But you'd still be crazy to browse the web from an OS that hasn't had any security updates in years.
Dare I ask why? Unless you know of some security vulnerability in Win 9x's TCP/IP stack, I'm not sure what would be the problem in running Opera 9.51 on Windows 9x. Should you use outdated flash plugins, java plugins, etc? No. But you don't *need* those to browse the web (and odds are good that if you're running Win 9x, you're using a machine that wouldn't work well with the latest flash/java apps anyways).
I wouldn't advocate people go out of their way to use Win 9x for web browsing. But, unless you can describe an actual attack vector instead of general fear mongering, your complaint falls into the same category of bitching about *any* computer accessing the web. All computers have the potential to be exploited (that's a failing, of sorts, of computers). But it'd be nice to hear a bit more pragmatic argument than general handwaving.
Where he isn't right is about OpenBSD - security is a by-product of fixing bugs.
Security is a by-product of a philosophy of "what could go wrong and how do we prevent it proactively"? To that end, I'd say OpenBSD still has a way to go with security. While it might be hard to go through and audit tons of code, it's much harder to create the necessary* provably correct code so that one can be sure things can't go wrong. But the OpenBSD philosophy doesn't seem interested in exploring such long-distance considerations, so I'd say it's in the same boat as Linux and Windows. It's just more proactive on the code auditing front.
*It's very difficult to define "necessary" in the scope of a computer system and security. What can go wrong is certainly contextual for many people, so it's quite possible that multiple proofs under multiple well-defined contexts would have to be adopted with people choosing the context best suited to them to obtain the desired security. This, of course, assumes that it's at all possible to prove enough code (I doubt all code needs to be proved) to be certain that, at least within the context of the code**, there is no security problem. AFAIK, we're still very far away from knowing if it's possible.
**The hardware can undermine your code, but you can make allowances for defects in hardware you know about. If the hardware isn't proven correct/consistent, then you will always be on shaky ground no matter how proven your code is. We're still a long ways away from even this. And something like TPM is unlikely to solve the problem.
Use 'unset HISTFILE' in every terminal that uses the secret volume.
Are you sure your editor isn't leaving autosaves in /tmp?
Mount /tmp as a ramdisk.
There could even be plain text in your swap partition.
Encrypt your swap with cryptmount*.
It's hard to really know.
Agreed. You failed to mention things like ~/.thumbnails/ or ~/.gimp/tmp/, to name a few. All-in-all, this is exactly why the only safe thing to do is be paranoid and encrypt the whole thing. Even then, though, I'm not sure how feasible it is to create a plausibly deniable full system. That's the sort of thing that'd seem to be nearly a full time job in itself.
*I'd imagine that actually doing so just makes you look extremely guilty, as it shows a real depth to one's paranoia (just like your disable swap and link ~/.bash_history to /dev/null). And at that point, the most paranoid thing to do with Truecrypt would be to take advantage of the "Plausible Deniability" feature. So, it's sort of a Catch-22: the more you try to patch possible leaks, the more clear it is you're trying to patch possible leaks.
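The exchange above is effectively a checklist (no shell history, /tmp in RAM, swap encrypted, application caches under $HOME). As an added example that is not part of the original thread, the POSIX shell script below audits those leak points. Each check takes its input as an argument, so it can be run against constructed sample data as well as the live /proc files; the list of cache paths and the `--live` flag are my own choices, and the swap check assumes that a /dev/mapper device on this box is a dm-crypt mapping (an LVM swap would wrongly pass it).

```shell
#!/bin/sh
# Added example, not code from the original thread: audit the plaintext leak
# points the comments list. Checks read their input from arguments so they can
# be exercised against sample data; main() feeds them the running system.

# 0 if /tmp is mounted as tmpfs (a ramdisk) in the given /proc/mounts text.
tmp_is_ramdisk() {
    printf '%s\n' "$1" | awk '$2 == "/tmp" && $3 == "tmpfs" { ok = 1 } END { exit !ok }'
}

# 0 if every active swap area in the given /proc/swaps text is a device-mapper
# target. Assumption: /dev/mapper/* here means dm-crypt (cryptmount, or a
# crypttab swap with a random key); an LVM swap would wrongly pass this check.
# No swap at all also passes, since nothing can then be paged out in plain text.
swap_is_encrypted() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 && $1 !~ /^\/dev\/mapper\// { bad = 1 } END { exit bad }'
}

# 0 if the shell will not write history: HISTFILE unset or empty, or /dev/null.
# $1 is the HISTFILE value to inspect.
history_disabled() {
    [ -z "$1" ] || [ "$1" = /dev/null ]
}

# Print, one per line, the well-known history/cache paths under $1 (a home
# directory) that exist and are not symlinks to /dev/null. The path list is a
# starting point taken from the discussion, not a complete inventory.
leak_files() {
    home=$1
    for rel in .bash_history .viminfo .lesshst .thumbnails .gimp/tmp .cache; do
        p="$home/$rel"
        if [ -e "$p" ] && [ "$(readlink "$p" 2>/dev/null)" != /dev/null ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Run the checks against the live system (Linux /proc layout assumed).
main() {
    tmp_is_ramdisk "$(cat /proc/mounts)" && echo "/tmp: tmpfs" || echo "/tmp: ON DISK"
    swap_is_encrypted "$(cat /proc/swaps)" && echo "swap: dm-crypt or none" || echo "swap: PLAINTEXT"
    history_disabled "${HISTFILE-}" && echo "history: off" || echo "history: HISTFILE=$HISTFILE"
    leak_files "$HOME" | sed 's/^/leak candidate: /'
}

case "${1-}" in
    --live) main ;;
esac
```

Run it as `sh leakcheck.sh --live` from the terminal that uses the secret volume. It only reports; the fixes are the ones the thread names (cryptmount for swap, tmpfs on /tmp, pointing history at /dev/null), and a clean report from this script says nothing about other applications' scratch files that the path list does not know about.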
My conclusion is that with some basic precautions and common-sense (plus no email and only visiting "well known" websites) it's quite feasible to run a windows box for dedicated applications 24*7 without the overheads of virus protection.
It's interesting you say all that because I have a suggestion for a test. On the one hand, you can use a fully patched Win2k/sp4 machine, but you're required to use Internet Explorer with javascript, java, flash, etc installed. On the other hand, you can use a fully unpatched Windows 2k machine, but it will use a hardware firewall and use the latest of either Firefox or Opera, but have javascript, java, flash, etc disabled for 99% of websites (including youtube, myspace, etc). The only limit on the actual websites visitable is not being allowed to go to known demo websites for exploits or to specially crafted websites by you just to intentionally attack one or the other machine. Which machine do you think will become infected first?
My bet is that the fully patched machine will be infected first. Why? Because the two main avenues for attack on a Windows machine are Windows' crappy default services being enabled along with tcp/ip stack exploits and javascript/flash/java exploits, especially through Internet Explorer. Truthfully, the same avenues hold for Linux and Mac OS X (minus Internet Explorer).
The core weakness is a lack of robustness in most software. Until that is fixed, then yes, removing as many unknowns as possible greatly reduces the risk. It's a sad commentary, though, that so many hoops have to be jumped through. Perhaps, some day, a group (like OpenBSD) will do a code audit of Firefox (and java, flash, etc) so such fears will be mainly a non-issue.
You give me yours, and I'll give you mine. We can then sue each other in small claims courts.
PS - Btw, yes, I did realize what I was saying meant people could start suing each other. But realistically, just as most people don't sue each other over copyright violations, it's unlikely that most people would sue each other over their contribution to global warming.
I entirely agree. And with the EPA out of the way, the oil companies can be sued into the ground. After all, if Grokster can be sued into the ground based upon contributory copyright violation (and copyright isn't even a right), then certainly oil companies can be sued into the ground based upon contributory property damage (aka all those nasty effects of pollution (poisoning waters, crops, etc) and global warming (flooding, droughts, etc)) and contributory littering (soot, CO2, mercury, etc).
Until now, companies could always claim that the EPA effectively immunized themselves from lawsuits because they were following the law, which itself implies that nothing improper was happening. But if the EPA and its powers don't exist, then one can only really base one's decision on property law. And I think it's pretty clear (certainly above preponderance of the evidence) that polluting upon others' property is illegal and creating a whole industry based upon that is illegal as well.
There are many uses for encryption, such as (as others have suggested elsewhere in this comment section) financial records and almost anything to do with business clients/other peoples' data (encryption should have been in use on the disks which were lost in the UK fairly recently).
I think that highlights my point quite well. Just because encryption can be used for financial data doesn't mean much if there's a history of people not using encryption for financial data. In short, that strongly implies that the only people who would bother to use encryption software are the ones with something to hide, ie criminals.
The fact that you hand over a password doesn't matter much. Why? Because (a) law enforcement will figure out that Truecrypt can contain a hidden volume and (b) if the data they do find with your first key isn't incriminating enough, it implies to them that you're using a decoy. Plausible deniability rests upon the presumption that your denial is plausible (obviously). If the vast majority of people don't use encryption and further of those that do, only a small fraction use software that can contain decoys, then a lot of your deniability isn't plausible enough.
You put plausible data into the encrypted volume, when they ask for your password you give it up, they access the encrypted volume and see you got porn/financial stuff/what nots you don't want others to see.
No, I think you're missing the point. Let's assume, for a moment, you're law enforcement. Now, from your perspective, encryption is a means of hiding information from the law.
If encryption is a standard feature that everyone uses, then everyone is hiding information from the law. But, since not everyone is a criminal, that means one can't presume that encryption is equivalent to a criminal hiding criminal activity.
If encryption is a non-standard feature that some people use, then everyone using that encryption might very well be a criminal. In fact, law enforcement very well might believe that encryption is equivalent to a criminal hiding criminal activity. In that case, giving them a second password with "incriminating information" only works if that incriminating information is itself illegal. Unless that's the plan, to trade the possibly 30 year prison sentence for the 5 year prison sentence, then the idea that you can just give a password to data "you don't want others to see" as some means of sating the law enforcement is absurd.
In short, using encryption makes you a criminal. The very fact that you won't turn over the password for the incriminating evidence only proves to them that you're hiding even worse (ie, 30 year prison sentence worthy) data. The only way to actually counter this is to get so many people using the encryption software that the existence of encryption software isn't enough reason for the police to even bother trying to get you to hand over a password, as the encryption software isn't reason enough to presume anything. Of course, if they have evidence that leads them to you, you're back to the position of them just assuming you're hiding the illegal data somehow.
In other words, "Do as I tell you, or you are a dumb slave"
No: "Enslave yourself and you are a slave."
If you lie, you're a liar. If you enslave yourself, you're a slave. If you fornicate, you're a fornicator.
You're a slave (I am too, btw). That's a fact. Why are you upset with the messenger or inclined to add in judgements about intelligence that aren't stated?
The point of a charity investing a hunk of its money is so that it can exist beyond its initial contributions. If the charity just blows all of its money, its life will last as long as people contribute to it and die the day that stops. On the other hand, if you dump a shit-ton of money into it, have that money start making a healthy interest rate, and just spend the interest, the charity continues on basically forever with its supply of cash always building, or at least remaining the same.
Okay, but *why* should one create a charity with the intent that it exist forever? If the charity has a noble end, it should work towards that end and disband when it has reached its goal.
If it fails to reach its end or it has no end, it should spend what money it has as best it can, not devote itself to itself. Such makes it no longer a charity but a being unto itself. And that's the antithesis to what charity is.
So, I'm not sure I'm getting what the problem is exactly. What's stopping the creation of programName-Setup.exe that will install the package-install (if not already installed) and will launch package-install to actually install programName (along with dependencies)?
As far as users are concerned, it'll just mean two progress bars. One will be for download progress of all packages. The other will be for the install progress of all packages. This isn't at all different from any other network based installer. The only real problem possibly is orphaned packages, but even that is probably fixable by auto removing orphaned packages.
Except for the fact that, AFAIK, the above hasn't been done, what's particularly undoable about it?
... Apple lawyers recognize an extant de jure risk, yes?
Again, yes. And again, that's why BSD-like licenses are selfish, for they attempt to shield the author from all possible damages, even those that arise from the obvious failings on the author's part (this goes back to your example of a burglar falling through a skylight). And just like the burglar example, it's probable that common law (if not actual statute) prevents such disclaimers as are found in BSD-like or Apple licenses from applying in actual cases where a person being harmed ever has a reasonable chance of winning; but, that just goes back to there being little to no tort suits over software. Of course, lawyers will write in the legalese just in case it does happen to shield them from liability.
Whilst your first paragraph attempting to contort the application of force into a defense of freedom is pure sophistry -- did you help out the Bush administration with justifications for invading Iraq, perchance?
Non sequitur. Countries don't have rights. People have rights. People exercising those rights may infringe the rights of others. There is no right to forbid the copying or redistribution of a work. Such is a state created and enforced privilege. Such is why in the US Constitution the basis for copyright is granted as a power to Congress, not listed as a right under the Bill of Rights. Further, the GPL uses the state granted privilege in an attempt to partially restore inherent rights. The courts could, assumedly, state that since the intent of the state is likely to inhibit such rights, one can't use one's privilege in such a way. But, the courts don't seem inclined to infringe upon the privileges of individuals simply because the courts are unhappy with the consequences of individuals exercising those privileges; at least, they're not inclined until the legislators spell out such intent to inhibit such rights.
this deserves some further exposition.
Indeed, if you release source into the public domain you should be held accountable for its use and effects through tort law. An analogy would be that if you allow public access to your private property, you have a duty to ensure a basic standard of safety to those allowed to traverse it. And every so often, indeed, you do hear of some abuse of that, like a burglar who falls through a skylight and successfully sues. But generally, the law of torts functions properly, that if you provide a public service you accept liability for its consequences. Why, indeed, should source code I release be treated any differently than the path through my woods I allow hikers?
Yes, but now you've stumbled across the peculiarity of software in general. How many people have sued *any* software maker for defective software? While there is legal basis under tort law to sue, the fact is, it's neither a common practice to sue over software in general when it comes to harm nor apparently is there enough case law to easily allow a person to win if they were to bring suit. EULAs or redistribution licenses are unlikely to shield the author from a legal perspective because, as you note, there is an assumed level of liability for allowing access to an otherwise private thing. But, de facto, the suits just haven't been filed and the risk just isn't there; at least, it isn't there yet.
PS - And obviously, this is all based upon my limited understanding of things as a non-lawyer.
Er, no. The GPL builds upon state protected monopoly rights as well. Otherwise, how could it be enforced?
You're right, but that's a narrow interpretation of intent. As much as the GPL builds upon state protected monopoly rights, it does so as a means to void* said state protected monopoly rights indefinitely for all such licensed code. Things like the public domain and various BSD-like licenses only attempt to void** state protection as far as their own distribution goes. The real end goal by some, but not all, supporters of the GPL is to end state protected monopoly rights fully, thereby voiding the concept of enforcement or the need to fight towards the legal use of code from whatever code is made available. Considering that such is unlikely to happen any time soon (ie, within the lifetime of most people today), the GPL is the best license so far readily available to avail themselves towards that end.
*This isn't entirely true, obviously. The GPL doesn't merely grant reuse/redistribution rights. It comes with the burden of releasing source code. Obviously, if copyright didn't exist, there are many people who would refuse to release the source code, which would require disassembling binaries to reconstitute source code***. This, btw, is obviously a huge pain in the ass and many who support the GPL are unwilling to allow copyright to disappear completely because the perceived trade-off of legal reuse/redistribution rights of all code versus the actual hurdles introduced from people legally close-sourcing any or all code is too great. Obviously, this is a selfish abuse of state monopoly rights.
**While the public domain does void use of all state monopoly rights, BSD-like licenses are different. Specifically, like the GPL, BSD-like licenses rely upon redistribution rights to obtain indemnity of various kinds. In theory, something released under the public domain that did harm would put the author in legal jeopardy under which they would not be if said code were BSD licensed. Truthfully, except in malicious cases, there is de facto indemnity over public domain code--and in malicious cases, no license or lack thereof is likely to help. In short, those who use BSD-like licenses are selfishly covering their ass through abuse of state monopoly rights.
***One could make a derivative of the GPLv2 that removed the source code requirement and the legal liability indemnities. If anything, I believe that this license would actually be more free than a public domain license because it exerts the most effort to usurp the infringement of the inherent right to copy with the least inclusion of other, selfish wants. Now, obviously this license could be said to be selfish on its own too, but then the desire to use one's own inherent rights can obviously be said to be selfish, but justifiable. Certainly, so long as laws are created to infringe such rights, there is no perfect solution.
PS - Yea, I realize, I'm retreading a lot of what you've said. I just wanted to, selfishly, spell out the issues more thoroughly.
I think it goes more like, "Geez, with a gun ban, I don't have to bother with a gun. I mean, you can buy a knife anywhere, but gun ownership has all sorts of safeguards and there's been tons of effort to try to keep track of all gun owners. But, everyone has a knife. Everyone is a suspect."
And in response, "Well, yes, this does mean that any two bit hood can rob a store; but those who use guns now may well use a knife instead. But, as rarely as armed (with a gun) robbery results in injury or death, the odds of armed (with a knife) robbery resulting in injury or death are even lower; those with a knife will have a harder time attacking since knives are a low-range weapon. So, robberies might go up and store owners might be more defenseless. But, most armed robbers--and armed robbers are the perceived main user of guns in urban areas--are in it for the money. So decreasing resistance is good to decrease physical harm, even if it might increase the overall crime rate."
In short, to presume that all criminals have guns readily available for use or can readily obtain them is silly. And to presume that resisting in all crimes is good is also silly. Of course, I don't feel that the possible advantages outweigh the potential losses. But I think this idea that it is merely to "level the playing field" without any other consideration really doesn't consider that even with an unlevel playing field, the situation might be physically better for all parties involved. Certainly, trying to simplify it down to "legislators are dumb" doesn't really try to look at the situation with consideration for how the real world works.
Still, supporting the actions of OBL, killing innocents while unprovoked is worthy of that label.
The issue is, it wasn't unprovoked. As much as people might hate OBL or think that the response was out of line, America *did* repeatedly meddle in the affairs of Afghanistan and Saudi Arabia. If one considers that all such meddling was the result of capitalistic interests, then attacking the World *Trade* Center does make sense as a target.
I disagree with your stance on justifying terrorism in war time. See, that's what separates civilized societies from barbarians.
It's funny you say that. America has engaged and/or participated in terrorism not only in wartime but in peacetime (at least, in times of undeclared war). The fact is, war, declared or otherwise, is inherently uncivilized. Hence, pretending that you can apply civilized standards to it is absurd. This is one reason why not only should war be avoided in general but why having undeclared war is so undermining to any claim of civility of a nation.
You, like millions of others, have been duped about Iraq's stability, unless of course you consider a tyrant running the country into the ground to serve his own family and needs for nearly 30 years stable.... Sure, stability is a relative term, and I suppose when compared to the poorest Arab and surrounding countries, it would appear that Iraq was stable leading up to the war, but that simply isn't true. Constant war during the 80s, a war in the early 90s, followed up by 10 years of near-war (complete with a war time deployment for me in the late 90s that never materialized), then again war in the 2000s. Those are NOT the earmarks of a stable country.
Yes, stability is always a relative term. While people may hope and/or assume that countries will exist in a decade, the idea of assured stability is absurd; look no further than the USSR for an example, from the perspective of 1982. If you want to argue that land-grabs make a country unstable, I'd agree. That's why colonialism and imperialism are bad; they make not only the host country but the occupied country unstable. And as for wars, I would tend to agree as well; although, the US has been in "wars" of some nature every decade for the last 60 years. I guess it could be argued that the US is different, for it engages in proxy wars and fights far enough away from its territory with troop levels low enough to leave enough troops to defend itself; similar things were done during the many wars of Europe during the 1600s-1800s.
So, to clarify, in total war there is inherently instability. But in simple war, this is not necessarily the case. And Iraq has certainly engaged in much more total war than the US has, so I would agree it's more unstable than the US.
That's because Germany and Japan were already industrialized countries, unlike what we are in now.
I see. So, are you trying to argue that either (a) the Marshall Plan wouldn't directly work or (b) something like the Marshall Plan, tailored towards the socioeconomic situation, wouldn't work? Because while I can understand the former, I don't understand the latter. And if you're arguing that a Marshall-like Plan is doable, I can only ask why it isn't being done? Unless, of course, you believe engaging in terrorism in Iraq is somehow the way to go to achieve that end.
Blaming the US for destabilizing Iraq and Afghanistan would require Iraq and Afghanistan to have been stable in the first place.
I'm sorry to break it to you, but Iraq *was* stable. Even amongst the suffering caused by a decade of economic sanctions, Saddam's government was still in power and able to keep the populace in line. Now, you could argue that this is a bad thing. But, the issue is one of whether Iraq was stable or not. However, if you meant that Iraq was destabilizing on its region of influence, I'd agree. But, then, so is the US destabilizing on its region of influence. I don't think that makes the US as unstable.
As for Afghanistan, you're right, stability was questionable, at best.
How can advocating the acts of OBL be seen by anybody as anything BUT blaming America first?
I think you missed his point. While there are those who "blame America first" regardless of the situation or circumstance, there are those who in response will claim that just about any blame being laid upon America is ranting from "blame America first" individuals. Both positions are nonsense, as clearly America is neither blameless nor totally blameful for the state of the world. To that end, he was mocking the anti-"blame America first" because the anti-dogma is being used as a smokescreen instead of having to actually consider and discuss the situation.
Regardless of how dastardly one may think a government is, no terrorist has any right to kill 3,000 civilians, FOR ANY REASON
I disagree. As horrible as it is, there are times in war when it is necessary to commit otherwise atrocious acts because it is pragmatically impossible to avoid the killing of uninvolved civilians. The truth is, in few conflicts are there uninvolved civilians, only different levels of involvement. But, again, the truly uninvolved are sadly the fodder of a war machine involved too much in winning and less in the rights of individuals. Until such time as humans are consistently moral*, I don't see how it's pragmatically possible to avoid the use of guerilla warfare/counterinsurgency/terrorism in warfare.
--especially when the only reason is because one back-assward thinking theology thinks it is better than another back-assward thinking theology.
Do you mean democracy over Islam or Islam over democracy?
*For purposes of this discussion, morality will be defined as at minimally respecting the rights of life, liberty, and the pursuit of happiness.
Regardless, war is uncivilized. Anyone that thinks otherwise should do some research.
Granted. And this leads to the real question that should be asked: "Have tactics in this manual actually been used in a non-war?" When it comes to the US, the answer is yes. This is the real reason why war not only needs to be declared but the power is invested in Congress. None of the actions listed in the Counterinsurgency Manual should be applicable in Iraq.
War is hell. What is worse is when even peace can be treated as war. But, then, it's just another example of wanting wars to be actually declared, criminals to be actually tried, and warrants to be actually properly issued for actual, specific, and reasonable suspicions. It's funny that national security can be so readily used to hide abuses. But, I guess it makes sense if one considers that the US will exist as a nation, regardless of whether it's a democracy or a dictatorship. All hail nationalism over forthright democratic character.
The US response to the attacks was totally illogical because people felt threatened and this caused them to stop using the higher levels of their brains. They instead, reverted to their reptilian "flight or fight" instincts.
A small correction. Their representatives, either through the "rever[sion] to their reptilian... instincts" or through a more calculated choice to do what their constituents wanted, followed through with irrational attacks against Afghanistan* and then Iraq**. Personally, I'm inclined to go along with the latter. Most people, politicians and otherwise, are more willing to sit idly by and agree with the majority on issues than stick their neck out, be it for fear of not being elected or for fear of being physically harmed.
Yes, there was a small chance that a single voice, casting light on the irrationality of the demands of the people would turn that person into a martyr. But, odds are good that one martyr would stop people long enough to realize that their demands *are* irrational. People don't like to get their own hands bloody. They don't want to appear like monsters. Sometimes someone has to stand up and risk death to break the skin on the drumhead.
*The fact is, no matter how much the Taliban was effectively flipping the bird at the US, the US had no reason to go and overthrow a whole government just to kill or capture *one* man. It was *ONE* man that the US was after. Now, it could be the case that in the pursuit of that one man, the US would violate the borders of Afghanistan and get into a conflict with Afghanistan. But, assuming the US's efforts were directed well enough, odds are good that either (a) we would have found that one man and been able to leave without Afghanistan able to do much but whine about the US's actions to the UN or (b) we would have eventually gotten China's or Pakistan's support when that one man left the area, thereby allowing the US to leave (and again still leaving Afghanistan to complain to the UN). Instead, the US clearly had an intent to get rid of the "annoyance" that was the Taliban, and hoped it'd be simple to find said man, disregarding that a part of the reason the Taliban didn't want to try to find said man was because it was so difficult.
**I don't think I need to say a lot about this, except to point out that if the UN weapons inspector doesn't think there are WMDs, then I'd want more than a few "intelligence reports" that, invariably, will include just about every possibility just to cover their ass. Certainly, I wouldn't start a ground war against a foe who had very limited ability to disperse WMDs except to slow moving, near targets (ie, ground troops), regardless of how "lightning fast" my ground forces were.
PS - This subject really eats at me a lot. Why? Because GWB was a schmuck. Specifically, until the point of 9/11, the media so often reported just how much time he spent vacationing and so little time doing anything relevant. Once 9/11 happened, GWB was so quick to appear for the photo-op and to be the "tough and strong" (not wise and reserved) leader that'd "kick ass and chew bubble gum". Hell, I rather expected GWB to be there and take advantage of the situation as best he could. And the fake bravado was to be expected to an extent, since GWB was not at all regarded as the intellectual type to actually *ever* step outside the "reptilian" brain. But the fact that he took it so far for so long and no one who had a real opportunity to stand up and make it well known how fucked up the situation was becoming (eg. the media for pointing out how much of a schmuck Bush was to be hogging the camera to play war games; eg. Congress authorizing anything remotely close to force to Bush after it was clear (a) he wanted to fight wars, not just use the military to get what the US wanted and (b) he really sucked at reaching the intended objective). Of course, even I, a lonely voice, could be blamed because I wasn't shouting at the media or involving myself to effect change early enough or aggressively enough. So, to an extent, I feel a personal shame that I didn't stop it.
Did it have age verification before showing said content?
Doesn't sound like it. Not that it matters. Not even commercial* porn providers require age verification.
Well then...
Contributing to the delinquency of minors, and whatever statutes cover providing pornography to minors as well.
The only major problem with that is, you'd have to actually show (a) the actual minors whose delinquency was contributed to (the "making available" argument doesn't fly) and (b) almost certainly show there was good reason to believe that the judge knew he was distributing said content to minors (otherwise most porn mags would be shut down, since obviously if the porn mags weren't printed, you couldn't find minors with them).
In short, you have to consider the judge's position as if he were any other major publisher. Given the repeated attempts to try to "protect" minors on the internet in the past involving porn and how few laws have stood up to Constitutional scrutiny (the only one that comes to mind as accepted is ones involving libraries accepting federal funds in exchange for having to include anti-porn filters; and assumedly that has to do with it being voluntary to accept funds), it just doesn't seem likely that yet another contorted attempt would work. But, obviously, it's all a matter of taking the judge to court and spending several years until the Supreme Court decides.
*Commercial in this context doesn't just mean "and we want your credit card number". The second one starts receiving money as a result of ads on one's website, one can be called commercial (just like broadcast TV). Assumedly this was a major reason that the age verification laws were discarded, as it would be very unreasonable to have every last website showing a nipple with an ad on it to request a credit card number. And odds are, most people *wouldn't* give a credit card number to the site. The last part, then, severely cripples freedom of speech by abridging the legitimate right of the vast majority to access a site without undue burden. Now, if there were some way to age verify someone in a more trivial fashion on the internet, the courts would probably have a much different interpretation on things.
Check all boxes for which the following collections of statements can reasonably hold: "X causes Y. People have been releasing more X. Hence, people are responsible for causing more Y and are capable of reducing X to reduce Y."
( ) X = Water; Y = Flooding
( ) X = Carbon Dioxide; Y = Global Warming
( ) X = Fire; Y = Fires
If you wish to claim that you can't answer the question at all, you're effectively a sophist, and to that end, arguing/discussing with you is irrelevant. If you wish to claim you can only answer some, then you'll need to provide some reasonable evidence that some aspect of the science involved isn't reasonably certain.
Barring that, an unwillingness to answer is a sign of stalling, not a point of consideration. This includes things like trying to semantically dissect the statements to look for loopholes where they might not apply. The generous use of the word "reasonable" was added for that reason. Arguments about how the statements unfairly call for a course of action are irrelevant, since the statements are about what could be done. The fact that one can make further arguments based on the above statements to argue that the only reasonable course of action is to reduce releasing of X isn't a valid argument towards why the above statements aren't valid. Etc. Etc.
PS - The answer would be to check all boxes.
PPS - This is "an open-ended statement". It doesn't call for action, nor does it attempt to ignore new facts as they are discovered, nor does it make claims about the parent post in any fashion, but it all might implicitly make an ad hominem attack involving the intelligence of the parent post. Nevertheless, it's a simple "open-ended statement".
Arguing over a subtle point doesn't make one a troll. The situation comes down to this:
If feature A and feature B combined can cause privilege escalation, then feature A+B are a security vulnerability. If neither feature A nor feature B alone can cause privilege escalation, then feature A isn't a security vulnerability and feature B isn't a security vulnerability. Feature A and feature B *are* security risks because each form a critical part of a security vulnerability. So long as feature A exists and feature B doesn't, feature A isn't a security vulnerability. That doesn't mean feature A shouldn't be corrected in case feature B is discovered/created, but it does make feature A a different thing.
All this talk about "security in layers" is great. Security risks should be corrected, if possible. It still doesn't change what they are.
Now, all this harping over such a fine point might seem an argument of semantics, but I think it's pretty critical to diagnosing Microsoft's advisory. Microsoft isn't in the business, AFAIK, of posting security advisories about vague security risks. More importantly, Microsoft is generally not in the business of pointing out the security vulnerabilities *or* risks in products that aren't theirs. Microsoft, after all, isn't an industry-wide security analyst.
Now, perhaps this is Microsoft's attempt to help protect their platform by informing users about the possible security risk Safari poses. On the optimistic side, that's great. That could mean Microsoft has decided to help protect users, even with the possible fall-out from other companies (and their own) getting bad press and users dumping a variety of insecure products/programs. On the pessimistic side, this is likely a one-off affair on Microsoft's part, designed more to smack Safari down more for the PR value against Apple/Safari. But, the next time IE has a bug that won't be fixed any time soon and could cross the same sort of "security layer", I doubt MS will tell people in a security advisory to stop using IE until the bug is fixed.
In short, if I actually believed Microsoft's goals were noble, I probably wouldn't be harping on the difference between a security risk and a security vulnerability. Sure, I'd still recognize there's a difference. But, I probably wouldn't bother commenting over it to others. But as it stands, nothing justifies Microsoft's behavior in one instance where they won't likely do the same in a virtually identical one later. I'm sorry if you feel that my attempts to call Microsoft out over the seemingly subtle point is seen by you as trolling. To me it's merely an attempt to try to call attention to the abuse of the security advisory system at Microsoft for marketing purposes.
PS - The reason I mentioned all the stuff about the Windows desktop and not blocking "My Computer.exe" is because it might suffice as "feature B". But, if it does and one still wants to call "feature A" a security vulnerability, then "feature B" is too. Since I'd take it to be absurd for the Windows desktop to go through and try to filter out icons in an attempt to prevent that kind of social engineering, I wouldn't consider "feature B" a security risk. So, I'd have to take that to mean that "feature A" isn't either.
Now, perhaps "Safari auto-/dl"+"Safari no download tagging"+"Windows desktop letting icons look identical" is a security vulnerability. But, there's no real mention in the advisory of avoiding the Windows desktop in general or that that sort of social engineering is the final key to said security vulnerability. After all, until the Windows desktop is "fixed", there are certainly a lot more programs than Safari that have for a long time and still will save files to the desktop without "properly" tagging them or necessarily asking permission first to save. I.e., it still seems very selective of Microsoft to go out of its way to choose Safari to condemn for the practice.
Besides, if they were that concerned about such things, they could have worked towar
IE doesn't auto-download files like Safari does. So all this stuff about tagging is at best a red herring you're trying to distract people with.
Ever since IE7, files downloaded through IE are automatically tagged as downloaded from the internet. Why? Because it's a "security risk" to access such files, apparently. Truthfully, MS has gone the paranoid route and has tried pushing the signing of all executables as a means of "safety". Now, from their perspective of paranoia, the failure to tag would be the vulnerability, not so much the auto-downloading. After all, you *can* set IE7 to auto-download files if you want (though, AFAIK, not to the extent of multiple files per link clicked).
Remember, security is all about layers. Not downloading stuff that the user didn't ask to download is one layer. This vulnerability broke that layer, hence makes it easier to break security.
That's all well and good, but that's not quite right. It is a *feature* of Safari to auto-d/l such files. Hence, using Safari amounts to a user asking to auto-d/l such files. Now, you can argue it's a crappy feature or that such a feature doesn't give a user enough control. But, if merely doing things which could lead to a security vulnerability and which don't give user configurable control qualify as a security vulnerability, then virtually *everything* on a computer qualifies. The program didn't *ask* me if it could put a zero in register eax, never gave me the option to configure such, nor did it make consideration that the next instruction, being passed a zero through eax, will lead to a security vulnerability.
No, at some level, you have to acknowledge that the "layers" argument doesn't work. Until you can show an actual way to exploit this feature with another feature/bug to create a security vulnerability, then you're just blowing smoke on what might be. At least you could be blowing smoke with something more convincing, like examples of how easy it'd be to execute one of those downloaded files or how hard it'd be to not simply delete those files or change the download path to somewhere else to reduce the risk.
Security is a by-product of a philosophy of "what could go wrong and how do we prevent it proactively"? To that end, I'd say OpenBSD still has a way to go with security. While it might be hard to go through and audit tons of code, it's much harder to create the necessary* provably correct code that one can be sure things can't go wrong. But the OpenBSD philosophy doesn't seem interested in exploring such long-distance considerations, so I'd say it's in the same boat as Linux and Windows. It's just more proactive on the code auditing front.
*It's very difficult to define "necessary" in the scope of a computer system and security. What can go wrong is certainly contextual for many people, so it's quite possible that multiple proofs under multiple well-defined contexts would have to be adopted with people choosing the context best suited to them to obtain the desired security. This, of course, assumes that it's at all possible to prove enough code (I doubt all code needs to be proved) to be certain that, at least within the context of the code**, there is no security problem. AFAIK, we're still very far away from knowing if it's possible.
**The hardware can undermine your code, but you can make allowances for defects in hardware you know about. If the hardware isn't proven correct/consistent, then you will always be on shaky ground no matter how proven your code is. We're still a long ways away from even this. And something like TPM is unlikely to solve the problem.
Use 'unset HISTFILE' in every terminal that uses the secret volume.
Mount /tmp as a ramdisk.
Encrypt your swap with cryptmount*.
Agreed. You failed to mention things like ~/.thumbnails/ or ~/.gimp/tmp/, to name a few. All-in-all, this is exactly why the only safe thing to do is be paranoid and encrypt the whole thing. Even then, though, I'm not sure how feasible it is to create a plausibly deniable full system. That's the sort of thing that'd seem to be nearly a full time job in itself.
*I'd imagine that actually doing so just makes you look extremely guilty, as it shows a real depth to one's paranoia (just like your disable swap and link ~/.bash_history to /dev/null). And at that point, the most paranoid thing to do with Truecrypt would be to take advantage of the "Plausible Deniability" feature. So, it's sort of a Catch-22: the more you try to patch possible leaks, the more clear it is you're trying to patch possible leaks.
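An added example, not from the thread, of the "patch possible leaks" checklist above turned into an audit: it checks shell history, /tmp, swap and the cache directories named in the posts. The check functions take their input as text, so the assumptions (dm-crypt swap shows up as /dev/mapper/* or /dev/dm-*, the directory names listed) can be tested against constructed samples or, with --live, against /proc/mounts and /proc/swaps on the machine itself.

```shell
#!/bin/sh
# Added example, not from the original thread: a small audit of the plaintext
# leak surface the posts above list for an encrypted volume (shell history,
# /tmp, swap, application caches such as ~/.thumbnails and ~/.gimp/tmp).
# Each check takes its input as text so it can be run against /proc/mounts
# and /proc/swaps on a live system or against constructed samples.

# tmp_is_ramdisk MOUNTS_TEXT
# Succeeds when /tmp is a tmpfs or ramfs mount in MOUNTS_TEXT (/proc/mounts
# format: "device mountpoint fstype options dump pass").
tmp_is_ramdisk() {
    printf '%s\n' "$1" | awk '
        BEGIN { ok = 0 }
        $2 == "/tmp" && ($3 == "tmpfs" || $3 == "ramfs") { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# swap_is_leak_free SWAPS_TEXT
# Succeeds when no active swap in SWAPS_TEXT (/proc/swaps format, header on
# line 1) is a plain partition or file. Assumption: encrypted swap is presented
# by dm-crypt as /dev/mapper/* or /dev/dm-*; disabled swap (header only) passes.
swap_is_leak_free() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = 0; e = 0 }
        NR > 1 && NF > 0 { n++; if ($1 ~ /^\/dev\/(mapper\/|dm-)/) e++ }
        END { exit ((n == e) ? 0 : 1) }'
}

# histfile_is_safe HISTFILE_VALUE
# Succeeds when the shell will not persist history: HISTFILE unset/empty
# ("unset HISTFILE") or pointed at /dev/null (the symlink trick from the thread).
histfile_is_safe() {
    [ -z "$1" ] || [ "$1" = "/dev/null" ]
}

# plaintext_cache_dirs HOME_DIR
# Prints the paths under HOME_DIR that exist and typically hold plaintext copies
# or fragments of files from the mounted volume. The list is the thread's
# examples plus the XDG thumbnail cache; extend it for your own applications.
plaintext_cache_dirs() {
    for rel in .thumbnails .cache/thumbnails .gimp/tmp .bash_history; do
        [ -e "$1/$rel" ] && printf '%s\n' "$1/$rel"
    done
    return 0
}

# audit_live: run every check against this machine and print ok/LEAK lines.
audit_live() {
    mounts=$(cat /proc/mounts)
    swaps=$(cat /proc/swaps)
    if tmp_is_ramdisk "$mounts"; then echo "ok   /tmp is RAM-backed"
    else echo "LEAK /tmp is on disk; deleted temp files remain recoverable"; fi
    if swap_is_leak_free "$swaps"; then echo "ok   swap is absent or on device-mapper"
    else echo "LEAK plaintext swap device active; page contents hit disk"; fi
    if histfile_is_safe "${HISTFILE:-}"; then echo "ok   shell history is not persisted"
    else echo "LEAK HISTFILE=$HISTFILE records commands and paths"; fi
    dirs=$(plaintext_cache_dirs "$HOME")
    if [ -z "$dirs" ]; then echo "ok   no known plaintext cache directories"
    else printf 'LEAK %s\n' $dirs; fi
}

# Only touch the live system when asked: ./leakaudit.sh --live
[ "${1:-}" = "--live" ] && audit_live
```

The swap check is a heuristic: a device-mapper node could also be plain LVM, so confirm with cryptsetup status on a real system.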
It's interesting you say all that because I have a suggestion for a test. On the one hand, you can use a fully patched Win2k/sp4 machine, but you're required to use Internet Explorer with javascript, java, flash, etc installed. On the other hand, you can use a fully unpatched Windows 2k machine, but it will use a hardware firewall and use the latest of either Firefox or Opera, but have javascript, java, flash, etc disabled for 99% of websites (including youtube, myspace, etc). The only limit on the actual websites visitable is not being allowed to go to known demo websites for exploits or to websites specially crafted by you just to intentionally attack one or the other machine. Which machine do you think will become infected first?
My bet is that the fully patched machine will be infected first. Why? Because the two main avenues for attack on a Windows machine are Windows' crappy default services being enabled along with tcp/ip stack exploits and javascript/flash/java exploits, especially through Internet Explorer. Truthfully, the same avenues hold for Linux and Mac OS X (minus Internet Explorer).
The core weakness is a lack of robustness in most software. Until that is fixed, then yes, removing as many unknowns as possible greatly reduces the risk. It's a sad commentary, though, that so many hoops have to be jumped through. Perhaps, some day, a group (like OpenBSD) will do a code audit of Firefox (and java, flash, etc) so such fears will be mainly a non-issue.
You give me yours, and I'll give you mine. We can then sue each other in small claims courts.
PS - Btw, yes, I did realize what I was saying meant people could start suing each other. But realistically, just as most people don't sue each other over copyright violations, it's unlikely that most people would sue each other over their contribution to global warming.
I entirely agree. And with the EPA out of the way, the oil companies can be sued into the ground. After all, if Grokster can be sued into the ground based upon contributory copyright violation (and copyright isn't even a right), then certainly oil companies can be sued into the ground based upon contributory property damage (aka all those nasty effects of pollution (poisoning waters, crops, etc) and global warming (flooding, droughts, etc)) and contributory littering (soot, CO2, mercury, etc).
Until now, companies could always claim that the EPA effectively immunized them from lawsuits because they were following the law, which itself implies that nothing improper was happening. But if the EPA and its powers don't exist, then one can only really base one's decision on property law. And I think it's pretty clear (certainly above preponderance of the evidence) that polluting upon others' property is illegal and creating a whole industry based upon that is illegal as well.
So, I guess we'll finally hear the truth from the government on why aliens from Area 51 made so many homosexuals?
I think that highlights my point quite well. Just because encryption can be used for financial data doesn't mean much if there's a history of people not using encryption for financial data. In short, that strongly implies that the only people who would bother to use encryption software are the ones with something to hide, ie criminals.
The fact that you hand over a password doesn't matter much. Why? Because (a) law enforcement will figure out that Truecrypt can contain a hidden volume and (b) if the data they do find with your first key isn't incriminating enough, it implies to them that you're using a decoy. Plausible deniability rests upon the presumption that your denial is plausible (obviously). If the vast majority of people don't use encryption and further of those that do, only a small fraction use software that can contain decoys, then a lot of your deniability isn't plausible enough.
No, I think you're missing the point. Let's assume, for a moment, you're law enforcement. Now, from your perspective, encryption is a means of hiding information from the law.
If encryption is a standard feature that everyone uses, then everyone is hiding information from the law. But, since not everyone is a criminal, that means one can't presume that encryption is equivalent to a criminal hiding criminal activity.
If encryption is a non-standard feature that some people use, then everyone using that encryption might very well be a criminal. In fact, law enforcement very well might believe that encryption is equivalent to a criminal hiding criminal activity. In that case, giving them a second password with "incriminating information" only works if that incriminating information is itself illegal. Unless that's the plan, to trade the possibly 30 year prison sentence for the 5 year prison sentence, then the idea that you can just give a password to data "you don't want others to see" as some means of sating the law enforcement is absurd.
In short, using encryption makes you a criminal. The very fact that you won't turn over the password for the incriminating evidence only proves to them that you're hiding even worse (ie, 30 year prison sentence worthy) data. The only way to actually counter this is to get so many people using the encryption software that the existence of encryption software isn't enough reason for the police to even bother trying to get you to hand over a password, as the encryption software isn't reason enough to presume anything. Of course, if they have evidence that leads them to you, you're back to the position of them just assuming you're hiding the illegal data somehow.
No: "Enslave yourself and you are a slave."
If you lie, you're a liar. If you enslave yourself, you're a slave. If you fornicate, you're a fornicator.
You're a slave (I am too, btw). That's a fact. Why are you upset with the messenger or inclined to add in judgements about intelligence that aren't stated?
Okay, but *why* should one create a charity with the intent that it exist forever? If the charity has a noble end, it should work towards that end and disband when it has reached its goal.
If it fails to reach its end or it has no end, it should spend what money it has as best it can, not devote itself to itself. Such makes it no longer a charity but a being unto itself. And that's the antithesis to what charity is.
So, I'm not sure I'm getting what the problem is exactly. What's stopping the creation of programName-Setup.exe that will install the package-install (if not already installed) and will launch package-install to actually install programName (along with dependencies)?
As far as users are concerned, it'll just mean two progress bars. One will be for download progress of all packages. The other will be for the install progress of all packages. This isn't at all different from any other network based installer. The only real problem possibly is orphaned packages, but even that is probably fixable by auto removing orphaned packages.
Except for the fact that, AFAIK, the above hasn't been done, what's particularly undoable about it?
Again, yes. And again, that's why BSD-like licenses are selfish, for they attempt to shield the author from all possible damages, even those that arise from the obvious failings on the author's part (this goes back to your example of a burglar falling through a skylight). And just like the burglar example, it's probable that common law (if not actual statute) prevents such disclaimers as are found in BSD-like or Apple licenses from applying in actual cases where a person being harmed ever has a reasonable chance of winning; but, that just goes back to there being little to no tort suits over software. Of course, lawyers will write in the legalese just in case it does happen to shield them from liability.
Non sequitur. Countries don't have rights. People have rights. People exercising those rights may infringe the rights of others. There is no right to forbid the copying or redistribution of a work. Such is a state created and enforced privilege. Such is why in the US Constitution the basis for copyright is granted as a power to Congress, not listed as a right under the Bill of Rights. Further, the GPL uses the state granted privilege in an attempt to partially restore inherent rights. The courts could, assumedly, state that since the intent of the state is likely to inhibit such rights, one can't use one's privilege in such a way. But, the courts don't seem inclined to infringe upon the privileges of individuals simply because the courts are unhappy with the consequences of individuals exercising those privileges; at least, they're not inclined until the legislators spell out such intent to inhibit such rights.
Yes, but now you've stumbled across the peculiarity of software in general. How many people have sued *any* software maker for defective software? While there is legal basis under tort law to sue, the fact is, it's neither a common practice to sue over software in general when it comes to harm nor apparently is there enough case law to easily allow a person to win if they were to bring suit. EULAs or redistribution licenses are unlikely to shield the author from a legal perspective because, as you note, there is an assumed level of liability for allowing access to an otherwise private thing. But, de facto, the suits just haven't been filed and the risk just isn't there; at least, it isn't there yet.
PS - And obviously, this is all based upon my limited understanding of things as a non-lawyer.
You're right, but that's a narrow interpretation of intent. As much as the GPL builds upon state protected monopoly rights, it does so as a means to void* said state protected monopoly rights indefinitely for all such licensed code. Things like the public domain and various BSD-like licenses only attempt to void** state protection as far as their own distribution goes. The real end goal by some, but not all, supporters of the GPL is to end state protected monopoly rights fully, thereby voiding the concept of enforcement or the need to fight towards the legal use of code from whatever code made available. Considering that such is unlikely to happen any time soon (ie, within the lifetime of most people today), the GPL is the best license so far readily available to avail themselves towards that end.
*This isn't entirely true, obviously. The GPL doesn't merely grant reuse/redistribution rights. It comes with the burden of releasing source code. Obviously, if copyright didn't exist, there are many people who would refuse to release the source code, which would require disassembling binaries to reconstitute source code***. This, btw, is obviously a huge pain in the ass and many who support the GPL are unwilling to allow copyright to disappear completely because the perceived trade-off of legal reuse/redistribution rights of all code versus the actual hurdles introduced from people legally close-sourcing any or all code is too great. Obviously, this is a selfish abuse of state monopoly rights.
**While the public domain does void use of all state monopoly rights, BSD-like licenses are different. Specifically, like the GPL, BSD-like licenses rely upon redistribution rights to obtain indemnity of various kinds. In theory, something released under the public domain that did harm would put the author in legal jeopardy under which they would not be if said code were BSD licensed. Truthfully, except in malicious cases, there is de facto indemnity over public domain code--and in malicious cases, no license or lack thereof is likely to help. In short, those who use BSD-like licenses are selfishly covering their ass through abuse of state monopoly rights.
***One could make a derivative of the GPLv2 that removed the source code requirement and the legal liability indemnities. If anything, I believe that this license would actually be more free than a public domain license because it exerts the most effort to usurp the infringement of the inherent right to copy with the least inclusion of other, selfish wants. Now, obviously this license could be said to be selfish on its own too, but then the desire to use one's own inherent rights can obviously be said to be selfish, but justifiable. Certainly, so long as laws are created to infringe such rights, there is no perfect solution.
PS - Yea, I realize, I'm retreading a lot what you've said. I just wanted to, selfishly, spell out the issues more thoroughly.
I think it goes more like, "Geez, with a gun ban, I don't have to bother with a gun. I mean, you can buy a knife anywhere, but gun ownership has all sorts of safeguards and there's been tons of effort to try to keep track of all gun owners. But, everyone has a knife. Everyone is a suspect."
And in response, "Well, yes, this does mean that any two bit hood can rob a store; but those who use guns now may well use a knife instead. But, as rare as armed (with a gun) robbery results in injury or death, the odds of armed (with a knife) robbery resulting in injury or death is even lower; those with a knife will have a harder time attacking since knives are a low-range weapon. So, robberies might go up and store owners might be more defenseless. But, most armed robbers--and armed robbers are the perceived main user of guns in urban areas--are in it for the money. So decreasing resistance is good to decrease physical harm, even if it might increase the overall crime rate."
In short, to presume that all criminals have guns readily available for use or can readily obtain them is silly. And to presume that resisting in all crimes is good is also silly. Of course, I don't feel that the possible advantages outweigh the potential losses. But I think this idea that is merely to "level the playing field" without any other consideration really doesn't consider that even with an unlevel playing field, the situation might be physically better for all parties involved. Certainly, trying to simplify it down to "legislators are dumb" doesn't really try to look at the situation with consideration for how the real world works.
The issue is, it wasn't unprovoked. As much as people might hate OBL or think that the response was out of line, America *did* repeatedly meddle in the affairs of Afghanistan and Saudi Arabia. If one considers that all such meddling was the result of capitalistic interests, then attacking the World *Trade* Center does make sense as a target.
It's funny you say that. America has engaged and/or participated in terrorism not only in wartime but in peacetime (at least, in times of undeclared war). The fact is, war, declared or otherwise, is inherently uncivilized. Hence, pretending that you can apply civilized standards to it is absurd. This is one reason why not only should war be avoided in general but why having undeclared war is so undermining to any claim of civility of a nation.
Yes, stability is always a relative term. While people may hope and/or assume that countries will exist in a decade, the idea of assured stability is absurd; look no further than the USSR for an example, from the perspective of 1982. If you want to argue that land-grabs make a country unstable, I'd agree. That's why colonialism and imperialism are bad; they make not only the host country but the occupied country unstable. And as for wars, I would tend to agree as well; although, the US has been in "wars" of some nature every decade for the last 60 years. I guess it could be argued that the US is different, for it engages in proxy wars and fights far enough away from its territory with troop levels low enough to leave enough troops to defend itself; similar things were done during the many wars of Europe during the 1600s-1800s.
So, to clarify, in total war there is inherently instability. But in simple war, this is not necessarily the case. And Iraq has certainly engaged in much more total war than the US has, so I would agree it's more unstable than the US.
I see. So, are you trying to argue that either (a) the Marshall Plan wouldn't directly work or (b) something like the Marshall Plan, tailored towards the socioeconomic situation, wouldn't work? Because while I can understand the former, I don't understand the latter. And if you're arguing that a Marshall-like Plan is doable, I can only ask why it isn't being done? Unless, of course, you believe engaging in terrorism in Iraq is somehow the way to go to achieve that end.
I'm sorry to break it to you, but Iraq *was* stable. Even amongst the suffering caused by a decade of economic sanctions, Saddam's government was still in power and able to keep the populace in line. Now, you could argue that this is a bad thing. But, the issue is one of whether Iraq was stable or not. However, if you meant that Iraq was destabilizing on its region of influence, I'd agree. But, then, so is the US destabilizing on its region of influence. I don't think that makes the US as unstable.
As for Afghanistan, you're right, stability was questionable, at best.
I think you missed his point. While there are those who "blame America first" regardless of the situation or circumstance, there are those who in response will claim that just about any blame being laid upon America is ranting from "blame America first" individuals. Both positions are nonsense, as clearly America is neither blameless nor totally blameful for the state of the world. To that end, he was mocking the anti-"blame America first" because the anti-dogma is being used as a smokescreen instead of having to actually consider and discuss the situation.
I disagree. As horrible as it is, there are times in war when it is necessary to commit otherwise atrocious acts because it is pragmatically impossible to avoid the killing of uninvolved civilians. The truth is, in few conflicts are there uninvolved civilians, only different levels of involvement. But, again, the truly uninvolved are sadly the fodder of a war machine involved too much in winning and less in the rights of individuals. Until such time as humans are consistently moral*, I don't see how it's pragmatically possible to avoid the use of guerilla warfare/counterinsurgency/terrorism in warfare.
Do you mean democracy over Islam or Islam over democracy?
*For purposes of this discussion, morality will be defined as, at minimum, respecting the rights of life, liberty, and the pursuit of happiness.
Granted. And this leads to the real question that should be asked: "Have tactics in this manual actually been used in a non-war?" When it comes to the US, the answer is yes. This is the real reason why war not only needs to be declared but the power is invested in Congress. None of the actions listed in the Counterinsurgency Manual should be applicable in Iraq.
War is hell. What is worse is when even peace can be treated as war. But, then, it's just another example of wanting wars to be actually declared, criminals to be actually tried, and warrants to be actually properly issued for actual, specific, and reasonable suspicions. It's funny that national security can be so readily used to hide abuses. But, I guess it makes sense if one considers that the US will exist as a nation, regardless of whether it's a democracy or a dictatorship. All hail nationalism over forthright democratic character.
18 USC 2257 applies to producers, not distributors. So, unless you're trying to argue that the judge produced some of the mentioned material...
A small correction. Their representatives, either through the "rever[sion] to their reptilian ... instincts" or through a more calculated choice to do what their constituents wanted, followed through with irrational attacks against Afghanistan* and then Iraq**. Personally, I'm inclined to go along with the latter. Most people, politicians and otherwise, are more willing to sit idly by and agree with the majority on issues than stick their neck out, be it for fear of not being elected or for fear of being physically harmed.
Yes, there was a small chance that a single voice, casting light on the irrationality of the demands of the people would turn that person into a martyr. But, odds are good that one martyr would stop people long enough to realize that their demands *are* irrational. People don't like to get their own hands bloody. They don't want to appear like monsters. Sometimes someone has to stand up and risk death to break the skin on the drumhead.
*The fact is, no matter how much the Taliban was effectively flipping the bird at the US, the US had no reason to go and overthrow a whole government just to kill or capture *one* man. It was *ONE* man that the US was after. Now, it could be the case that in the pursuit of that one man, the US would violate the borders of Afghanistan and get into a conflict with Afghanistan. But, assuming the US's efforts were directed well enough, odds are good that either (a) we would have found that one man and been able to leave without Afghanistan able to do much but whine about the US's actions to the UN or (b) we would have eventually gotten China's or Pakistan's support when that one man left the area, thereby allowing the US to leave (and again still leaving Afghanistan to complain to the UN). Instead, the US clearly had an intent to get rid of the "annoyance" that was the Taliban, and hoped it'd be simple to find said man, disregarding that a part of the reason the Taliban didn't want to try to find said man was because it was so difficult.
**I don't think I need to say a lot about this, except to point out that if the UN weapons inspector doesn't think there are WMDs, then I'd want more than a few "intelligence reports" that, invariably, will include just about every possibility just to cover their ass. Certainly, I wouldn't start a ground war against a foe who had very limited ability to disperse WMDs except to slow-moving, near targets (i.e., ground troops), regardless of how "lightning fast" my ground forces were.
PS - This subject really eats at me a lot. Why? Because GWB was a schmuck. Specifically, until the point of 9/11, the media so often reported just how much time he spent vacationing and so little time doing anything relevant. Once 9/11 happened, GWB was so quick to appear for the photo-op and to be the "tough and strong" (not wise and reserved) leader that'd "kick ass and chew bubble gum". Hell, I rather expected GWB to be there and take advantage of the situation as best he could. And the fake bravado was to be expected to an extent, since GWB was not at all regarded as the intellectual type to actually *ever* step outside the "reptilian" brain. But the fact that he took it so far for so long and no one who had a real opportunity to stand up and make it well known how fucked up the situation was becoming (e.g. the media for pointing out how much of a schmuck Bush was to be hogging the camera to play war games; e.g. Congress authorizing anything remotely close to force to Bush after it was clear (a) he wanted to fight wars, not just use the military to get what the US wanted and (b) he really sucked at reaching the intended objective). Of course, even I, a lonely voice, could be blamed because I wasn't shouting at the media or involving myself to effect change early enough or aggressively enough. So, to an extent, I feel a personal shame that I didn't stop it.
Probably.
Doesn't sound like it. Not that it matters. Not even commercial* porn providers require age verification.
The only major problem with that is, you'd have to actually show (a) the actual minors whose delinquency was contributed to (the "making available" argument doesn't fly) and (b) almost certainly show there was good reason to believe that the judge knew he was distributing said content to minors (otherwise most porn mags would be shut down, since obviously if the porn mags weren't printed, you couldn't find minors with them).
In short, you have to consider the judge's position as if he were any other major publisher. Given the repeated attempts to try to "protect" minors on the internet in the past involving porn and how few laws have stood up to Constitutional scrutiny (the only ones that come to mind as accepted are ones involving libraries accepting federal funds in exchange for having to include anti-porn filters; and assumedly that has to do with it being voluntary to accept funds), it just doesn't seem likely that yet another contorted attempt would work. But, obviously, it's all a matter of taking the judge to court and spending several years until the Supreme Court decides.
*Commercial in this context doesn't just mean "and we want your credit card number". The second one starts receiving money as a result of ads on one's website, one can be called commercial (just like broadcast TV). Assumedly this was a major reason that the age verification laws were discarded, as it would be very unreasonable to have every last website showing a nipple with an ad on it to request a credit card number. And odds are, most people *wouldn't* give a credit card number to the site. The last part, then, severely cripples freedom of speech by abridging the legitimate right of the vast majority to access a site without undue burden. Now, if there were some way to age verify someone in a more trivial fashion on the internet, the courts would probably have a much different interpretation on things.
Let's do a simple test.
Check all boxes for which the following collections of statements can reasonably hold: "X causes Y. People have been releasing more X. Hence, people are responsible for causing more Y and are capable of reducing X to reduce Y."
( ) X = Water; Y = Flooding
( ) X = Carbon Dioxide; Y = Global Warming
( ) X = Fire; Y = Fires
If you wish to claim that you can't answer the question at all, you're effectively a sophist, and to that end, arguing/discussing with you is irrelevant. If you wish to claim you can only answer some, then you'll need to provide some reasonable evidence that some aspect of the science involved isn't reasonably certain.
Barring that, an unwillingness to answer is a sign of stalling, not a point of consideration. This includes things like trying to semantically dissect the statements to look for loopholes where they might not apply. The generous use of the word "reasonable" was added for that reason. Arguments about how the statements unfairly call for a course of action are irrelevant, since the statements are about what could be done. The fact that one can make further arguments based on the above statements to argue that the only reasonable course of action is to reduce releasing of X isn't a valid argument towards why the above statements aren't valid. Etc. Etc.
PS - The answer would be to check all boxes.
PPS - This is "an open-ended statement". It doesn't call for action, nor does it attempt to ignore new facts as they are discovered, nor does it make claims about the parent post in any fashion, but it all might implicitly make an ad hominem attack involving the intelligence of the parent post. Nevertheless, it's a simple "open-ended statement".
Arguing over a subtle point doesn't make one a troll. The situation comes down to this:
If feature A and feature B combined can cause privilege escalation, then feature A+B is a security vulnerability. If neither feature A nor feature B alone can cause privilege escalation, then feature A isn't a security vulnerability and feature B isn't a security vulnerability. Feature A and feature B *are* security risks because each forms a critical part of a security vulnerability. So long as feature A exists and feature B doesn't, feature A isn't a security vulnerability. That doesn't mean feature A shouldn't be corrected in case feature B is discovered/created, but it does make feature A a different thing.
All this talk about "security in layers" is great. Security risks should be corrected, if possible. It still doesn't change what they are.
Now, all this harping over such a fine point might seem an argument of semantics, but I think it's pretty critical to diagnosing Microsoft's advisory. Microsoft isn't in the business, AFAIK, of posting security advisories about vague security risks. More importantly, Microsoft is generally not in the business of pointing out the security vulnerabilities *or* risks in products that aren't theirs. Microsoft, after all, isn't an industry-wide security analyst.
Now, perhaps this is Microsoft's attempt to help protect their platform by informing users about the possible security risk Safari poses. On the optimistic side, that's great. That could mean Microsoft has decided to help protect users, even with the possible fall-out from other companies (and their own) getting bad press and users dumping a variety of insecure products/programs. On the pessimistic side, this is likely a one-off affair on Microsoft's part, designed more to smack Safari down for the PR value against Apple/Safari. But, the next time IE has a bug that won't be fixed any time soon and could cross the same sort of "security layer", I doubt MS will tell people in a security advisory to stop using IE until the bug is fixed.
In short, if I actually believed Microsoft's goals were noble, I probably wouldn't be harping on the difference between a security risk and a security vulnerability. Sure, I'd still recognize there's a difference. But, I probably wouldn't bother commenting over it to others. But as it stands, nothing justifies Microsoft's behavior in one instance where they won't likely do the same in a virtually identical one later. I'm sorry if you feel that my attempts to call Microsoft out over the seemingly subtle point is seen by you as trolling. To me it's merely an attempt to try to call attention to the abuse of the security advisory system at Microsoft for marketing purposes.
PS - The reason I mentioned all the stuff about the Windows desktop and not blocking "My Computer.exe" is because it might suffice as "feature B". But, if it does and one still wants to call "feature A" a security vulnerability, then "feature B" is too. Since I'd take it to be absurd for the Windows desktop to go through and try to filter out icons in an attempt to prevent that kind of social engineering, I wouldn't consider "feature B" a security risk. So, I'd have to take that to mean that "feature A" isn't either.
Now, perhaps "Safari auto-d/l"+"Safari no download tagging"+"Windows desktop letting icons look identical" is a security vulnerability. But, there's no real mention in the advisory of avoiding the Windows desktop in general or that that sort of social engineering is the final key to said security vulnerability. After all, until the Windows desktop is "fixed", there are certainly a lot more programs than Safari that have for a long time and still will save files to the desktop without "properly" tagging them or necessarily asking permission first to save. I.e., it still seems very selective of Microsoft to go out of its way to choose Safari to condemn for the practice.
Besides, if they were that concerned about such things, they could have worked towar
Ever since IE7, files downloaded through IE are automatically tagged as downloaded from the internet. Why? Because it's a "security risk" to access such files, apparently. Truthfully, MS has gone the paranoid route and has tried pushing the signing of all executables as a means of "safety". Now, from their perspective of paranoia, the failure to tag would be the vulnerability, not so much the auto-downloading. After all, you *can* set IE7 to auto-download files if you want (though, AFAIK, not to the extent of multiple files per link clicked).
That's all well and good, but that's not quite right. It is a *feature* of Safari to auto-d/l such files. Hence, using Safari amounts to a user asking to auto-d/l such files. Now, you can argue it's a crappy feature or that such a feature doesn't give a user enough control. But, if merely doing things which could lead to a security vulnerability and which don't give user configurable control qualify as a security vulnerability, then virtually *everything* on a computer qualifies. The program didn't *ask* me if it could put a zero in register eax, never gave me the option to configure such, nor did it make consideration that the next instruction, being passed a zero through eax, will lead to a security vulnerability.
No, at some level, you have to acknowledge that the "layers" argument doesn't work. Until you can show an actual way to exploit this feature with another feature/bug to create a security vulnerability, then you're just blowing smoke on what might be. At least you could be blowing smoke with something more convincing, like examples of how easy it'd be to execute one of those downloaded files or how hard it'd be to not simply delete those files or change the download path to somewhere else to reduce the risk.
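The "tagging" the two posts above argue about is concrete on NTFS: a downloading program writes a small `Zone.Identifier` alternate data stream next to the file, containing a `ZoneId` (3 means "Internet"), and the Windows shell consults that stream before it lets a downloaded executable run. A file saved by a program that does not write the stream looks to Windows like any local file, which is exactly the gap the thread is describing. The script below is an added example, not code from the thread, from Microsoft or from Apple: it audits a folder for files that lack the tag and, with `-Apply`, writes the tag so the usual Windows prompts apply to them. The default folder (the user's Desktop) and the script's name in the usage note are assumptions; it needs NTFS and PowerShell 3.0 or later for the `-Stream` parameter.

```powershell
# Added example (not from the original thread): audit a folder for downloaded files
# that lack the Zone.Identifier mark-of-the-web, optionally tagging them as Internet.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Desktop'),  # assumption: audit the Desktop
    [switch]$Apply                                              # when set, tag untagged files
)

# Zone IDs follow the URL security zone manager; 3 is "Internet".
$ZoneInternet = 3
$MarkContent  = "[ZoneTransfer]`r`nZoneId=$ZoneInternet"

function Get-ZoneId {
    # Returns the ZoneId stored in a file's Zone.Identifier stream, or $null if untagged.
    param([string]$Path)
    try {
        $stream = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no such stream: the file was never tagged on download
    }
    # The stream is INI-style text; pull the ZoneId line out of it.
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$untagged = @()
Get-ChildItem -Path $Folder -File | ForEach-Object {
    $zone = Get-ZoneId -Path $_.FullName
    if ($null -eq $zone) {
        $untagged += $_
        Write-Output ("UNTAGGED  {0}" -f $_.FullName)
    } else {
        Write-Output ("zone={0}    {1}" -f $zone, $_.FullName)
    }
}

if ($Apply) {
    foreach ($file in $untagged) {
        # Writing this stream is what IE7 and later do on download; afterwards the
        # shell warns before executing the file instead of treating it as local.
        Set-Content -Path $file.FullName -Stream 'Zone.Identifier' -Value $MarkContent
        Write-Output ("tagged    {0}" -f $file.FullName)
    }
}
```

Saved as, say, `Audit-Downloads.ps1` (a hypothetical name), it is run as `.\Audit-Downloads.ps1 -Folder "$env:USERPROFILE\Downloads"` to report and `... -Apply` to tag. Two caveats match the thread's point: the stream is only ever written by the program that saved the file, so anything that drops files without writing it (the Safari behaviour under discussion) leaves nothing for the shell to check, and the tag is advisory rather than enforced, since a user can remove it (for instance with `Unblock-File`) and a file copied to a non-NTFS volume loses it.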