to make your creation more creative than a mere listing of all the possible note combinations), and file a copyright on it.

    Voila, you've copyrighted all the music. But you probably don't dare distribute any of it, lest you infringe on every pre-existing work, so you play SCO. Manage to get in the media with some wacky press release (Slashdot would be a good target), and spout off about how you intend to use this to stifle musical innovation "because it's clearly not profitable."

    Ramble on a bit about how the industry knows what is best for us--"only unoriginal crap sells! so long as they're just rehashing their old works, we feel that they're not deriving anything from ours, and we simply want the music producers to make money, something you cannot do unless you force-feed the public unoriginal music." Thus you're never under obligation to actually sue anyone, though you can make a show of menacing anyone whose music might be original, telling them that it doesn't seem to derive enough from all their old records, so they must have stolen it from you...

    Yes, I realize that this is incredibly contorted logic (I must have been reading too many SCO stories here...), but the upshot of it is that you would be using such a copyright registration to (at least attempt) to stifle innovation. ...

    Now then, as for patents? It's harder to find an example of a bottleneck, as above, and these will cost you over $1,000 each in filing fees alone. Still, you seem to be able to patent the most ridiculous things. You could always file some nonsense like "n-click shopping, for n greater than one" (note that you can make "shopping" into any other activity, though you might get hilarious results like "3-click bowling") or just "___ over the internet" ...

    I can even imagine being bored enough to write an "absurd patent generator" in Perl, if I could just think of more such patterns to feed into it :] For irony's sake, one could then patent that nonsense generating algorithm (though proving it useful in commerce might be another hurdle... I wonder if they would buy the thought that putting it on a page with ads and making a grand total of $0.38 from the ads would be enough? :)

    Of course, if you really did invent something wonderful, and you could patent up all the possible ways of using it (so that others couldn't just tweak it and get around your patent), you could always just publicize it and say that you have absolutely no intention of ever letting anyone use your invention until the patent expires. If it was software, you might then make it available via your website for *only* those people where your patent doesn't apply...

  15. Re:stop this? me? on Life-Ruining Browser Hijackers · · Score: 1

    The only two programs I (personally) vouch for in this area are AdAware, and SpyBot S&D.
    -----

    I agree; I just don't trust the others, due to all the fakes, and I don't have time to try and reverse engineer all the other programs out there.

    Though if anyone can give me some convincing reasons to use other programs/evidence that they are or are not spyware, I'm listening.

  16. I'm tempted to set one up... on Evan Williams Posts Official Google Blog · · Score: 1

    Of course, the main reason I'd want to set up a blog is in the futile hope that I would get to try the Gmail beta :]

    What? It's not like I honestly think that anyone cares about what I ate for breakfast; 99% of blogs (if not more...) are simply not worth reading.

  17. Re:Pretty impressive productivity increase on Bitkeeper News Redux · · Score: 1

    No, but he will be once he can find a few pounds of neodymium magnets to strap to himself ;]

  18. Re:Use a fax-modem.... on Stopping Overseas Fax Spam? · · Score: 1

    Good point.

    We should fax them our junkmail ;]

  19. Re:Targetted Advertising? IPO Impact? on ExtremeTech Reviews Google's Gmail Beta · · Score: 1

    FUD means "fear, uncertainty and doubt" ... e.g. more the thing you'd get if you were hyping GMail as the death of all privacy.

    Now then, I don't have inside knowledge, but I now understand more about the laws that the EFF was talking to Google about. You see, there are federal privacy statutes (intended originally to cover things more like wiretapping, but they've expanded). Basically, Google is not allowed to reveal the contents of your email to anyone without a warrant (well, okay, the PATRIOT act has weakened that by a lot, and after 180 days of storage OR if you open the email, some protections weaken... read Title III, 18 USC 2510-22 for more information).

    What does this mean? Well, I would guess that Google will (basically) give you all the Google sponsored links (e.g. not banner ads) for your email. At least in theory, they will know *nothing* about your email provided you don't click on those links. If you do, they should find out nothing more than the relevant keywords (e.g. they paid to be listed in searches for "foo" and that was the keyword that triggered their text ad to appear next to your email). Also, in theory, they won't know where you came to them via. That is, they won't know if it was from Google's ads on some other site, from a search you did for "foo" or from an email about "foo."

    As for the rest of the operational concerns, I can only speculate as to how Google could manage them. I suspect they will simply monitor how much bandwidth you use in a given account. I mean, most normal people don't fill up 1 GB of email in one day, much less forward it to all their friends... I should think that high-volume traffic like that might raise a few red flags.

