Wait. TFA says they discovered this on July 29, and that their "private investigation into the breach is complete." Only now are they going public with this? How much damage could have already been done in the month of August?
The breach alone creates a huge liability for them. This delay makes it worse, because they can't blame that on some other bad actor.
Intel didn't "unveil" anything -- they accidentally posted a "product change notification" that listed model numbers for upcoming Skylake Xeon processors, then quickly took it down. What we've learned is that the model numbering system will change, maybe in a way that keeps a similar organization but renames things, and maybe in a way that means substantive changes. We can't tell.
In other words, this is semantics. If there's more to be gleaned from the leak, I haven't heard it here.
Actually, the NSA cracked the first 3 of the 4 coded messages themselves, but didn't go public with it until a member of the public had found the solution. Or they claim they did, anyway . . .
I'm just not impressed by this at all. Set aside the "counterattack" issue that all of the/.ers are reacting to, and look at the meat of the article.
At the beginning of the article, he discusses this as a perimeter defense. MSBlaster was only directly penetrating the perimeter of networks that had inbound TCP 135 open. Anybody who is going to take security seriously enough to set up honeypots as a defense against worms is going to close inbound TCP 135. Everybody I know that saw MSBlaster on their network (and I have a bunch of customers that got it) was infected in some other way, either by an infected laptop plugging in internally, or an infected host coming in via VPN. (BTW, I'd love to see a good solution for intrusion detection that works at the point of entry for VPN connections.)
But then he start talking about counterattacks as if this is something you are going to use to protect your uninfected hosts from your infected hosts internally. Even assuming you don't have a switched network, I still can't imagine the IDS that will analyze all internal network traffic and respond in a timely way, especially under the conditions of a worm attack, which typically involves flooding the network.
And all of that are really details. It all depends on being able to detect and respond to worm traffic faster than worm traffic can infect you. If anybody could find a way to do that, they'd integrate it into a firewall product and use it to just cut off this traffic, and everybody would run out and buy it. Rerouting the traffic instead of cutting it off would be just a curiosity that pretty much nobody would care about.
hackers could launch attacks against unprotected systems as early as day's end. "It's going to be trivial," he said. "This is an instant replay of a few weeks ago."
And this post from BugTraq today seems also to suggest that there's no reason this won't be in the wild just about any minute.
At least you did RTFA, and this point is pretty unclear, but when he says:
By providing Open Source software without a warranty, these largest vendors avoid significant costs while increasing their services revenue.
I think you have to take this in the context of an earlier comment, specifically:
IBM and other Linux vendors are reportedly unwilling to provide intellectual property warranties to their customers.
In other words, the warranty he's referring to isn't one about how the software works, or whether it is supported, but rather whether or not the vendor will assert, when you buy the software from them, that you in fact are not violating anybody elses IP rights by using it.
Shortly after the line you quote, he also says:
In the long term, the financial stability of software vendors and the legality of their software products are more important to enterprise customers than free software.
This reinforces the impression that the business model issues he is referring to in the quote in question involve the assertion that open source software is "legal" rather than the assertion that it works, or that it is support.
I've got to say, though, that it took some re-reading to actually follow the attempt at logic in this part of the letter.
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself,
nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
OK, maybe I'm not really who you are aiming this question at, but probably those folks aren't going to answer, or give the serious and honest answer you're looking for, so I'm what you are going to get.
I patched my home machines probably within 24 hours of the patch being available. I've got a couple of machines, and nobody is depending on their uptime to make a living or maintain a professional corporate image. If only the real world were that easy.
My company lives in the real world. We were hit by this, but pretty lightly, a couple of machines and we were lucky enough to pull the plug on them and cut it off before it spread, mostly because I was monitoring slashdot, and I knew the symptoms of the infection the first time it came up internally.
Our firewall wasn't breached so much as apparently circumvented by a laptop belonging to a user that never accepted the patch -- he got the virus at home, then came to work and plugged in. I assume that just about any company with a firewall at all isn't allowing incoming TCP 135, so I'm guessing that hard-hit companies generally got it this way.
We had identified this patch as critical, even relative to all the other less-critical critical patches. That still meant we had to test it outside of production, which took some time, and we also had to keep an ear to the ground to find out if any of the (many) folks out there who apply patches without testing first had been burned by this one.
When we were satisfied at that point, we had made it available internally to all workstations via SUS -- worst case scenario here if the patch is bad is a lot of re-imaging, but no loss of data, no loss of critical network services, etc. We don't have workstations set to auto-install the patches, so that requires the user to click an install button to complete the process. In many cases, the users had done that. In some, they hadn't.
At that point we started pushing it out to machines via SMS, workstations first, and then starting to patch the servers. (I wish I could give you a timeline for each step here.) Again, we proceeded conservatively, not getting every box at once, and not letting SMS force our servers to reboot after the patch installation, but instead asking various sysadmins to schedule reboots for servers at an acceptable time as soon as possible after the patch was applied.
So, some servers were patched by yesterday. Probably half were not, especially if you count those that were patched but not yet rebooted, which you have to count as not patched, I guess. To my knowledge at this point, we cut this off before any servers were infected, which was really just luck once it was inside the firewall. It could have been worse, but at the same time, many of our boxes were safe by the time yesterday came.
Now, of course, we are frantically patching and rebooting. And if we had been a little more frantic beforehand, we could have easily had it done before yesterday. But little else is getting done today. We've got over 100 Windows servers to deal with here, production, development, testing, IIS, SQL, SMS, DCs, Citrix, physical machines, virtual machines, you name it. It is not trivial to get this job done. And doing it in a hurry is dangerous as well.
And we're lucky. All our boxes are at one location.
I'm looking back at how we handled this, and I think that a little more focus and emphasis and we could have patched everything by now, but the attack could just as easily have come a week sooner, and we'd still be having this conversation.
