Great. The next time Slashdot has a story about "identity theft," I expect you to be the first to suggest the more appropriate term "identity copying."
The point is that there was never any reason for 3rd party client developers to believe they could not write a client for these messenger services. Just because it is increasing the use and bandwidth of the service doesn't make it "theft" or "stealing" of bandwidth.
If I set up a web site that is for my customers and you visit it regularly, are you stealing bandwith? Even with a disclaimer that "this site is for my customers only" on the front page, does that suddenly make your visits (and increased bandwidth use) theft. If it does, then you are guilty of a crime.
In the case of identity theft, the victim never told the theif that it was ok to pose as them. Not even in a "as long as it is only for XYZ" context. In the case of companies providing internet services to the general public, it isn't theft if the public uses those services despite the intent.
BUT.. once MSN says that 3rd party (or unlicensed) clients are no longer allowed to use the service and they change the protocol, things change. Now you might get your butt in a sling under the DMCA for "bypassing a security measure."
Sigh. I'm just getting so tired of the bantering around of the words "steal", "theft", etc. They are providing a service and these clients are using the service. Until the company providing the service says "you aren't allowed to use it" nobody is stealing anything.
Ping your damn site on your major ports, and that's all you need.
Sometimes services can lock up to the point where they are not functioning without closing down the port. Something slightly more thurough like nagios should do nicely. ie: Does a simple http request and confirms the reply is ok.
If SCO had filed a copyright infrigement claim, there case would be weakened by not trying to mitigate the "damage" caused by the infringing code.
Doesn't this mean that the longer they refuse to allow Linux developers to see and remove code, the more they hurt their own IP and copyright claims against Linux?
Another thing that bugs me is their claim that they can't release the code snippets without divulging trade secrets. But if the code is already in Linux... what are they trying to keep secret? If the differences are significant enough that SCO can't show them, then how can SCO have any kind of case?
The truth is that if you can't afford to implement your idea, then your idea probably won't be of benefit to society (or you, for that matter.)
I can't agree on this one. Basically you are saying that only big corporations should be able to get paid for inventing something high-tech. I don't think that will promote innovation.
But I do think that in order to be patentable, the idea has to be innovative AND detailed to the point that someone who does have the $ could make it. So "a device capable of transmitting matter as energy and reassembling it as matter" fails the test. A working or near working schematics of a teleportation system should be ok.
Software patents on the other hand should have completely seperate rules. Like you said, copyright protects actual code already. Cost in general is not an issue for implementing an idea in the software world. Even if your idea is for a program that runs on a mainframe, you can probably get an emulator to work with.
The harder and the more I think about it, I can't come up with a valid reason for software patents. I really don't think that eliminating them would hurt software innovation. In fact, in the long term, having them may do more damage than not having any at all.
You are acting like 'diversity' is some sort of panacea.
Actually I think it would just be a lot better than what we have now. Like I said, it won't eliminate viruses. Just like biodiversity doesn't exclude mankind from problems, software diversity wouldn't fix the worlds computer-related woes.
Sure it would cause new headaches. After all, it's easy for a hardware support tech to follow a script for a single operating system when talking to a customer on the phone. Dealing with multiple software programs and operating systems on the individual PC level certainly isn't going to be as easy.
But in the larger environment of the Internet, the overall affect of diversity would be a good thing. And open formats and protocols would take care of most of the interoperability problems you mention. This is really important for an internetworked world.
The intent of the laws, and as they were enforced for a very long time, was to protect a specific implementation of an idea, NOT the idea itself.
Ahh, the good 'ol days. Sigh.
The only problem with that is if you come up with a truly innovative idea but can't afford to implement it, you are SOL.
I don't think I would want to go back to that, but I do think new guidelines need to be set up which stop obvious and general patents. If the idea of patents are to encourage inovation, then patents shouldn't be given for something that isn't innovative.
I also think there should be an innexpensive way to get frivolous pattents revoked. If it costs more to have a patent dismissed, most companies will just pay the owner a licensing fee. And individuals working on open source will suffer since they can't fight the patent claim.
I'd like to argue that lack of diversity on the Internet is a much bigger problem than users who don't patch weekly.
Having everyone running the same version of "secure Linux" with "the perfect web browser" and "the perfect e-mail client" isn't the answer to viruses and worms. A homogonous computing landscape like that might eliminate nearly all viruses and worms. BUT if a hole was found, the virus that exploits it would spread like wildfire. Users would be less careful because they think they can be, and with everyone running the same thing, everyone would have the same vulnerability.
That's why we need diversity on the Internet. We need a lot more diversity than we have now. As long as the unwashed masses are running Windows with Outlook, MS will have to have 100% security in their products. Anything less is asking for the problems we have now. And so far MS is nowhere near 100% in that regard.
That is why we need Linux.. and BSD and OS/X. That's why we need competition. That's why we need multiple Linux distributors who ship with different compiler settings that they think are "best." That's why we need to have choices of web browsers and e-mail clients.
