Slashdot Mirror


User: idontgno

idontgno's activity in the archive.

Stories
0
Comments
4,819

Comments · 4,819

  1. Re:Summary slightly wrong on No Patent Infringement Found In Oracle vs. Google · · Score: 1

    The judge will be deciding the damages on the 9 line RangeCheck function which was found to be infringed. So there is a damages phase, of sorts. The 9 lines include some copyrighted blank lines.

    FTFY. BTW, if you leave blank lines in YOUR code, expect a call from Oracle's IP investigators.

    Signed,
    ---idontgno, who does all his coding in APL, which doesn't even implement the concept of "blank lines"

  2. Re:Does this mean Java really is free? on No Patent Infringement Found In Oracle vs. Google · · Score: 1

    True. You can call it... Dalvik? Or Harmony?

    But at least you can do that. If Oracle had its way, you couldn't do any of that unless you choose to do it Oracle's way, honoring Oracle's crummy field-of-use restrictions, and paying Oracle for expensive TCK testing.

    It's one of those "I paid Oracle big bucks and all I got was this lousy trademark" things.

  3. Re:Does this mean Java really is free? on No Patent Infringement Found In Oracle vs. Google · · Score: 2

    If the APIs are copyrightable, the bytecode spec will also be copyrightable.

    That's something I noticed in the Groklaw reporting. Oracle's position was that the copyright on the Java spec made any independent implementation of the spec (i.e., a Java-code-based runtime environment) a copyrighted derived work of Java, and therefore only permissible by explicit Oracle license... which Oracle was always planning on denying Google absent successful negotiations of big fees and onerous terms.

    This led some commentators on Groklaw to a counter-intuitive conclusion: that Google might have been in less trouble if they had just forked the OpenJDK source code base (using GPL-accorded rights) rather than trying for a code-clean reimplementation of specification and API.

  4. Re:Does this mean Java really is free? on No Patent Infringement Found In Oracle vs. Google · · Score: 1

    I'm imagining that world... and I just see a whole lot of licenses being signed in a hurry.

    Good point. The $699 SCO Licences suddenly don't look so bad.

    That's my takeaway from this Oracle v. Google fiasco, as it's shaping up: Oracle comes across looking like SCOX except with more money.

    Of course, the fact that both plaintiffs in those two cases used the same law firm may be part of the similarity. (The rest of the similarity being the general douchebaggery of the plaintiff firms in question.)

  5. Re:Not so fast on Researchers Can Generate RSA SecurID Random Numbers Flawlessly · · Score: 1

    The fact that a computer can be coerced to give up all of its secrets if you have physical access is not the point here.

    The main problem is that the secrets needed to deduce the seed of a software token can be uncovered without access to the machine in question. Specifically, the SID of the user's Windows account (easy to find if you have access to the account's AD) and the hostname of the Windows machine (often written on labels, also used as host component of DNS or WINS names). And both quite easily susceptible to social engineering attacks.

    Add to that the fact that once you've uncovered the seed, you can program another independent copy of the token software to clone the key generation sequence of the original soft token, in perfect synchronization, so it becomes useless as a distinctive "something you have" 2nd factor.

    It's kind of sad and alarming that the components chosen for seed generation are remotely discoverable, and that it's so easy to clone a soft token with a recovered seed value. The former is much harder with a hardware token (if you reach over to me and pick up the RSA hardware token on my ID lanyard, I'm gonna notice, and you'll be lucky if I don't slap your hand away), and the latter seems impossible (you can't jam someone else's seed value into your token, so you can't clone their identity that way).

  6. Re:Not exactly... on Researchers Can Generate RSA SecurID Random Numbers Flawlessly · · Score: 1

    True. For the Windows software token, you compute the "serial number" (seed) with the Windows account Security ID (SID) and the hostname of the machine the software is installed on. For the hardware token.... you look at the serial number very thoughtfully stamped into the back of the token. But in the latter case, I don't think you can transfer the serial number into another hardware SecurID, so unless you can emulate a HW token using "stolen" serial numbers, you can't clone a HW token, whereas the SW token is reprogrammable with the reverse-engineered token serial, so it is eminently clonable.

    What's worse, soft token cloning is remotely exploitable if the attacker can gain enumeration access to the Active Directory hosting the account credentials and knows the target machine's hostname. And that makes the soft-token exploitability worse.