The difficult truth is that, in many cases, it is possible to develop an exploit for a vulnerability more quickly than it is possible to adequate test and deploy a patch in a large and complicated corporate environment. You patch as quickly as you safely can while still getting everything else done, and you also take all the other steps you can to mitigate the damage if you get hit. That's the real world.
Wow, great post, great points. I'll beg to differ on the details, but I'm glad to see this kind of discussion here.
Now, let me disagree, up to a point, with a couple of things you said. Actually, let me not so much disagree as point out that you are making some good points, then pushing your logic so far that it has bad consequences -- and that people who actually support those bad consequences like to grab onto arguments just like these to provide support for their views that allows them to tar and feather their opponents.
3. never treat anyone like the plague because he supported someone else. Many people even in America still defend communism, many others have strong religious affiliations of all sorts. None of them are absolutely evil, and evil only lies in the eyes of the beholder.
Yes and no. You are right that nobody is pure, nobody can cast the first stone. But "evil only lies in the eyes of the beholder"? It is possible to believe that (1) everybody is imperfect and that we need to keep an open mind and understand that our own perspective is as "unobjective" as anywhere else's, and that (2) some things are just bad, just wrong.
Evil is a loaded word, but your argument pushes to the point that nobody can point at some bad act (killing thousand by attacked the towers, killing thousands by invading Iraq, etc.) and say it is bad and wrong, and evil if that's your synonym for bad and wrong. Maybe I'll cut somebody some slack for supporting any particular individual (bin Lanen, Bush, etc.), but not for supporting bad acts. When we lose are ability to refer to anything as bad or wrong, the game is over.
4. never support any form of government to the extreme that you impose it on others. Face it, democracy is a total failure in poorer countries where people only vote for the person most seen on TV, which is the richest politician around. The communists were in the same shoes a few years ago.
Again, you begin your point with something that is true, but then your argument carries the logic to a fault.
Yes, democracy fails in many places. Treating the idea of democracy as an icon to worship, and to impose on others by force, is stupid. On the other hand, where people are denied freedom and basic human rights by their government, I will stand up and call that government wrong. I don't give a damn if they get a bicameral legislature with elections every four years (and don't forget the free markets!!!). But I do think that extending freedom and human rights to people elsewhere in worth making sacrifices for here, and those who would deny people these freedoms and rights should be opposed.
Note that I didn't say that we should go in shooting to set up democracy (but only if there's oil and decade-old grudge). But there may be times when using force is appropriate, if the alternative is to stand by watching people suffer and die. (Think Rwanda here.)
There are folks (including non-interventionists on the right and left) who use the "don't impose your form of government" argument to support the argument that other people's freedom is not our concern. I say it is everybody's concern, and I believe I can say this, and still disagree with imposing forms of government.
A few people here have been a little bit too harsh on Davis for what he's trying to do here. PKD's fiction has been more and more widely read in the last 10 years or so, but other non-fiction expressions of his ideas (his journals, his interviews) are still more difficult to find, and when you find them, they are often somewhat incoherent. Davis here is trying to take bits and pieces of that incoherence and turn it into a sort of summary of what PKD's own words said about what he was trying to say and do. It's a decent attempt to summarize a bunch of difficult-to-summarize writing and speaking.
With that said, however, there's a little bit of an (unconscious?) agenda in this "interview" I think. He turns some of PKD's ideas about the world and religion and spirituality into ideas about technology, which really isn't fair or reasonable. Short example:
So technology may actually be staging the emergence of a higher state of consciousness. Why is this happening now?
Information has become alive, with a collective mind of its own independent of our brains.
NO! This isn't PKD talking about technology emerging into consciousness, a la Terminator's SkyNet. For PKD, the prototype of living information was the Torah and the Dead Sea Scrolls, not some piece of technology. It's a very Hegelian view of consciousness and history here, that there's a sort of transcendent and fundamentally spiritual consciousness consisting only of ideas which forms the true substance of the Universe and the medium of history, but the information there isn't bit and bytes in computers; it's ancient Gnostic explanations of the spiritual relationship between God and man and the world.
So that's my one gripe about the article. By trying to make PKD's usually incoherent ramblings coherent, he turned some really strange ideas about God and universe into easier-to-digest ideas about technological development. Aside from that, it was pretty clever.
I keep reading post after post saying that this will be back next year, or this will be funded with "off the books" secret money. I don't for one second doubt that our government operates this way quite frequently, but I'm not so pessimistic.
First off, the point of this project was to mine lots of private sector data, local and state government data, federal government data, etc. This isn't something anybody can easily do secretly. Come on all you/.-reading DBAs out there -- are the feds going to secretly mine your data? Are the black ops going to hack in and load your data into their secret supercomputer -- and then update it daily? I don't think so. Under TIA, the feds would have access through the front door to state and local DBs, credit card and bank info, and more and more. Without TIA, anything they build secretly will have access to far less data, and will be much, much less powerful. In fact, without access to all of that data, the original point ("Total" information) is pretty much wrecked.
Secondly, there's a growing consensus in Congress that TIA goes too far. When they guys who gave us the Patriot Act can agree that a program goes too far in terms of infringing civil liberties, that's really saying something. Let's all relax for 30 seconds here and be grateful that Congress is drawing a line in the sand -- yes, yes, way to late, but still they are putting the administration on notice that it doesn't get absolutely everything it wants, and that's a major change in the momentum of this debate.
With all of that said, "All but dead" is overstating things a bit -- this is a line in a Senate bill that hasn't made it through the horse-trading in conference yet, so anything could still happen. I wouldn't say "All but dead" until it has the president's signature.
There's some confusion here -- let's separate "binding" from "precent". Anything can be a precedent. Binding is another matter.
Circuit courts are a strange system. Each of the circuits covers several states. What a particular circuit rules is always binding in that circuit. By "binding", this means that lower courts (namely, federal district courts) should consider that ruling the "law of the land" when they make their decisions.