That is why CHIOCE is a good thing when it comes to operating systems and software. Real choice breeds diversity. Believe me, if there were real choices, people would NOT all make the same one. (Real choice does NOT mean having only one OS ship on all PCs with only a single mail client pre-installed and a single web client pre-installed!)
Having choices that work together are why open formats and open standards should be in the headlines (not the crap like this article on user licenses.)
If file formats and network protocols were required to be open, it would eliminate many of the problems we face. Over the past 20 years, incompatibility between formats or protocols has been the #1 thing that I've seen cause people to change their OS. It has also been the #1 cause that I've seen for a change in the software they used.
How many companies are running MS-Office because they "need to be compatible" with customers or corporate? How many switched from WordPerfect for that very reason? How many articles have you seen that review OpenOffice and the #1 complaint (sometimes the only complaint) is incomplete or inconsistent ability to open/save MS-Office files? How many perfectly good software products have vanished because they weren't compatible with propietary products?
If file formats and network protocols were open, then Microsoft would have the chance to do what they are always claiming they want. They'd have the level playing field they always tell the press they want. The level playing field they claim open source advocates try to deny them by trying to pass laws requiring "considering" open source software in government.
In the real world, biodiversity keeps the first fatal disease from coming along and wiping out the entire population. On the Internet software-diversity would do the same thing with viruses and worms. Sure, a virus might still do damage to a section of the population, but it wouldn't have nearly the impact that one does now.
So, software-diversity is critical to the future of the Internet and open formats and standards are needed for it to exist. Maybe it's time for everybody to start demanding these things from their software. And maybe it's time for legislation to demand that software companies open formats and protocols enough to be interoperable... at least if their product has a significant market share.
They're not getting fined for deficiencies in software. They're getting fined for irresponsible behavior. What's wrong with that?
First, I want to say that yes, users who don't take basic steps do cause the majority of problems. If you are actually proactively educating your users on what those steps should be, good for you. But...
Remind me not to let one of my kids ever connect to your network. My biggest issues with the fines are: How do you prove the "irresponsible behavior"? Who defines what is irresponsible?
If my antivirus is set to update every 3 days (fairly reasonable) but I catch and start spreading a virus discovered two days ago, do I get a fine? Now, how about if I update every day, but my update is at 2am and the new virus def came out at 3am? At what point is it irresponsible?
How about if I installed all latest patches, but one of the RPC patches from my software vendor just "doesn't take." I have reason to believe I'm safe, but now I get Blaster and start slamming the LAN. A fine? Can you prove I didn't patch without seizing my PC?
What if I've never even heard of holes in RPC? (or never heard of RPC itself?) Or is it "irresponsible behavior" to not sign up for at least two security e-mail newsletters and read them all when they hit your mailbox?
I hope you see where I'm going with this and don't just dismiss it as a flame. It's difficult for even the best power users to avoid viruses and worms completely, especially on Windows and for a length of time like 4 years. If you never have a single infection over a long term, you may deserve a lot of credit, but there was some luck involved too.
Yes, Microsoft is careful to include the words "although a patch was available" in press releases lately. But that doesn't mean that viruses/worms never exploit holes which don't already have a patch available.
*I* paid for the computers, *I* pay for the bandwidth, and *I* pay for the storage.... Who the hell has the right to tell me I've got to pay the government (or anyone else) to send email?andSo unless you've got some bright idea for distributing that tax money to the folks like me who actually own and operate the equipment, you can take your email tax idea and put it someplace moist and dark
Bravo. Imagine if the taxes were returned to everyone who is already paying for their little piece of the Internet. If the amount collected (assuming it every could be collected efficiently) was low enough to be trivial to users, it likely would barely pay for the beurocracy of the WITA (World Internet Tax Authority) who managed it. The amount paid back to anyone but the biggest corporations would be peanuts and it wouldn't compare to the costs incurred trying to monitor and do the accounting.
US Federal law says that staff who earn part of their wages from tips must be paid at least $2.13/hr....in most places, the staff are very dependant on your tips.
I don't mind tipping in those cases. What bugs me are all those jobs which don't fall under that law and the employees still feel they deserve a tip. While in Chicago recently it seemed like EVERYONE expected a tip. Some of these people were professionals who were almost certainly earning a decent salary.
Even at a clothing store, they had a tip jar by the cash register. The guy was not at all helpful and borderd on being rude. When I paid for my purchase and put away my change, he appeared visible irritated that I didn't leave a tip.
In restaurants or other places where tips are a major part of the wage, I tip for even so-so service. Basically if it's not completely terrible service and the waiter is polite, they'll get a tip. If they are friendly and do a good job, they deserve a really good tip. But if someone already gets a reasonable wage, they'd better really go above and beyond standard service to earn a tip.
Actually, if users were allowed to install software... then the computer *is* usable without admin rights.
Unfortunately, quite a few programs want to do things which require admin privs. So, even running these programs is not possible unless you are an admin. It seems fairly reasonable to require admin rights for installations on anything but home PCs. It doesn't seem reasonable for user-space type programs to require admin rights to even run though.
