Slashdot Mirror


User: DarkOx

DarkOx's activity in the archive.

Stories: 0
Comments: 6,020

Comments · 6,020

  1. Re:I don't want graph search. on How Facebook Will Power Graph Search · · Score: 1

    Don't know what browser you are using but have you tried pressing F3?

  2. Re:Punishment to fit the crime on MIT Warned of a JSTOR Death Sentence Due To Swartz · · Score: 2

    I disagree; honestly, it's better for society if people like Swartz are martyred.

    As another poster pointed out, everything is a felony now. You probably commit felonies every day without even being aware. If something is illegal and someone does it they should be prosecuted. If we don't want to prosecute people for doing it, then it should not be illegal in the first place, and the law needs to get off the books. Right now we have a legal briar patch that can be used to find a reason to mess up someone's life anytime they become inconvenient. It's fundamentally out of step with the idea of a free society.

    Examples like Swartz can be a catalyst for change. I propose we create a "use it or lose it" Constitutional Amendment that would apply to both federal and state criminal codes. If you can convince a judge (in the case of a bench trial) or jury that the prosecutors in whatever jurisdiction are charging you with a crime that:

    • Prosecutors knew or reasonably should have known that the same breach of law was done by others at least two times in the previous 12 years.

    • The crime was not prosecuted for reasons other than lack of evidence

    That should be considered a sufficient defense requiring you be found innocent of the charge and further voiding the law until the jurisdiction's legislative body votes to renew or replace it. 12 years should be enough time that a single governor or president can't use it as a backhanded way to repeal laws s/he can't get the legislature to agree to do; but should still be an effective way to cull the criminal code of things like sodomy laws that are no longer really an issue, and other hastily enacted legislation of the day.

  3. Re:Mint a good alternative for traditionalists on Fedora 18 Installer: Counterintuitive and Confusing? · · Score: 2

    Because /etc/rc.d/rc.mydb restart was just impossible to use; thank goodness we have yet another layer to simplify things for us. Seriously, systemd is mostly a solution in search of a problem; it does address the boot time issue but does nothing else really better than what has come before.

  4. Re:Screw the NDA on Student Expelled From Montreal College For Finding "Sloppy Coding" · · Score: 3, Interesting

    I think it's a pretty fair argument. After WWI the idea of not targeting civilians is simply a non-starter in any symmetric conflict and any asymmetric conflict where you are on the weak end. Look at Iraq, Afghanistan, and Pakistan. Think about all the excess blood and treasure we have invested in avoiding collateral damage to civilians and how many civilians have been maimed or killed anyway.

    That is good and perhaps morally correct in a highly asymmetric situation where you have vastly superior capability to fight. I think you can argue anything other than "total war" is immoral when either it's an even match or you're outmatched.

    The most immoral war you can possibly fight is one you can't win. That means you are harming others for ends that cannot possibly be achieved.
    A freedom fighter must be willing to do what it takes or should do nothing at all. If you are fighting a superior enemy that likely requires considering the use of human shields and civilian targets. It means attacking the means of production even when what they produce is breadstuffs, etc.

    Don't misconstrue this as an apology for the terrorists. Most of the individuals so labeled by our government are bad dudes who deserve destruction; there are some really sad and pathetically mislabeled folks as well. I simply suggest that if you take the primary cause of your conflict being justification for war as a conceit, then I believe you have an obligation to try and win it.

  5. Re:Remember on Student Expelled From Montreal College For Finding "Sloppy Coding" · · Score: 1

    but you technically would be if you then stepped through the wall and took some of the money inside

    If you were going for breaking and entering I think you are missing the "breaking" part. It might be simple trespassing as a bank is private property in most cases a bank is open to the public so you could expect that a big opening in the side of the building was an expected and accepted entry way. So even a trespassing charge might be hard to make stick in the physical world.

