Slashdot Mirror


User: erik_norgaard

erik_norgaard's activity in the archive.

Stories: 0
Comments: 132

Comments · 132

  1. Re:Setting aside the humor, do they have a point? on Retailer Refuses Hardware Repair Due To Linux · · Score: 1

    "They are also liable for damage caused by poor design, using known sub-standard components, and bad packaging that leads to damage under normal handling conditions."

    Poor design is rather vague. I recall some complaining that the power connector on laptops was mounted directly on the motherboard, meaning an accidental pull on the power cord could break the motherboard, a much more expensive repair than a simple change of connector. But, although everyone can agree that this is suboptimal - or poor - design, almost all models do this to save space and pieces. So the manufacturer was not liable. "Poor design" may be a feature.

    "known sub-standard components" - what does this term mean? How do you evaluate a component to be sub-standard? Manufacturers may choose to use a sub-standard component to offer a cheaper product, and you as a consumer decide whether to buy sub-standard products. I think there is a quite large margin before such claims can be made successfully.

    And bad packaging I think is part of the assembly. And normal handling conditions? Yes, but they do disclaim liability for wear and tear due to excessive use.

    I am not saying that you cannot claim the warranty in these cases, only that it is vaguely defined and they have more money for lawyers.

  2. Re:Setting aside the humor, do they have a point? on Retailer Refuses Hardware Repair Due To Linux · · Score: 1

    The seller has no say in the conditions of the warranty. The manufacturer is liable and the manufacturer must offer a 2 year warranty (EU) on mechanical and electrical devices. But of course they are only liable for damage caused by errors in the manufacturing or assembly of the product.

    Of course, the manufacturer cannot be held liable for damage caused by misuse. If you tinker with the product, the warranty is void. So the question is: Is changing the OS tinkering with the product?

    Well, you can't up- or downgrade either or warranty would be void? You may be allowed to downgrade as the product could be tested against older versions of Windows, but no way will you be allowed to upgrade - the manufacturer cannot guarantee that future versions of Windows will not damage the product (ok, that's 8 years away anyway but let's just assume that a new version would make it to the market). Can you patch your OS without voiding warranty? Maybe the security patches for Windows will break the screen too.

    This is absurd. Warranty is void only if they can show that changing the OS likely caused the said problem to occur.

    Anyway, the seller possibly just follows instructions from the manufacturer, so you can go to the manufacturer with the product for replacement or repair.

  3. Flaw in argument on 6 Months On, Vista Security Still Besting Linux · · Score: 4, Insightful

    There are several fundamental flaws in the arguments in this article:

    - He compares OS vulnerabilities of the first 90 days since first release. This doesn't tell us which OS is the most secure at this moment. Merely, it tells that more recent OS's have undergone more testing prior to release.

    - He notes 125 known issues with RHEL prior to release compared to 0 for Windows Vista, but of course no vulnerabilities are known prior to release as Vista is closed source and has not been available for public scrutiny, while RHEL is built on available open source code.

    But that's not all, differences in how bugs are classified may make some OS's appear more secure - it is known that Microsoft has classified vulnerabilities as bugs thus reducing the "official vulnerability number". Without a strictly uniform and independent classification scheme for bugs, there is simply no data to compare.

    A reasonable comparison would compare the OS's vulnerability issues the past 90 days, that is with fully patched systems. Known issues that have not yet been patched should not be included as this simply is caused by the longer time for scrutiny of older OS's. Secondly, bugs must be classified in a coherent manner: Remote root, remote user, local root, local user, DOS etc...

    This document is useless in the discussion of which OS is the most secure to run as of today. There is no way that a conclusion can be made in favour of any OS on the list.

    It appears that OpenBSD remains the most secure system, and I bet FreeBSD is a strong contender.

  4. Re:EU could learn from US too on EU Privacy Directive — Coming To the US? · · Score: 1

    It is not explicit, but as I understand it, it is implied. I just quickly reviewed the directives (95/46/EC):

    http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

    In 95/46/EC you have Article 6.e stating that data must be stored for no longer than needed in order to process the data for the purposes the data was collected. Article 7.a requires consent of the data subject or 7.b that processing is required to perform a task on the request of the data subject.