Especially not educational programs. I would expect the authors of educational programs to realize that normally students aren't going to be allowed admin rights on school PCs.
There's also the problem that the majority of software installations *require* administrator rights.
I can live with the admin rights to install thing. In fact I preffer it. At a school district, you regularly run into software that absolutely will not even run on NT/2000/XP unless the user has full admin rights on the PC. Who in their right mind is going to give full admin rights to 800 Jr. High kids?
No program should require admin access to run unless it is some type of installer or other system admin tool. As long as the computer isn't really usable without admin rights, most home users are always going to run as admin. So in most home user cases, trojans and viruses have free reign of the computer no matter how secure "user mode" may be.
Um. MSBlast was big because it affected all versions of XP/2000, not just those with IIS installed.
I was actually referring to MS security in general and in the case of IIS: Code Red, Code Blue, and the other worms/virusus which have taken advantage of IIS holes. Whenever somebody says MS has a bad security record, the reply is always "There are more viruses/worms for Windows only because it has a 93% market share... there are just more targets."
My argument is that if that were true, and it wasn't the quality of the programming, we should expect to see the same with other software... ie the one with more maket share has more exploits. So Apache with nearly two times the market share should have two times more exploits, worms, viruses and other bugs.
Of course, Win2000 and XP suggest something like that too, but I don't know if any privledges are removed.
I fired up a new laptop with Windows XP Pro and was happy to see it wanted me to set up an account right away. I thought, "well, there is a step the the right directions." I was a bit disappointed to find out aftwards that the account had admin rights AND the default was to log me in automatically on boot.
start blaming those people who actually write the virii or worms.... There will always be overlooked security holes. No matter what you do to lock them, people will find more and use them in a destructive manner.
I just love this type of explanation of why MS is at absolutely ZERO fault for it's security problems. Compare the number of Apache worms/viruses with the number found in IIS. Why are there more in a single year for IIS than for Apache over several years? Why haven't appache worms/viruses brought the Internet to a crawl and hit the newspaper headlines big time?
Oh yeah.. because MS has such a huge market share making more targets. BZZZ.. Apache holds almost 2 times the market share for active web servers! Could it be that MS's IIS isn't as secure? No.. noo... it's because of hackers. It's all their fault.. Poor MS!
Lock your front door and a burglar will pick the lock. Build a better lock and whoops! You forgot to lock the window.
If you are going to use an analogy, try making it fit the facts:
Builder A builds a LOT of houses. To cut costs and because they truley believe they know best... they use locks from RustyLocks.com. They also use an alarm system from AlarmsAreUs.com. The lock experts and alarm system experts say, "Hey, don't use those.. they have a high risk of being compromised!"
Builder A argues that they haven't been compromised yet and that they are good enough for the home-buying public. They continue building tons of houses with these parts in place. They sell the homes with a HUGE profit margin and bill them as secure, safe and full of extras your family will love.
Builder B lets the lock experts design a good lock they think is hard to break. They let the alarm system experts design a good alarm which is hard to bypass. They use these in their houses and find that they don't actually run up costs, but instead lower them. They also put the design of the systems up for public review in case they missed something themselves. They sell the homes for a reasonable price and offer the blueprints and all other design materials to the public in case someone wants to build their own.
Soon building A's homes start getting broken into. They find a fix for the lock's current problem and offer it for free.. they even offer to install the fix. What they don't do is replace the locks with a better designed one because it's too expensive to. Of course this doesn't fix the security system problems or other problems with the locks. In the mean time they blame the crooks and also everyone who is broken into for not fixing their locks.
Because the lock and alarm system guidlines from Builder B are availble to any lock or alarm system expert, they are repeatedly reviewed by those who want. There are enough people willing to review because they live in these homes and want to be safe. Maybe they find problems with the locks, maybe they don't. But if they do, the locks are improved and everyone is told.
Eventually a few of builder B's locks get picked. The lock experts start tearing apart the locks and figure out if fixing them is good enough or if a whole new lock is warranted. Regardless of the answer, they make the new locks available for free with simple instructions on how to replace them.
In the mean time several more break-ins occur in builder A homes.
Builder A's reactive actions result in repeated security incidents. The Builder B community team's proactive actions result in occasional but rare security incidents.
Blame the crooks! Sure, they hold some of the blame, but both builders KNEW the crooks were out there. They both knew the crooks wanted into the houses to get the goodies inside. So, does builder A share any responsibliity? Hmmm... According to your post.. NO.
<grin>Well, if we're telling our old amature electrian stories:</grin>
My did had redone the wiring in our basement some 5 years earlier. My wife is hanging a shirt up to dry on the suspended ceiling and notices a wire (14awg house wiring) with the ends stripped and nothing put back over them to insulate them. She tells me that she thinks it might be dangerous.
