Slashdot Mirror


User: Antique+Geekmeister

Antique+Geekmeister's activity in the archive.


Comments · 7,305

  1. Re: Verdict sound legitimate on Linux Developer Loses GPL Suit Against VMware (itwire.com) · · Score: 2

    He'd have to convince the court that there was enough likelihood of infringement to issue a subpoena. That is more difficult when you have little to no budget and there may be other, legal ways to write the same software. It's a copyright infringement, not a patent infringement, so the code would have to be substantively identical.

    Even companies _claiming_ infringement of their software have been very reluctant to show their source code in court. One understandable fear is that it will be copied and spread and lose trade secrets. Another is that it may convince people that they are lying thieves. That seems to be what happened when SCO tried to sue various Linux users for infringing SCO's licenses for UNIX source code. While SCO turned out to be mistaken in claiming ownership of SysV UNIX, which still resided with Novell, they were never compelled in court to show the full set of source code they were claiming was infringed.

    The lawsuits from SCO were ridiculous, but stretched on for years. I hope this judge pays attention to that lawsuit in exactly how _not_ to handle a software copyright case.

  2. Re:The real question should be on Should Cloud Vendors Decrypt Data For The Government? (helpnetsecurity.com) · · Score: 1

    > Why rate increases for the cloud service? The data ought to be encrypted before it even leaves the trusted host and is uploaded onto the cloud.

    In that case, you'll wind up paying in the short or longer term in resources. Investing some of your VM's computational resources in local encryption means resources not available for the tasks that the server actually provides, and may require larger instances or longer run time. The encryption winds up costing electricity, if nothing else, and someone will wind up paying extra for that unless your servers are notably overpowered for their task.

    I agree that full access to any keys for the cloud provider is a problem. It's why some people encrypt attached storage, and provide the keys manually at boot time. It's also why Java based keystores support manual unlocking of the keys when a Tomcat or similar server is started. That still leaves that startup session requiring manual intervention or a sophisticated "phone home" tool. Unfortunately, the work to provide and support _that_ is not free.

  3. Re:The real question should be on Should Cloud Vendors Decrypt Data For The Government? (helpnetsecurity.com) · · Score: 1

    > Do you think that cloud services should be setup in such a way that the provider is even capable of decrypting user data? IMO, the answer should be no.

    Encryption, and robust encryption, puts the data at the risk of losing the keys. Even securing the keys in a reliable escrow service leaves them vulnerable both to loss, and to theft. And if you test the performance of encrypted disks, encrypted SSD access, and encrypted network communications, all have significant performance costs and even electrical costs for supporting the additional processing needed. It also makes backups vulnerable to bitrot, where bitrot will break the decryption process where it might have been previously a recoverable error with unencrypted data.

    This would mean very real performance losses and rate increases for even the simplest of cloud services. Few businesses are willing to spend that much even on genuinely increased security.

  4. Re:Why isn't symmetric crypto threatened by quantu on America's NIST Seeks Public Comments on Cybersecurity and Cryptography (thehill.com) · · Score: 1

    On review, I was unclear. The arbitrary enforcement of the remaining regulations by the Department of Commerce effectively hinders robust encryption, including the increase of key lengths. Only those technologies deemed "suitable" by the Department of Commerce are allowed an export license. The standards are no longer so clear, but similar to those. The licensing and approvals necessary to provide robust encryption as a general practice are so burdensome that network equipment vendors find themselves fiscally constrained from providing it, even if it is not specifically banned.

  5. Re:Why isn't symmetric crypto threatened by quantu on America's NIST Seeks Public Comments on Cybersecurity and Cryptography (thehill.com) · · Score: 2

    I'm afraid you're mistaken. The first set of regulations were lifted as a violation of First Amendment rights, but they were effectively transferred to the US Commerce department. They are still restrictive, and still prevent the activation of ubiquitous encryption at the NIC level.

    https://www.federalregister.go...

    Permission to sell network equipment overseas often relies on the installation of backdoors for government access. These keys have even been published worldwide for various network hardware.

    http://www.defenseone.com/tech...

    I'm afraid that to believe network hardware and software vendors do _not_ install backdoors at government insistence is to ignore the long history of the major network vendors.