    The taking of the money would constitute larceny of some form but I don't think that part fits with the analogy here. It's not like after he logged in he proceeded to download everyone else's personal info, or modify anything in any way; from what I have read it seems like he contacted the responsible parties to notify them of the open door pretty much as soon as he spotted it.

    So it's more like you walk down an alley behind a bank and see the giant opening to the vault. Next you step thru just to check there is not glass or anything actually there to prevent just anyone from taking whatever they want. Finally, after having not taken, touched, or disturbed anything, you immediately march around the front of the building and let the bank manager know there is a huge hole in the side of his vault open to an unwatched alley. You don't ask for anything in return for your trouble, and proceed on about your business having only helped the bank. Then they have you arrested the following day.

  6. Re:NOT correct on Latest Java Update Broken; Two New Sandbox Bypass Flaws Found · · Score: 1

    Yes and no. Macros certainly make it possible to define objects that can handle any number of data types as inputs, simple or otherwise.

    What they don't give you that run time duck-typing does is to do something like create an instance of class driver, Fred. Give Fred an argument MaryLoo, an instance of class truck. Later call MaryLoo.Park() and then pass Fred an instance of car, Gina.

    In a strongly typed language macros would make it is to create both drivers and truck_drivers; but not both with the same runtime instance. Alternatively driver might be written to accept an instance of automobile; but then both car and truck need to be children of automobile. That probably is the case in any sensible object model dealing with cars and trucks but is not always the case.

    More complex situations often leave you facing two classes of objects that don't logically make sense to be derived from a common base class; yet they do share some common functions and properties and you do want to do the same operation on them. Duck-typing lets you decide this thing I have been passed is "enough like" whatever was expected to go on.

    An insurance company might insure residences, boats and cars. Maybe a program is being written to see if users qualify for a total value discount. Depending on what else the company's libraries do with this data it may or may not make sense for these three classes to roll up to some parent. They all have a .GetLastAppraisalAmt() function. You might want to pass an array of pointers to all the customer's owned assets; all the function needs to do is get a total, it does not care about anything else. It could just check that every object it's passed has .GetLastAppraisalAmt(); if it does, fine, otherwise raise an exception.

  7. Re:Isn't there a fallacy in this? on Facebook's Graph Search Is a Privacy Test For Internet Users · · Score: 1

    Most people are still missing the point. Facebook sells ads. Everything Facebook does is about either selling more ads or being able to charge more for displaying ads. Their only possible long term revenue stream is advertising.

    What do web advertisers want? They want metrics. If you search for movies, or pizza recommendations etc and blow by the page right away they know something about the quality of the targeting algorithms. If you hang out on the page a long time before making any more http requests, chances are they are driving the right data toward you.

    Facebook wants to be able to tell their ad clients that if they wish to target a demographic like male homosexual African American Jews who read comic books, Facebook can effectively do that and Facebook won't be billing them for lots of ad views shown to people who really are white satanic single mothers who read about witchcraft.

  8. Re:The same old story on Latest Java Update Broken; Two New Sandbox Bypass Flaws Found · · Score: 1

    It comes from the phrase "if it walks like a duck, quacks like a duck, then it's a duck!"

    It differs from the idea of strong typing where the interpreter and compiler will require the object be exactly the declared type or perhaps something inherited from that type.

    Automobiles might all have functions: start, stop, accelerate, brake, hold, left, right; and properties speed, started.

    Car may or may not be inherited from automobile, and it might have more properties and functions, such as LeftTurnSignal. A loosely typed language will allow you to pass a car to a function expecting an automobile. The program might use duck typing to check that it has those properties and functions automobiles are supposed to have. If they do he will proceed to treat it like an automobile, assuming it is so and the program should work fine. If it's missing one of those methods he will raise an error. This adds flexibility (and usually bugs).

    The key thing being that he/she must actually write the code to check the existence of the properties and functions, and raise the error. A language that uses strong typing would do it automatically, but cars would need to be automobiles.