Knowing that dear old and wise dad wouldn't have left bare wires above our suspended ceiling, I say, "No, that line is dead... I'll prove it." No, I didn't grab it barehanded. I took a big screwdriver with a think rubber grip and reached towards the wires. Strangly my wife edged out the door a bit. I touched the screwdriver accross the hot and neutral... and was amazed by the incredibly bright flash and zapping noise.
I ducked and ran towards the door as hot sparks bounced down over my back and the entire floor of the room. The brief short had etched away about half of the screwdriver blade. While it was cool in hindsight, I did learn not to make any more assumptions about dad's wiring prowess.
Years later working at at a computer store, we had just received some new shelving. All of us, being the do-it-yourself types, start bolting them to the wall with 2 and half inch (6.35 centimeters.) drywall screws. At one point, the lights started to flicker.
After a little detective work, we found that they only flickered when tightening the most recent screw in the wall. We backed it out to find about a half inch melted off. Being safety concious and no dummies, we promptly moved the screw. Hmm... wonder if that place ever burned down from an electrical fire later.
I don't think they are a reseller of SCO's Unix, with no mention of SCO anywhere on their webpage - how could they be?
One job I had was at a local little computer/network dealer. The owner decided he had to come up with some other revenue stream and took a SCO course and got himself authorized.
We never sold a single copy/server and never used it ourselves. The only advertising we had for it was a little 4 inch x 3 inch window decal that said "SCO Authorized Dealer" that was stuck on the front door.
The law requires all businesses... to disclose any breach of the security..."
To bad he didn't actually breach the security, take some data and then send some kind of proof to the company. As it is he only showed it was possible to.
If we were to leave the finding and patching of security holes, etc. to the companies in question...
Not simply the company, but only those inside who are specifically permitted to test. It is fairly common for people to be fired for "testing" their corporate network or software. They get canned for hacking.
It's sad when somone who reports a bug can be told to sit down and shut up about it or risk jail time if they don't. Just what we need.
Based on this it would be possible for a security expert to find a serious hole in IIS (for example) and then report it. Six months go by and he tells the public that there is a flaw, but can not disclose any details or description. The company denies any flaw.
After a year goes by, the flaw is not only unfixed but now in the next version. Even though he sees millions of copies of insecure software sold, he still couldn't warn the end users for fear of going to jail. Finally somone less "nice" finds the same flaw and a worm that pales Code Red is born.
The idea that a chain of events like this could actually be allowed to occur is rediculous. To any MS lawyers reading... of course MS would NEVER allow a hole to go unpatched for a significant time and I never said otherwise.;)
Example of my new ultra-secure encryption software (only $99.99!): .liaj ni uoy tup ot ACMD eht esu llI dna siht tpyrced ot woh enoemos lleT
If the company bring charges against you, immediately subpoena your HDD and the logs they used against you.
Or don't. Let them have to show that:
The proof is on the drive.
The proof is irifutable.
No data has been altered.
Everyone working on your computer since the event is a trained computer forensics expert.
A valid chain of evidence has been maintained with the drive.
Short of that, a good defense lawyer will make them toss it as evidence. If you want to use the HDD contents as evidence, you'll have to prove the same things about the drive. So I think getting the drive is not an issue.
Then we can assume all the company has left for proof is a log file. Let them prove the log files weren't tainted or that the logging server wasn't hacked for that matter. Let them prove everything about the logs.
Again, I would think a good lawyer would be able to show that any hacker a step above a script kiddie would have created the same logs. Also they would show that a hacked system would create the same logs. But DO get a copy of those logs. Maybe you or your lawyer will find something interesting... like 50 other systems with the same traffic at the same time.
Without any credible and convincing proof the company hardly has any case whether they are charging you, or defending against a wrongful termination suit.
Logs just don't make that good of a proof unless you're using the company's own logs against them. I mean look... to prosecute hackers, the government just about has to get a video tape of the dude in action at the PC. It shouldn't be a lot different in this case.
Mainly though... get a good lawyer.
I'm glad IANAL or this kind of advice could get me in trouble.
it's not going to cause people to rebel against Microsoft, like many of you are hoping....This is going to get blaimed on "hackers".
You got it! Fairly recently I noticed that nearly 100% of the time MS spins Windows problems this way. It's especially true with Outlook. Based on the spin in their press releases and KB articles, all security problems are 100% the fault of those evil hackers. MS on the other hand really isn't responsible for security problems because if it weren't for hackers there would be none.
That's kind of like being a company who builds bank vaults made of wood instead of metal. After all, it's not their fault if it gets broken into. It's those damn bank robbers.
What other industry would people put up with that type of logic?
SCO have announced the final termination of IBM's UNIX license, despite Novell telling them they can't.
Big deal. SCO tells IBM that their license is terminated. IBM gives SCO the finger (it's legal equivelent anyhow.) Now if SCO wants to enforce their license termination, they have to get an injunction against IBM which says they can't sell/license AIX until trial. Short of an injuction it's business as usual for IBM.