    Which, I deduce, means that if you object to data processing or terminate a contract or cancel a request, then there no longer exists the justification for storing data and they must be deleted.

    Or at least they must be deleted upon request: Article 12.b grants the subject right to "as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive". But when can this be used? Well, I guess if you have objected to the processing, then processing is against the provisions of the directive and hence data may be deleted - but IANAL.

    Now, the directive states some common requirements, but individual member states may add extra conditions and the directive also includes room for exceptions.

    Finally, I must correct myself, the directive does mention some controls, but in practice there is no inspection and while guidelines should be "encouraged" I have yet to see these. Investigation is not made until some data subject complains or other evidence shows up. And since there is no requirement to disclose incidents, everything can be kept quiet.

  5. EU could learn from US too on EU Privacy Directive — Coming To the US? · · Score: 2, Informative

    The EU directive is very good when it comes to specifying what 3rd parties may do with private data and giving the citizen rights to control the use of such data:

    * The citizen may request information of what data is kept
    * The citizen may require incorrect data to be corrected
    * The citizen may require data to be deleted

    Further, data must not be shared with states outside EU unless the EU has recognized these as providing adequate protection of personal data. US is not on the list (but Canada is) which is the reason of the current conflict over passenger data on transatlantic flights.

    But, the EU directive lacks one thing: Supervision. There are no controls implemented, no prior certification of data processing entities, no posterior audit to ensure that data protection is adequately implemented, not even common standards on how data must be protected. AND, there is no obligation to publicly announce data breaches.

    Certifying data processing entities and then granting these authorization to handle data is cumbersome and expensive and won't ever happen - fine. But, some control system should be established, and standards or guidelines should be made. Why is there no requirement to encrypt personal data when stored in a non-controlled environment (say mobile devices) and not in use?

    And after the data retention directive, which seems also to be on the road into US law, why did they not set strict requirements on protection of these data to ensure that they are only available for the purpose of the retention - investigation of terrorism? Why may companies retain such traffic data and store it unencrypted?

    At the very least, we could learn from the many US states that require companies to advise customers about data breaches and risk of abuse.

  6. Re:No legal advice is free on Closed Source On Linux and BSD? · · Score: 1

    If you choose a BSD style license, you can distribute the compiled code and charge anything you want, you are not obliged to make the source available. What you lose is that you can't charge your client per copy as the license grants them the right to create as many as they like. You can't link against GPL code, but you can link against LGPL and BSD code.

    This will be just fine in most cases where you have some special programs and custom code and the client really buys your service. Giving them the compiled rather than source just locks in the client so they will buy your service again, whenever a change is needed.

    If you go down, creditors cannot take code hostage. You can either release the code or start a new business with the original code. This gives your clients a security of availability.

    Hence, using the BSD license for your private projects gives you the best security and clean well understood licensing terms. The likelihood that your program will be distributed without you getting any revenue is limited unless it is a well known killer app.

  7. No legal advice is free on Closed Source On Linux and BSD? · · Score: 1

    Hey, the GPL, LGPL and BSD licenses are there for you to take and use. They have been through the lawyers and are well understood. If you want to write your own code and distribute it under other terms while using/linking against software under any of the mentioned licenses, you need to pay up for the legal advice. Go see a lawyer.

    But is it actually beneficial to use proprietary licenses for your code? This really requires you to write some awesome code that everyone wants - enough that they also want to pay you. OK, nice with some ambitions.

    Otherwise, as a startup, you may actually advertise it as a security that your software is open source: If you go out of business your code will be available for someone to continue and not in the hands of your creditors. Once you get some solid stuff going then you may change the terms.

  8. Legality: Let's sue Microsoft for not suing! on Microsoft Will Not Sue Over Linux Patents · · Score: 1

    OK, let's sue Microsoft for not suing us!!!! I want to collect the compensation for the loss of compensation for a failed lawsuit. It's their duty to sue us so we can rightfully claim our compensation.