  9. Pretty radical view of intent on Thailand Jails Dissident For What People Thought He Would Have Said · · Score: 2

    Okay, maybe he "thought about it" but clearly did not form the intent to name the rest of those names including the king's because he self censored after all.

    It would be kinda like being charged with conspiracy to commit a felony here for talking with some friends about how you go about robbing a bank; in a purely hypothetical manner.

  10. Re:How many products reach that internal milestone on iPod Engineer Tony Fadell On the Unique Nature of Apple's Design Process · · Score: 2

    I think this is going to be the undoing of the iPhone as well. Some of the new droid handhelds can do split screen.

    I saw a co-worker demo watching a video while texting, and actually thought "I kinda want that.."

    If you are watching a video on a long bus ride, it sucks to have someone text you on the iPhone.

  11. Re:funny how everyone 'wants' your phone # on Facebook Lets You Harvest Account Phone Numbers · · Score: 1

    Single mothers still have a maiden name, it just also happens to be their current name.

  12. Re:funny how everyone 'wants' your phone # on Facebook Lets You Harvest Account Phone Numbers · · Score: 1

    Use SPF records; if an SPF exists and the domain on the mail was not relayed by one of the listed mail servers, you can dump it. This should solve the sent from me problem.

  13. Re:funny how everyone 'wants' your phone # on Facebook Lets You Harvest Account Phone Numbers · · Score: 1

    I have not bothered to look but I would hazard there are some COTS possibly even open source loyalty card solutions out there.

    There are a number of small single-location restaurants around here I have loyalty cards with. These things are printed on perforated card sheets available at any office store, their name, logo, address and YOUR name on the front, a simple bar code on the back; they read with a standard Symbol hand scanner on a usually self made looking stand at the register (which is actually a PC with cash drawer USB attachment).

    Sure it might be all part of some cloud service but it could just as easily be some collection of python/ruby/vb/vbscript with a local instance of mysql/sqlite/access/SQLExpress behind it.

  14. Re:Did You Think, Maybe... on Dean Kamen Invents Stomach Pump For Dieters · · Score: 1

    The thing that works best for me is lots of walking. I love walking and even though it does not use many calories on its own the activity raises metabolism in general.

    The other thing is you want to cut the calories so that you are a little bit hungry. You should feel like "I could eat" while on a diet but not so starved it's a distraction as you say. If you feel like you are starving you probably are stressing your body's ability to manage blood sugar etc, and that does likely impair you mentally. People need to keep in mind it's a long game too; figure out what number of calories you need to maintain your current weight and probably don't try to target more than 200 to 300 below that. The weight will come off if you keep at it.

  15. Re:Did You Think, Maybe... on Dean Kamen Invents Stomach Pump For Dieters · · Score: 1

    pull mass out of fat air

    I used to go to this restaurant; it was a smokehouse and creamery (interesting combination).

    Well the air was so thick with sugar from all the ice cream they were making you could taste sweet anytime you opened your mouth. Which made the otherwise sour NC style BBQ really really good. You'd start to feel full just standing waiting for a table.

  16. Re:No big loss on Samsung Won't Release Windows RT Tablet In US · · Score: 5, Insightful

    I am sure they will sell Windows tablets just not Windows RT tablets.

    You got to look at it this way. Windows RT exists only as a way for Microsoft to be price competitive and hopefully squeeze Android out without being seen as cannibalizing their higher priced, higher margin product, Windows. Microsoft's biggest fear is droid or some Linux variant successfully moving "up market" and being sold on anyone's top line hardware because if the market place embraces it well, the value of the Windows property declines sharply.

    Samsung lives with this reality.

    They have customers who *need* Windows for compatibility reasons; a large portion of those would not be served by WinRT anyway.
    They have successful Android product lines they have already done the startup investment in, so margin is higher.
    The "tablet PC" space where Windows (proper) lives from a cost of production standpoint is likely going down while prices remain much higher than the "tablet" space.