What this means is that the law of the land in one circuit (and therefore in one state) may different from that in another. A law found constitutional in one state may be unconstitutional in another. Only the Supreme Court can resolve these differences, and although the S.C. turns down far more cases than it hears, it almost never turns down a case that will resolve a conflict among circuits. And of course, rulings by the S.C. are always binding on all federal courts.
The "only a three judge panel" part is confusing. Usually, when a case is heard in Circuit Court, three judges (from the 10 or 15 or so in that circuit) will hear the case, and the "best out of three" wins. In some rare cases, the entire circuit will sit "in panel" to hear a case -- often if they want to review the finding of a three judge panel that seems out of whack. This is rare. But when the Circuit speaks as a whole in this way, that precent takes precedence over any previous three-panel decision in the circuit in the same case.
As I said, three judge panels are the norm. Their findings are perfect "binding" within the circuit.
Anybody who actually is a lawyer (or just knows better) can feel free to correct me -- I'm in a hurry and didn't have a chance to double-check the finer points, but in gross, this is how it works.
But more relevant to the "instantly familiar" part is that when the New Left radicals started to idolize him, this one image of his face began to appear over and over on posters, t-shirts, magazine covers, everywhere, all variations of this one picture of him. It became a ubiquitous bit of pop-art for several years, and for probably 10 years or so, just about anybody in the U.S. could have seen a rendition of that one image, and known it was Che.
The Cease and Desist in this case referenced in the parent post is for the use of images of cans of SPAM by an individual on his website, not just the term. They also threw in some stuff about domain names that use "spam" in them and so on, which is probably just typical lawyerly overkill. (By the way, does anybody know the outcome of this 5-year old case?)
People keep saying that Hormel hasn't been defending their trademark, but it seems to me that they have established a clear policy on their site about how the feel about their trademark, and they've stuck consistently to it. In short, if you use "spam" generically, they don't care. If you use it in a way that associates it with their product (i.e. images of the product, or SPAM in all caps as they always do it), they'll come after you.
In this case, somebody wants to trademark the name, and they are fighting that. It seems reasonable that two trademarks containing the word "spam" could be more of a threat than widespread, non-trademarked generic usage. Their position seems reasonable and consistent. Maybe wrong, maybe right, but reasonable.
And I think that they should be given a lot of credit for this. It they were really sending out C&D letters consistently for years and years, they'd be one more of the many companies regularly mocked and griped about on/., but they haven't been. They've only taken legal action in rare cases that are more likely to affect them directly. They're using common sense, and keeping their lawyers in check, but not signing away their rights. Let's give them some credit.
eBay cooperates with law enforcement inquiries, as well as other third parties to enforce laws, such as: intellectual property rights, fraud and other rights, to help protect you and the eBay community from bad actors. Therefore, in response to a
verified request by law enforcement or other government officials relating to a criminal investigation or alleged illegal activity, we can (and you authorize us to) disclose your name, city, state, telephone number, email address, UserID history, fraud complaints, and bidding and listing history without a subpoena.
(emphasis added)
They say in this written policy that they will verify the request as coming from law enforcement. This is a contract. If they do not honor it, they are (presumably) subject to legal action, especially if somebody experiences a material loss as a result (maybe unlikely, but still).
I'm not talking about what they do in the real world, or what anybody says in any particular interview. But what they say in writing does have some weight (even if they may choose to disregard it).
This guy lives in Madison, Wisconsin, one of the coolest places in the world to live (speaking as somebody who moved my family just so I could be in Madison). We have 200,000 people, the state capital, one of the largest universities in the country, museums, restaurants, music, malls, traffic (sort of), sprawl (a little bit), more community and more to do than anywhere I ever lived in east cost suburbia.
Say what you want about gaming or anything else, but please stop making a big deal (all of you!) about a throw-away line about "too far from big cities", to conclude that this guy lives on 40 acres in the middle of rural South Dakota. Geez!
</RANT>
OK, South Dakotans who want to respond, feel free to rant on.
what sort of benefit does mankind get from working out twin primes? In fact, do primes do anything for us anyway?
With all due respect, who cares? What sort of benefit does the mankind get from the Mona Lisa? From NASCAR? From owning pets? Need I go on . . . . ?
Why does everything have to be for some benefit? Most math doesn't have an application, not now and not ever. We're doing more math everyday than we'll ever find uses for. Mostly it is an aesthetic pursuit. People like doing it. They like seeing it done. They find it challenging and rewarding. A few people get paid to do it, and some (fewer) get a certain amount of fame from it. That's good enough.
Besides, I can think of much worse ways we could spend our time, but if I really started to go into that, I'd be trolling . . . .
With all due respect to the responses that named some possible free tools . . . . no. I can't recommend anything free.
If you can afford to buy a computer, you can spend the $30 or $40 to get a decent professional anti-virus program. Unlike anything free, your basic McAfee / Norton / etc are going to allow you to configure your machine to automatically update virus definitions without intervention, and are going to basically keep the definitions up to date with virtually every realistic virus threat out there, and they will update the defintions quickly in response to new threats.
I don't believe any free solution can do this for you. It is worth the money. It is the first step that any home Wintel box owner needs to take to prevent the most common security problems (yes, yes, I know, aside from nuking the OS, which isn't an option for most home users, and is clearly not a useful response to this poster, even if it gets you a few funny mod points).
Or, to put it the other way, if you aren't willing to take even this first step, there's very little chance your box is going to stay intact over time.
Bite the bullet and accept that spending the extra bucks is the cost of doing business with MS.
I respect your idealized libertarian (quasi-anarchist?) streak here, but it is unrealistic.
Some background, for those who need it. The first amendment (to take a well-known example) doesn't say "You get the freedom of speech." It says "Congress shall make no law abidging the freedom of speech." In other words, the freedom in question is assumed to pre-exist the Constitution, and the Constitution is just explicitly recognizing it, and declaring it as a limit on governmental power.
But there's a contradiction built in, because the Bill of Rights still enumerates particular rights, and for a couple of centuries courts have been understandably less willing to protect rights that aren't explicitly enumerated (privacy and substantive due process and the backlash against it being the exception that proves the rule) than those that are.