  9. The obvious flaw on Piracy Economics · · Score: 2, Insightful

    is that giving away samples with limited lifetime will introduce your product while maintaining the potential customer because the trial product will eventually have to be replaced. But digital copies do not have such limited lifetime. And since any number of copies can be made, you lose not only the client that got a trial copy, but potentially the entire customer base. And those who offer complete trial versions soon find them to be cracked.

    The solution seems to be to offer limited versions that will show the client how great the product is, and how much greater it would be if they buy the official release. Say music in 96kbps mp3, it's ok on your iPod in the subway, but put it on your stereo and it sounds awful. Or the word processor with reduced dictionary, limited fonts and doesn't support large fonts - say above 18pt, or doesn't contain the print facility.

    Crackers won't add missing data to a trial version of a song, and they won't add missing functionalities to a program.

  10. Moka Express on What is Your Favorite Way to Make Coffee? · · Score: 2, Informative

    Drip brewed coffee and french press do not produce the full coffee taste as the water is too cold and only extracts some aromas.

    August 28 2000 was a significant day in my coffee life as I changed to the Italian Moka Express http://www.bialettishop.com/MokaExpressMain.htm. This radical change followed a change in my perception of what constitutes a true coffee experience after a visit to Italy. Since then I only drink moka or espresso. I bring my own coffee maker on any travels not destined for Italy. There should be left no doubt that a trip to Italy for the coffee experience is a must for the true coffee enthusiast.

    I think the best maker is the 2 or 3 cup size, the bigger makers have a higher water:coffee ratio. But the right maker is not enough, you gotta get the right blend of torrefacto and natural roast (torrefacto is made by roasting the beans with sugar). Shop around to find the blend and roast that you like. Once you have found your coffee pusher, stick with him as he will know your specific taste and preferences and make sure to have your blend.

  11. Re:That's the Problem on Time to End Microsoft's Patch Tuesday? · · Score: 1

    No. They should make patches available as soon as possible. The argument that administrators need time to test patches only makes sense if patches are available before rolling these out on production systems, whether patches are published a given day of the month or not doesn't change this.

    Making patches available as soon as possible, the administrators can schedule testing and patching as most convenient, maybe weekends are preferred for rolling out patches. And they can decide which patches to fast track, and which to delay to the regular updates according to how their systems are affected.

    What should be changed is that Windows update by default should download patches as published and delay installation till shutdown, unless marked critical. A critical update should cause an information message asking the user whether to update the system now or at shutdown. This causes the least user annoyance, and exactly that is what causes systems not to be updated. And of course, the administrator should have the ability to change this behavior to schedule updates at specific times on corporate networks.

  12. Re:Telecomm on US No Longer Technology King · · Score: 1

    It would be better to compare EU15, EU27 and US as these are comparable in population. Denmark is comparable to SF, and it would be interesting to see how SF would be ranked.

  13. copyright may stifle creativity on Congress Must Make Clear Copyright Laws · · Score: 1

    Indeed, copyright for the creative business is like software patents for tech. Only, you don't even have to show any originality in your work, just publish to get your rights! I really think that unless it is made clear what fair use is and when a work enters into public domain, copyright will stifle creativity.

    Some ideas:

    1) Unless the author explicitly claims copyright, the work should be public domain
    2) A work should enter into public domain a fixed number of years after first publication

    Reg. 1: Creative works should be registered, if not with publishers then with public directories that keep track of who is the owner of a work and assigns an identifier. Without that, it will be impossible to request permission of use or pay royalties to the author. If you can't request permission then it must be granted.

    Reg. 2: When everyone can publish it is practically impossible to track down authors and determine when they died. If currently royalties must be paid till 70 years after the author's death, then changing that to 100 years after first publication will amount to about the same on average. And everyone will know when the work enters into public domain.

  14. Re:Don't pass laws, create a business incentive on SCO Chair's Anti-Porn Act Advances In Utah · · Score: 1

    A .kids top level domain does not imply any filtering, it merely makes it possible. Nor does it in itself ensure any standard, such must be set by regulation. But if the objective is to separate kids friendly from non-kids friendly, then it will likely be more effective to create a .kids domain than a .xxx. I don't advocate any of these, I merely suggest which will be the more effective if it really has to be done.