What judge is going to give a preliminary injunction against a company as big as IBM? Especially one that would hurt them financially as bad as this would? Any judge in their right mind wouldn't want to risk the fallout. They'll allow IBM to continue with AIX until SCO proves their case in court.
If (really big IF) SCO wins at trial, they might be able to collect some fees from IBM for the time between terminating the license and the trail. But this just gives a judge more reason to not rule for an injuction now.
If Novell really did retain the right to control how SCO licenses and enforces licenses, then they had the right to tell SCO they couldn't revoke IBM's license. And if that's true, IBM is basically at zero risk of fallout from this. You can be sure IBM's laywers will point these facts out to a judge.
This seems to be a case of SCO crying that they are going to take their ball and go home... when somebody else actually owns the ball and was just lending it to them.
I'm not going to try to delist myself: if anyone tries to use the info to steal my identity it'll only make things harder for them:-)
There doesn't seem to be any use to try to delist ones self anyhow. They don't appear to do anything with the requests except perhaps verify the accuracy of their data. Since they clearly violate their own privacy policy, I would think a lawsuit would be in order, but I don't know any sleazy lawyers ready to take on the challange.;)
Slashdot Mirror
The point is that there was never any reason for 3rd party client developers to believe they could not write a client for these messenger services. Just because it is increasing the use and bandwidth of the service doesn't make it "theft" or "stealing" of bandwidth.
If I set up a web site that is for my customers and you visit it regularly, are you stealing bandwith? Even with a disclaimer that "this site is for my customers only" on the front page, does that suddenly make your visits (and increased bandwidth use) theft. If it does, then you are guilty of a crime.
In the case of identity theft, the victim never told the theif that it was ok to pose as them. Not even in a "as long as it is only for XYZ" context. In the case of companies providing internet services to the general public, it isn't theft if the public uses those services despite the intent.
BUT.. once MSN says that 3rd party (or unlicensed) clients are no longer allowed to use the service and they change the protocol, things change. Now you might get your butt in a sling under the DMCA for "bypassing a security measure."
Sigh. I'm just getting so tired of the bantering around of the words "steal", "theft", etc. They are providing a service and these clients are using the service. Until the company providing the service says "you aren't allowed to use it" nobody is stealing anything.
Sometimes services can lock up to the point where they are not functioning without closing down the port. Something slightly more thurough like nagios should do nicely. ie: Does a simple http request and confirms the reply is ok.
Doesn't this mean that the longer they refuse to allow Linux developers to see and remove code, the more they hurt their own IP and copyright claims against Linux?
Another thing that bugs me is their claim that they can't release the code snippets without divulging trade secrets. But if the code is already in Linux... what are they trying to keep secret? If the differences are significant enough that SCO can't show them, then how can SCO have any kind of case?
I can't agree on this one. Basically you are saying that only big corporations should be able to get paid for inventing something high-tech. I don't think that will promote innovation.
But I do think that in order to be patentable, the idea has to be innovative AND detailed to the point that someone who does have the $ could make it. So "a device capable of transmitting matter as energy and reassembling it as matter" fails the test. A working or near working schematics of a teleportation system should be ok.
Software patents on the other hand should have completely seperate rules. Like you said, copyright protects actual code already. Cost in general is not an issue for implementing an idea in the software world. Even if your idea is for a program that runs on a mainframe, you can probably get an emulator to work with.
The harder and the more I think about it, I can't come up with a valid reason for software patents. I really don't think that eliminating them would hurt software innovation. In fact, in the long term, having them may do more damage than not having any at all.
Actually I think it would just be a lot better than what we have now. Like I said, it won't eliminate viruses. Just like biodiversity doesn't exclude mankind from problems, software diversity wouldn't fix the worlds computer-related woes.
Sure it would cause new headaches. After all, it's easy for a hardware support tech to follow a script for a single operating system when talking to a customer on the phone. Dealing with multiple software programs and operating systems on the individual PC level certainly isn't going to be as easy.
But in the larger environment of the Internet, the overall affect of diversity would be a good thing. And open formats and protocols would take care of most of the interoperability problems you mention. This is really important for an internetworked world.
Ahh, the good 'ol days. Sigh.
The only problem with that is if you come up with a truly innovative idea but can't afford to implement it, you are SOL.
I don't think I would want to go back to that, but I do think new guidelines need to be set up which stop obvious and general patents. If the idea of patents are to encourage inovation, then patents shouldn't be given for something that isn't innovative.
I also think there should be an innexpensive way to get frivolous pattents revoked. If it costs more to have a patent dismissed, most companies will just pay the owner a licensing fee. And individuals working on open source will suffer since they can't fight the patent claim.
Having everyone running the same version of "secure Linux" with "the perfect web browser" and "the perfect e-mail client" isn't the answer to viruses and worms. A homogonous computing landscape like that might eliminate nearly all viruses and worms. BUT if a hole was found, the virus that exploits it would spread like wildfire. Users would be less careful because they think they can be, and with everyone running the same thing, everyone would have the same vulnerability.