Yes, enumerating freedoms can have the effect of implying that we are not free to do anything except what is enumerated. But that's a built-in side effect of the way the Bill of Rights is written. It's even worse since the courts rules that the 14th Amendment "incorporates" much of the Bill of Rights applies to the states. Before the 14th Amendment, it wasn't clear that expressions like "Congress shall make no law" applied to state and local legislative bodies. The Supreme Court used the 14th Amendment to rule that many of the *enumerated* rights in the Bill of Rights now could be enforced as restrictions on state and local legislatures as well. But this explicitly applies only to things enumerated, and even then only the ones the courts have picked and chosen.
In other words, when you (the previous poster) say "I don't want to start to have my freedoms enumerated by a Congress, Court, or Executive.", I'm saying it is already way, way, way too late. Maybe if that attitude was in place in the 1780's we could have a system that works that way. Of course, with that attitude, we'd still have the Articles of Confederation (which might not be such a bad thing from a small-weak-government-is-good point of view). But we don't.
Additionally (and then I'll shut up), legislative acts creating or recognizing rights are often absolutely essential to turn the abstract principles listed in the Constitution into specific and applicable rules and regulations with enforcement mechanisms. Parts of the post-Civil War amendments were widely disregarded until Congress passed the Voting Rights Act almost 100 years later. Now there were clear rules explaining what did and didn't constitute disenfranchising somebody, and a way to enforce it. If you were a black citizen in Mississippi, it was the Voting Rights Act and not the 15th Amendment that actually made it possible for you to relatively safely get to the voting booth, cast a ballot, and be confident that it was counted.
OK, I've gone off topic, but I'll bring it home. Explicitly listing this freedom is a Good Thing. The freedom to use open wireless networks could be seen as competing with the freedom to use your own wireless network without sharing resources with intruders. We need explicit guidance on how to balance these things, and how to enforce the balance we come up with. That's what legislatures are supposed to do with the system we've got, as opposed to the one we might wish we had. That's what they are doing here.
The TNG Universe (and Enterprise) is formulaic, over-produced, slick to the point of featurelessness, and so politically correct it is painful to watch. . . .
I've been watching Trek since the original series. The original was fun, quirky, politically-incorrect for its time, and just plain fun.
What? I'll grant most of what you are saying here, but I can't figure out what you are saying about political correctness here, except it applies to anything you don't like.
If anything, the original Star Trek was quite politically correct. The two basic political themes I see were (1) inclusion, equality, diversity, and (2) exploring without conquering, winning the hearts and minds of everybody we find by virtue of our virtue and our lofty principles. This isn't a bad description of the way America wanted to view itself then.
This is 1966-1969, remember. The Civil Rights Act of 1964 and the Voting Rights Act of 1965 had passed and were being enforced. This is the height of Martin Luther King's activism, and the period where pictures of peaceful marchers being attacked by police dogs were making most of America realize how far out of the mainstream the Jim Crow South had become. Yes, the interracial kiss upset some people, but it wouldn't have happened on mainstream TV if it wasn't time for it.
And the general approach of exploration without colonialism works too. McCarthyism was behind us, but the Cold War was not. We wanted to differentiate ourselves from the Red Menace by our goodness and virtue. While Soviet tanks were rolling into Czechoslavakia, we were trying to win people over with Voice of America broadcasts.
OK, Gulf of Tonkin, American underhandedness, yadda, yadda -- I'm not trying to defend us, but rather speaking to how mainstream America viewed itself at that time. After all, what is political correctness, if it isn't showing us the way we like to think of ourselves. And when I think of Kirk, homemade dagger in hand, poised over the Gorn, but refusing to kill him (Arena, 1/19/1967), I'm thinking that this is exactly how America wanted to view itself at the time.
So I'll agree with basically everything you said about "fun", "quirky", "bold", but not about political correctness. Original Star Trek is a time capsule that preserves the political sentiments of the time quite correctly, thank you very much.
I know nothing about non-U.S. legal systems, and hopefully somebody who knows about Norwegian jurisprudence will answer, but the general principle behind appeals in legal systems is this:
The first court that tries you is the finder of fact. Unless that whole trial is thrown out (and you get a new one), the facts determined in that trial are beyond question in the process. However, the court has to apply rules to the process of the trial and to the facts that come out, in order to get an outcome. Those rules can be both formal laws and legal procedures. (In real life, the line between facts and rules gets blurred, which both sides try to use to their advantage, but that's a different topic.)
Appeals apply to these rules, not the facts. So an appeal isn't just a second chance to start over and get a different trial outcome. It is a challenge that the process in the previous trial was in violation of those rules in some very specific way. (Or, many specific ways, since most appeals are a laundry list of possible violations, hoping the appeals court will find at least one they like.)
This is true already in the U.S. when those found guilty appeal their convictions, or when either party in a civil trial appeals the outcome. This is why appeals often force the original trial to be thrown out: they clarify the application of a rule as it applies to this case, then you have to start over and apply that rule correctly this time.
There's no reason in principle that this couldn't be applied to appealing acquitals as well. In principle, if somebody is acquitted because a judge made a mistake in applying a rule about admissibility of evidence or jury instructions, it might be reasonable to say that the acquital was flawed, and is contrary to justice, and shouldn't be honored.
There's a question of rights, which is a big one. There's also a questions of "That's not how we do it in the U.S.!!!!", which, if it isn't backed up with something else, isn't much of an argument. But I'm just speaking to the principle of appeals in general terms.
All this talk about rights and self-defense and vigilantes and vaccinations and putting down dogs is taking this conversation wildly off course. Computers are property, and this is about property rights.
Computers don't have rights or responsibilities. Processes don't have rights or responsibilities. If computer A attacks computer B (via a worm or whatever else.) and computer B "strikes back", self-defense is a fair metaphor, but it isn't a relevant legal or ethical argument, because the computer don't have rights.