    Inventing schemes that make filtering possible will never close the debate about what to filter or how to classify. My idea with an extra http header leaves the decision on what to filter with the user. The how to classify must be set by some authority, librarians are best suited to decide how. So while Pat Robertson (whoever that is) might not want your kids to read certain material, the choice remains with you.

    The big problem is classifying material when so many cultures coexist on the Internet and regulations differ in each country, for this reason classification should not refer to regulation as such but merely a content classification which local regulation can use (and even then content classification is ambiguous).

    I think content classification is good, it will enable the end user to decide and control what kind of content is desirable. But that decision should be left to the user.

  15. Don't pass laws, create a business incentive on SCO Chair's Anti-Porn Act Advances In Utah · · Score: 3, Insightful

    It is very unlikely that any site would adopt such ideas as moving to a specific port or top level domain on a global scale, basically saying "Don't enter here".

    Instead, it is more likely that businesses will adopt the reverse: Invent a means for sites to advertise that they are safe. A ".kids" top level domain would be much more effective than ".xxx", toy stores and other businesses targeting children would make sure to get their site up in that domain to reach their audience.

    For the same reason, a technical means for sites to optionally advertise the content rating should be considered. The current http header lets the client specify a string of preferred languages, this lets servers redirect a request to the best matching language, or accepted formats.

    Similarly, one could add a header in the request accepted content classes. The response header should contain the actual classification returned. Servers not returning a classification should be treated as not-rated and may default to block or pass.

    The neat thing about this is that search engines will also get the classification header and a search query can restrict to matching classification. This way children won't find undesired results. Also, it provides more granularity, individual URLs can be classified differently.

    Of course, there are two problems:

    - It can be spoofed - but the question is if there is a business incentive to do so.

    - Standardizing classification is very difficult, but at national level should be possible. The class codes could be prefixed by the national codes.

    Many sites might just remain non-classified, but if schools and institutions say that they only allow classified content, organizations will adopt this to reach their audience. If laws are passed to hold organizations liable for spoofed classification (but not lack of classification) then this might actually work: Those who have a business incentive will get reliable classification and the rest will simply remain unclassified. And no one has to move their domain and reestablish their name.

  16. Don't bring your notebook on Gadgets You Backpack Around the World With? · · Score: 1

    Theft is a risk, but I think it is much more likely that you'll throw it away! Too heavy.

    Really, there are only two situations that you should consider bringing your notebook:

    * if you need special applications that you can't expect to find regularly on internet cafes or hostels, and can't run off a cd or usb stick.
    * you are really not going to travel around, that is, you are going to stay 4-5 places during that year and travel by plane.

    The notebook is no advantage for updating your blog - you need to bring an internet connection. I guess 40.000 km cable will do - and 10 times as many runners!

    I'd bring a USB stick with putty and my keys, and possibly other apps I'd likely need (winscp). Then I can always upload photos to my home server. Many places will likely offer to burn cd's with your photos if needed, or if you really need a lot of storage, consider buying an external USB disc.

    If you really can't live without your notebook, then you need to get a tiny one for two reasons: Low weight and size. If it is small then it fits into a small unsuspicious bag which will reduce your risk of theft. Don't bring it in a standard laptop bag that shouts out "here comes $2000!". Stick to a 13" screen size and absolute max 14, which still fits in a standard school bag.

    I have found, being without my notebook is a good therapy against my Internet addiction. Try it - you'll be surprised how much more time you have to actually go out and experience things in the country you visit.

  17. UFO's LAND HERE on Spamming Google Maps · · Score: 1

    Who knows if aliens use Google maps?

  18. Re:Isn't the real problem on When Your Site Ceases To Exist · · Score: 1

    No. I would very much like to be able to search including forums for answers to problems. Excluding mailing list archives, forums or blogs would make it much more difficult to find such answers.

