> You're in Canada I take it being on Rogers. In the U.S. cable providers don't make their boxes available to buy at Best Buy, Circuit City, etc. If you did manage to procure a box (like by keeping one from your cable provider or buying one on eBay) the new provider would refuse to authorize it on their systems. In fact, if I remember right, buying digital cable boxes online is illegal (probably since the boxes are never meant to be sold and therefore are considered stolen property on the marketplace).
Actually, that's not altogether true. It still is, AFAIK, legal to buy a cable box or PVR with cable support. But to hook it up, you must inform the cable company, and you need to pay for all services you can receive.
Telecommunications Act of 1996 Sec. 629 expressly requires they be made available from sources other than the cable company. Subsequent documents I checked indicate that Congress and the FCC are concerned about 1) cost to consumers and 2) availability of new features. If the service vendor can make themselves the sole source, they can also jack up the prices. I can't say for sure this hasn't been amended since, but I couldn't find anything on Thomas.gov.
Stolen boxes, as you indicated, are another subject.
> I have a friend who was arrested for taking a picture..of course that was in the USSR. Taking picture in a public place is not a reason to be approached by police.
Of course. And, as was noted, he was not approached for taking a picture. He was detained for a number of minor reasons, none of which was sufficient to arouse suspicion individually. He was detained longer than he might have been for several reasons, only -one- of which was picture-taking by associates of his, in peculiar circumstances (normally, teams of people don't go out to photograph tube-stations).
There is a difference between single cause->effect (take picture->get arrested) and multiple circumstantial details used in a decision making process. The picture taking wasn't a "Eureka! I have found a terrorist!" moment, it was a "Hmmm, in addition to all these funny things, here's another that's a bit funny..." moment.
> it would be just silly if everyone was so up in arms over the fact that someone was take aside, temporarily restrained, searched, and then allowed to proceed.
Point: he was taken aside, handcuffed, searched, detained for several hours, his apartment was searched and possessions impounded, not all of which may be accounted for. In addition, certain other evidence has not been provided to the writer. Not being familiar with UK law, it sounds offhand as if some of it is due under an analogue to the US Freedom Of Information Act, but that's a guess.
> He wasn't abused. No one beat a confession out of him. He wasn't shot.
Right. He may have been detained illegally, however, and the matter remains unresolved.
> I have been selected for a random search when boarding airplanes over the last two years. Each time I thank the screeners, and I am quite enthusiastic about being searched. When the search is done, I thank the screeners again, for I know they're doing something to protect me. They aren't trying to trample my rights, they're trying to keep me alive.
I have also been stopped by the police in random spot checks, and have never had a problem (US). However, I am white; I know many people who are black, who have not had such pleasant experiences. The fact that -you- have not been mistreated is interesting, but irrelevant, as is the intended purpose of the searches.
> One thing conspicuously missing from the writer's "account" of the search was why he was handcuffed. This kind of thing does not happen to everyone who has a knapsack in the London Underground, but it does happen if you're belligerent when they ask to search you.
I would not count on there being a valid reason for being cuffed; however, you are right that several pieces of information are missing from the writer's account. Certainly, the fact that they charged him with "public nuisance" indicates that there may be more to this than the account indicates.
> Of course, if the writer was belligerent or combative towards the police, do you think he'd actually mention that fact? Of course not. That would get in the way of the agenda.
Quite possibly. There are a few other things in the account:
"The police say they can't validate my address. I suggest they ask the security guard where I work, two streets away."
The address problem could be a major red flag. Certainly, in a possible terror situation, not being certain of the person's address or identity is reason to investigate further and keep the person in custody.
"The officer explains what made them change their mind and arrest me....there was a firearms incident at the company where I work [and] staff had also been seen photographing tube stations with a camera phone...as part of a team-building exercise..."
Minor incidents, but certainly reason for police to be sure.
That said, the point about technophiles being considered more suspicious may be valid. The laundry list of confiscated gear is not dissimilar to that in my basement, and some of the "suspicious" actions are pretty normal behavior for geeks.
"I went into the station without looking at the police officers at the entrance or by the gates"; a lot of introverts don't glance around. "I am wearing a jacket 'too warm for the season'"; a lot of geeks are fashion challenged, and wear overly bulky/heavy coats. "I am carrying a bulky rucksack, and kept my rucksack with me at all times"; ditto for a lot of geeks. "I looked at people coming on the platform"; ditto. "I played with my phone and then took a paper from inside my jacket"; all standard geek behavior.
That said, it doesn't sound like there is a "police abuse" story here. Maybe a "police inefficiency" story, and likely an "anti-terror searches aren't working" story. But that's about all.
> If you buy something because of promised features and later the company takes away some of that capability, do you have some legal basis for claiming false advertising, or reneging on contract, or something like that?
IANAL, but in the US, yes, you can sue. You -may or may not win-, and if you win, you might not win much.
It would depend on a number of things, on which the court could rule either way. A couple of things the court might consider would be:
- is TiVo a product or a service?
- is the right to persist a recording a significant piece of functionality, or not?
- what is the value of losing the right to keep recordings longer than [whatever period]
Frankly, I don't think much of the chances of success.
TiVo is a rather inexpensive product, hardware-only. The lost value would be minimal. If a TiVo only costs $200, it's hard to justify awarding significant amounts.
The courts would be unlikely to decide that the right to persist the recordings is more than a small percentage of the value of the TiVo, say 5 or 10 percent. So even if you win, all you win is a $20 rebate.
If TiVo is a service, the landscape is a little different, but not much brighter. If they rule that the right to persist the recordings is a significant part of the contract value, they might require TiVo to offer the right to cancel without penalty and receive a pro-rated rebate for the unused part of the contract, but that's about as high as I can see the court going on this.
> I think this would be more of a question for people who paid for a lifetime subscription, but it also throws into the question the value of any future lifetime subscriptions,
You're right that it is more important regarding the lifetime subscriptions.
> because if their contract allows them to start adding restrictions after the fact, is it really of much value?
Actually, most "lifetime" contracts allow for some sort of unilateral modification by the issuer. The issue isn't whether they can alter the contract terms; they can. The question is whether they can alter them in this way, without allowing you to cancel and receive a pro-rated refund. They -probably- would need to offer some sort of cancellation offer, if people pushed it. But that's about as far as they would need to go.
IIRC, the TiVo lifetime contract is tied to the lifetime of the unit, not the purchaser. If so, the courts would probably pro-rate on the basis of expected unit life.
All in all, I think this would be a losing case to pursue. I don't think there is any chance the courts would consider something like this anything more than a minor issue.
> For example: I might be tempted to buy, on DVD, the complete season of "One Day To Defeat The Terrorists By Whispering Everything", the new hit Fox show, if I missed various episodes. Fox might release the DVD set with that in mind. However, if one can simply program their DVR to record every single show, they're not likely to buy it, especially if they can transfer the show to tape or DVD-R afterwards.
Sorry, this argument may be correct, but it may not. The reality is that current DVD products are very different from what you get off the air. If I buy the "Buffy the Vampire Slayer" package rather than taping off of FX, I don't get annoying commercials, editing for time, stupid little animated advertisements for stupid programs that not only interfere with the picture, but increasingly interfere with the *&^%$ DIALOGUE!
If the vendor is smart, I also get other DVD Extras. The most popular DVD extra being the cheapest to produce, the outtakes.
There is insufficient evidence at this time to state authoritatively that allowing the consumer to record the program and even burn it to DVD significantly reduces DVD sales revenue.
> What we actually need, rather than this rather shaky Supreme Court ruling, is actual legislation that enshrines certain things people do with content into law.
> Yes, I'm quite sure that Ebooks in their present form aren't suitable for you. But how can you assume that everyone has the same needs, restrictions, and requirements as you?
You're right, they don't. But that wasn't the question. The question was, "when will they become mainstream?" To me, that means, "when will they be a serious option in the book purchasing decisions of a majority of the book-buying public?"
I don't dispute that e-books make a -lot- of sense for some people. I'm just pointing out that some of the factors preventing other people from buying aren't merely differences of degree (a little less cost, a little more battery life, a little bigger display), but more significant differences.
I'm not saying that everyone has the same needs as me. I'm saying only a minority of the population has the same needs as the majority of the voices heard on Slashdot; those who buy more stuff for the cool factor.
> The Palm Zire cost around 100 bucks. The screen is hobbled for reading full page text, but it needn't be so.
Great. But that's $100 I don't need to spend at all, for a device you just referred to as 'hobbled'. My last comment was that the readers need to be so cheap they become giveaway items.
When the device isn't hobbled, and costs $25 or less, let me know.
> 1. The conservatism of readers, who just are used to paper books. We can't develop a new generation of kids who are used to ebook readers because there AREN'T any ebook readers. Catch-22.
Reasonable argument. Which is why I stated that changing the economics of the model to promote usage of e-books is needed. Start by giving away the readers and dropping the price on the books.
Getting the book for $1.50 less than the print version (I checked a few) is not worth the loss of utility or cost of the hardware to many people.
> 2. Publishers, who are terrified of .txt files of their inventory being traded like mp3's.
I agree that's a problem; because, as many people pointed out, trading books is a desired feature. I understand that they don't want people trading e-books. But I can and do legally trade print books, or borrow them from the library.
That's real utility to the consumer, and it needs to be there for me and many others to adopt e-books.
> 3. Hardware manufacturers, who don't see any profit in making $25 dollar ebooks.
Yep, it's a problem. Part of the problem there is that everyone is out for themselves. Publishers can subsidize the hardware, if they wish.
> If you'd like to see how cool an ebook machine could be, take a look at the iPod Nano. Imagine a bigger screen. Imagine it weighs four ounces, has copious flash memory, and can connect via USB or maybe ethernet. Imagine it is solar powered. Keep it low powered and simple by only having a b&w screen.
Very cool. I don't factor cool into my buying habits, though.
> Imagine it costs 50-100 dollars. And it's possible with today's technology, given economies of scale.
And that makes it a reasonable cost for something I really want to buy. But I don't, nor do a lot of people. To overcome that indifference, the price needs to be lower. The $25 I mentioned earlier is the -high- end. $10 would be better.
> Imagine ten years from now, when diamond-based chip tech gives us terabyte nonvolatile memory, eInk gives us paper-like screens with book quality text.
All -very- cool. And all irrelevant to my purchasing decision.
> Imagine the trees not needed for paper. Maybe we can let some oaks grow back, instead of soft pine.
Now here you finally hit something I agree with. However, I would dispute whether e-books, even in the reduced price model I mentioned, would have a significant impact on this. We are a long way from paperless, and books don't strike me as the primary culprit here.
Let me know when you have an economically viable, near-term plan for replacing magazines, newspapers, print advertising, junk mail, and all the tedious paperwork for work and business.
I'm not trying to be snarky or flippant; I'm trying to present a view from another side. A side that really doesn't care about cool tech that much. A side that is only going to look at utility and economics.
Those people are the ones you need to woo. And you aren't even close as yet.
Sure, I can reduce the waste of paper using e-books; I can also do it by reading less crap, and not subscribing to magazines and newspapers I really don't have time to read anyway.
All the earlier observations in this thread are correct.
Really, the only reasons for electronic books (not e-books specifically) are the reasons software vendors offer them as free downloads: to reduce expense and speed up delivery. It makes sense for me to download the manual for a piece of hardware, or download developer documentation from Oracle. It's free, and it saves me the trouble of lugging a lot of heavy books.
For smaller books, fiction or books I'll want to read away from my computer, the advantages are almost all on the vendor's side of the transaction. They aren't much cheaper, and the problems of utility have already been noted.
So the question "when will e-books become mainstream" becomes "when will e-books offer the -utility- of paperbacks." And the answer becomes, "when various relatively small technical problems are solved, and when larger licensing and economic problems with the e-book business model are solved, so we can have cheaper e-books and -dirt- cheap readers."
Frankly, I see no way they will become mainstream until they can give away the readers like mousepads.
> If I'm downloading something and middle click to open a few new tabs, every so often one of them might time out. If that happens then if I go to that tab there's no way of getting the page I was actually wanting.
Good point. And a simple fix; just put the URL in the location bar at the start.
> Nightly backups of user machines or even storing certain files on servers would solve the problem of potential loss of data on local drives.
In practice, every IT department I have seen that was certain that they were taking care of this was wrong. Senior staff with the clout to do so had Zip drives with all their data on it. They used non-approved storage locations that weren't backed up. They lied about moving the files to network drives. IT staff lied about verifying the backups, or created new share points for users that weren't part of the backup routine.
"It ain't the things I don't know that get me in trouble; it's the things I do know, that just ain't so."
> You are not there to "grant" the privilege of computing. You are there to "support" it.
Good point, although you stated it more bluntly than I would have.
> The people who do the actual work of the company are the ones who bring the money in.
True, although sometimes this is the IT staff.
> So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.
The management at most firms I know would not agree with this. It's not enough to harden the network. Users who open risky attachments can lose data from their local drives which is difficult or impossible to replace. Even if the network prevents infection, a great deal of damage can still be done.
I feel that IT support and IT security decision making need to be separate functions. Support people are not the right ones to restrict the actions of the staff, but sometimes it is necessary to do so. And sometimes the people who need to be restricted are the IT support staff.
> There are a lot of considerations that while they may not make your code any better, will sure make you feel a lot more comfortable while you do it. Being cursed with being the son of a hand surgeon I know a lot of useless fact about repetitive stress injuries and carpal tunnel syndrome. Almost all kind of injuries like that are fixed by ergonomic improvements ranging from getting a track ball, to having the right chair.
Absolutely. When I set up my home office a number of years ago, my first three purchases were: [1] a good quality chair, [2] an ergonomic keyboard, and [3] a good-quality trackball.
> The catch is that if you need to patch a critical system file, it's orders of magnitude more simple to just replace it upon reboot (since nothing's running). Otherwise you need to close down any applications and services that are using that file. Some system files are used by the GUI interface itself, at which point you're crossing your fingers and hoping it pops back to reality during the patch process.
Yes. But a lot of that is due to the fact that MS never really structured the system files properly. If they had done so, this would not be the problem it is.
> It's probably technically possible to do certain patches without rebooting
Very possible.
> but you'd have to have a savvy enough user to shut down and bring back dependent services.
Not really. If the installer is properly designed using MS Installer, it should fall back to copy-on-reboot if anything is in use, and alert the user to reboot. It's only the install programs that make assumptions that are a real problem. Instead of falling back to copy-on-reboot, they choke and die with a cryptic error message.
> 1. Find UI. Why does the find dialog appear at the bottom of the screen?
Yeah, it should be movable. I don't see an extension to change this, but I suspect it would be possible to create one.
> 2. Download UI. Here's a case where modeless makes sense (it's never my primary user task), but here we get a dialog box.
I rarely use the download manager UI; I have it set to stay hidden. There are a -lot- of extensions for download modification, though. I suspect this isn't a real problem. Just off a quick search, this one: http://dmextension.mozdev.org/ seems to address this problem well.
> 3. Tabs and new windows. Firefox goes against IE behavior and starts each browser instance from scratch [with regards to back button history - QT]
I think this has got to be a personal preference thing. I actually prefer that it clears when you open a new tab. But then, I very rarely want to go back more than a page or so. That said, I know there are extensions to manage history differently.
> 4. Tabs and modality. The desired illusion of tabs should be to make each tab a virtual browser. Well this breaks when you bring up a modal dialog within a tab: you can't switch to another tab. It's an annoyance, not a sin, but when it happens it reinforces my new window habit, and slaps my wrist on my growing New tab habit.
Again, it doesn't bother me, but I also rarely open a modal dialog. When I do, I make my selection and dismiss it quickly.
> 5. The return of the go menu.
No comment; I never paid any attention to it.
Seems like the bulk of these can be changed with an extension.
> Regarding political participation, perhaps I should have more clearly explained that education about issues is often a prerequisite for activity. If no one knows about a problem, how are they to get involved?
Of course; no argument. The only area of debate is, "what are and are not legitimate ways to reach out?" I feel that cold calling is not something that should be permitted without restrictions.
> Community outreach and education is vital to grassroots campaigning, and I don't believe the government should be allowed to put in place a system that limits the opportunity for this.
They already do, of necessity. All sorts of traditional grassroots campaigning is restricted and regulated already, in the US. In many communities, there are limits on quantities and type of campaign signs. There are laws that limit the times, places, and conditions under which literature can be passed out, people can be approached for donations, who may solicit signatures for various purposes and how they may do so. All of these exist, and are necessary, because they can be so easily abused.
Without them, employers can pressure people to support their causes, opposing groups can destroy or obscure each other's signs, people can pass out literature in a way that implies an organization's or a person's support where none is given, etc.
The issue is never going to be "should the government limit opportunities for grassroots campaigning", but "to what degree and in what ways."
> I feel that you are now extending your limited definition of political participation to me.
Not really; I just like to respond to statements that imply "we can all agree that...", when I don't happen to agree. I can accept that my definition doesn't match yours, and I can even work with yours, as long as we can agree at the start that we don't have "the" correct definition.
In my opinion, that lets us back up and start a more productive debate, on common ground, and deal with additional areas of uncertainty. Here's another way of looking at it; I'm not so much against an exemption for campaigning than I am against an exemption (of any sort) passed without debate.
I always feel there are too many sacred cows wandering around, and I like to take pot-shots at them now and then.;>
> I guess, in the end, it depends on whether you consider the telephone lines to be a public or private medium.
Well, the -lines- are public. The receiver in my house is, in my opinion, a private thing, to which I allow limited public access.
> What I'd really like to see is a means by which we can automagically deny telemarketers from reaching us. They could still try, but they'd never get patched to our personal line. I'm not sure the phone companies would be able to implement this, however.
Just one brief comment; while I share your views on calls, when comparing how different nations handle [blank], we should always take into account fundamental, real differences between nations.
While the system you mention is a good one, it doesn't scale well with increasing population. The population of the capital of Norway is about the same as the population of one of the smaller major US cities, Cleveland, Ohio.
The entire population of Norway is less than half that of the Greater Chicago Metropolitan Area, and the population of Norway's 8 largest cities is less than half that of Chicago proper.
These differences of scale can make hands-on meetings problematic, at best. Good post, though. Calls aren't the only way to get messages out.
> However, telephone solicitation is very important to business, to charities, and to political organizations. How do we balance their needs with citizens' wants?
How much value is there in calling people who adamantly do not wish to be called?
> I think it's very important that political groups especially are allowed to reach out to people in the community.
Why political groups especially? What in your view makes them more special than other groups? Is it because you are concerned about political issues? If so, can't it be argued that charities have an equally legitimate concern with social issues?
> Unfortunately, most people here in the US are ridiculously undereducated about political issues.
No argument. What makes you believe that phone calls are an effective solution to this problem?
> What I'd like to see is a proscription against soliciting over the phone, so that information could still be passed along.
Define solicitation for this purpose. Dictionary.com defines this as:
---
1. To seek to obtain by persuasion, entreaty, or formal application: a candidate who solicited votes among the factory workers.
2. To petition persistently; importune: solicited the neighbors for donations.
3. To entice or incite to evil or illegal action.
4. To approach or accost (a person) with an offer of sexual services.
---
We can eliminate #4, and #3 is useless without defining 'evil'. But what you propose seems to me to fit both 1 and 2.
It seems as if you wish to permit soliciting permission to contact again, and requiring this before soliciting (funds, votes, purchasing, etc) in earnest begins.
> This would help reduce how much certain subsets of the population are taken advantage of by telemarketers.
So would eliminating all calls. I would favor allowing people to opt out entirely.
> It's not that hard to hang up the phone, or to screen calls. I've set my phone to ring silently if the call is from someone not in my caller ID. I erase telemarketer numbers every couple days.
Actually, you're wrong here. "It's not that hard to hang up the phone..." if and only if a -human being- calls you. If the call is like the majority I get, it is being dialed by a machine, which routes it to a person only -after- you pick up. Often, there is no person available, so I get several dozen calls followed by dead silence before getting the opportunity to tell them not to call again.
"...or to screen calls. I've set my phone to ring silently if the call is from someone not in my caller ID..." -if- you can filter all calls by caller ID. I can't; the majority of legitimate calls I get are from people who have caller ID blocked. Refusing to pick up would (eventually) be the same as saying "I quit; send me my last paycheck."
> At this point, at least here in the US, I am very against any action that would limit political participation -- it's low enough already.
I don't view cold calling people who don't want to be called as "political participation." YMMV, but please accept that you are applying your own definitions to some common terms. A search of Google on "political participation definition" returns this definition, which pretty much matches mine: "becoming involved in activities such as voting, running for political office, signing petitions and other activities which help citizens make an impact on public or political issues."
While cold calling may certainly be included in "other activities" the fact that it isn't given its own place in this definition would imply that it isn't central, but peripheral. Again, this is just my definition; but aren't you using just your definition?
> Polling and grassroots campaigning are vital to how our political system operates today, and should not be abrogated.
They aren't being abrogated. But why does -anyone- have the r
> The responsibility to the public is to minimise their risk.
>
> Full disclosure increases risk. Malicious people who would not have known about such vulnerabilities often learn of them through full disclosure.
Debatable. Before accepting this, I'd want to see them numbers. Let's face it, even a year -after- patches are released, many people are getting hit. There are too many variables in this for me to accept any answer without seeing some real analysis.
And that kind of analysis is a job of work, particularly since vendors and companies hit usually want to keep a lot of the data hush-hush.
> However, by keeping quiet about a vulnerability, you are enabling the vendor - who does not necessarily have the public's best interests as their primary concern - to put the public at further risk by not fixing these vulnerabilities promptly.
-Very- true.
> The real question is how long a vendor should be allowed to sit on a vulnerability without fixing it before they should be considered derelict in their duty to the public. Where is the line drawn between the two extremes?
>
> Naturally, this varies from vulnerability to vulnerability, and from vendor to vendor.
Too true.
> A vulnerability that is the result of a badly designed architecture is going to take a lot longer to fix than a simple buffer overflow. A vendor that has billions in the bank and an army of programmers should be able to fix things quicker than a vendor that has a handful of programmers.
>
> So really, there's no single correct answer. The answer is always "it depends". The vendor should have enough time to be able to fix the issue promptly, but they shouldn't have enough time to simply put it on the back burner. Unfortunately, the only people capable of determining how much time is reasonable are the vendors themselves.
Disagreed. I'd like to see an independent board set up with the right to demand the source code and make an estimate themselves. And to force the vendor to stick to that estimate, under penalty of fines, censure, even a "cease and desist" order prohibiting them from selling the product until the patch is released.
Think of the effect that might have had on some vendors. No more damn sales of [cash cow product]; recall everything from stores and don't ship one more unit until the patch is ready. I think a lot of people would find that picture compelling.
> I think that as long as they are responsive to the discoverer, and don't take the piss by taking years to fix it, the benefit of the doubt should be given to the vendor.
Difficult. Many vendors want to limit their responsibility to these researchers to contacts on their schedule, and only accepting reports from those who sign "agreements" (often involving NDAs and such).
> But at some point, with some vendors, it's likely that the discoverer will have to use their judgement to decide that the vendor is stringing them along, and it's in the public's best interests to increase the pressure on the vendor with full disclosure.
- Not disclosing the vulnerability is a bandaid. If one person found it, others can as well. Not disclosing vulnerabilities can -never- be viewed as more than a temporary delaying tactic. Once a vulnerability is known, we can picture a clock that starts a countdown, ticking off the days to an actual exploit.
This countdown starts when the vulnerable system is -released-, not when researchers discover the vulnerability or the vulnerability is discussed openly. Absolutely no one can predict how long we have. For some vulnerabilities, the researchers discover it -after- the black hats, and -one day- is too long to wait for them to report it. The vendor is not necessarily the best judge of this time limit; some vendors seem comfortable with waiting up to 2 or 3 years to release a patch.
-Not disclosing the vulnerability, for a brief time, so that a patch may be created is reasonable. What makes it highly controversial is that no one agrees on what is a reasonable period of time. As indicated above, there is no single right answer to "how long is too long"
-For most vulnerabilities, the issue is not as simple as patched versus unpatched. For -many- vulnerabilities, various workarounds are possible. Proactive system administrators are safer if the vulnerability is reported immediately. Passive or reactive system administrators are arguably safer with delayed reporting. However, the number of systems that fall to vulnerabilities patched months or years previously indicates that delaying disclosure for the benefit of these admins may be a self-defeating tactic.
-Many vendors have very large problems with their security responses. Often, patches disable some functionality or destabilize the application/OS. Other times patches depend on new versions of software, OS upgrades, or exchanging one vulnerability for another. Many people feel that these vendors -cannot- be relied upon to improve without a -very big stick-. Some people want to use immediate disclosure as that stick.
> I'm living in the Netherlands, well known because a big part of the country is below sea level. We
> have the same problem here, people building their homes next to big rivers, and then complain if their property gets flooded.
Yes, I was listening to NPR recently, and they had an engineer from the Netherlands talking. He said one reason similar storms haven't caused as much destruction is that the flooding hits more farmland and less housing.
> Bruce's Argument #1) Users have no idea how to decide if a particular signer is trusted or not.
>
> My comments: True. However in an organization it is the job of the IT/security dept to make that
> determination. It shouldn't be left up to users. The IT dept should know not to trust "Snake Oil
> Corp.", however anything from "Citrix Corp" should be fairly safe.
This brings up the issue of "what do we mean by 'trust'". Signing allows us to say with some certainty that the code came from Citrix, but why -should- we trust Citrix more than "Snake Oil Corp"?
In order to trust Citrix, we must determine that:
-Citrix verifies the integrity of the code, ensuring nothing was added without authorization and testing.
-Citrix validates the code to ensure there are no common security flaws.
-BIG point: that the context in which the code will be used is appropriate for the needs of the recipient. This is a big issue when reusing code. A large portion of the flaws in MS products are due to careless code reuse. MS has a buffer overflow in a graphics library, and it affects everything.
> Moreover Windows XP SP2 provides a mechanism to create a Whitelist of certain trusted
> signers, and reject everything else. This is a very powerful security mechanism, and greatly
> increases the security in a corporate environment, if the workstations are properly configured.
> Having said that, this feature may not be that useful for home user, who can not tell the
> difference between Snake Oil and Citrix Corp.
Often useless in a corporate environment. It's a lot of work to verify and maintain. So much so that many major corporations remove all use of authenticode and trust everyone.
> Bruce's Argument #2) Just because a component is signed doesn't mean that it is safe.
>
> My Comments: I fully agree with this. However Code Signing was never intended for this purpose.
> Code signing was designed to prove the authenticity and integrity of the code. It was
> never designed to certify that the piece is also securely written.
Unfortunately, that is how it is -sold-. This also applies to #3. It results in a false sense of security. The point is, verifying the source of the code is, in isolation, useless. The only reason to verify the code is in order to do something with it. If the mechanisms for using authentication don't support using that authentication for anything other than identification, they aren't useful.
The biggest problem with Microsoft's implementation of code authentication is that it is really designed to be all-or-nothing. They made the same mistake in IE3, and I expect them to make it again. They divided the world into "people I trust absolutely" and "people I don't know". They started to make progress with IE4 when they added "people I know and -do not trust-", but they still don't understand that you may want to trust people -to a certain point- and no farther.
For example, I often trust a parking lot attendant with my car keys. But that doesn't mean I trust him with the keys to my safe deposit box and my credit cards.
> I have a friend who was arrested for taking a picture..of course that was in the USSR.
> Taking picture in a public place is not a reason to be approached by police.
Of course. And, as was noted, he was not approached for taking a picture. He was detained for a number of minor reasons, none of which was sufficient to arouse suspicion individually. He was detained longer than he might have been for several reasons, only -one- of which was picture-taking by associates of his, in peculiar circumstances (normally, teams of people don't go out to photograph tube-stations).
There is a difference between single cause->effect (take picture->get arrested) and multiple circumstantial details used in a decision making process. The picture taking wasn't a "Eureka! I have found a terrorist!" moment, it was a "Hmmm, in addition to all these funny things, here's another that's a bit funny..." moment.
> it would be just silly if everyone was so up in arms over the fact that
"...there was a firearms incident at the company where I work [and] staff had also been seen photographing tube stations with a camera phone...as part of a team-building exercise..."
> someone was taken aside, temporarily restrained, searched, and then allowed to
> proceed.
Point: he was taken aside, handcuffed, searched, detained for several hours, his apartment was searched and possessions impounded, not all of which may be accounted for. In addition, certain other evidence has not been provided to the writer. Not being familiar with UK law, it sounds offhand as if some of it is due under an analogue to the US Freedom Of Information Act, but that's a guess.
> He wasn't abused. No one beat a confession out of him. He wasn't shot.
Right. He may have been detained illegally, however, and the matter remains unresolved.
> I have been selected for a random search when boarding airplanes over the
> last two years. Each time I thank the screeners, and I am quite enthusiastic
> about being searched. When the search is done, I thank the screeners again,
> for I know they're doing something to protect me. They aren't trying to
> trample my rights, they're trying to keep me alive.
I have also been stopped by the police in random spot checks, and have never had a problem (US). However, I am white; I know many people who are black, who have not had such pleasant experiences. The fact that -you- have not been mistreated is interesting, but irrelevant, as is the intended purpose of the searches.
> One thing conspicuously missing from the writer's "account" of the search
> was why he was handcuffed. This kind of thing does not happen to everyone
> who has a knapsack in the London Underground, but it does happen if you're
> belligerent when they ask to search you.
I would not count on there being a valid reason for being cuffed; however, you are right that several pieces of information are missing from the writer's account. Certainly, the fact that they charged him with "public nuisance" indicates that there may be more to this than the account indicates.
> Of course, if the writer was belligerent or combative towards the police, do
> you think he'd actually mention that fact? Of course not. That would get in
> the way of the agenda.
Quite possibly. There are a few other things in the account:
"The police say they can't validate my address. I suggest they ask the security guard where I work, two streets away."
The address problem could be a major red flag. Certainly, in a possible terror situation, not being certain of the person's address or identity is reason to investigate further and keep the person in custody.
"The officer explains what made them change their mind and arrest me.
Minor incidents, but certainly reason for police to be sure.
That said, the point about technophiles being considered more suspicious may be valid. The laundry list of confiscated gear is not dissimilar to that in my basement, and some of the "suspicious" actions are pretty normal behavior for geeks.
"I went into the station without looking at the police officers at the entrance or by the gates"; a lot of introverts don't glance around.
"I am wearing a jacket 'too warm for the season'"; a lot of geeks are fashion challenged, and wear overly bulky/heavy coats.
"I am carrying a bulky rucksack, and kept my rucksack with me at all times"; ditto for a lot of geeks.
"I looked at people coming on the platform"; ditto
"I played with my phone and then took a paper from inside my jacket"; all standard geek behavior.
That said, it doesn't sound like there is a "police abuse" story here. Maybe a "police inefficiency" story, and likely an "anti-terror searches aren't working" story. But that's about all.
I'm sorry, I'm really confused by your reply. Are you replying to the parent of my post?
> And what was preventing copyright holders from releasing videocassette sets
> of entire seasons when the Betamax decision was handed down?
The only thing I see that prevented them is the fact that no one had tried it before, so they did not know they could sell them profitably.
Your other arguments seem to be about the parent post; I would guess you are responding to it.
> If you buy something because of promised features and later the company takes
> away some of that capability, do you have some legal basis for claiming false
> advertising, or reneging on contract, or something like that?
IANAL, but in the US, yes, you can sue. You -may or may not win-, and if you win, you might not win much.
It would depend on a number of things, on which the court could rule either way. A couple of things the court might consider would be:
- is TiVo a product or a service?
- is the right to persist a recording a significant piece of functionality, or not?
- what is the value of losing the right to keep recordings longer than [whatever period]?
Frankly, I don't think much of the chances of success.
TiVo is a rather inexpensive product, hardware-only. The lost value would be minimal. If a TiVo only costs $200, it's hard to justify awarding significant amounts.
The courts would be unlikely to decide that the right to persist the recordings is more than a small percentage of the value of the TiVo, say 5 or 10 percent. So even if you win, all you win is a $20 rebate.
If TiVo is a service, the landscape is a little different, but not much brighter. If they rule that the right to persist the recordings is a significant part of the contract value, they might require TiVo to offer the right to cancel without penalty and receive a pro-rated rebate for the unused part of the contract, but that's about as high as I can see the court going on this.
> I think this would be more of a question for people who paid for a lifetime
> subscription, but it also throws into the question the value of any future lifetime subscriptions,
You're right that it is more important regarding the lifetime subscriptions.
> because if their contract allows them to start adding restrictions after the fact, is it really of much value?
Actually, most "lifetime" contracts allow for some sort of unilateral modification by the issuer. The issue isn't whether they can alter the contract terms; they can. The question is whether they can alter them in this way, without allowing you to cancel and receive a pro-rated refund. They -probably- would need to offer some sort of cancellation offer, if people pushed it. But that's about as far as they would need to go.
IIRC, the TiVo lifetime contract is tied to the lifetime of the unit, not the purchaser. If so, the courts would probably pro-rate on the basis of expected unit life.
All in all, I think this would be a losing case to pursue. I don't think there is any chance the courts would consider something like this anything more than a minor issue.
> For example: I might be tempted to buy, on DVD, the complete season of "One
> Day To Defeat The Terrorists By Whispering Everything", the new hit Fox show,
> if I missed various episodes. Fox might release the DVD set with that in mind.
> However, if one can simply program their DVR to record every single show,
> they're not likely to buy it, especially if they can transfer the show to tape
> or DVD-R afterwards.
Sorry, this argument may be correct, but it may not. The reality is that current DVD products are very different from what you get off the air. If I buy the "Buffy the Vampire Slayer" package rather than taping off of FX, I don't get annoying commercials, editing for time, stupid little animated advertisements for stupid programs that not only interfere with the picture, but increasingly interfere with the *&^%$ DIALOGUE!
If the vendor is smart, I also get other DVD Extras. The most popular DVD extra being the cheapest to produce, the outtakes.
There is insufficient evidence at this time to state authoritatively that allowing the consumer to record the program and even burn it to DVD significantly reduces DVD sales revenue.
> What we actually need, rather than this rather shakey Supreme Court ruling,
> is actual legislation that enshrines certain things people do with content
> into law.
Agreed.
> Yes, I'm quite sure that Ebooks in their present form aren't suitable for you. But how can you assume
> that everyone has the same needs, restrictions, and requirements as you?
You're right, they don't. But that wasn't the question. The question was, "when will they become mainstream?" To me, that means, "when will they be a serious option in the book purchasing decisions of a majority of the book-buying public?"
I don't dispute that e-books make a -lot- of sense for some people. I'm just pointing out that some of the factors preventing other people from buying aren't merely differences of degree (a little less cost, a little more battery life, a little bigger display), but more significant differences.
I'm not saying that everyone has the same needs as me. I'm saying only a minority of the population has the same needs as the majority of the voices heard on SlashDot; those who buy more stuff for the cool factor.
Thanks for your comments.
> The Palm Zire cost around 100 bucks. The screen is hobbled for reading full page text, but it needn't be so.
.txt files of their inventory being traded like mp3's.
Great. But that's $100 I don't need to spend at all, for a device you just referred to as 'hobbled'. My last comment was that the readers need to be so cheap they become giveaway items.
When the device isn't hobbled, and costs $25 or less, let me know.
> 1. The conservatism of readers, who just are used to paper books. We can't develop a new
> generation of kids who are used to ebook readers because there AREN'T any ebook readers. Catch-22.
Reasonable argument. Which is why I stated that changing the economics of the model to promote usage of e-books is needed. Start by giving away the readers and dropping the price on the books.
Getting the book for $1.50 less than the print version (I checked a few) is not worth the loss of utility or cost of the hardware to many people.
> 2. Publishers, who are terrified of
I agree that's a problem; because, as many people pointed out, trading books is a desired feature. I understand that they don't want people trading e-books. But I can and do legally trade print books, or borrow them from the library.
That's real utility to the consumer, and it needs to be there for me and many others to adopt e-books.
> 3. Hardware manufacturers, who don't see any profit in making $25 dollar ebooks.
Yep, it's a problem. Part of the problem there is that everyone is out for themselves. Publishers can subsidize the hardware, if they wish.
> If you'd like to see how cool an ebook machine could be, take a look at the iPod Nano. Imagine a
> bigger screen. Imagine it weighs four ounces, has copious flash memory, and can connect via USB
> or maybe ethernet. Imagine it is solar powered. Keep it low powered and simple by only having a b&w screen.
Very cool. I don't factor cool into my buying habits, though.
> Imagine it costs 50-100 dollars. And it's possible with today's technology, given economies of scale.
And that makes it a reasonable cost for something I really want to buy. But I don't, nor do a lot of people. To overcome that indifference, the price needs to be lower. The $25 I mentioned earlier is the -high- end. $10 would be better.
> Imagine ten years from now, when diamond-based chip tech gives us terabyte nonvolatile memory,
> eInk gives us paper-like screens with book quality text.
All -very- cool. And all irrelevant to my purchasing decision.
> Imagine the trees not needed for paper. Maybe we can let some oaks grow back, instead of soft pine.
Now here you finally hit something I agree with. However, I would dispute whether e-books, even in the reduced price model I mentioned, would have a significant impact on this. We are a long way from paperless, and books don't strike me as the primary culprit here.
Let me know when you have an economically viable, near-term plan for replacing magazines, newspapers, print advertising, junk mail, and all the tedious paperwork for work and business.
I'm not trying to be snarky or flippant; I'm trying to present a view from another side. A side that really doesn't care about cool tech that much. A side that is only going to look at utility and economics.
Those people are the ones you need to woo. And you aren't even close as yet.
Sure, I can reduce the waste of paper using e-books; I can also do it by reading less crap, and not subscribing to magazines and newspapers I really don't have time to read anyway.
All the earlier observations in this thread are correct.
Really, the only reasons for electronic books (not e-books specifically) are the reasons software vendors offer them as free downloads: to reduce expense and speed up delivery. It makes sense for me to download the manual for a piece of hardware, or download developer documentation from Oracle. It's free, and it saves me the trouble of lugging a lot of heavy books.
For smaller books, fiction or books I'll want to read away from my computer, the advantages are almost all on the vendor's side of the transaction. They aren't much cheaper, and the problems of utility have already been noted.
So the question "when will e-books become mainstream" becomes "when will e-books offer the -utility- of paperbacks." And the answer becomes, "when various relatively small technical problems are solved, and when larger licensing and economic problems with the e-book business model are solved, so we can have cheaper e-books and -dirt- cheap readers."
Frankly, I see no way they will become mainstream until they can give away the readers like mousepads.
> If I'm downloading something and middle click to open a few new tabs, every so
> often one of them might time out. If that happens then if I go to that tab there's no way of
> getting the page I was actually wanting.
Good point. And a simple fix; just put the URL in the location bar at the start.
> Is there one that just gets rid of the download manager? I prefer the old-style dialogs as seen in IE or NS4.
Anyone? Personally, I use a stand-alone downloader for all but small files.
> Nightly backups of user machines or even storing certain files on servers would solve the problem of
> potential loss of data on local drives.
In practice, every IT department I have seen that was certain that they were taking care of this was wrong. Senior staff with the clout to do so had Zip drives with all their data on it. They used non-approved storage locations that weren't backed up. They lied about moving the files to network drives. IT staff lied about verifying the backups, or created new share points for users that weren't part of the backup routine.
"It ain't the things I don't know that get me in trouble; it's the things I do know, that just ain't so."
> IT departments are dangerous if arrogant
Actually, arrogance can be a danger in any department. Most of the firms led into bankruptcy seem to be led by toweringly arrogant people.
> You are not there to "grant" the privilege of computing. You are there to "support" it.
Good point, although you stated it more bluntly than I would have.
> The people who do the actual work of the company are the ones who bring the money in.
True, although sometimes this is the IT staff.
> So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.
The management at most firms I know would not agree with this. It's not enough to harden the network. Users who open risky attachments can lose data from their local drives which is difficult or impossible to replace. Even if the network prevents infection, a great deal of damage can still be done.
I feel that IT support and IT security decision making need to be separate functions. Support people are not the right ones to restrict the actions of the staff, but sometimes it is necessary to do so. And sometimes the people who need to be restricted are the IT support staff.
> There are a lot of considerations that while they may not make your code any better, will sure
> make you feel a lot more comfortable while you do it. Being cursed with being the son of a hand
> surgeon I know a lot of useless facts about repetitive stress injuries and carpal tunnel
> syndrome. Almost all kind of injuries like that are fixed by ergonomic improvements ranging from
> getting a track ball, to having the right chair.
Absolutely. When I set up my home office a number of years ago, my first three purchases were: [1] a good quality chair, [2] an ergonomic keyboard, and [3] a good-quality trackball.
> The catch is that if you need to patch a critical system file, it's orders of magnitude
> more simple to just replace it upon reboot (since nothing's running). Otherwise you need to
> close down any applications and services that are using that file. Some system files are used by
> the GUI interface itself, at which point you're crossing your fingers and hoping it pops back to
> reality during the patch process.
Yes. But a lot of that is due to the fact that MS never really structured the system files properly. If they had done so, this would not be the problem it is.
> It's probably technically possible to do certain patches without rebooting
Very possible.
> but you'd have to have a savvy enough user to shut down and bring back dependent services.
Not really. If the installer is properly designed using MS Installer, it should fall back to copy-on-reboot if anything is in use, and alert the user to reboot. It's only the install programs that make assumptions that are a real problem. Instead of falling back to copy-on-reboot, they choke and die with a cryptic error message.
Thanks for posting the content, AC.
A few responses:
> 1. Find UI. Why does the find dialog appear at the bottom of the screen?
Yeah, it should be movable. I don't see an extension to change this, but I suspect it would be possible to create one.
> 2. Download UI. Here's a case where modeless makes sense (it's never my primary user task), but here we get a dialog box.
I rarely use the download manager UI; I have it set to stay hidden. There are a -lot- of extensions for download modification, though. I suspect this isn't a real problem. Just off a quick search, this one:
http://dmextension.mozdev.org/ seems to address this problem well.
> 3. Tabs and new windows. Firefox goes against IE behavior and starts each browser instance from scratch [with regards to back button history - QT]
I think this has got to be a personal preference thing. I actually prefer that it clears when you open a new tab. But then, I very rarely want to go back more than a page or so. That said, I know there are extensions to manage history differently.
> 4. Tabs and modality. The desired illusion of tabs should be to make each tab a virtual browser.
> Well this breaks when you bring up a modal dialog within a tab: you can't switch to another
> tab. It's an annoyance, not a sin, but when it
> happens it reinforces my new window habit, and
> slaps my wrist on my growing New tab habit.
Again, it doesn't bother me, but I also rarely open a modal dialog. When I do, I make my selection and dismiss it quickly.
> 5. The return of the go menu.
No comment; I never paid any attention to it.
Seems like the bulk of these can be changed with an extension.
Thanks for your response.
> Regarding political participation, perhaps I should have more clearly explained that education
> about issues is often a prerequisite for activity. If no one knows about a problem, how are they to get involved?
Of course; no argument. The only area of debate is, "what are and are not legitimate ways to reach out?" I feel that cold calling is not something that should be permitted without restrictions.
> Community outreach and education is vital to grassroots campaigning, and I don't believe the
> government should be allowed to put in place a system that limits the opportunity for this.
They already do, of necessity. All sorts of traditional grassroots campaigning is restricted and regulated already, in the US. In many communities, there are limits on quantities and type of campaign signs. There are laws that limit the times, places, and conditions under which literature can be passed out, people can be approached for donations, who may solicit signatures for various purposes and how they may do so. All of these exist, and are necessary, because they can be so easily abused.
Without them, employers can pressure people to support their causes, opposing groups can destroy or obscure each other's signs, people can pass out literature in a way that implies an organization's or a person's support where none is given, etc.
The issue is never going to be "should the government limit opportunities for grassroots campaigning", but "to what degree and in what ways."
> I feel that you are now extending your limited definition of political participation to me.
Not really; I just like to respond to statements that imply "we can all agree that...", when I don't happen to agree. I can accept that my definition doesn't match yours, and I can even work with yours, as long as we can agree at the start that we don't have "the" correct definition.
In my opinion, that lets us back up and start a more productive debate, on common ground, and deal with additional areas of uncertainty. Here's another way of looking at it; I'm not so much against an exemption for campaigning than I am against an exemption (of any sort) passed without debate.
I always feel there are too many sacred cows wandering around, and I like to take pot-shots at them now and then.
> I guess, in the end, it depends on whether you consider the telephone lines to be a public or private medium.
Well, the -lines- are public. The receiver in my house is, in my opinion, a private thing, to which I allow limited public access.
> What I'd really like to see is a means by which we can automagically deny telemarketers from
> reaching us. They could still try, but they'd never get patched to our personal line. I'm not
> sure the phone companies would be able to implement this, however.
Not without a fight.
They already had some over caller id.
Just one brief comment; while I share your views on calls, when comparing how different nations handle [blank], we should always take into account fundamental, real differences between nations.
While the system you mention is a good one, it doesn't scale well with increasing population. The population of the capital of Norway is about the same as the population of one of the smaller major US cities, Cleveland, Ohio.
The entire population of Norway is less than half that of the Greater Chicago Metropolitan Area, and the population of Norway's 8 largest cities is less than half that of Chicago proper.
These differences of scale can make hands-on meetings problematic, at best. Good post, though. Calls aren't the only way to get messages out.
> However, telephone solicitation is very important to business, to charities, and to
> political organizations. How do we balance their needs with citizens' wants?
How much value is there in calling people who adamantly do not wish to be called?
> I think it's very important that political groups especially are allowed to reach out to
> people in the community.
Why political groups especially? What in your view makes them more special than other groups? Is it because you are concerned about political issues? If so, can't it be argued that charities have an equally legitimate concern with social issues?
> Unfortunately, most people here in the US are ridiculously undereducated about political issues.
No argument. What makes you believe that phone calls are an effective solution to this problem?
> What I'd like to see is a proscription against soliciting over the phone, so that information could still be passed along.
Define solicitation for this purpose. Dictionary.com defines this as:
---
1. To seek to obtain by persuasion, entreaty, or formal application: a candidate who solicited votes among the factory workers.
2. To petition persistently; importune: solicited the neighbors for donations.
3. To entice or incite to evil or illegal action.
4. To approach or accost (a person) with an offer of sexual services.
---
We can eliminate #4, and #3 is useless without defining 'evil'. But what you propose seems to me to fit both 1 and 2.
It seems as if you wish to permit soliciting permission to contact again, and requiring this before soliciting (funds, votes, purchasing, etc) in earnest begins.
> This would help reduce how much certain subsets of the population are taken advantage of by telemarketers.
So would eliminating all calls. I would favor allowing people to opt out entirely.
> It's not that hard to hang up the phone, or to screen calls. I've set my phone to ring silently
> if the call is from someone not in my caller ID. I erase telemarketer numbers every couple days.
Actually, you're wrong here. "It's not that hard to hang up the phone..." if and only if a -human being- calls you. If the call is like the majority I get, it is being dialed by a machine, which routes it to a person only -after- you pick up. Often, there is no person available, so I get several dozen calls followed by dead silence before getting the opportunity to tell them not to call again.
"...or to screen calls. I've set my phone to ring silently if the call is from someone not in my caller ID..." -if- you can filter all calls by caller ID. I can't; the majority of legitimate calls I get are from people who have caller ID blocked. Refusing to pick up would (eventually) be the same as saying "I quit; send me my last paycheck."
> At this point, at least here in the US, I am very against any action that would limit political
> participation -- it's low enough already.
I don't view cold calling people who don't want to be called as "political participation." YMMV, but please accept that you are applying your own definitions to some common terms. A search of Google on "political participation definition" returns this definition, which pretty much matches mine: "becoming involved in activities such as voting, running for political office, signing petitions and other activities which help citizens make an impact on public or political issues."
While cold calling may certainly be included in "other activities" the fact that it isn't given its own place in this definition would imply that it isn't central, but peripheral. Again, this is just my definition; but aren't you using just your definition?
> Polling and grassroots campaigning are vital to how our political system operates today, and should not be abrogated.
They aren't being abrogated. But why does -anyone- have the r
> The responsibility to the public is to minimise their risk.
>
> Full disclosure increases risk. Malicious people who would not have known about such
> vulnerabilities often learn of them through full disclosure.
Debatable. Before accepting this, I'd want to see them numbers. Let's face it, even a year -after- patches are released, many people are getting hit. There are too many variables in this for me to accept any answer without seeing some real analysis.
And that kind of analysis is a job of work, particularly since vendors and companies hit usually want to keep a lot of the data hush-hush.
> However, by keeping quiet about a vulnerability, you are enabling the vendor - who does not
> necessarily have the public's best interests as their primary concern - to put the public at
> further risk by not fixing these vulnerabilities promptly.
-Very- true.
> The real question is how long a vendor should be allowed to sit on a vulnerability without fixing
> it before they should be considered derelict in their duty to the public. Where is the line drawn
> between the two extremes?
>
> Naturally, this varies from vulnerability to vulnerability, and from vendor to vendor.
Too true.
> A vulnerability that is the result of a badly designed architecture is going to take a lot
> longer to fix than a simple buffer overflow. A vendor that has billions in the bank and an army
> of programmers should be able to fix things quicker than a vendor that has a handful of programmers.
>
> So really, there's no single correct answer. The answer is always "it depends". The vendor should
> have enough time to be able to fix the issue promptly, but they shouldn't have enough time to
> simply put it on the back burner. Unfortunately, the only people capable of determining how much
> time is reasonable are the vendors themselves.
Disagreed. I'd like to see an independent board set up with the right to demand the source code and make an estimate themselves. And to force the vendor to stick to that estimate, under penalty of fines, censure, even a "cease and desist" order prohibiting them from selling the product until the patch is released.
Think of the effect that might have had on some vendors. No more damn sales of [cash cow product]; recall everything from stores and don't ship one more unit until the patch is ready. I think a lot of people would find that picture compelling.
> I think that as long as they are responsive to the discoverer, and don't take the piss by taking
> years to fix it, the benefit of the doubt should be given to the vendor.
Difficult. Many vendors want to limit their responsibility to these researchers to contacts on their schedule, and only accepting reports from those who sign "agreements" (often involving NDAs and such).
> But at some point, with some vendors, it's likely that the discoverer will have to use their
> judgement to decide that the vendor is stringing them along, and it's in the public's best
> interests to increase the pressure on the vendor with full disclosure.
There are several issues.
- Not disclosing the vulnerability is a bandaid. If one person found it, others can as well. Not disclosing vulnerabilities can -never- be viewed as more than a temporary delaying tactic. Once a vulnerability is known, we can picture a clock that starts a countdown, ticking off the days to an actual exploit.
This countdown starts when the vulnerable system is -released-, not when researchers discover the vulnerability or the vulnerability is discussed openly. Absolutely no one can predict how long we have. For some vulnerabilities, the researchers discover it -after- the black hats, and -one day- is too long to wait for them to report it. The vendor is not necessarily the best judge of this time limit; some vendors seem comfortable with waiting up to 2 or 3 years to release a patch.
- Not disclosing the vulnerability, for a brief time, so that a patch may be created is reasonable. What makes it highly controversial is that no one agrees on what is a reasonable period of time. As indicated above, there is no single right answer to "how long is too long".
- For most vulnerabilities, the issue is not as simple as patched versus unpatched. For -many- vulnerabilities, various workarounds are possible. Proactive system administrators are safer if the vulnerability is reported immediately. Passive or reactive system administrators are arguably safer with delayed reporting. However, the number of systems that fall to vulnerabilities patched months or years previously indicates that delaying disclosure for the benefit of these admins may be a self-defeating tactic.
- Many vendors have very large problems with their security responses. Often, patches disable some functionality or destabilize the application/OS. Other times patches depend on new versions of software, OS upgrades, or exchanging one vulnerability for another. Many people feel that these vendors -cannot- be relied upon to improve without a -very big stick-. Some people want to use immediate disclosure as that stick.
Comments?
> I'm living in the Netherlands, well known because a big part of the country is below sea level. We
> have the same problem here, people building their homes next to big rivers, and then complain if their property gets flooded.
Yes, I was listening to NPR recently, and they had an engineer from the Netherlands talking. He said one reason similar storms haven't caused as much destruction is that the flooding hits more farmland and less housing.
It's annoying, but this is the same Ninth Circuit Court whose rulings are often overturned on appeal by the Supreme Court.
> Bruce's Argument #1) Users have no idea how to decide if a particular signer is trusted or not.
>
> My comments: True. However in an organization it is the job of the IT/security dept to make that
> determination. It shouldn't be left up to users. The IT dept should know not to trust "Snake Oil
> Corp.", however anything from "Citrix Corp" should be fairly safe.
This brings up the issue of "what do we mean by 'trust'". Signing allows us to say with some certainty that the code came from Citrix, but why -should- we trust Citrix more than "Snake Oil Corp"?
In order to trust Citrix, we must determine that:
- Citrix verifies the integrity of the code, ensuring nothing was added without authorization and testing.
- Citrix validates the code to ensure there are no common security flaws.
- BIG point: that the context in which the code will be used is appropriate for the needs of the recipient. This is a big issue when reusing code. A large portion of the flaws in MS products are due to careless code reuse. MS has a buffer overflow in a graphics library, and it affects everything.
> Moreover Windows XP SP2 provides a mechanism to create a Whitelist of certain trusted
> signers, and reject everything else. This is a very powerful security mechanism, and greatly
> increases the security in a corporate environment, if the workstations are properly configured.
> Having said that, this feature may not be that useful for home users, who cannot tell the
> difference between Snake Oil and Citrix Corp.
Often useless in a corporate environment. It's a lot of work to verify and maintain. So much so that many major corporations remove all use of authenticode and trust everyone.
> Bruce's Argument #2) Just because a component is signed doesn't mean that it is safe.
>
> My Comments: I fully agree with this. However Code Signing was never intended for this purpose.
> Code signing was designed to prove the authenticity and integrity of the code. It was
> never designed to certify that the piece is also securely written.
Unfortunately, that is how it is -sold-. This also applies to #3. It results in a false sense of security. The point is, verifying the source of the code is, in isolation, useless. The only reason to verify the code is in order to do something with it. If the mechanisms for using authentication don't support using that authentication for anything other than identification, they aren't useful.
The biggest problem with Microsoft's implementation of code authentication is that it is really designed to be all-or-nothing. They made the same mistake in IE3, and I expect them to make it again. They divided the world into "people I trust absolutely" and "people I don't know". They started to make progress with IE4 when they added "people I know and -do not trust-", but they still don't understand that you may want to trust people -to a certain point- and no farther.
For example, I often trust a parking lot attendant with my car keys. But that doesn't mean I trust him with the keys to my safe deposit box and my credit cards.
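The "trust to a certain point" idea above, as an added example that is not part of the original comment and is not Microsoft's mechanism: a signer-scoped policy compared with the all-or-nothing model. The capability names, the policy table and the sample components are constructed for illustration, and signature verification is assumed to have happened upstream.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy; capability names are hypothetical.
DISTRUSTED = {"Snake Oil Corp."}                       # known and -not- trusted
GRANTS = {"Citrix Corp": {"network", "read_profile"}}  # trusted up to this ceiling
UNKNOWN_CEILING = {"render"}                           # valid signature, unknown signer


@dataclass(frozen=True)
class Component:
    name: str
    signer: Optional[str]   # None = unsigned, or the signature failed verification
    requested: frozenset    # capabilities the component asks for


def all_or_nothing(c: Component) -> set:
    """Binary model: a whitelisted signer gets everything it asks for."""
    return set(c.requested) if c.signer in GRANTS else set()


def scoped(c: Component) -> set:
    """Graduated model: the signature says who; the policy says how far."""
    if c.signer is None or c.signer in DISTRUSTED:
        return set()
    ceiling = GRANTS.get(c.signer, UNKNOWN_CEILING)
    return set(c.requested) & ceiling


def excess(components) -> dict:
    """Capabilities the binary model hands out that the scoped model withholds."""
    return {c.name: all_or_nothing(c) - scoped(c) for c in components}


# Constructed sample components.
SAMPLE = [
    Component("citrix-client", "Citrix Corp", frozenset({"network", "read_profile"})),
    Component("citrix-plugin", "Citrix Corp",
              frozenset({"network", "write_registry", "install_driver"})),
    Component("toolbar", "Snake Oil Corp.", frozenset({"render", "network"})),
    Component("widget", "Unknown Ltd", frozenset({"render", "network"})),
]

if __name__ == "__main__":
    for name, extra in excess(SAMPLE).items():
        print(f"{name}: binary model over-grants {sorted(extra)}")
```

In this sample the same trusted signer is over-granted only when a component asks for more than the signer's ceiling, which is the case the binary model cannot express.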