Computers are property. More specifically, my computer is my property. I have a right to keep my property, and you have a responsibility to keep your hands off my property, and if you don't keep your end of that agreement, you've broken the law and I can bring the government into it.
Yes, your property rights are violated if my computer has a worm that attacks yours. Maybe the government will acknowledge that and step in, and maybe it won't. If you don't like the way the government handles this, elect somebody who will change it, write a letter to your legislators. But the government's refusal to step in doesn't mean, as Mullen asserts, that the owner of the attacking computer has no responsibility. It just means that the government has opted not to hold him responsible. The only way to fix that is democratically.
But suppose Mullen is right about that, and this person has no responsibility. He says "no responsibility means no rights". Wrong. The constitution says that no person shall be deprived of life, liberty or property without due process of law. In practice, that limits the action of government, not offended sysadmins. But the principle here is that my rights are my rights, and nothing I do, however, bad, foreits them automatically. Maybe, after a fair legal process, society (i.e. government) may decide to take away some of my rights (i.e. lock me up, fine me, whatever). But not before. That's a fundamental part of the social contract which makes us civilized.
Then Mullen makes a different argument: the rights of the many outweight the rights of the few. (Thank you, Spock.) Maybe. But the same principle applies. My rights are my rights. Maybe you can get a court order to require me to donate blood, if it will save 100 lives. But if you take my blood without getting the court order, you have still violated my rights and broken the law.
Now, if the guy who took my blood is a real hero, and believes what he did was right and necessary, then he'll say that going to jail is a small price to pay for saving 100 lives. Good for him. If Mullen really believes this is a case where the law runs contrary to ethics and morality, he can wear a grey hat and illegally hack systems for the greater good. But unless he's willing to wear a black hat, he'd better admit what he's doing it illegal, and a violation of rights, and be prepared to take the punishment when he does it.
Slashdot Mirror
Only because he was addressing his binary friend.
And they were cleverer and funnier, too. http://theoatmeal.com/comics/g...
Wait. TFA says they discovered this on July 29, and that their "private investigation into the breach is complete." Only now are they going public with this? How much damage could have already been done in the month of August? The breach alone creates a huge liability for them. This delay makes it worse, because they can't blame that on some other bad actor.
Intel didn't "unveil" anything -- they accidentally posted a "product change notification" that listed model numbers for upcoming Skylake Xeon processors, then quickly took it down. What we've learned is that the model numbering system will change, maybe in a way that keeps a similar organization but renames things, and maybe in a way that means substantive changes. We can't tell. In other words, this is semantics. If there's more to be gleaned from the leak, I haven't heard it here.
Actually, the NSA cracked the first 3 of the 4 coded messages themselves, but didn't go public with it until a member of the public had found the solution. Or they claim they did, anyway . . .
At the beginning of the article, he discusses this as a perimeter defense. MSBlaster was only directly penetrating the perimeter of networks that had inbound TCP 135 open. Anybody who is going to take security seriously enough to set up honeypots as a defense against worms is going to close inbound TCP 135. Everybody I know that saw MSBlaster on their network (and I have a bunch of customers that got it) was infected in some other way, either by an infected laptop plugging in internally, or an infected host coming in via VPN. (BTW, I'd love to see a good solution for intrusion detection that works at the point of entry for VPN connections.)
But then he start talking about counterattacks as if this is something you are going to use to protect your uninfected hosts from your infected hosts internally. Even assuming you don't have a switched network, I still can't imagine the IDS that will analyze all internal network traffic and respond in a timely way, especially under the conditions of a worm attack, which typically involves flooding the network.
And all of that are really details. It all depends on being able to detect and respond to worm traffic faster than worm traffic can infect you. If anybody could find a way to do that, they'd integrate it into a firewall product and use it to just cut off this traffic, and everybody would run out and buy it. Rerouting the traffic instead of cutting it off would be just a curiosity that pretty much nobody would care about.
Shortly after the line you quote, he also says:
This reinforces the impression that the business model issues he is referring to in the quote in question involve the assertion that open source software is "legal" rather than the assertion that it works, or that it is support.I've got to say, though, that it took some re-reading to actually follow the attempt at logic in this part of the letter.
I patched my home machines probably within 24 hours of the patch being available. I've got a couple of machines, and nobody is depending on their uptime to make a living or maintain a professional corporate image. If only the real world were that easy.
My company lives in the real world. We were hit by this, but pretty lightly, a couple of machines and we were lucky enough to pull the plug on them and cut it off before it spread, mostly because I was monitoring slashdot, and I knew the symptoms of the infection the first time it came up internally.
Our firewall wasn't breached so much as apparently circumvented by a laptop belonging to a user that never accepted the patch -- he got the virus at home, then came to work and plugged in. I assume that just about any company with a firewall at all isn't allowing incoming TCP 135, so I'm guessing that hard-hit companies generally got it this way.
We had identified this patch as critical, even relative to all the other less-critical critical patches. That still meant we had to test it outside of production, which took some time, and we also had to keep an ear to the ground to find out if any of the (many) folks out there who apply patches without testing first had been burned by this one.
When we were satisfied at that point, we had made it available internally to all workstations via SUS -- worst case scenario here if the patch is bad is a lot of re-imaging, but no loss of data, no loss of critical network services, etc. We don't have workstations set to auto-install the patches, so that requires the user to click an install button to complete the process. In many cases, the users had done that. In some, they hadn't.
At that point we started pushing it out to machines via SMS, workstations first, and then starting to patch the servers. (I wish I could give you a timeline for each step here.) Again, we proceeded conservatively, not getting every box at once, and not letting SMS force our servers to reboot after the patch installation, but instead asking various sysadmins to schedule reboots for servers at an acceptable time as soon as possible after the patch was applied.
So, some servers were patched by yesterday. Probably half were not, especially if you count those that were patched but not yet rebooted, which you have to count as not patched, I guess. To my knowledge at this point, we cut this off before any servers were infected, which was really just luck once it was inside the firewall. It could have been worse, but at the same time, many of our boxes were safe by the time yesterday came.