    Rather, Google should only derank temporarily, they do keep coming back to check the site. So, if the offending material is removed, why don't they reclassify the site to the original? Sure, not from one day to the next, but all sites they index are indexed every month, so some 3 months, say, to verify that the problem has been solved permanently.

  19. Google's right on When Your Site Ceases To Exist · · Score: 1

    It is entirely in the rights of Google to alter their indexing at will, it is unfortunate if your business depends on a free service, so much more is it in your interest to secure your site against abuse.

    The same shit happened to me more than two years ago. I not only removed the offending pages, but actually return error code 410 GONE which should mean that all references to the resource should be removed. Despite that, I still see robot queries for these pages, as late as December Google tries to fetch the offending pages, and I also see real user requests to the offending pages - somewhere on the Internet, links must still exist, despite these pages only having existed for a month. But I can't find them, and they don't show when searching for links to my page.

    My site is indexed now, but I have never regained the ranking.

    What Google should offer - knowing problems with forum and blog spam - is to temporarily derank the site. If a site is deranked because of such spam a flag should be made in the index, such that next time they come around they will check if the page is still offending.

    Google does offer in their webmaster tools both the opportunity to report spam on web pages, to get these pages removed, and to request reinclusion.

  20. Re:While at it: FLAC for portable devices on Does Portable Music Have to be Compressed? · · Score: 1

    The iPod supports FLAC? Out of the box? It's not on the list of supported formats, only Apple lossless. I haven't bought one for this very reason.

  21. While at it: FLAC for portable devices on Does Portable Music Have to be Compressed? · · Score: 1

    While this is up: Are there any portable devices that support FLAC? Or any that supports a firmware upgrade or software upgrade such that FLAC will be available?

  22. Re:Punish The Malicious, Spare The Ignorant Innoce on U.K. Outlaws Denial of Service Attacks · · Score: 1

    You have some good points.

    1st: The of proof: Say the DDoS is a SYN flood or DNS flooding, then it is impossible to tell which packets were legitimate, but failed because of the attack, and which were part of the attack. But if this is a mail flood or HTTP attack, then it is much easier to prove that this was indeed part of a DDoS - or just part of an attack.

    2nd: True, there are plenty of countries in which I don't have the resources to bring the case. But then: Small businesses and individuals which don't do business outside their own country can mitigate the problem: Why allow access from non-potential business partners or customers?

    3rd: Yes, your part is almost nil, which is the problem in many attacks today, but then: This year in UK (I think in February) a guy managed to get £300 for a (one) spam mail in a civil suit: Compensation and covering of the costs, with reference to an EU directive. So, if compensation is something in that order - anyone under attack knows it's raining gold!

    4th: You're still liable, negligence just increases the risk that someone will hold you liable for illicit actions. Negligence becomes a problem between you, your insurance company and the vendor.

    Given 3, there are other problems that I find much greater: Proving the accuracy of your logs.

    Now, think liability in other types of attack: Say some cracker breaks in and steals secrets, destroys data or otherwise causes service interruption.

    The losses in such a case are potentially much bigger. The target, knowing they don't have to track down all the way to the very end in order to bring the case in court, will be more likely to bring the case to win compensation. This means that individual users will do more to reduce their risk of being victim not because of their own losses but because of the potential damage they can be held liable for. How many times have I heard people say they don't care about security because they have nothing secret on their computer?

    So, introducing liability will improve security. And this will also have the positive effect in the cases of DDoS and similar where cost of investigation does not match the possible win.

    And insurance companies will be there to offer the insurance you need - even allowing you to install whatever you like. It's just a question of assessing the risks and the costs. They might have you pay the first $1000 damage - this gives you a clear incentive not to be too ignorant. And ignorant aunt Alice will pay certified people to install her computer and not the neighbor's 11-year-old son.

    You have to keep in mind that products are currently not designed with liability in mind: Everyone disclaims liability, it is not fair to introduce liability all the way through from one day to another: Everything would grind to a halt. Rather than starting at the end user, start with the vendors and the ISP's. They have the expertise and resources to make a big difference.