  6. Re:Why isn't symmetric crypto threatened by quantu on America's NIST Seeks Public Comments on Cybersecurity and Cryptography (thehill.com) · · Score: 1

    These keys can be lengthened pretty simply. The length of these keys has been kept short through federal regulation, not through overwhelming technological difficulty in lengthening them.

  7. Besides RSA and DSA?

    DSA has been failing tests over time. RSA, well tested over time, has kept being battered by regulatory hindrances and federal insistence that all crypto must have back doors. That unacceptable insistence has continued to dominate all attempts to standardize encryption at a federal level, including such attempts as the Clipper Chip and (un)Trusted Computing.

  8. Re: Let me save you the trouble on LinkedIn Suffers Huge Bot Attack That Steals Members' Personal Data (siliconbeat.com) · · Score: 1

    "Plus a constant".

    See http://www.pleacher.com/mp/mhu...

  9. Re:Autopilot is a glorified cruise control on Tesla Owner In China Blames Autopilot For Crash (usatoday.com) · · Score: 1

    > I never heard about people being that stupid when cruise control was introduced into the mainstream.

    Look into discussions, and analyses, of "highway hypnosis". Cruise control is often cited as a big contributor to accident rates.

  10. Re:Earths rotation on NASA: Revolutionary Camera Recording Propulsion Data Completes Test (theverge.com) · · Score: 3, Informative

    The rocket is going one way. The fuel is going the other. The net change in angular momentum for Earth balances that of the rocket, itself, reaching _orbit_ at high angular velocities. When it returns to ground, in a similar orbital plane and is braked by any means, that change in angular momentum is returned by the braking.

    Note that if the orbits are not from similar latitudes with correspondingly similar ground velocities of the Earth's own rotation, there can be _fascinating_ effects on the eccentricity of the Earth's rotation and even on Earth's precession. But those are not likely to be large enough, or consistently cumulative enough, to be noticeable in any way.

  11. > IME, writing code that is reusable is quite hard. Getting it into a form that using it in another project is worthwhile is costly.

    Writing code to do extremely similar or even identical functions 3 times for 3 different projects is much _more_ costly, and each version is likely to have unique bugs. I'm also afraid that it's extremely common. Standardizing poorly integrated code from different companies or different projects covers a great deal of my paycheck and has vastly improved performance and reliability in almost all cases.

  12. Re:Don't run root on Linux on Windows Exposes a New Attack Surface (eweek.com) · · Score: 2

    What they can, and will, target is privileged credentials in the user's home directory. Linux users, for example, sometimes keep SSH private keys or GPG keys in their home directory. Those now become vulnerable to Windows tools that are poorly secured and allow filesystem access to well defined home directory locations.

    Conversely, many careless Windows users run their personal user account with Administrator privileges on their Windows machine, to make certain types of work easier. This makes Linux hosted attack vectors, such as running an SSH daemon, or SFTP, expose critical parts of the native Windows filesystems that the owner of the system may not have thought about.

    It's also very much the same problem that CygWin and Windows have shared for years, so it's not a very new attack vector.

  13. Re:Can't turn, can't climb, can't run on The New F-35 Is So Stealthy, It's Harder To Train Pilots (airforcetimes.com) · · Score: 1

    > Basically, the only thing it has going for it as anything more than a 16, non-super 18, and Harrier replacement is stealth. If anyone figures out how to break that, it's boned

    Or if they can break the bank of the military using them. Programs like the F-35 are so grossly overbudget, and so expensive to equip and maintain, that they genuinely cut into the funding for "boots on the ground" to occupy territory. And the F-35 still remains reliant on grossly expensive replacement parts after _every mission_, especially the tires. The tires are custom made to support the heavy air frame and high landing speeds, and tend to fail if used even twice.

  14. Re:Similar happened with anon.penet.fi on GhostMail Closes in September, Leaves Users Searching For Secure Email Alternatives (zdnet.com) · · Score: 1

    May I assume you mean they are "based in Switzerland"? I don't wish to mock your spelling, I just don't wish to echo that typo.