Now, of course, we are frantically patching and rebooting. And if we had been a little more frantic beforehand, we could have easily had it done before yesterday. But little else is getting done today. We've got over 100 Windows servers to deal with here, production, development, testing, IIS, SQL, SMS, DCs, Citrix, physical machines, virtual machines, you name it. It is not trivial to get this job done. And doing it in a hurry is dangerous as well.
And we're lucky. All our boxes are at one location. I'm looking back at how we handled this, and I think that a little more focus and emphasis and we could have patched everything by now, but the attack could just as easily have come a week sooner, and we'd still be having this conversation.
The difficult truth is that, in many cases, it is possible to develop an exploit for a vulnerability more quickly than it is possible to adequate test and deploy a patch in a large and complicated corporate environment. You patch as quickly as you safely can while still getting everything else done, and you also take all the other steps you can to mitigate the damage if you get hit. That's the real world.
Now, let me disagree, up to a point, with a couple of things you said. Actually, let me not so much disagree as point out that you are making some good points, then pushing your logic so far that it has bad consequences -- and that people who actually support those bad consequences like to grab onto arguments just like these to provide support for their views that allows them to tar and feather their opponents.
Yes and no. You are right that nobody is pure, nobody can cast the first stone. But "evil only lies in the eyes of the beholder"? It is possible to believe that (1) everybody is imperfect and that we need to keep an open mind and understand that our own perspective is as "unobjective" as anywhere else's, and that (2) some things are just bad, just wrong.Evil is a loaded word, but your argument pushes to the point that nobody can point at some bad act (killing thousand by attacked the towers, killing thousands by invading Iraq, etc.) and say it is bad and wrong, and evil if that's your synonym for bad and wrong. Maybe I'll cut somebody some slack for supporting any particular individual (bin Lanen, Bush, etc.), but not for supporting bad acts. When we lose are ability to refer to anything as bad or wrong, the game is over.
Again, you begin your point with something that is true, but then your argument carries the logic to a fault.Yes, democracy fails in many places. Treating the idea of democracy as an icon to worship, and to impose on others by force, is stupid. On the other hand, where people are denied freedom and basic human rights by their government, I will stand up and call that government wrong. I don't give a damn if they get a bicameral legislature with elections every four years (and don't forget the free markets!!!). But I do think that extending freedom and human rights to people elsewhere in worth making sacrifices for here, and those who would deny people these freedoms and rights should be opposed.
Note that I didn't say that we should go in shooting to set up democracy (but only if there's oil and decade-old grudge). But there may be times when using force is appropriate, if the alternative is to stand by watching people suffer and die. (Think Rwanda here.)
There are folks (including non-interventionists on the right and left) who use the "don't impose your form of government" argument to support the argument that other people's freedom is not our concern. I say it is everybody's concern, and I believe I can say this, and still disagree with imposing forms of government.
With that said, however, there's a little bit of an (unconscious?) agenda in this "interview" I think. He turns some of PKD's ideas about the world and religion and spirituality into ideas about technology, which really isn't fair or reasonable. Short example:
NO! This isn't PKD talking about technology emerging into consciousness, a la Terminator's SkyNet. For PKD, the prototype of living information was the Torah and the Dead Sea Scrolls, not some piece of technology. It's a very Hegelian view of consciousness and history here, that there's a sort of transcendent and fundamentally spiritual consciousness consisting only of ideas which forms the true substance of the Universe and the medium of history, but the information there isn't bit and bytes in computers; it's ancient Gnostic explanations of the spiritual relationship between God and man and the world.So that's my one gripe about the article. By trying to make PKD's usually incoherent ramblings coherent, he turned some really strange ideas about God and universe into easier-to-digest ideas about technological development. Aside from that, it was pretty clever.
First off, the point of this project was to mine lots of private sector data, local and state government data, federal government data, etc. This isn't something anybody can easily do secretly. Come on all you /.-reading DBAs out there -- are the feds going to secretly mine your data? Are the black ops going to hack in and load your data into their secret supercomputer -- and then update it daily? I don't think so. Under TIA, the feds would have access through the front door to state and local DBs, credit card and bank info, and more and more. Without TIA, anything they build secretly will have access to far less data, and will be much, much less powerful. In fact, without access to all of that data, the original point ("Total" information) is pretty much wrecked.
Secondly, there's a growing consensus in Congress that TIA goes too far. When they guys who gave us the Patriot Act can agree that a program goes too far in terms of infringing civil liberties, that's really saying something. Let's all relax for 30 seconds here and be grateful that Congress is drawing a line in the sand -- yes, yes, way to late, but still they are putting the administration on notice that it doesn't get absolutely everything it wants, and that's a major change in the momentum of this debate.
With all of that said, "All but dead" is overstating things a bit -- this is a line in a Senate bill that hasn't made it through the horse-trading in conference yet, so anything could still happen. I wouldn't say "All but dead" until it has the president's signature.
There's some confusion here -- let's separate "binding" from "precent". Anything can be a precedent. Binding is another matter.
Circuit courts are a strange system. Each of the circuits covers several states. What a particular circuit rules is always binding in that circuit. By "binding", this means that lower courts (namely, federal district courts) should consider that ruling the "law of the land" when they make their decisions.
What this means is that the law of the land in one circuit (and therefore in one state) may different from that in another. A law found constitutional in one state may be unconstitutional in another. Only the Supreme Court can resolve these differences, and although the S.C. turns down far more cases than it hears, it almost never turns down a case that will resolve a conflict among circuits. And of course, rulings by the S.C. are always binding on all federal courts.
The "only a three judge panel" part is confusing. Usually, when a case is heard in Circuit Court, three judges (from the 10 or 15 or so in that circuit) will hear the case, and the "best out of three" wins. In some rare cases, the entire circuit will sit "in panel" to hear a case -- often if they want to review the finding of a three judge panel that seems out of whack. This is rare. But when the Circuit speaks as a whole in this way, that precent takes precedence over any previous three-panel decision in the circuit in the same case.