That's why we need diversity on the Internet. We need a lot more diversity than we have now. As long as the unwashed masses are running Windows with Outlook, MS will have to have 100% security in their products. Anything less is asking for the problems we have now. And so far MS is nowhere near 100% in that regard.
That is why we need Linux.. and BSD and OS/X. That's why we need competition. That's why we need multiple Linux distributors who ship with different compiler settings that they think are "best." That's why we need to have choices of web browsers and e-mail clients.
That is why CHIOCE is a good thing when it comes to operating systems and software. Real choice breeds diversity. Believe me, if there were real choices, people would NOT all make the same one. (Real choice does NOT mean having only one OS ship on all PCs with only a single mail client pre-installed and a single web client pre-installed!)
Having choices that work together are why open formats and open standards should be in the headlines (not the crap like this article on user licenses.)
If file formats and network protocols were required to be open, it would eliminate many of the problems we face. Over the past 20 years, incompatibility between formats or protocols has been the #1 thing that I've seen cause people to change their OS. It has also been the #1 cause that I've seen for a change in the software they used.
How many companies are running MS-Office because they "need to be compatible" with customers or corporate? How many switched from WordPerfect for that very reason? How many articles have you seen that review OpenOffice and the #1 complaint (sometimes the only complaint) is incomplete or inconsistent ability to open/save MS-Office files? How many perfectly good software products have vanished because they weren't compatible with propietary products?
If file formats and network protocols were open, then Microsoft would have the chance to do what they are always claiming they want. They'd have the level playing field they always tell the press they want. The level playing field they claim open source advocates try to deny them by trying to pass laws requiring "considering" open source software in government.
In the real world, biodiversity keeps the first fatal disease from coming along and wiping out the entire population. On the Internet software-diversity would do the same thing with viruses and worms. Sure, a virus might still do damage to a section of the population, but it wouldn't have nearly the impact that one does now.
So, software-diversity is critical to the future of the Internet and open formats and standards are needed for it to exist. Maybe it's time for everybody to start demanding these things from their software. And maybe it's time for legislation to demand that software companies open formats and protocols enough to be interoperable... at least if their product has a significant market share.
First, I want to say that yes, users who don't take basic steps do cause the majority of problems. If you are actually proactively educating your users on what those steps should be, good for you. But...
Remind me not to let one of my kids ever connect to your network. My biggest issues with the fines are: How do you prove the "irresponsible behavior"? Who defines what is irresponsible?
If my antivirus is set to update every 3 days (fairly reasonable) but I catch and start spreading a virus discovered two days ago, do I get a fine? Now, how about if I update every day, but my update is at 2am and the new virus def came out at 3am? At what point is it irresponsible?
How about if I installed all latest patches, but one of the RPC patches from my software vendor just "doesn't take." I have reason to believe I'm safe, but now I get Blaster and start slamming the LAN. A fine? Can you prove I didn't patch without seizing my PC?
What if I've never even heard of holes in RPC? (or never heard of RPC itself?) Or is it "irresponsible behavior" to not sign up for at least two security e-mail newsletters and read them all when they hit your mailbox?
I hope you see where I'm going with this and don't just dismiss it as a flame. It's difficult for even the best power users to avoid viruses and worms completely, especially on Windows and for a length of time like 4 years. If you never have a single infection over a long term, you may deserve a lot of credit, but there was some luck involved too.
Yes, Microsoft is careful to include the words "although a patch was available" in press releases lately. But that doesn't mean that viruses/worms never exploit holes which don't already have a patch available.
Bravo. Imagine if the taxes were returned to everyone who is already paying for their little piece of the Internet. If the amount collected (assuming it every could be collected efficiently) was low enough to be trivial to users, it likely would barely pay for the beurocracy of the WITA (World Internet Tax Authority) who managed it. The amount paid back to anyone but the biggest corporations would be peanuts and it wouldn't compare to the costs incurred trying to monitor and do the accounting.
I don't mind tipping in those cases. What bugs me are all those jobs which don't fall under that law and the employees still feel they deserve a tip. While in Chicago recently it seemed like EVERYONE expected a tip. Some of these people were professionals who were almost certainly earning a decent salary.
Even at a clothing store, they had a tip jar by the cash register. The guy was not at all helpful and borderd on being rude. When I paid for my purchase and put away my change, he appeared visible irritated that I didn't leave a tip.
In restaurants or other places where tips are a major part of the wage, I tip for even so-so service. Basically if it's not completely terrible service and the waiter is polite, they'll get a tip. If they are friendly and do a good job, they deserve a really good tip. But if someone already gets a reasonable wage, they'd better really go above and beyond standard service to earn a tip.
Unfortunately, quite a few programs want to do things which require admin privs. So, even running these programs is not possible unless you are an admin. It seems fairly reasonable to require admin rights for installations on anything but home PCs. It doesn't seem reasonable for user-space type programs to require admin rights to even run though.