    Lastly, concerning the shareholders, I should think that Google has given ample warning of that to investors--e.g. they knew that this is how things were going to be from the get-go, they can't really cry foul when the founders follow through with that. That's not to say that it would necessarily prevent all such lawsuits. Having no rational basis for a suit never stopped people like Darl McBride... :]

    I read somewhere that, interestingly, Google is better off if people who share the founders' vision hold on to the company, through good times and bad. I don't know about anyone else, but I hope to put some money in Google and ride it out. If all else fails, I feel like Google is making the net more useful, and I want to be a part of that.

  20. Re:Why not give a better link to the PPA? on Boucher's DMCRA To Get A Hearing On May 12 · · Score: 2, Insightful

    There *may* be an exemption in the DMCA itself, I just cannot remember all of the provisions very well offhand. I think there was some kind of provision for security experts or something like that.

    The Library of Congress can grant exemptions. They already have for reversing the wordlists used by netfilters (netnanny, etc.). I would imagine that they would grant an exemption for reversing malware if petitioned to do so. Of course, I don't know that anyone *has* petitioned them to do so, so it might not be that bad an idea...

  21. Digital pictures can be submitted. on Digital Cameras Change War Photo-Journalism · · Score: 3, Informative

    In order to admit a picture as evidence (at least, in a normal criminal court--I don't know what they have to do in military courts), you generally do three things:

    1) Print it.
    2) Sign it.
    3) Date it.

    You then submit that to the court. For reference, my information on this comes from the US DOJ CCIPS page. Note that their position on this is similar to how they treat non-digital photographs--that is, they don't insist on the negatives, but they present developed photos to the court. I believe that they cite more case law in there about that so you can read up on it yourself. I'm still digesting lots of 4th Amendment case law from it, myself...

  22. Why not give a better link to the PPA? on Boucher's DMCRA To Get A Hearing On May 12 · · Score: 4, Informative

    Bah, why the crappy flash intro page?

    Give them something more useful to look at, like the contact page. You can tell them why this is unreasonable.

    Now then, they're probably right that it would prevent them from being able to protect their works--DRM does not and has not ever worked (and hopefully will never work, since DRM working would imply that all general-purpose devices have been disabled or destroyed...)

    Of course, where we disagree is whether this is a Bad Thing [TM]. Obviously, the substantial non-infringing uses (not to mention the crippling effects of DRM schemes when secure, and their futility when insecure) legitimize the need to be able to crack DRM schemes without fearing that you might have to go to prison because you stripped out the "don't copy" bit.

    I could only wish that a judge would rule, with a perverse sense of irony, that the word "effective" when discussing copyright protection devices meant that the device had to actually work (e.g. be un-circumventable), but alas, I don't think that judges are allowed to do that.

    In the meantime, why don't they stick to suing people for actual copyright infringement, instead of "protecting" their works with stupidly restrictive schemes?

    I mean, I'm just waiting for a "DRM Virus" which makes use of some DRM scheme or another to prevent anti-virus people from reversing or deactivating it. And lest you think I'm kidding that a provision like this could be used by the virus writer, read McClelland v. McGrath, 31 F. Supp. 616 (N.D. Ill. 1998). Even though it might be "the very definition of chutzpah," a kidnapper sued a police officer for unauthorized monitoring of his cell phone. He may not have been able to suppress the evidence against him and get off of the kidnapping charge, but there were still civil penalties under 18 USC 2518(10)(a) ... This has no bearing on a "DRM virus" but it shows that a judge might still entertain such an argument, though I seem to remember that the DMCA has some manner of exemption that might cover such things... maybe.

  23. DDoP? on Pizza From the Command Line · · Score: 4, Funny

    What happens when someone ports it to Windows and someone else releases the PizzaBlaster worm?

    Distributed Denial of Pizza?

    The authors would be hunted down by every programmer on the planet, including me!

    Oh well, if they're like other programmers, they'd starve to death if they went long enough without pizza and the ramen reserves didn't hold out...

  24. Re:Yes we should all pay for this too on Microsoft Security Updates for Pirated Windows? · · Score: 1

    As far as I know, distributors still pay Microsoft on a per-PC basis. In other words, they still pay Microsoft for any "naked" PCs they sell. The theory is that this keeps them from under-reporting the number of machines with Windows pre-installed that they sell. The side effect of this is that it costs them the same amount to put Windows on the machine as it does not to, so some of the costs end up passed along to you, anyhow (and Microsoft still makes money whether you buy from them or not) ...

    I have no idea if this practice has changed yet or not, as I seem to remember Microsoft's agreements with resellers to be rather secretive.

  25. Re:I remember that guy! on The Most Powerful Man in Technology Journalism · · Score: 1

    I mean, he decides to fling allegations of "terrorism" when he gets hatemail for being an idiot online, and (worse!) tend to discredit or disbelieve his oh-so-insightful analysis.

    Meh, I lost a word in that. Make that "... and (worse!) people tend to discredit or disbelieve his oh-so-insightful analysis." D'oh!