As I said, three judge panels are the norm. Their findings are perfect "binding" within the circuit.
Anybody who actually is a lawyer (or just knows better) can feel free to correct me -- I'm in a hurry and didn't have a chance to double-check the finer points, but in gross, this is how it works.
But more relevant to the "instantly familiar" part is that when the New Left radicals started to idolize him, this one image of his face began to appear over and over on posters, t-shirts, magazine covers, everywhere, all variations of this one picture of him. It became a ubiquitous bit of pop-art for several years, and for probably 10 years or so, just about anybody in the U.S. could have seen a rendition of that one image, and known it was Che.
And it showed up in about a million different variations -- and apparently some of them are still around.
People keep saying that Hormel hasn't been defending their trademark, but it seems to me that they have established a clear policy on their site about how the feel about their trademark, and they've stuck consistently to it. In short, if you use "spam" generically, they don't care. If you use it in a way that associates it with their product (i.e. images of the product, or SPAM in all caps as they always do it), they'll come after you.
In this case, somebody wants to trademark the name, and they are fighting that. It seems reasonable that two trademarks containing the word "spam" could be more of a threat than widespread, non-trademarked generic usage. Their position seems reasonable and consistent. Maybe wrong, maybe right, but reasonable.
And I think that they should be given a lot of credit for this. It they were really sending out C&D letters consistently for years and years, they'd be one more of the many companies regularly mocked and griped about on /., but they haven't been. They've only taken legal action in rare cases that are more likely to affect them directly. They're using common sense, and keeping their lawyers in check, but not signing away their rights. Let's give them some credit.
They say in this written policy that they will verify the request as coming from law enforcement. This is a contract. If they do not honor it, they are (presumably) subject to legal action, especially if somebody experiences a material loss as a result (maybe unlikely, but still).
I'm not talking about what they do in the real world, or what anybody says in any particular interview. But what they say in writing does have some weight (even if they may choose to disregard it).
IANAL, yadda.
Apparently msnbot.com has been owned by Go Daddy Software since April of 2002, according to the WHOIS entry. Maybe they knew something we didn't?
I'm sure when MS sues Go Daddy Software over this, it will show up here on /.
Middle of nowhere? Middle of nowhere???!!!
This guy lives in Madison, Wisconsin, one of the coolest places in the world to live (speaking as somebody who moved my family just so I could be in Madison). We have 200,000 people, the state capital, one of the largest universities in the country, museums, restaurants, music, malls, traffic (sort of), sprawl (a little bit), more community and more to do than anywhere I ever lived in east cost suburbia.
Say what you want about gaming or anything else, but please stop making a big deal (all of you!) about a throw-away line about "too far from big cities", to conclude that this guy lives on 40 acres in the middle of rural South Dakota. Geez!
</RANT>
OK, South Dakotans who want to respond, feel free to rant on.
Why does everything have to be for some benefit? Most math doesn't have an application, not now and not ever. We're doing more math everyday than we'll ever find uses for. Mostly it is an aesthetic pursuit. People like doing it. They like seeing it done. They find it challenging and rewarding. A few people get paid to do it, and some (fewer) get a certain amount of fame from it. That's good enough.
Besides, I can think of much worse ways we could spend our time, but if I really started to go into that, I'd be trolling . . . .
If you can afford to buy a computer, you can spend the $30 or $40 to get a decent professional anti-virus program. Unlike anything free, your basic McAfee / Norton / etc are going to allow you to configure your machine to automatically update virus definitions without intervention, and are going to basically keep the definitions up to date with virtually every realistic virus threat out there, and they will update the defintions quickly in response to new threats.
I don't believe any free solution can do this for you. It is worth the money. It is the first step that any home Wintel box owner needs to take to prevent the most common security problems (yes, yes, I know, aside from nuking the OS, which isn't an option for most home users, and is clearly not a useful response to this poster, even if it gets you a few funny mod points).
Or, to put it the other way, if you aren't willing to take even this first step, there's very little chance your box is going to stay intact over time.
Bite the bullet and accept that spending the extra bucks is the cost of doing business with MS.
Some background, for those who need it. The first amendment (to take a well-known example) doesn't say "You get the freedom of speech." It says "Congress shall make no law abidging the freedom of speech." In other words, the freedom in question is assumed to pre-exist the Constitution, and the Constitution is just explicitly recognizing it, and declaring it as a limit on governmental power.
But there's a contradiction built in, because the Bill of Rights still enumerates particular rights, and for a couple of centuries courts have been understandably less willing to protect rights that aren't explicitly enumerated (privacy and substantive due process and the backlash against it being the exception that proves the rule) than those that are.
Yes, enumerating freedoms can have the effect of implying that we are not free to do anything except what is enumerated. But that's a built-in side effect of the way the Bill of Rights is written. It's even worse since the courts rules that the 14th Amendment "incorporates" much of the Bill of Rights applies to the states. Before the 14th Amendment, it wasn't clear that expressions like "Congress shall make no law" applied to state and local legislative bodies. The Supreme Court used the 14th Amendment to rule that many of the *enumerated* rights in the Bill of Rights now could be enforced as restrictions on state and local legislatures as well. But this explicitly applies only to things enumerated, and even then only the ones the courts have picked and chosen.
In other words, when you (the previous poster) say "I don't want to start to have my freedoms enumerated by a Congress, Court, or Executive.", I'm saying it is already way, way, way too late. Maybe if that attitude was in place in the 1780's we could have a system that works that way. Of course, with that attitude, we'd still have the Articles of Confederation (which might not be such a bad thing from a small-weak-government-is-good point of view). But we don't.