    All sinking money into Windows RT would do is eat into their Droid products market. There is no reason to do it.

  17. Re:How has the exploit maker gone unfound? on Java Zero-Day Vulnerability Rolled Into Exploit Packs · · Score: 1

    Funny thing, I do work in IT security. I am pretty familiar with many of the exploit kits out there and regularly work with (I won't drop names) one of the developers of a more popular one.

    The thing is, while they are fun to play with I don't see them adding lots of value. I am not suggesting any information be censored here. Publish your whitepaper with details about how an exploit works, publish the source code even! I draw the line at a slick little binary with GUI interface. Things like Backtrack just being out there for all to download I think is counter productive. To be totally frank the pentester argument is crap; there are some really good pentesters out there but the vast vast majority are irresponsible, incompetent, or both.

    I have stood over the shoulders of these guys and watched them download tools that they can't authenticate the publisher for, not read any source code, compile, and stopped them right before they were about to execute on secure machines. A good portion of the time these guys ARE the vulnerability.

    I have seen guys from one of the big audit firms (again not going to name drop) download a binary from the web, from a site not verified by any certificate or anything, not check the said binary matches any known safe hash, and get ready to run it on one of my domain controllers. I asked him to leave after that.

    These folks often don't know the first thing about exploit development. If they had to try something on their own they'd be completely in over their heads. I doubt many have even run a debugger or could tell you what a program counter is. I have also had some teams in with folks who were creating exploits against apps we run, on the spot, that they'd never seen; those guys are out there too.

    From a Blue team perspective a possible vulnerability should be treated the same as a proven one; closed in one way or another as soon as possible.

  18. Windows is more open on Samba: Less Important Because Windows Is Less Important · · Score: 1

    Samba is less important because Windows is more open. Other than hosting CIFS shares there is now little you can't do in the server room without Samba. Samba certainly makes things easier in that as others have pointed out "it just works". The fact is today AD is at the core the identity system many enterprises use.

    The good news is that with nss_ldap, the MIT Kerberos package and little else you are off to the races now. It takes a little setup Samba would do for you, but a couple cron jobs to keep kerb TGTs refreshed, some thought about your LDAP config, perhaps an AD schema extension or two and you have got what you need.

    It's nothing like the bad old days of trying to participate in an NT domain. It's not great; Microsoft has played fast and loose with some standards but AD is open enough that foreign clients can participate without specifically designed compatibility layers like Samba.

  19. Re:How has the exploit maker gone unfound? on Java Zero-Day Vulnerability Rolled Into Exploit Packs · · Score: 1

    I did not mean to imply he necessarily was working for them. Although I would not discount that as a possibility. I do expect they know who he is one way or another, and as I stated they probably view these java exploits as not a threat to someone who is not most likely already a victim.

    My guesses would be one of the following are true:

    1. He is a direct FBI plant, on the payroll, and informs on his customers.
    2. He has a handshake agreement with the FBI to let him run his little racket and make what money he can while they get to gather intelligence.
    3. He has no specific relationship with them but they keep a close eye on things; they could pick him up anytime they want but find it more useful to let a small fish like him keep swimming so as to see which sharks get drawn into the vicinity.

  20. Re:How has the exploit maker gone unfound? on Java Zero-Day Vulnerability Rolled Into Exploit Packs · · Score: 1

    One could argue as packaged what he is selling amounts to the digital equivalent of criminal's tools. There absolutely are laws that bar you from selling tools specifically designed for criminal use. That is why it's hard to get lock pick sets etc in many places.

    There are plenty of ways to publish the info to anyone in the security community without assembling a nice script kiddy / petty criminal ready tool to go cause mayhem with. Yes if you give me a white paper that describes the resulting offsets you got from the fuzzer you wrote, and some memory locations large enough for shell code I can put together a C program in moments to do something nasty, as can tens of thousands of others, but that is the risk of living in a free society. Odds are pretty good you have by not passing out binaries raised the bar enough that the folks who can use the information for evil have other economic opportunities.