Especially not educational programs. I would expect the authors of educational programs to realize that normally students aren't going to be allowed admin rights on school PCs.
I can live with the admin rights to install thing. In fact I preffer it. At a school district, you regularly run into software that absolutely will not even run on NT/2000/XP unless the user has full admin rights on the PC. Who in their right mind is going to give full admin rights to 800 Jr. High kids?
No program should require admin access to run unless it is some type of installer or other system admin tool. As long as the computer isn't really usable without admin rights, most home users are always going to run as admin. So in most home user cases, trojans and viruses have free reign of the computer no matter how secure "user mode" may be.
I was actually referring to MS security in general and in the case of IIS: Code Red, Code Blue, and the other worms/virusus which have taken advantage of IIS holes. Whenever somebody says MS has a bad security record, the reply is always "There are more viruses/worms for Windows only because it has a 93% market share... there are just more targets."
My argument is that if that were true, and it wasn't the quality of the programming, we should expect to see the same with other software... ie the one with more maket share has more exploits. So Apache with nearly two times the market share should have two times more exploits, worms, viruses and other bugs.
I fired up a new laptop with Windows XP Pro and was happy to see it wanted me to set up an account right away. I thought, "well, there is a step the the right directions." I was a bit disappointed to find out aftwards that the account had admin rights AND the default was to log me in automatically on boot.
I just love this type of explanation of why MS is at absolutely ZERO fault for it's security problems. Compare the number of Apache worms/viruses with the number found in IIS. Why are there more in a single year for IIS than for Apache over several years? Why haven't appache worms/viruses brought the Internet to a crawl and hit the newspaper headlines big time?
Oh yeah.. because MS has such a huge market share making more targets. BZZZ.. Apache holds almost 2 times the market share for active web servers! Could it be that MS's IIS isn't as secure? No.. noo... it's because of hackers. It's all their fault.. Poor MS!
If you are going to use an analogy, try making it fit the facts:
Builder A builds a LOT of houses. To cut costs and because they truley believe they know best... they use locks from RustyLocks.com. They also use an alarm system from AlarmsAreUs.com. The lock experts and alarm system experts say, "Hey, don't use those.. they have a high risk of being compromised!"
Builder A argues that they haven't been compromised yet and that they are good enough for the home-buying public. They continue building tons of houses with these parts in place. They sell the homes with a HUGE profit margin and bill them as secure, safe and full of extras your family will love.
Builder B lets the lock experts design a good lock they think is hard to break. They let the alarm system experts design a good alarm which is hard to bypass. They use these in their houses and find that they don't actually run up costs, but instead lower them. They also put the design of the systems up for public review in case they missed something themselves. They sell the homes for a reasonable price and offer the blueprints and all other design materials to the public in case someone wants to build their own.
Soon building A's homes start getting broken into. They find a fix for the lock's current problem and offer it for free.. they even offer to install the fix. What they don't do is replace the locks with a better designed one because it's too expensive to. Of course this doesn't fix the security system problems or other problems with the locks. In the mean time they blame the crooks and also everyone who is broken into for not fixing their locks.
Because the lock and alarm system guidlines from Builder B are availble to any lock or alarm system expert, they are repeatedly reviewed by those who want. There are enough people willing to review because they live in these homes and want to be safe. Maybe they find problems with the locks, maybe they don't. But if they do, the locks are improved and everyone is told.
Eventually a few of builder B's locks get picked. The lock experts start tearing apart the locks and figure out if fixing them is good enough or if a whole new lock is warranted. Regardless of the answer, they make the new locks available for free with simple instructions on how to replace them.
In the mean time several more break-ins occur in builder A homes.
Builder A's reactive actions result in repeated security incidents. The Builder B community team's proactive actions result in occasional but rare security incidents.
Blame the crooks! Sure, they hold some of the blame, but both builders KNEW the crooks were out there. They both knew the crooks wanted into the houses to get the goodies inside. So, does builder A share any responsibliity? Hmmm... According to your post.. NO.
<grin>Well, if we're telling our old amature electrian stories:</grin>
My did had redone the wiring in our basement some 5 years earlier. My wife is hanging a shirt up to dry on the suspended ceiling and notices a wire (14awg house wiring) with the ends stripped and nothing put back over them to insulate them. She tells me that she thinks it might be dangerous.
Knowing that dear old and wise dad wouldn't have left bare wires above our suspended ceiling, I say, "No, that line is dead... I'll prove it." No, I didn't grab it barehanded. I took a big screwdriver with a think rubber grip and reached towards the wires. Strangly my wife edged out the door a bit. I touched the screwdriver accross the hot and neutral... and was amazed by the incredibly bright flash and zapping noise.
I ducked and ran towards the door as hot sparks bounced down over my back and the entire floor of the room. The brief short had etched away about half of the screwdriver blade. While it was cool in hindsight, I did learn not to make any more assumptions about dad's wiring prowess.
