Isn't it hard to deliver lots of "RAM" with a small penis?
Easy solution: overclock. It's not the amplitude, it's the frequency, baby.
- What, you want me to sign in before you'll take my money? I don't feel like filling out a form right now...
- You want how much for shipping? I can do better than that...
- Oh, that was the price after rebate...
You can get away with a hell of a lot less when the competition is a few clicks away.
If there's a public forum where you can post information where it will be seen, use it to point out people who are bringing down the network. When the network goes down because of some virus or worm, post a network status update that goes something like this:
"The network outage on April 19th, 2005 was caused by a MegaVirus infection in Jack Smith's computer. You can protect yourself from the MegaVirus by downloading this free virus scanner [include link]."
If Jack keeps showing up in the announcements, his neighbors will get pissed off and egg his car. At the very least he'll get mocked.
"Additionally, what's the motivation for organizations (schools or ISPs) to fight for privacy versus just rolling over?"
Money. Students pay tuition. Students become alumni who donate. ISP customers pay for connectivity. Though they won't admit it, they indirectly make lots of money off of piracy. Being able to boast that you won't roll for the RIAA (feasible if you're a big ISP) will become increasingly desirable as the lawsuits keep ramping up.
Don't think of it as "fighting for privacy rights." Think of it as "protecting their revenue stream."
Heh. My first reaction to the question "Is it time to worry when other security professionals consider you too paranoid?" was to think, "Yes, absolutely."
A security professional lives by his paranoia. If one of them tells me I'm too paranoid, then clearly he's trying to lull me into a false sense of security by making me think my security measures are far beyond what most professionals would consider to be secure. If he wants me to think that I'm secure, then it's a near certainty that I'm not secure, and this means he's probably planning on compromising my network in the near future. Assuming, of course, that he hasn't already found a way in, and just doesn't want me to double check...
Sorry, I've got to go do a security audit now.
Watermarking doesn't work. If the watermark is inaudible, then it can be removed without ruining the music. I can just imagine some cracker killing an afternoon figuring out how to remove it.
Besides, DRM isn't about stopping piracy. Think about it:
- How many tracks have you downloaded via P2P networks?
- How many times have you taken a track that you purchased legally and shared it on a P2P network?
- How many times has an album appeared on the P2P networks before the first DRMed copy was even available for purchase?
DRM isn't about stopping piracy. It's about controlling how honest consumers make use of the content they've purchased/licensed/whatever.
Actually, the analogy is just fine. Tridgell never entered any private property. If he had, McVoy would have had a lawyer on his ass doublequickwise. If some asshole trespasses on my private property to walk his dog, I call the cops and have him dragged off. Or better yet, I confront him myself and if he gives me any crap I shoot him and his dog dead.
McVoy has punished Linus, OSDL, and every single user of the free version of the software. He has done nothing to Tridgell because he can't do anything. Tridgell hasn't violated any laws or contracts. Tridgell doesn't even use the BitKeeper client, so there's not even a license for McVoy to terminate; discontinuing the free version has zero direct impact on Tridgell.
McVoy is acting like a gangster: he can't touch the guy he's actually pissed at, so he lashes out at other people and says "I have to do this because of that Tridgell guy. Put the pressure on him, or I'll put the pressure on you."
Yeah, a free BitKeeper client is a cool thing, but I doubt the license includes a clause that requires you to suck McVoy's dick every time he gets ticked off. So why the hell are so many people lining up behind Linus to drop to their knees?
Anybody remember the name of that company that promised extremely high lossless compression rates on arbitrary files?
What's really sad is that, if the above numbers pan out, this vehicle would actually be more fuel efficient than most cars in the US today, not just the worst of the SUVs.
2004 Average: 20.8 MPG
I don't know exactly what the author's interpretation of "social contract" is, but here's my interpretation: Any social contract that may have existed between the general web browsing population and web advertisers was broken long ago.
My take on the social contract is this: Because of our mutual respect for each other as human beings, we voluntarily act in a way such that we can build and maintain a fair and orderly society. How much respect have the DoubleClicks of the world shown us? How many times have they said, "Hey, most people probably won't like this, so maybe we shouldn't do it?"
The vast majority of the advertisers are for-profit corporations who operate with the goal of maximizing shareholder profits. It is simply not possible to have a social contract with an entity driven purely by profit.
Being late isn't a valid reason to avoid an upgrade, but it's a perfectly valid reason to postpone the upgrade.
If you're heading up an organization with a large installed base, a major systems upgrade like this requires lots of planning and scheduling. At my company, we don't even have that many machines, but major IT projects get planned well in advance. MS system upgrades can't even be put on the calendar until after the code has actually shipped, because MS can't be relied upon to make a deadline. By the time SP2 went out, IT's calendar for 2004 was full, and we weren't even going to consider the upgrade until Q1 2005. I imagine a lot of sysadmins out there were in the same position.
There is no consumer demand for "ebooks." Text content distributors want to have the same control over distribution that movie and music distributors are desperately trying to get.
I own a portable reading device, it's called a PDA. And if some publisher were willing to sell me digital versions of books based on a standard that won't expire with my current OS version I'd already have a massive digital library. I don't need a freaking ebook, gimme a PDF.
Demand isn't what's holding back online book publishing. Once again, those who have a hold on the current means of distribution are loath to adopt a new method unless they can maintain a similar level of control.
Y'know, several years ago I read an article making a similar point, except it was a joke:
MICROSOFT SAYS RIVAL LINUX HAS NO FUTURE, SO LINUX INDUSTRY WILL STOP NOW.
Seriously, I think this guy has his head up his ass. He manages to point out some of Linux's weaknesses, but he doesn't offer any justification for making the leap between "these are some problems facing Linux" and "these problems cannot or will not ever be fixed." But I'm guessing he's not being paid to be right so much as he's being paid to attract attention.
How else do you expect them to stretch "To make money" out to fill up an entire page?
Switch page orientation to landscape, increase font size. Can I be a CEO now?
But on the plus side Starter Edition is so thoroughly hindered by artificial restrictions that your Windows box can no longer be 0wn3d, it can only be r3nt3d.
Granted, I don't know the details of the whos and hows of Internet2 access, but it seems from the article and various posts here that lots of university students have pretty much unfettered access to it.
If spammers can pay college students to run relays, how hard do you think it would be to get some kid to log IP addresses for the RIAA in exchange for pizza money? And I'm sure one of the RIAA execs has a child or grandchild attending one of these universities.
Except it's the sequel, and you discover that the nerd didn't really die. Now he's waiting for you in the locker room with powered armor and a gravity gun, and all you've got is a soccer ball and twisted up wet towel.
I was a drooling fanboy chomping at the bit to get HL2, but I won't be getting this expansion pack unless I can play it offline without asking Valve's permission each time. I think online distribution is a wonderful thing, but the way Steam does it is a ripoff for consumers. Valve gets:
- Decreased distribution costs
- Decreased production cost
- No inventory issues (shelf space? not a problem)
- Presumably a dramatic reduction in piracy due to increased authentication
But none of these savings were passed on to users. Valve doesn't give you a CD or manual, they take your money, and spy on you in exchange for the privilege of using their game. Valve gets more, the customer gets less.
This is often brought up in discussions of Steam, but unless they've changed it in the past few months, this is only partially true. I used ZoneAlarm to keep Steam from phoning home, and I could play in offline mode, but after a few days of this HL2 would complain and refuse to start until it had a chance to update.
So yes, you can play in offline mode. For a while. But eventually you have to be connected to the Internet to play the game.
Last weekend I got a new laptop. The first thing I did was repartition and format the drive. Right now I'm dual booting Windows XP and Linux.
I tried installing several distros and settled on Ubuntu because almost everything worked right out of the box (cd?). The SDIO slot doesn't work, but that's of minor concern to me. The big hole in functionality right now is the video driver. I have an ATI X300 Mobile GPU, and I can't get the binary driver to work. So no hardware 3D for me for now.
And while we're holding Linux to the same standard as Windows: With just the install CD for Ubuntu (this was 5.04 RC), I was able to get video (without acceleration), network (wired and wireless), modem, and audio working. I had an install I could use for web browsing, word processing, email, playing music, CD burning, and all of the basics most people spend 95% of their computer time on. I'm a Linux n00b, so I'm still exploring what's on this thing. Yesterday I found the option to configure PalmOS devices, so I'm going to play with that today.
Windows XP gave me none of the above except email and web. I had to go to Dell's web site to download drivers for all of the above devices. Yeah, I guess wordpad technically counts as word processor, but it's no OpenOffice. The Ubuntu install was much easier than the XP install on the same machine.
The dual boot setup was simple. Mounting the NTFS partition wasn't intuitive, but there are step by step instructions on the Ubuntu site. That was a nifty intro to the mounting system.
WiFi setup was a breeze, and it Just Worked. It loaded drivers for the modem, but I haven't tested it (haven't used a modem in years). It booted up using my screen's native resolution without me having to tell it (XP, Mandrake, and CentOS all failed in this regard). Accessing the Windows network also Just Worked, and half the time I can't even get my initial Windows installs to do that.
So far so good.
My guess is that it's mostly anti-spyware software that's driving this. If you're among the 90%+ of the Joe Users using IE, it's hard to keep your computer functional without some kind of anti-spyware app.
This tech will likely be abused more often than cookies are, since it was developed specifically to counter people who are actively trying to protect their online privacy. If the marketers are lucky, this will work for a little while. Then Ad-Aware, SpyBot, et al. will start disabling this, and then you're back to square one.
The solution: Don't rely on cookies. My company tracks visits to our site. The most surefire way of tracking is with user logins. Failing that, use a persistent cookie. But if a user doesn't want to give us his/her name and goes through the trouble of deleting cookies, then that's a pretty clear indication that the user doesn't want to be tracked. Any attempt to defy those wishes is likely to incur user hostility.
Whenever I see an article criticising open source software, I do a quick check to see if the author has his head up his ass:
Step 1: Replace the phrase "open source" with "closed source."
Step 2: Replace names of open source products with the names of their closed-source counterparts.
Check if the article's arguments and criticisms still apply. If so, the author hasn't written a critique of open source software, he's written a critique of software, and probably not a terribly insightful one at that.
This is one of the most often overlooked aspects of information security: Not only do you need to make sure that people only have access to the information they need to perform their legitimate functions, you need to make sure that you only have access to the information you need in order to perform your legitimate functions. All knowledge may be power, but that's only a good thing if you have full control over how that power is used.
I regularly run into trouble with this with our sales/marketing people. I have to convince them that we should collect and store no more information than we have to. If you have information you don't need lying around, then you become a liability to anyone who may depend on that information being secure. You become a weak link and a tempting target because you're less likely to be vigilant about securing information that's not of value to you.
I'm quite astounded that the admin of such a website hadn't considered such things.
They'd be up on BitTorrent in under an hour. Sorry to break it to you, but DRM is the only way to sell media on computers without mass piracy.
Your argument might hold water if it weren't for one little glitch: Most popular music, DRMed or not, is available on the P2P networks prior to official release. This means that the pirates already have the content before the first DRMed copy has even been sold. Thus, as an anti-piracy measure, DRM fails utterly.
I've said it before and I'll say it again: DRM is not an anti-piracy measure. The only people who are affected by DRM are people who have already communicated their desire to do the right thing by paying for the product. Pirates already have DRM free copies before legitimate copies are even available.
I did some poking around when this 302 stuff was first mentioned on Slashdot, and I was quite chagrined to realize that I'd accidentally done this to one of my own sites. Here's what happened:
I have a personal site that used to be on a free web host, but I later moved to my own machine under my own domain. I replaced the index page on the old site with a redirect. So the site used to be at http://freehost.tld/mysite, and now redirects to http://mysite.tld. It's been set up like this for a while.
If you google for the site, http://mysite.tld is nowhere to be seen. The top hit is for http://freehost.tld/mysite, but the preview that Google displays contains the content from http://mysite.tld. By using the redirect, my old site has effectively hijacked the page rank of the new site, and bumped the proper URL out of Google's index. And I did this purely by accident.
This by itself isn't very useful for a scammer. The above situation isn't that big a deal since anyone who clicks still winds up at the proper site. But if a scammer were to set up such a redirect, and then change the redirect based on the user-agent (GoogleBot gets the hijacked site, everyone else gets pr0n), then you now have the large-scale resurrection of search engine spoofing spam.
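The accidental hijack described in the comment above comes straight from HTTP redirect semantics: a 302 tells a client the move is temporary, so a crawler keeps the original URL and attaches the target's content to it, while a 301 says the move is permanent, so the target URL takes over. The following is an added example, not code from the comment's author; it simulates a crawler over a constructed two-page "web" (the URLs http://freehost.tld/mysite and http://mysite.tld are the ones from the comment, the crawler logic is a deliberately simplified model and not a description of Google's actual algorithm) and shows that switching the old site's redirect from 302 to 301 is what puts the proper URL back in the index.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed offline "web": URL -> HTTP response. OLD is the free-host
# page that was replaced with a redirect, NEW is the site's real home.
OLD = "http://freehost.tld/mysite"
NEW = "http://mysite.tld"


@dataclass
class Response:
    status: int
    location: Optional[str] = None   # only set on redirects
    body: str = ""                   # only set on 200 responses


def build_site(redirect_status: int) -> Dict[str, Response]:
    """Return the constructed site with OLD redirecting to NEW using the
    given status code (302 reproduces the comment's accident, 301 the fix)."""
    return {
        OLD: Response(redirect_status, location=NEW),
        NEW: Response(200, body="Welcome to my site"),
    }


def crawl(site: Dict[str, Response], start: str, max_hops: int = 5) -> Tuple[str, str]:
    """Follow redirects from `start` and return (url_to_index, content).

    Simplified model (assumption, not a real search engine's rules):
      * 301/308 (permanent): the canonical URL moves to the redirect target.
      * 302/303/307 (temporary): content is fetched from the target, but the
        canonical URL stays at the source, because the source said the move
        is temporary.
    """
    canonical = start
    url = start
    for _ in range(max_hops):
        resp = site[url]
        if resp.status in (301, 308):
            canonical = resp.location
            url = resp.location
        elif resp.status in (302, 303, 307):
            url = resp.location          # URL stays, content comes from target
        elif resp.status == 200:
            return canonical, resp.body
        else:
            raise ValueError(f"unexpected status {resp.status} at {url}")
    raise RuntimeError(f"too many redirects starting at {start}")


def build_index(site: Dict[str, Response], seeds: List[str]) -> Dict[str, str]:
    """Crawl each seed in order and drop pages whose content was already
    indexed (duplicate-content suppression keeps the first URL seen).
    The old free-host URL is seeded first because it was indexed long ago."""
    index: Dict[str, str] = {}
    seen_content = set()
    for seed in seeds:
        canonical, body = crawl(site, seed)
        if body in seen_content:
            continue                     # duplicate: proper URL gets dropped
        seen_content.add(body)
        index[canonical] = body
    return index


def check_move_redirect(site: Dict[str, Response], old_url: str) -> Optional[str]:
    """Defender-side check for the accident: a site move signalled with a
    temporary redirect. Returns a warning string, or None if the old URL
    uses a permanent redirect."""
    resp = site[old_url]
    if resp.status in (302, 303, 307):
        return (f"{old_url} answers {resp.status} (temporary); a moved site "
                f"should answer 301 so crawlers index {resp.location} instead")
    return None


if __name__ == "__main__":
    for status in (302, 301):
        print(status, build_index(build_site(status), [OLD, NEW]))
    print(check_move_redirect(build_site(302), OLD))
```

With the 302 the index ends up holding only the free-host URL, carrying the new site's content, exactly the symptom the comment describes; with the 301 only http://mysite.tld remains. The `check_move_redirect` helper is the one-line audit worth running on any old URL you have pointed at a new home.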