Nicely caught. I meant to say "malice" instead of "stupidity". I'm stuck in a two-hour meeting with the project management team at work, so my subconscious let out a small cry for help in my post.
Well done. Yeah, I suck at car analogies. The thing is, the muffler is an important ingredient in the overall product.
One could argue that the only "key" (pun partly intended) feature is the security of the room protected by the lock as you rightly stated, and yes, it failed to do so. The other pieces would be the management of the cards, auditing of entry to the rooms and the wow factor to the clientele.
Could the argument also not be made that it would deter 99.99% of unauthorized access? In most circles, that would be pretty good. This is not a trivial exploit either.
Your analogy has more potential than mine: maybe you expect BMW to get you a Tesla or a new set of country-club friends?
Considering that he went for glory by not providing some professional courtesy (your mileage may vary) and disclosing this to Onity before his Black Hat presentation, he may potentially suffer a bit by "enabling criminals to circumvent the protection offered by the lock". It is a Black Hat conference after all, so the motivations and the spirit are a tad different from other "community" InfoSec conferences. I won't argue what the right approach is. At the end of the day, the vulnerability probably shouldn't exist, so the fault lies entirely with Onity there.
As well, Onity is asleep at the wheel. It was July when the problem surfaced. In September the thefts happened. It's now November.
Someone in PR and Media Relations at Onity isn't doing their job. R&D is probably working overtime and Legal Affairs is probably writing up something nice to make an example of Cody.
Easy now; don't blame something on stupidity that you assign to sheer incompetence. Or a third variation, towards a quest of more profit!
I can design a super-secure lock. It will cost more to develop, and then it will cost more to produce, which will raise its price. Which in turn will lower my potential customers (90% of folks just want a lock that can be easily managed and is simple for their users). The accounting people said, "Do the simpler version, it will be good enough and return us 87% more profit. BTW, we already printed the brochures so your comments are moot."
If Onity comes up with a more secure model then it could well be that there is a cost associated. Mind you, this is a PR nightmare, so some companies would just eat the cost.
The hotels bought a lock for a specific purpose. It provides a decent deterrent. Someone motivated will always find a way in.
Car analogy: You bought the BMW 325 to impress your friends while driving with the collar of your polo shirt up. It turns out that thieves can steal your muffler for the precious, precious platinum in the catalytic converter. The brand new M3 model developed after the news broke out has the muffler protected by the body. Do you expect a free upgrade from BMW?
Doesn't Windows have some sort of "Windows Validation" when people run WindowsUpdate? Well, revoke the activations at that point for the mistakenly-issued keys. I'm sure MS has other ways of disabling a copy.
Big deal. What's the loss here? $20k worth of "licenses"? More, less? Still no big deal. No one is going to lose their job on this one. As we keep saying here in /., a pirated copy is never equal to a lost sale. This is a blip.
It is amusing though.
Kilobyte, Baud, transistor, Rhodesia, and like someone else said "Y2K"
Gawd, GIF?!?!? That's pretty lame.
I haven't bought anything from Valve in years. still waiting for Episode 3.
Easy to say; harder to do; one also has to account for malice, incompetence and sometimes sheer stupidity. We did the usual screenings (criminal check, education, references, professional employment, etc.) for an InfoSec position. Within a week of starting, the fellow was surfing dating sites in plain view. Guy used his admin privileges to set up an SSH tunnel and surf off his home computer. Heard it from a peer and couldn't believe it. Asked HR for permission and verified the browser logs myself. Within two days we asked him to leave the office and not come back.
Mind you, that was the exception, although at the time I got pretty down on myself for hiring this person and learned since then that some things are just out of your control. Most of the time we have been fortunate and got some great hires.
Man, I agree 110%. I believe in karma, the submitter will be on the receiving end one day and then he will be a bit more sensitive to others and show some empathy.
That's exactly the question that I have.
I always liked the free-for-all.
And as far as it being a DMCA, it's even worse than the US "model" where at least that model allows for a review every few years of new exceptions that should be made to the digital locks provisions. Canadians get no such reviews and will live with these digital lock rules forever.
From Geist's summary:
"The government has established a regulatory process to allow for new digital lock exceptions, which creates the possibility of Canadians seeking new exceptions to at least match some of the U.S. exceptions on DVDs or streaming video"
I think there are four options here:
a) we as consumers push to get these exceptions in place using the process
b) we avoid products with digital locks
c) we come up with a digital -> analog -> digital conversion solution
d) we break the law and risk a max $5,000 fine
I had actually e-mailed my MP directly (a Liberal) and the Minister of Industry Affairs (a Conservative), making it pretty clear how consumers' rights must be protected.