Years later working at at a computer store, we had just received some new shelving. All of us, being the do-it-yourself types, start bolting them to the wall with 2 and half inch (6.35 centimeters.) drywall screws. At one point, the lights started to flicker.
After a little detective work, we found that they only flickered when tightening the most recent screw in the wall. We backed it out to find about a half inch melted off. Being safety concious and no dummies, we promptly moved the screw. Hmm... wonder if that place ever burned down from an electrical fire later.
One job I had was at a local little computer/network dealer. The owner decided he had to come up with some other revenue stream and took a SCO course and got himself authorized.
We never sold a single copy/server and never used it ourselves. The only advertising we had for it was a little 4 inch x 3 inch window decal that said "SCO Authorized Dealer" that was stuck on the front door.
So.... that's how they could be.
To bad he didn't actually breach the security, take some data and then send some kind of proof to the company. As it is he only showed it was possible to.
!gis ruoy tpyrcne syawlA
Not simply the company, but only those inside who are specifically permitted to test. It is fairly common for people to be fired for "testing" their corporate network or software. They get canned for hacking.
It's sad when somone who reports a bug can be told to sit down and shut up about it or risk jail time if they don't. Just what we need.
Based on this it would be possible for a security expert to find a serious hole in IIS (for example) and then report it. Six months go by and he tells the public that there is a flaw, but can not disclose any details or description. The company denies any flaw.
After a year goes by, the flaw is not only unfixed but now in the next version. Even though he sees millions of copies of insecure software sold, he still couldn't warn the end users for fear of going to jail. Finally somone less "nice" finds the same flaw and a worm that pales Code Red is born.
The idea that a chain of events like this could actually be allowed to occur is rediculous. To any MS lawyers reading... of course MS would NEVER allow a hole to go unpatched for a significant time and I never said otherwise. ;)
Example of my new ultra-secure encryption software (only $99.99!):
.liaj ni uoy tup ot ACMD eht esu llI dna siht tpyrced ot woh enoemos lleT
Or don't. Let them have to show that:
- The proof is on the drive.
- The proof is irifutable.
- No data has been altered.
- Everyone working on your computer since the event is a trained computer forensics expert.
- A valid chain of evidence has been maintained with the drive.
Short of that, a good defense lawyer will make them toss it as evidence. If you want to use the HDD contents as evidence, you'll have to prove the same things about the drive. So I think getting the drive is not an issue.Then we can assume all the company has left for proof is a log file. Let them prove the log files weren't tainted or that the logging server wasn't hacked for that matter. Let them prove everything about the logs.
Again, I would think a good lawyer would be able to show that any hacker a step above a script kiddie would have created the same logs. Also they would show that a hacked system would create the same logs. But DO get a copy of those logs. Maybe you or your lawyer will find something interesting... like 50 other systems with the same traffic at the same time.
Without any credible and convincing proof the company hardly has any case whether they are charging you, or defending against a wrongful termination suit.
Logs just don't make that good of a proof unless you're using the company's own logs against them. I mean look... to prosecute hackers, the government just about has to get a video tape of the dude in action at the PC. It shouldn't be a lot different in this case.
Mainly though... get a good lawyer.
I'm glad IANAL or this kind of advice could get me in trouble.
You got it! Fairly recently I noticed that nearly 100% of the time MS spins Windows problems this way. It's especially true with Outlook. Based on the spin in their press releases and KB articles, all security problems are 100% the fault of those evil hackers. MS on the other hand really isn't responsible for security problems because if it weren't for hackers there would be none.
That's kind of like being a company who builds bank vaults made of wood instead of metal. After all, it's not their fault if it gets broken into. It's those damn bank robbers.
What other industry would people put up with that type of logic?
Big deal. SCO tells IBM that their license is terminated. IBM gives SCO the finger (it's legal equivelent anyhow.) Now if SCO wants to enforce their license termination, they have to get an injunction against IBM which says they can't sell/license AIX until trial. Short of an injuction it's business as usual for IBM.
What judge is going to give a preliminary injunction against a company as big as IBM? Especially one that would hurt them financially as bad as this would? Any judge in their right mind wouldn't want to risk the fallout. They'll allow IBM to continue with AIX until SCO proves their case in court.
If (really big IF) SCO wins at trial, they might be able to collect some fees from IBM for the time between terminating the license and the trail. But this just gives a judge more reason to not rule for an injuction now.
If Novell really did retain the right to control how SCO licenses and enforces licenses, then they had the right to tell SCO they couldn't revoke IBM's license. And if that's true, IBM is basically at zero risk of fallout from this. You can be sure IBM's laywers will point these facts out to a judge.
This seems to be a case of SCO crying that they are going to take their ball and go home... when somebody else actually owns the ball and was just lending it to them.
There doesn't seem to be any use to try to delist ones self anyhow. They don't appear to do anything with the requests except perhaps verify the accuracy of their data. Since they clearly violate their own privacy policy, I would think a lawsuit would be in order, but I don't know any sleazy lawyers ready to take on the challange. ;)