    That is why I mentioned "other government enforced tracking of users". Every hosted service is vulnerable to local government orders. And like anon.penet.fi, they're vulnerable even if the orders are based on fraudulent claims from a criminal or political entity in another nation. Even the Swiss are vulnerable to exposure: their infamous privacy for banking records has been profoundly reduced in recent decades by EU legislation.

  15. > So, no, they are not "giggling", they are very careful to use the limited resources they have only against targets that are high-priority.

    I'm afraid this is a common but misleading belief in security circles. The idea that "we are not an important enough target for anyone to hack us" is widespread in industry, software development, and personal computing. Unfortunately, most attackers are not so elite and there are thousands of them active at any time. The script kiddies are _always_ attacking anywhere they can find exposed, and they are publishing botnets. And the wide range of skills and difficulty of prosecution leaves many clumsy attackers still active, even if they are discovered or exposed.

    The result is that many institutions and people, feeling free from targeted and skillful attacks, fail to apply even the most basic security steps. The result is that many if not most PGP or GPG keys can be stolen with a minimum of targeted effort. They can be, and probably are, swept up wholesale much like SSH private keys, and stored MySQL, Postgresql, and other database passphrases are recorded wholesale by even clumsy malware.

  16. Re:Similar happened with anon.penet.fi on GhostMail Closes in September, Leaves Users Searching For Secure Email Alternatives (zdnet.com) · · Score: 2

    I'm sad to say, yes, I'm personally convinced by having watched it. They consistently rate the worst for truthfulness of any national news publisher.

    If it's worth your time, check any level of Fox news reporting about _anything_ where you personally know anyone involved or know the subject matter. It's true even for scientifically verifiable subjects. See http://mediamatters.org/blog/2... as a good example of the problem.

  17. Re:Encouraging Whistleblowers? on Assange Says Wikileaks is 'Working On' Hacking Donald Trump's Tax Return (slate.com) · · Score: 1

    Thank you for reminding me of the distinction.

  18. Re:And yet HTML is still shit on The World's First Web Site Celebrates 25 Years Online (info.cern.ch) · · Score: 1

    I do apologize for the lack of clarity in my message, I forgot that it would be rendered as markup, so my comments were garbled.

    Is an "HTML" tag closed by a "html" tag, a "hTML" tag, or any of the other 14 variants? Yes it is. Multiply the versions of every single tag or case insensitive filename, field, or label of any type and one faces a serious burden merging valid code that follows a different style, ensuring that comments about tags are not themselves considered tags by accident. The need to regularize all such code makes code slower, more fragile, and more vulnerable to typographical errors obscured by changes in case.

  19. Re:Encouraging Whistleblowers? on Assange Says Wikileaks is 'Working On' Hacking Donald Trump's Tax Return (slate.com) · · Score: 2

    > A whistleblower is a person who publicizes information his employer or another entity with which he is affiliated does not want published,

    Please allow me to differ on this matter. Many "whistleblowers" are political opponents of the people or entities they report on, and go to considerable effort or even encounter danger to expose the behavior. This is also what good reporters do, and it's why Woodward and Bernstein received a Pulitzer Prize for revealing the "Watergate Papers".

  20. Re: So the tax returns aren't public? on Assange Says Wikileaks is 'Working On' Hacking Donald Trump's Tax Return (slate.com) · · Score: 1

    > The posters here are also confusing wealth with income. His tax returns will show how much he makes per year (income), not how much he owns (wealth).

    Donald Trump made a great deal of his fortune in buying or building, then selling, real estate. State and federal returns require declaration of capital gains on real estate and on stocks when they are sold, and on interest income.

    Even in those years when he went bankrupt, he bought and sold property. That will show up even if his losses and deductions meant he spent nothing in taxes.

  21. Re:And yet HTML is still shit on The World's First Web Site Celebrates 25 Years Online (info.cern.ch) · · Score: 1

    > "Who was the idiot that thought case insensitivity for tags name was a good idea??" - everyone? reduces human error substantially

    As someone who remembers the arguments about this, it _engenders_ human error. Having to wade through inconsistent, case insensitive source code is an ongoing source of error in all source code, and an ongoing issue with html and mysql and other case insensitive languages. It's not quite as bad as the confusion of mishandled "camel case" in arbitrarily long function names. But it was as confusing then as it is now that "" can be rendered as "hTML>", "", "", etc., and that the closing tags need only match the case insensitive version of the tag.