  7. Re:Unsurprising, since... on Researchers Can Generate RSA SecurID Random Numbers Flawlessly · · Score: 4, Interesting

    I know this is Slashdot, but this thread is taking "TL;DR" to whole new places.

    The news isn't that RSA's algorithm is out in the wild. Without the account-specific sequence generation seed value, the algo is worthless.

    The news is that the researchers have examined the Windows software version of the access code generator ("software token") and figured out how to extract the seed value out of a specific installation. With that seed value, you can take another copy of the software token and clone the key generation sequence of the first, allowing you to spoof the other token's identity.

    This is why most RSA installations I know of also require the use of a PIN concatenated with the token-generated number. That way, coaxing the code out of the software token isn't enough to authenticate as the identity of the person the token is assigned to; you have to guess the PIN as well (maybe by looking under keyboards).

    I guess the real story is "soft tokens don't protect their internal secrets as well as hardware tokens".

  8. And what if "your parents resources" happens to be Mommy's company car?

    Bad on Mommy, of course, if she let you take the car, since I assume most company car assignments limit authorized drivers to the assigned employee... but again, if Mommy didn't give permission to take out the car, the situation devolves into Grand Theft. So, taking your folks' ride out for a joyride is bad for you and for them. Thanks.

  9. Re:Jevons Paradox on Diesel-Like Engine Could Boost Fuel Economy By 50% · · Score: 1

    See? If you lower the mental cost of inserting analogies here, people are gonna insert analogies more.

    I personally recommend pizza analogies, because they don't burn gasoline like car analogies do. They're not completely carbon-neutral, true, especially the yummy pizzas baked in a wood-fired* oven, but they don't use much petrochemicals.

    *And being wood-fired is more carbon-neutral than gas-fired, as well as yummier.

  10. Re:Well let me be the first to say... on Diesel-Like Engine Could Boost Fuel Economy By 50% · · Score: 3, Funny

    No. WV is the US state of West Virginia. Although I hadn't heard they were dabbling in government-owned automotive companies. Go figure.

  11. Re:Why bother warning them? on Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9 · · Score: 1

    But if the warning comes with a nice download link to fix the problem, that they can just click and make it all go away...

    No, wait. Prior art. The bad guys have already beat us to it.

    I guess the only responsible thing we can do is freak them out and then disconnect 'em and put 'em out of our misery.

  12. Re:Why bother warning them? on Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9 · · Score: 1

    C'mon, you know it's inevitable.

    How can he possibly resist the maddening urge to eradicate [his computer] at the mere push of a single button? The beautiful, shiny button? The jolly, candy-like button? Will he hold out, folks? Can he hold out?

  13. Re:What's missing? on Iran Threatens Legal Action Against Google For Not Labeling Gulf 'Persian' · · Score: 2

    Sea water is less watery and tastier, even with bilge flushings of millions of dwts of crude old carriers.

  14. Re:Why bother warning them? on Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9 · · Score: 2

    (A) Not every jurisdiction enforces very much in the way of vehicle safety and emissions inspection laws, so your "We don't" is unsupportably broad. I could certainly agree with a more factually accurate phrase like "We shouldn't", but that's not very good reinforcement for your absolutist position. Sorry.

    (B) Speaking of inspections, are you advocating for public safety inspections of online computing assets? It sure sounds like it. And if so, by whom and using what criteria, and very specifically how do you keep those criteria from devolving into some kind of corporatist rights grab a la pernicious DRM?

    And (C), if you're not advocating public net-worthiness inspections of computers, your analogy breaks down, since the virus-infected computers in question have already had their road-safety incident. So, your phrase, more accurately stated, is "We don't let people drive cars on public roads that have already risked the safety of other drivers", in which case the response is "of course not, they're already wrecked."

  15. Re:Swallowing saliva on NIH Study Finds That Coffee Drinkers Have Lower Risk of Death · · Score: 1

    Great. Some of the mouth-breathing trolls around here drool so hard they're gonna live forever, with or without coffee.

  16. Re:One are I *do* see participation... on Online Loneliness At Google+ · · Score: 2

    There really is a lot of activity going on, just not necessarily the same interests that most people have.

    So, it's like Slashdot, except slower and fewer dupes?

  17. Re:you're wrong about everything you said on Verizon To Kill All Unlimited Data Plans · · Score: 1, Troll

    WTF is wrong with you? And what part of "recent" did you not understand? Those links you very carefully (lol) pasted in are for the ancient Droid. Which is not sold anywhere in a 1st World nation, and certainly not by Verizon.