Looks like the levy on media is there; I guess music downloading will continue being legal in Canada. I'm fine with that.
The digital locks piece is what bothers me, and it's good that a process exists to have the government re-visit this. So on top of my list will be to copy DVDs so that I can use them on my devices. Since format-shifting is permitted, this should be fine on principle.
Michael Geist himself should be commended because he was a solid (constructive) critic and I remember seeing him on CSPAN doing an awesome job explaining the issues to the committee members. He played a BIG part in my opinion to get this bill the way it is.
This is in Canada. So it's typical we would blame the Federal Conservatives, Harper, and his oil-pleasing cronies.
Personally I blame the various unions and the inefficient healthcare sector with their monumental waste.
So it seems that the ToS made the subscriber accountable for any infringement.
First, it's actually pretty clever that they sign and mark the downloads. They should have informed their users, this probably would make a lot of folks pause to begin with.
The "defendant" (who didn't defend himself) could have claimed that his computer was hacked or someone made copies without his permission. The pressure would be on the company to prove that he uploaded the files himself.
Car analogy: if someone steals my car from my garage, and runs someone over, am I guilty of the hit'n'run?
Interesting; I didn't catch that and I actually RTFA. So were Mendoza and Magana trespassing themselves?
Nope. That's why it's still a GRAY-market. There was even a Supreme Court decision supporting this (you can look it up, since you have some cool googling skills).
Show me a case where a CANADIAN citizen has been prosecuted by a CANADIAN court for infringing against Dish and DirectTV. Lots of default decisions in US courts for Canadians running sites, HW vendors and against US citizens pirating. Spend some time on http://satscams.com/ to stay up to date. Usually Canadians get hammered (by the Canadian government) because they didn't report taxable income due to their FTA activities (resellers).
Yeah, I thought so. The fact that an American company cannot prove damages from a Canadian consumer pirating the signal kind of makes this a moot point, doesn't it? It's not like the Canadian can subscribe to Dish or DirectTV, can he?
You wouldn't be working for Bell/Shaw/Cogeco/Rogers, would you? You sound a lot like the folks I run into from those companies.
No, no it isn't. It's not illegal to pirate Dish or DirectTV. It becomes illegal when you try to decrypt Bell or Starchoice signals. If you can, you can even subscribe to an American sat provider if you can convince them to sell you their service. You need a US address.
Mind you, the RCMP has done a great job in shutting down a lot of dealers in the gray market, because these devices are CAPABLE of getting Canadian sat provider signals illegally. Lots of choice in the past. nagra3 may make it harder as well.
I hear you. The elements that you have to face are different than what senior management is willing to face. Two sets of rules. They don't mind putting you in harm's way while they spend the day at home watching SportsCenter.
Can't ask your manager for remote access to your terminal and/or tools?
Hate the game, not the player. Universities need to get smarter in protecting publically-funded IP.
Palm readers, Farmer's Almanac, anyone who publishes a book about Nostradamus, etc ...
This is beyond ridiculous. It's just stupid.
That makes two of us. Politicians? Polls? Police Departments? Poles? Polarities?
Reminds me of an article in a printed newspaper that had the word "coms" in there. Communications? Communists? Commitments? It was hard to figure out even with context.
Agree completely. I actually have a Boxee Box and certainly won't go out and buy this. Since I do have a capped Internet provider, this offers me very little value. OTA/ATSC encrypted signals are okay I suppose, but not exactly a game changer.
I have a cable service and have a PVR.
Basically the Boxee folks thought long and hard to come up with some sort of subscription service. Since they have absolutely no leverage with content providers, they decided to lock down this functionality to suit their financial goals rather than the interests of the users. Their argument that people are running out of space is a weak one. If they're that keen, provide the cloud-storage as an ADD-ON.
This also explains why they never came out with DVR functionality for the USB-based tuner for the Boxee Box. They had this planned for ages.
I'm going to pass.
Ahhh, step 2. You're right. I'll do better next time. I'll sell shares of my clock radio on Craigslist next. Your cut, because it was your idea, will be 10%. What title do you want in "Lieutenant Dan's Clockradio Company GMBH"? I have dibs on Chief Privacy Officer.
I once valued my microwave at $1,100,000 but ended selling it for $20 on Craigslist. There was disappointment all around.
As well, I once had an idea for a jetpack that I valued at $20 billion AUS dollars ("billion" with a "b"). Unfortunately I sold that idea for a pint of Fosters to a work colleague.
Which is useless if the party that wants to monitor you is somewhat sophisticated:
a) they have access to your computer remotely (keylogger, screengrabber, remote desktop, etc)
b) they can make you think you're accessing Google (MITM)