The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the form's action sends data via https.
A non-HTTPS login page could be modified to submit the data to a different server instead of the bank's - by the time you realise, it's too late. Or some JS could be embedded in the page to send the data to a third party *as well* as the bank, and you'd never spot that unless you had firebug open. The latter attack can also be carried out by embedding HTTP objects in an HTTPS page, which isn't especially visible to the end user.
Between generous application of padlock GIFs designed to make me feel safe and account specific image letting me know I'm logging into my bank and not some imposter bank... it would be impossible to get hacked. They even say so on their web site.
Remember years ago feeling bored and actually getting ahold of one of their "IT" guys informing him of the dangers of requesting credentials directly from a home page loaded via HTTP... His response was... drumroll... it is posted to a secure site so the credentials are encrypted and can't be compromised.
There is no arguing with stupid or those who willfully subvert browser security features for marketing and/or checking off security boxes on the compliance chart even if you (should) know better.
Meanwhile I was reasonably impressed by HSBC, who fixed their website in about a day when I told them they were including HTTP objects in the HTTPS login page. That said, they still include some objects from third party servers, over HTTPS (notably, Google advertising). IMHO the browser should warn you if there are any objects on an HTTPS page that aren't covered by the certificate displayed in the address bar.
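The checks discussed in the exchange above, as an added example that is not part of the original posts: a small auditor that flags a password form served over HTTP (even when its action is HTTPS), credentials posted in the clear, HTTP objects embedded in an HTTPS page, and objects loaded from other hosts. The hostnames and sample pages are constructed, the finding names are made up for this sketch, and comparing hostnames is only an approximation of "covered by the certificate", since one certificate can cover several names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src",
    "embed": "src", "object": "data", "link": "href",
}


class LoginPageAudit(HTMLParser):
    """Collects (finding, detail) pairs for one page, in document order."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.page = urlsplit(page_url)
        self.findings = []
        self._form_action = None  # resolved action of the currently open <form>

    def _add(self, code, detail):
        if (code, detail) not in self.findings:
            self.findings.append((code, detail))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action posts back to the page itself.
            self._form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self._check_credentials()
        elif tag in SUBRESOURCE_ATTRS:
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                return  # only stylesheets are treated as fetched objects here
            ref = a.get(SUBRESOURCE_ATTRS[tag], "")
            if ref:
                self._check_subresource(urljoin(self.page_url, ref))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

    def _check_credentials(self):
        # The page that carries the form must itself be authenticated:
        # an HTTPS action does not help if the form could be rewritten in transit.
        if self.page.scheme != "https":
            self._add("login-form-on-http", self.page_url)
        if self._form_action is None:
            return
        target = urlsplit(self._form_action)
        if target.scheme != "https":
            self._add("credentials-sent-in-clear", self._form_action)
        elif target.hostname != self.page.hostname:
            self._add("form-posts-to-other-host", self._form_action)

    def _check_subresource(self, url):
        res = urlsplit(url)
        if res.scheme not in ("http", "https"):
            return  # data:, about:, etc. are not network fetches
        if self.page.scheme == "https" and res.scheme == "http":
            self._add("mixed-content", url)
        elif res.hostname != self.page.hostname:
            self._add("third-party-object", url)


def audit(page_url, html):
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (bank.example and thirdparty.example are placeholders).
HTTP_HOME = """
<html><body>
<form action="https://bank.example/login" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>
</body></html>
"""

HTTPS_LOGIN = """
<html><head>
<script src="http://bank.example/menu.js"></script>
<script src="https://ads.thirdparty.example/ad.js"></script>
</head><body>
<img src="/logo.png">
<form action="/session" method="post">
  <input type="password" name="pw" />
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in (("http://bank.example/", HTTP_HOME),
                      ("https://bank.example/login", HTTPS_LOGIN)):
        print(url)
        for code, detail in audit(url, html):
            print(f"  {code}: {detail}")
```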
"'I know that if the water does overwhelm me I can always open the helmet,' wrote Parmitano about making it to the airlock. 'I'll probably lose consciousness, but in any case that would be better than drowning inside the helmet."
Wow that one cold mofo here.
I believe he was already in the (repressurising) airlock by that point, so whilst taking the helmet off would have been bad, it's not quite the same as doing it in space.
On the other hand, the helmets do have a depressurisation valve which can be opened while in space (Chris Hadfield had to use it to remove contamination from inside his suit while on EVA). ISTR that NASA had considered using that, but had concluded that the surface tension would prevent the water from migrating towards the valve so it wouldn't have worked.
When I went off to college, many of my most IT-savvy freshman colleagues were versed in networks and system administration because they had run the computer labs of their high schools. Some of them had been caught cracking or otherwise mucking about in ways that the school staff lacked the ability to revert and been forced to clean up after themselves, others saw messes and volunteered to help out.
Times have changed - when I did my computer science degree, most of the students were at the geeky end of the spectrum and were there because that's what they were really into. Compare to the present-day cross section of computer science students: most of them are there because computers are seen as a good career. The extra-curricular interest is giving way to people who just want a job.
FB chat is just XMPP and easy to set up in pretty much any messenger anyway.
Empathy on both my workstations has suddenly refused to log into facebook with auth failures over the past few weeks (no, I haven't changed my password). I must get around to looking into it, but it would imply that facebook have changed _something_ WRT XMPP...
Sure it's easy to model the spread of a virus. It's another thing entirely to write one that can run on every commodity access point, with sufficient CPU power to crack all nearby passwords / keys.
Doesn't need to do that: crack the wifi key and you now have access to the whole network. From there you can install on *any* insecure device on the network - be it the AP itself, a Windows workstation, a NAS, smart TV, printer, whatever. If the device in question has its own wireless NIC (which is frequently the case if you've infected something like a laptop or smartphone) then you can find another wifi network, crack that, install on any device you find therein, rinse and repeat. Especially good for devices like laptops and phones which physically move around so can probably infect geographically separated networks (think: home user bringing their infected phone into work - the phone doesn't need to already be authorised to log into the office wifi network for it to sit there all day, every day, cracking the damned thing!).
Perhaps in your part of the world, but outside of the US, Whatsapp is big in some countries. As in used by practically everyone kind of big.
I'm left wondering, network effects being what they are, why people are using Whatsapp instead of Facebook Messenger (given that they're probably already subscribed to Facebook anyway).
After the oil runs out, there won't be any money. Details here. Warning -- it's a harrowing read.
Largely BS in my opinion - the article is based on the assumption that large scale energy production will cease almost entirely (no electricity, no fuel to transport goods, no gas to cook with, etc). This seems pretty unlikely to me - it's entirely possible that energy will become more expensive, but not world-endingly so - we already know we can produce energy from nuclear reactions for a reasonably low price - not "too cheap to meter", but still not insanely expensive. So since we've got a reasonable supply of energy from nuclear power, the problem becomes storing that energy to replace the oil infrastructure; and we know we can do that - you can use electricity to crack water into hydrogen, produce methane and heavier organics from that. It's not that efficient, but it's certainly doable, and it *will* be done if there is no more oil left.
What is more of a concern is an "energy gap" - a period of time between oil becoming scarce and replacement technologies being built. New power stations take many years to commission, for example. This is far more likely than a long term problem.
There is a significant distinction between no encryption and weak encryption: There is absolutely no way for someone to know whether or not an open AP is a public or private network
Right, but that's a problem for someone else, not for you.
No, I treat that as my problem - I have no expectation of someone not treating my network as a public hotspot if I provided no way for them to know it wasn't.
That is a stupid thing to say, and only a stupid person would say it. It's not damage at all. It's equivalent to picking up someone's car and facing it the other way. It's an annoyance, not damage.
If the person who owns the network isn't very technically literate then it's equivalent to damage - they suddenly won't be able to connect to their own network and will have to hire someone to undo the damage and make it work again. You are making the assumption that everyone knows how to diagnose and fix the problem you're creating which is fundamentally untrue - a significant proportion of the population don't know how to do this and will have to pay someone to do it for them.
Now, if you did that to someone who was depending on it for work, it might cause them actual loss, but someone who is using a network for work and doesn't secure it is an asshole.
Someone who uses weak security on their network either has a legitimate reason for doing so, or doesn't understand the problem. Either way, they are not an asshole - the only asshole in this situation is the person who broke into the network and damaged it in the full knowledge that they were committing a crime.
Many places where I have worked strongly avoid using cloud services for company business. In the education industry in particular, they were quite strong on avoiding remote hosting in order to protect student data. Some places even go so far as to block Google Drive, dropbox, etc entirely.
I work with the education sector and we're increasingly seeing schools moving to cloud services, such as Exchange Online, and even Dropbox and iCloud. No consideration seems to be being made regarding data protection laws, which are almost certainly being broken by using these services (IMHO there's no realistic way to ensure that personal data isn't placed on these services). Also, there seems to be no consideration for the increased load such services place on the internet uplink - suddenly stuff like email (frequently with potentially large attachments) is being shoved over the uplink rather than only over the LAN.
Not really. There's just one: your devices don't support WPA.
Doesn't that constitute a legitimate reason?
Otherwise, you might as well use no encryption.
There is a significant distinction between no encryption and weak encryption: There is absolutely no way for someone to know whether or not an open AP is a public or private network (in fact, many devices will automatically connect to an open AP on the assumption it's a public hotspot, completely removing the user from the equation). Conversely, in order to use a weakly encrypted network, you must make a conscious decision to do something that you know is criminal.
Breaking into a network and changing the SSID to let the owner know it can be broken into is akin to chucking a brick through someone's window with a note attached telling them that it's possible to break in through their window, or climbing over their garden fence and spraypainting a note on the side of their house warning them that it's possible to climb over the fence - it's not a "good samaritan" gesture, it's wanton criminal damage.
I think it's just because proof is hard to show in these cases, until some private info of a Canadian is part of some breach.
Sorry, I forgot to add "here in the UK" to my previous post. I'm unconvinced that (here) the information commissioner's office even cares, so I'm not expecting any kind of enforcement action soon.
It's even a law in Canada to prohibit companies with data on Canadian people from any storage/transport of this data using any IT infrastructure in the USA.
The data protection act has restrictions on exporting data... In my experience pretty much everyone is ignoring those restrictions when it comes to migrating to "cloud" services, and that's not going to stop until people start getting hit by big fines.
Cracking a WEP key takes minutes and almost zero effort if there is already traffic on the network (and a bit more if there isn't). There may be completely unsecured APs around but whether they are actually as usable as yours depends on 1) the signal quality and 2) how many others are connected to these open APs and sucking up bandwidth.
Smashing a window and entering your home takes minutes and almost zero effort. There may be completely unsecured homes around but whether they are actually as vulnerable depends on 1) the value of anything in the home and 2) how many people are present in the open home at the time.
My point was that placing encryption on a network, however insecure that is, demonstrates that the network is private - anyone who accesses the network has consciously broken into it in the full knowledge that they were committing a crime. Compared to an open network where there may well be no way to know that it wasn't intentionally left open as a hotspot. So, if you break into my network (however trivially) and start screwing with things like SSID settings, I'd want you to be arrested because you were knowingly committing a crime.
You say that everything using the network is encrypted but that is only half of the problem. The other half is somebody using your network to do (very) illegal things on the internet, all of which you would be potentially liable for. That is, unless you require VPN authentication before allowing internet access.
Where I live, people are not criminally liable for other people's actions, so no, I wouldn't be liable for someone doing something illegal through my network.
Having said that, there are many times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave into that impulse, but boy, sometimes it was quite a struggle.
There are legitimate reasons for using WEP.
I still use WEP on my home network, because I still have a few devices that simply won't reliably do anything better. I figure that this is largely ok because: 1. Everything I do over the wireless network internally is using encrypted protocols anyway, and I wouldn't be using non-encrypted protocols for transporting sensitive data externally anyway. 2. There are a bunch of my neighbours' completely unsecured APs visible from my house so I figure if someone is interested in cracking a wireless network, they're probably going to go for the easy option and use one of those networks rather than cracking my WEP key.
Whilst I'm of the opinion that if an AP is left completely open, it should be legal to treat it as a public hotspot, I do still think that if you're having to crack some kind of security, however weak, in order to gain access then you need to be arrested and punished because you're clearly stepping over the line. (And yes, cracking someone's WEP key and router password in order to change their SSID counts as stepping over the line).
2. There is most definitely a time limit, which is "defect free for a reasonable amount of time". And for example in the UK, there are general limits.
As I understand it, a product is expected to not break for "a reasonable amount of time" (i.e. through normal wear and tear), but there is no time restriction on _manufacturing/design defects_ (i.e. things that were wrong on the day that you bought it, rather than things which broke at a later date).
A vendor having an incentive to make their product defective so they can charge for fixes doesn't exactly sound like it's in the customer's interest...
I don't think this includes software, or Microsoft will face some legal battles in Europe after April 8.
I'd be curious to know why it wouldn't include software.
As I said, I imagine a court would say it's unreasonable to expect a vendor to engineer fixes forever, but if those fixes are being engineered *anyway* should a vendor be allowed to withhold them from certain customers?
Absolutely... but Oracle have a case with other people redistributing their Solaris patches. I'd say that they've got a legitimate right to the proprietary code that they own.... and Linux is GPL, so that's not a conflict of interest for Oracle. Their goal is "profit at all costs" anyway. That's the only ideology Oracle understands.
I'm curious about the legal situation with respect to bugfixes in the EU: EU warranty law requires the vendor to warrant that a product is free of manufacturing defects, and there is no time limit to this warranty. It could be argued that any bug in software is a "manufacturing defect", and therefore the vendor needs to provide bugfixes forever more. Courts would probably say that it is unreasonable to require the vendor to engineer patches for very old software. *However*, if the patches are already being produced anyway, is it reasonable for the vendor to only allow their current support customers to access the patches, rather than making them freely available to anyone who has bought the defective product in the past?
So whilst I'll agree that the code is proprietary and other people shouldn't be redistributing them without Oracle's permission, I do question whether Oracle shouldn't be legally obliged to provide those patches to everyone who bought Solaris anyway.
Even if the charge is approved, if the seller can't prove the buyer took possession, the buyer will win (had an ebay issue where the seller claimed he sent it and I didn't pay his "insurance" fee so it was lost). I approved the charge, but I didn't take possession of the purchased item, so the reverse was upheld.
In the UK, the distance selling regulations make it the seller's responsibility to ensure the goods arrive at their destination undamaged and allow the buyer to return the goods for pretty much any reason they like within 7 days (and unless the seller's T&Cs specifically say they won't cover return postage charges, they also have to pay the postage charges if you decide to return it!). So all the ebayers who claim they won't accept returns or that they're not responsible if the item gets lost/damaged in the post are wrong - the law is most definitely not on their side.
FWIW, the purpose of these regulations is largely to give people similar rights when buying at a distance as they get when buying in a high street shop - e.g. in a shop you would be able to examine the product (for free) before deciding if you want to buy it, and the distance selling regulations mirror this by allowing you to examine a product once it has been delivered and return it if it isn't what you want, since you're not going to be able to examine it before you buy it.
I had to do it with LoveFilm - it's well worth knowing about (and in fact, in my case it was a debit card rather than a credit card and the bank were still happy to charge back the transactions).
I'd signed up for a free trial through lovefilm.com on one of their top tiers and just before the end of the trial I told them to downgrade the account to the pay-as-you-go tier. They said that they can't downgrade it until I send back the 3 DVDs I had, but when I send them back the downgrade would happen automatically. So I sent them back and they immediately sent out another 3 DVDs on the top-tier contract. I complained, they said I needed to send them back again and they really would downgrade me this time. Except they didn't and just sent out yet more DVDs. This kept going on for a while and they started charging my card the full price for the top tier. I complained and informed them in writing that they were not authorised to take another payment from the card. They did anyway. Then they claimed that I couldn't possibly have downgraded for the PAYG contract since that was only available through lovefilm.com and apparently I signed up through amazon.com (errm, no, I signed up through lovefilm.com). They made a partial "good will" refund, but refused to refund me the full amount as they claimed that I had received a service and therefore must pay for it, even though it was a service I had asked them not to provide. In the end I got pissed off enough to ask the bank to make a chargeback - sent all the correspondence to the bank, including my letter telling them they weren't authorised to take a payment. The bank quickly refunded everything lovefilm had charged me.
So in the end I actually ended up better off - all the charges had been refunded and the "good will" payment had still been paid too. If they hadn't been such arses I would've returned it, but I figured that they had wasted so much of my time that I couldn't be arsed to deal with them any more in any way.
Unfortunately, Lovefilm basically have a monopoly on online DVD rentals, and since I'm never going to touch them again it kinda rules me out of being able to rent DVDs online.
Exactly what does enrolling a customer into an unwanted and ridiculously overpriced service have to do with shedding customers?! If the contract is over. Shed the customer. If the contract is not over. Keep up your end of the contract.
Most contracts have termination clauses. If they really wanted to shed a customer, they can just say "I'm sorry, we don't want to be your supplier any more" (and potentially pay a small penalty fee, if the contract says so).
Opting someone in to a paid-for service just seems to be inviting credit card chargebacks (and probably the loss of their merchant account). Furthermore, emailing people to tell them you've opted them in seems particularly unsafe since there's no way to know if that email address is still going to be read by the appropriate person (especially if it dates from the 90s).
It's so typical. Someone offers a service/product for free. People use it and like it. They keep using it. Then the service/product gets changed/removed/etc and everyone yells at the owner about how they feel shafted instead of *thanking* the owner for providing such a useful service for free for so long.
Everyone feels entitled to get whatever they want for free.
No one is entitled to anything above and beyond what the contract says - no contract, no entitlement.
*However*, in just the same way as a customer might be peeved when a supplier sticks rigidly to the contract terms instead of offering some good-will flexibility, a customer of a free service is going to be a bit peeved by this kind of no-notice change to the service... And peeved customers aren't the kind of people to continue to be customers, which is important where you're withdrawing the free service in the hope that many of your "free" customers will move to the paid service - if you pissed them off then they probably won't.
I'll give you a real world example: I have a bunch of servers in datacentres run by Host-It. They are over-priced, but we've been happy with their customer service so haven't switched to a cheaper datacentre. We pay for 12 months of hosting up-front, and about a month after we paid for one of our servers, the server failed and we decided to retire it. Coincidentally, the contract was up for renewal for another of our servers at the same time, so we asked them to transfer the remaining 11 months on the contract for the failed server over to that server. Seemed pretty fair enough to us. They flatly refused - sure, the contract doesn't say they have to do that, but it would seem to be a reasonable thing to do from a good-will perspective. So we had to pay for 11 months of hosting for a server that died (so they haven't actually been hosting it) because they refused to be reasonable and instead stuck rigidly to the contract terms. Now I'm not saying they were in the wrong - far from it, legally speaking they were dead in the right, but their lack of good will has ensured all future servers we commission will be hosted elsewhere.
My bank is secure!!1!!!!
Atrium works for me.
Ungodly Churn, almost nobody uses WhatsApp.
Perhaps in your part of the world, but outside of the US, Whatsapp is big in some countries. As in used by practically everyone kind of big.
I'm left wondering, network effects being what they are, why people are using Whatsapp instead of Facebook Messenger (given that they're probably already subscribed to Facebook anyway).
After the oil runs out, there won't be any money. Details here. Warning -- it's a harrowing read.
Largely BS in my opinion - the article is based on the assumption that large scale energy production will cease almost entirely (no electricity, no fuel to transport goods, no gas to cook with, etc). This seems pretty unlikely to me - it's entirely possible that energy will become more expensive, but not world-endingly so - we already know we can produce energy from nuclear reactions for a reasonably low price - not "too cheap to meter", but still not insanely expensive. So since we've got a reasonable supply of energy from nuclear power, the problem becomes storing that energy to replace the oil infrastructure; and we know we can do that - you can use electricity to crack water into hydrogen, produce methane and heavier organics from that. It's not that efficient, but it's certainly doable, and it *will* be done if there is no more oil left.
What is more of a concern is an "energy gap" - a period of time between oil becoming scarce and replacement technologies being built. New power stations take many years to commission, for example. This is far more likely than a long term problem.
There is a significant distinction between no encryption and weak encryption: There is absolutely no way for someone to know whether or not an open AP is a public or private network
Right, but that's a problem for someone else, not for you.
No, I treat that as my problem - I have no expectation of someone not treating my network as a public hotspot if I provided no way for them to know it wasn't.
That is a stupid thing to say, and only a stupid person would say it. It's not damage at all. It's equivalent to picking up someone's car and facing it the other way. It's an annoyance, not damage.
If the person who owns the network isn't very technically literate then it's equivalent to damage - they suddenly won't be able to connect to their own network and will have to hire someone to undo the damage and make it work again. You are making the assumption that everyone knows how to diagnose and fix the problem you're creating which is fundamentally untrue - a significant proportion of the population don't know how to do this and will have to pay someone to do it for them.
Now, if you did that to someone who was depending on it for work, it might cause them actual loss, but someone who is using a network for work and doesn't secure it is an asshole.
Someone who uses weak security on their network either has a legitimate reason for doing so, or doesn't understand the problem. Either way, they are not an asshole - the only asshole in this situation is the person who broke into the network and damaged it in the full knowledge that they were committing a crime.
Many places where I have worked strongly avoid using cloud services for company business. In the education industry in particular, they were quite strong on avoiding remote hosting in order to protect student data.
Some places even go so far as to block Google Drive, dropbox, etc entirely.
I work with the education sector and we're increasingly seeing schools moving to cloud services, such as Exchange Online, and even Dropbox and iCloud. No consideration seems to be being made regarding data protection laws, which are almost certainly being broken by using these services (IMHO there's no realistic way to ensure that personal data isn't placed on these services). Also, there seems to be no consideration for the increased load such services place on the internet uplink - suddenly stuff like email (frequently with potentially large attachments) is being shoved over the uplink rather than only over the LAN.
There are legitimate reasons for using WEP.
Not really. There's just one: your devices don't support WPA.
Doesn't that constitute a legitimate reason?
Otherwise, you might as well use no encryption.
There is a significant distinction between no encryption and weak encryption: There is absolutely no way for someone to know whether or not an open AP is a public or private network (in fact, many devices will automatically connect to an open AP on the assumption it's a public hotspot, completely removing the user from the equation). Conversely, in order to use a weakly encrypted network, you must make a conscious decision to do something that you know is criminal.
Breaking into a network and changing the SSID to let the owner know it can be broken into is akin to chucking a brick through someone's window with a note attached telling them that it's possible to break in through their window, or climbing over their garden fence and spraypainting a note on the side of their house warning them that it's possible to climb over the fence - it's not a "good samaritan" gesture, it's wanton criminal damage.
I think it's just because proof is hard to show in these cases, until some private info of a Canadian is part of some breach.
Sorry, I forgot to add "here in the UK" to my previous post. I'm unconvinced that (here) the information commissioner's office even cares, so I'm not expecting any kind of enforcement action soon.
It's even a law in Canada to prohibit companies with data on Canadian people from any storage/transport of these data using any IT infrastructure in the USA.
The data protection act has restrictions on exporting data... In my experience pretty much everyone is ignoring those restrictions when it comes to migrating to "cloud" services, and that's not going to stop until people start getting hit by big fines.
Cracking a WEP key takes minutes and almost zero effort if there is already traffic on the network (and a bit more if there isn't). There may be completely unsecured APs around but whether they are actually as usable as yours depends on 1) the signal quality and 2) how many others are connected to these open APs and sucking up bandwidth.
Smashing a window and entering your home takes minutes and almost zero effort. There may be completely unsecured homes around but whether they are actually as vulnerable depends on 1) the value of anything in the home and 2) how many people are present in the open home at the time.
My point was that placing encryption on a network, however insecure that is, demonstrates that the network is private - anyone who accesses the network has consciously broken into it in the full knowledge that they were committing a crime. Compared to an open network where there may well be no way to know that it wasn't intentionally left open as a hotspot. So, if you break into my network (however trivially) and start screwing with things like SSID settings, I'd want you to be arrested because you were knowingly committing a crime.
You say that everything using the network is encrypted but that is only half of the problem. The other half is somebody using your network to do (very) illegal things on the internet, all of which you would be potentially liable for. That is, unless you require VPN authentication before allowing internet access.
Where I live, people are not criminally liable for other people's actions, so no, I wouldn't be liable for someone doing something illegal through my network.
Having said that, there are many times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave in to that impulse, but boy, sometimes it was quite a struggle.
There are legitimate reasons for using WEP.
I still use WEP on my home network, because I still have a few devices that simply won't reliably do anything better. I figure that this is largely ok because:
1. Everything I do over the wireless network internally is using encrypted protocols anyway, and I wouldn't be using non-encrypted protocols for transporting sensitive data externally anyway.
2. There are a bunch of my neighbours' completely unsecured APs visible from my house so I figure if someone is interested in cracking a wireless network, they're probably going to go for the easy option and use one of those networks rather than cracking my WEP key.
Whilst I'm of the opinion that if an AP is left completely open, it should be legal to treat it as a public hotspot, I do still think that if you're having to crack some kind of security, however weak, in order to gain access then you need to be arrested and punished because you're clearly stepping over the line. (And yes, cracking someone's WEP key and router password in order to change their SSID counts as stepping over the line).
2. There is most definitely a time limit, which is "defect free for a reasonable amount of time". And for example in the UK, there are general limits.
As I understand it, a product is expected to not break for "a reasonable amount of time" (i.e. through normal wear and tear), but there is no time restriction on _manufacturing/design defects_ (i.e. things that were wrong on the day that you bought it, rather than things which broke at a later date).
A vendor having an incentive to make their product defective so they can charge for fixes doesn't exactly sound like it's in the customer's interest...
I don't think this includes software, or Microsoft will face some legal battles in Europe after April 8.
I'd be curious to know why it wouldn't include software.
As I said, I imagine a court would say it's unreasonable to expect a vendor to engineer fixes forever, but if those fixes are being engineered *anyway* should a vendor be allowed to withhold them from certain customers?
Absolutely... but Oracle have a case with other people redistributing their Solaris patches. I'd say that they've got a legitimate right to the proprietary code that they own.... and Linux is GPL, so that's not a conflict of interest for Oracle. Their goal is "profit at all costs" anyway. That's the only ideology Oracle understands.
I'm curious about the legal situation with respect to bugfixes in the EU: EU warranty law requires the vendor to warrant that a product is free of manufacturing defects, and there is no time limit to this warranty. It could be argued that any bug in software is a "manufacturing defect", and therefore the vendor needs to provide bugfixes forever more. Courts would probably say that it is unreasonable to require the vendor to engineer patches for very old software. *However*, if the patches are already being produced anyway, is it reasonable for the vendor to only allow their current support customers to access the patches, rather than making them freely available to anyone who has bought the defective product in the past?
So whilst I'll agree that the code is proprietary and other people shouldn't be redistributing them without Oracle's permission, I do question whether Oracle shouldn't be legally obliged to provide those patches to everyone who bought Solaris anyway.
Even if the charge is approved, if the seller can't prove the buyer took possession, the buyer will win (had an eBay issue where the seller claimed he sent it and I didn't pay his "insurance" fee so it was lost). I approved the charge, but I didn't take possession of the purchased item, so the reverse was upheld.
In the UK, the distance selling regulations make it the seller's responsibility to ensure the goods arrive at their destination undamaged and allow the buyer to return the goods for pretty much any reason they like within 7 days (and unless the seller's T&Cs specifically say they won't cover return postage charges, they also have to pay the postage charges if you decide to return it!). So all the eBayers who claim they won't accept returns or that they're not responsible if the item gets lost/damaged in the post are wrong - the law is most definitely not on their side.
FWIW, the purpose of these regulations is largely to give people similar rights when buying at a distance as they get when buying in a high street shop - e.g. in a shop you would be able to examine the product (for free) before deciding if you want to buy it, and the distance selling regulations mirror this by allowing you to examine a product once it has been delivered and return it if it isn't what you want, since you're not going to be able to examine it before you buy it.
I had to do it with LoveFilm - it's well worth knowing about (and in fact, in my case it was a debit card rather than a credit card and the bank were still happy to charge back the transactions).
I'd signed up for a free trial through lovefilm.com on one of their top tiers and just before the end of the trial I told them to downgrade the account to the pay-as-you-go tier. They said that they can't downgrade it until I send back the 3 DVDs I had, but when I send them back the downgrade would happen automatically. So I sent them back and they immediately sent out another 3 DVDs on the top-tier contract. I complained, they said I needed to send them back again and they really would downgrade me this time. Except they didn't and just sent out yet more DVDs. This kept going on for a while and they started charging my card the full price for the top tier. I complained and informed them in writing that they were not authorised to take another payment from the card. They did anyway. Then they claimed that I couldn't possibly have downgraded for the PAYG contract since that was only available through lovefilm.com and apparently I signed up through amazon.com (errm, no, I signed up through lovefilm.com). They made a partial "good will" refund, but refused to refund me the full amount as they claimed that I had received a service and therefore must pay for it, even though it was a service I had asked them not to provide. In the end I got pissed off enough to ask the bank to make a chargeback - sent all the correspondence to the bank, including my letter telling them they weren't authorised to take a payment. The bank quickly refunded everything lovefilm had charged me.
So in the end I actually ended up better off - all the charges had been refunded and the "good will" payment had still been paid too. If they hadn't been such arses I would've returned it, but I figured that they had wasted so much of my time that I couldn't be arsed to deal with them any more in any way.
Unfortunately, Lovefilm basically have a monopoly on online DVD rentals, and since I'm never going to touch them again it kinda rules me out of being able to rent DVDs online.
In a free market there is no fraud.
Fraud is illegal. In a free market, nothing is illegal. So yes, you're right. But so what?
In a free market where "nothing is illegal", a company committing large scale fraud would likely have their directors shot or offices firebombed...
Exactly what does enrolling a customer into an unwanted and ridiculously overpriced service have to do with shedding customers?! If the contract is over, shed the customer. If the contract is not over, keep up your end of the contract.
Most contracts have termination clauses. If they really wanted to shed a customer, they can just say "I'm sorry, we don't want to be your supplier any more" (and potentially pay a small penalty fee, if the contract says so).
Opting someone in to a paid-for service just seems to be inviting credit card chargebacks (and probably the loss of their merchant account). Furthermore, emailing people to tell them you've opted them in seems particularly unsafe since there's no way to know if that email address is still going to be read by the appropriate person (especially if it dates from the 90s).
It's so typical. Someone offers a service/product for free. People use it and like it. They keep using it. Then the service/product gets changed/removed/etc and everyone yells at the owner about how they feel shafted instead of *thanking* the owner for providing such a useful service for free for so long.
Everyone feels entitled to get whatever they want for free.
No one is entitled to anything above and beyond what the contract says - no contract, no entitlement.
*However*, in just the same way as a customer might be peeved when a supplier sticks rigidly to the contract terms instead of offering some good-will flexibility, a customer of a free service is going to be a bit peeved by this kind of no-notice change to the service... And peeved customers aren't the kind of people to continue to be customers, which is important where you're withdrawing the free service in the hope that many of your "free" customers will move to the paid service - if you pissed them off then they probably won't.
I'll give you a real world example: I have a bunch of servers in datacentres run by Host-It. They are over-priced, but we've been happy with their customer service so haven't switched to a cheaper datacentre. We pay for 12 months of hosting up-front, and about a month after we paid for one of our servers, the server failed and we decided to retire it. Coincidentally, the contract was up for renewal for another of our servers at the same time, so we asked them to transfer the remaining 11 months on the contract for the failed server over to that server. Seemed pretty fair enough to us. They flatly refused - sure, the contract doesn't say they have to do that, but it would seem to be a reasonable thing to do from a good-will perspective. So we had to pay for 11 months of hosting for a server that died (so they haven't actually been hosting it) because they refused to be reasonable and instead stuck rigidly to the contract terms. Now I'm not saying they were in the wrong - far from it, legally speaking they were dead in the right, but their lack of good will has ensured all future servers we commission will be hosted elsewhere.