    Seriously. "February". And not February two years ago. Geez. Think. You simply have no idea what the fuck you're talking about.

    And since I know much more than you, what does that make you, other than an asshat troll?

  18. Re:I'm glad they are doing this on Verizon To Kill All Unlimited Data Plans · · Score: 1

    The Startac came out (1996) somewhat before Bell Atlantic renamed itself Verizon Wireless in 1999. As far as I can google, Bell Atlantic had a wireless service which sold and supported, for a brief time, the Startac. So, other than pointless pedantry about a brand name, GPP's statement seems plausible.

  19. Re:Rise of the discount carriers on Verizon To Kill All Unlimited Data Plans · · Score: 1

    I bought my VZW Droid in February, and my wife her Samsung Stratosphere at the same time, and they both came with the same widget. On both phones, it's been updated at least once on the Play market, and it still displays the appropriate monthly usage.

    YMMV, of course, and the singular of "data" is not "anecdote", but I would speculate that something is specifically different with your phone or your particular installation of the app.

  20. Re:Congratulations, Verizon on Verizon To Kill All Unlimited Data Plans · · Score: 1, Informative

    Best case scenario, they drop this stupid idea and get to keep my business, and in exchange I plunk down some serious moolah on the latest root-and-rom-able Android powerhouse.

    We are talking about Verizon, right?

    "root-and-rom-able?"

    HAHAHAHAHAHAHAHAHA!!!... hahaha... Whoa, that's a good one.

    In case you hadn't heard, Verizon specializes in bootlocked fascism. They're proud of it. I haven't heard of anyone who's successfully unlocked a recent Verizon Android bootblock. Rootable, sure. For now. (Motofail on Droid devices, for instance.) And 2nd-stage loaders like Safestrap will allow you to load and boot an alternate ROM, but not touch the kernel, so I hope you enjoy ICS on a Gingerbread kernel.

    Sorry. Verizon is pretty much bondage-and-domination as far as phone openness is concerned. I am functionally satisfied with my VZW Droid 4, but my needs are modest (root + freeze bloatware), but if I really wanted to load Cyanogenmod or Eclipse, I'd have to settle for half-measures.

  21. Re:Why is there so few comments today? on Facebook Adds 96 Million Shares, Will Privacy Get Worse After IPO? · · Score: 2

    More like, "Waiting for Diablo III to let me log in."

  22. Re:is google any different? on Facebook Adds 96 Million Shares, Will Privacy Get Worse After IPO? · · Score: 1

    Wait.

    Wait wait wait.

    At what step did Google get involved? It's like you've replaced the "???" step in the "Profit!" sequence with something involving Google.

    For all you know, local dealerships or Acura Corp. have some kind of their own "Acura owner's database" and are using it to generate advertising. Google doesn't have anything obvious to do with it, unless you're going to say GMail... in which case, I have to ask... How much email does your father generate about his car? Google can't datamine contents from your email that aren't there.

    Seriously. Google is pervasive and intrusive and borderline-evil (which side of the border is left as an exercise for the reader), but c'mon... they're not the NSA or KGB or something.

    Acura already knows he owns an Acura, and I'm sure they are MORE than helpful in putting together prospect lists for local dealerships.

    Occam's Razor. Don't bring Google into things unnecessarily. They deserve criticism and vigilance for enough as it is.

  23. Let me ask the complementary question. on Facebook Adds 96 Million Shares, Will Privacy Get Worse After IPO? · · Score: 1

    Does anyone think Facebook's privacy will be improved by a massive infusion of investment?

  24. Re:Seems more approprate to Apple on Apple Tells Siri To Stop Recommending Nokia · · Score: 2

    If I ask for smartphone reviews, I expect smartphone reviews. It does bill itself as your big internet helper.

    It is being helpful. It's trying to keep you from making a terrible mistake by being tempted by the unholy delights of the unfaithful.

    I think we can consider ourselves lucky. I hear there was a faction in iDevice engineering that wanted Siri to call in the Inquisition if the parishioner asked about heretical subjects like this.

  25. Re:Mistrial! on Judge to Oracle: A High Schooler Could Write rangeCheck · · Score: 2

    Competence and resistance to manipulation conflict with the interests of the plaintiff in winning the case even with a complete lack of legal validity.

    See also "I object on the basis that it makes me look bad!"