    But, the positive side is: A new market will be created, where security is a feature, and people will evaluate security along with other features when choosing their product.

  23. Re:Carjacked! on U.K. Outlaws Denial of Service Attacks · · Score: 1

    I think your right to be ignorant stops where your ignorance causes harm or damage to others. Freedom comes with responsibility, you can't enjoy the freedom and then pull out "infinite stupidity" as excuse when someone comes to hold you responsible for your actions. If ignorance served as the universally acceptable excuse for any action that causes harm, where would we be? Ignorance of the law doesn't give you the right to break it.

    You're defending those making the attack possible at the expense of the target victim. While these "ignorant mediators" are also victims of abuse, I don't think it's fair to clear them of responsibility. As much as they are victims, they are also part of the problem, and they are the only ones capable of taking action to solve that part of the problem.

  24. Re:Carjacked! on U.K. Outlaws Denial of Service Attacks · · Score: 1

    I think that we very much agree: As the situation is now, imposing liability upon the individual is unfair. The individual has no means of evaluating the product and the vendor disclaims all liability for it. I don't like the word "penalizing" because it indicates a criminal penalty, I like liability, indicating the covering of the economic costs of compromise.

    The idea of liability is to create an incentive to act for those able to:

    The software vendor will have an incentive to create better software from the start, and ensure that software is updated ASAP when flaws are known. Currently, there is no such incentive, vendors don't need to patch a flaw and often postpone it to next release or regular update unless an exploit is found in the wild. The customer will have an incentive to read and follow the instructions and keep his system up to date to avoid abuse.

    I think this is important, because, even if you are unaware of a compromise, you are the one with the power to secure your system. No one else can secure your system without breaking the law. So, you should be liable for making sure that your system is secure. If you secure your system following all the instructions given, then liability is transferred to the vendor.

    I don't particularly advocate open source as the solution, although I use my favorite flavor. I advocate liability unless it is open source. I believe you should only be able to disclaim liability if you also disclaim all rights to control the product - ie. open source. But one could choose to publish the source code to disclaim liability, yet maintain copyright and impose restrictions on redistribution.

    Back to aunt's and uncle's lack of understanding: You are defending ignorance, and I can't accept ignorance as an excuse for negligence (as in "oh, I didn't think that WMD could kill a lot of people, how stupid of me not to secure the code. Well shit happens"). If you don't know what you are doing, don't do it. If you do it anyway, you're liable. If you feel a need to cover your ass, get an insurance.

    We generally accept that people should have drivers licenses and flight certificates before using these vehicles, because of the potential damage they can cause. Why is it acceptable to have your uncle and aunt terrorize the Internet with their ignorance?

    Before you reply: Please remember, all of the above assumes that liability is applied all the way up to the vendor.

  25. Re:Punish The Malicious, Spare The Ignorant Innoce on U.K. Outlaws Denial of Service Attacks · · Score: 1

    BTW: For those who disagree with me, here's the weak point in my argument: The problem is that one vendor selling one product will accept liability for that product - unless the users tinker with it! But pc's are general purpose products - made for tinkering.

    And of course a software vendor has no way of testing all the possible combinations with other software to ensure that it works correctly. Hence, software vendors can with reasonable legitimacy say: But you installed product B and we won't accept liability if that product is also installed.

    Microsoft actually does address this issue, when you install software not signed by Microsoft a warning is issued. Some vendors pay Microsoft to sign their software, others don't care. The warning is that the product may not be trustable, but really it could be: Installing this product will void warranty.

    The OS vendor will have full control of who gets the magic signature, and everyone else will void warranty. This is perfect if you want to defend a monopoly.

    Then take for example the case where a user listens to a CD with copy protection from Sony which installs a root kit. Then the pc is compromised, and figuring out whether to blame Microsoft or Sony becomes tricky: Did the hacker exploit the Sony rootkit or did he use a bug in Windows?

    So, unless we can find a balanced way of imposing liability on software vendors, it could cause the end of the "general purpose" pc. Instead, one would have to purchase a pc for writing documents, and another for e-mail.