  22. Re:Similar happened with anon.penet.fi on GhostMail Closes in September, Leaves Users Searching For Secure Email Alternatives (zdnet.com) · · Score: 3, Interesting

    > Fox News gets bent out of shape about something,

    Getting "bent out of shape" is not the problem. It's the fraudulent crusades against political, ethical, or ideological opponents that are the problem.

    Fox News repeatedly, and sadly effectively, misreports basic news to anger and mislead their viewers for ideological reasons. There were numerous examples during the conservative furor that led to the Iraq War. Such deceit was present during the "Black Lives Matter" protests, the "Occupy Wall Street" protests, and the Fox reporting on the fraudulent "abortion harvesting" videos about Planned Parenthood.

    > Fox News here is merely an example of the pulpit,

    The danger is that they represent themselves as a news organization, not a political pulpit. This means that their fraudulent attacks are taken more seriously than those from a more openly political spokesperson.

  23. > But if you encrypt email with PGP/GnuPG

    Stealing PGP keys is its own interesting security problem. It's quite intriguing how many people still store them on unprotected media, especially on NFS shares without NFSv4 based Kerberized access, because "we trust the people we work with". Stealing them off of build servers for software packages is a particularly enlightening penetration test, or subverting the build servers themselves to publish false packages in a vendor's name.

    The penetration of the RHEL and Fedora servers is a very good example of the risk, and of how a security aware vendor deals with it. It was quite interesting at the time.

    https://www.redhat.com/archive...

  24. Similar happened with anon.penet.fi on GhostMail Closes in September, Leaves Users Searching For Secure Email Alternatives (zdnet.com) · · Score: 4, Interesting

    Those of us old enough to remember when Usenet was a critical online resource will remember when anon.penet.fi provided a helpful, pseudonymous email and NNTP service. It was invaluable for people discussing issues that were not work safe, ranging from dating services to gender identity to cancer fears to AIDS help to thoughts of suicide. Some typical coverage was done by Wired, quoting the Observer newspaper, at:

    http://www.wired.com/1996/11/a...

    What was amazing about most of the press reports at the time was how they failed to identify the incident that caused Julf Helsingius to shut down anon.penet.fi. The incident is better described at:

    http://articles.latimes.com/19...

    Simply put, someone kept using anon.penet.fi to post court documents revealing Scientology's inner secrets. The documents are infamous and broadly available online, but 20 years ago they were not so broadly available.

    Why do I mention this? Partly because it points out that anonymous, and pseudonymous services, are always at risk from court ordered revelations about their clients. And I mention it partly because it's vital to see press coverage about the events as possibly skewed by fears of retaliation by powerful groups. 20 years ago, many reporters were justifiably _frightened_ of covering Scientology stories. They remembered what had happened to Paulette Cooper, who wrote about them and had bomb threats faked in her name by the cult. Today, press coverage that risks the ire of Fox News or of the Department of Homeland Security or runs afoul of the so-called Patriot Act is at similar risk of abusive, extra-judicial censorship with little safe recourse.

    I'm afraid the desire to censor communications is always around. I do look forward to better details about what triggered the closing of GhostMail's free services. I hope it wasn't a similar abuse of authority, but see real reasons to be concerned that it _is_ about Patriot Act or other government enforced tracking of users.

  25. Re:Retrain yourself on Waze's New Safety Feature Reminds Drivers Not To Forget Their Child In the Car (go.com) · · Score: 3, Informative

    > I for one do not believe the parents involved in these children in hot cars incidents simply forgot they had their children with them while leaving the car.

    I can attest that it's happened to me. Not on a blistering hot day, but on a cool one when I was quite tired and the child I was baby sitting for fell asleep. The child was comfortable and reasonably safe, but on a very hot day it could have been tragic. Small children also often nap on car rides, and many parents with small children are chronically sleep deprived. So accidents are unsurprising.