    Duct tape, a short baton, party mask, toy or real pistol are all things that are perfectly legal to sell by themselves. I bet the local DA will do something about you pretty quickly if you put them all together in one box labeled "Rape Kit" and attempt to market them though.

  21. Re:How has the exploit maker gone unfound? on Java Zero-Day Vulnerability Rolled Into Exploit Packs · · Score: 1

    I have been wondering this ever since this guy surfaced. My assumption now is that he is an FBI honeypot. They don't mind letting a few actual Java/Webstart vulns into the wild to give them credibility because they (the FBI) are

    1. not really in the business of protecting the ordinary citizen.

    2. secretly at least of the mostly correct opinion any assets put at risk by these vulns are either controlled by those up on these things, capable of working around the issues and securing them anyway or operating systems riddled with so many other unmitigated vulnerabilities it's mostly irrelevant from a security posture standpoint.

    It's all more valuable to them to passively watch what sort of organized crime folks appear out of the woodwork.

  22. Re:What? on Nokia Admits Decrypting User Data Claiming It Isn't Looking · · Score: 2

    For the most part my 'ISP' can't break into my SSL connections. They don't have a certificate authority my machine will trust, so any kind of MITM they might do without a herculean effort on their part anyway is going to be impossible. These phone users had essentially no idea.

    So the moral of the story is DO NOT DO NOT trust that SSL is secure on any device where you don't directly control the CA certificates present, and probably you can't trust any SSL code you can't audit to make sure it trusts only the CAs it claims to and actually does validation correctly.

  23. Re:Big copyright idea from me. Shred up folks. on Former GOP Staffer Derek Khanna Speaks On Intellectual Property · · Score: 2

    I say we let the market deal with it. You get 14 years on Copyrights and Patents. After which you have a choice: you can release the IP into the public domain or you start being assessed taxes on the value of the asset. The rate would start at 2% and be increased by 2% each year, that is year 15 the rate is 2%, year 16 the rate is 4%, until the rate reaches 100% or the owner releases the work to the public domain.

    How do the assets get valued? The owner must set a buyout price each year and this would be a matter of public record. The owner would be obligated to accept payment of this stated price from ANY entity and upon payment release the IP to the public domain.

    This way creators still get compensated for their creations, unencumbered for a time. If they are still extracting great value from them they can keep them protected but society will gain as well (gets to collect taxes) or the owner will be compensated for the residual value of the work and society as a whole will then get benefit from its unencumbered use.

  24. Re:The Problem on Former GOP Staffer Derek Khanna Speaks On Intellectual Property · · Score: 1

    I would like to make this proposal.

    Every citizen gets 10 vote pieces in a race...

    Those 10 vote pieces in each race are divided into tokens:

    1x 5 vote piece
    2x 2 vote pieces
    1x 1 vote piece

    You may abstain from casting any part of your "vote" but you cannot use more than one part on a single candidate. If there are fewer than 4 candidates in a race you will be forced to abstain from casting one or more of the four tokens. The candidate with the most votes wins.

  25. Re:The Problem on Former GOP Staffer Derek Khanna Speaks On Intellectual Property · · Score: 1

    Interesting, but what would it mean for society if say the winning candidate did so with a negative vote total? We will never know what percentage of votes Obama got because many folks in the middle found the prospect of Romney frightening, due to a handful of more extreme positions the GOP has taken which are deal breakers for them. I know LOTS of people that don't like Obama, enough to refuse a drink with the man, but they still voted for him because they did not want to see Romney in office.

    I doubt the winning presidential candidate would actually go negative based on approval rates, and the general tendency to give the president some benefit of the doubt. Truman was wrong when he said "the buck stops here"; it's really the Hill that gets the blame heaped on them (rightly so for the most part, I would like to add). Congress folks might very well land a seat with negative ratings, and I think that would be really tough for our society to take.