Additionally (and then I'll shut up), legislative acts creating or recognizing rights are often absolutely essential to turn the abstract principles listed in the Constitution into specific and applicable rules and regulations with enforcement mechanisms. Parts of the post-Civil War amendments were widely disregarded until Congress passed the Voting Rights Act almost 100 years later. Now there were clear rules explaining what did and didn't constitute disenfranchising somebody, and a way to enforce it. If you were a black citizen in Mississippi, it was the Voting Rights Act and not the 15th Amendment that actually made it possible for you to relatively safely get to the voting booth, cast a ballot, and be confident that it was counted.
OK, I've gone off topic, but I'll bring it home. Explicitly listing this freedom is a Good Thing. The freedom to use open wireless networks could be seen as competing with the freedom to use your own wireless network without sharing resources with intruders. We need explicit guidance on how to balance these things, and how to enforce the balance we come up with. That's what legislatures are supposed to do with the system we've got, as opposed to the one we might wish we had. That's what they are doing here.
If anything, the original Star Trek was quite politically correct. The two basic political themes I see were (1) inclusion, equality, diversity, and (2) exploring without conquering, winning the hearts and minds of everybody we find by virtue of our virtue and our lofty principles. This isn't a bad description of the way America wanted to view itself then.
This is 1966-1969, remember. The Civil Rights Act of 1964 and the Voting Rights Act of 1965 had passed and were being enforced. This is the height of Martin Luther King's activism, and the period where pictures of peaceful marchers being attacked by police dogs were making most of America realize how far out of the mainstream the Jim Crow South had become. Yes, the interracial kiss upset some people, but it wouldn't have happened on mainstream TV if it wasn't time for it.
And the general approach of exploration without colonialism works too. McCarthyism was behind us, but the Cold War was not. We wanted to differentiate ourselves from the Red Menace by our goodness and virtue. While Soviet tanks were rolling into Czechoslavakia, we were trying to win people over with Voice of America broadcasts.
OK, Gulf of Tonkin, American underhandedness, yadda, yadda -- I'm not trying to defend us, but rather speaking to how mainstream America viewed itself at that time. After all, what is political correctness, if it isn't showing us the way we like to think of ourselves. And when I think of Kirk, homemade dagger in hand, poised over the Gorn, but refusing to kill him (Arena, 1/19/1967), I'm thinking that this is exactly how America wanted to view itself at the time.
So I'll agree with basically everything you said about "fun", "quirky", "bold", but not about political correctness. Original Star Trek is a time capsule that preserves the political sentiments of the time quite correctly, thank you very much.
I know nothing about non-U.S. legal systems, and hopefully somebody who knows about Norwegian jurisprudence will answer, but the general principle behind appeals in legal systems is this:
The first court that tries you is the finder of fact. Unless that whole trial is thrown out (and you get a new one), the facts determined in that trial are beyond question in the process. However, the court has to apply rules to the process of the trial and to the facts that come out, in order to get an outcome. Those rules can be both formal laws and legal procedures. (In real life, the line between facts and rules gets blurred, which both sides try to use to their advantage, but that's a different topic.)
Appeals apply to these rules, not the facts. So an appeal isn't just a second chance to start over and get a different trial outcome. It is a challenge that the process in the previous trial was in violation of those rules in some very specific way. (Or, many specific ways, since most appeals are a laundry list of possible violations, hoping the appeals court will find at least one they like.)
This is true already in the U.S. when those found guilty appeal their convictions, or when either party in a civil trial appeals the outcome. This is why appeals often force the original trial to be thrown out: they clarify the application of a rule as it applies to this case, then you have to start over and apply that rule correctly this time.
There's no reason in principle that this couldn't be applied to appealing acquitals as well. In principle, if somebody is acquitted because a judge made a mistake in applying a rule about admissibility of evidence or jury instructions, it might be reasonable to say that the acquital was flawed, and is contrary to justice, and shouldn't be honored.
There's a question of rights, which is a big one. There's also a questions of "That's not how we do it in the U.S.!!!!", which, if it isn't backed up with something else, isn't much of an argument. But I'm just speaking to the principle of appeals in general terms.
IANAL, yadda.
Computers don't have rights or responsibilities. Processes don't have rights or responsibilities. If computer A attacks computer B (via a worm or whatever else.) and computer B "strikes back", self-defense is a fair metaphor, but it isn't a relevant legal or ethical argument, because the computer don't have rights.
Computers are property. More specifically, my computer is my property. I have a right to keep my property, and you have a responsibility to keep your hands off my property, and if you don't keep your end of that agreement, you've broken the law and I can bring the government into it.
Yes, your property rights are violated if my computer has a worm that attacks yours. Maybe the government will acknowledge that and step in, and maybe it won't. If you don't like the way the government handles this, elect somebody who will change it, write a letter to your legislators. But the government's refusal to step in doesn't mean, as Mullen asserts, that the owner of the attacking computer has no responsibility. It just means that the government has opted not to hold him responsible. The only way to fix that is democratically.
But suppose Mullen is right about that, and this person has no responsibility. He says "no responsibility means no rights". Wrong. The constitution says that no person shall be deprived of life, liberty or property without due process of law. In practice, that limits the action of government, not offended sysadmins. But the principle here is that my rights are my rights, and nothing I do, however, bad, foreits them automatically. Maybe, after a fair legal process, society (i.e. government) may decide to take away some of my rights (i.e. lock me up, fine me, whatever). But not before. That's a fundamental part of the social contract which makes us civilized.
Then Mullen makes a different argument: the rights of the many outweight the rights of the few. (Thank you, Spock.) Maybe. But the same principle applies. My rights are my rights. Maybe you can get a court order to require me to donate blood, if it will save 100 lives. But if you take my blood without getting the court order, you have still violated my rights and broken the law.
Now, if the guy who took my blood is a real hero, and believes what he did was right and necessary, then he'll say that going to jail is a small price to pay for saving 100 lives. Good for him. If Mullen really believes this is a case where the law runs contrary to ethics and morality, he can wear a grey hat and illegally hack systems for the greater good. But unless he's willing to wear a black hat, he'd better admit what he's doing it illegal, and a violation of rights, and be prepared to take the punishment when he does it.
IANAL, yadda.