Since when has determining your processor utilization been considered basic competency? Get off your high horse.
I think it's intellectually dishonest to mention processor utilization as though that were the only possible way. I notice this frequently, that people are often rather eager to excuse and defend incompetent users out of some misguided sympathy for them. Real compassion for them would mean teaching, explaining, and providing good references for their edification. It would not mean excusing their failures or sugarcoating their incompetence. Any literate adult can achieve competency with a computer, and most problems that make the network a worse place for everyone directly involve users who lack knowledge, so why the "get off your high horse" spite towards those who expect better?
If anything, I think the "high horse" is the belief that users will always be ignorant, will always be victims of these security issues, and can never overcome them. It is not the belief that they can and should overcome them. That's especially evident to me when you have to (intentionally or otherwise) zero in on one particularly unlikely means of detection because you think ignoring other possibilities helps your case. This is known as confirmation bias, incidentally. In response, I'll give you a plausible scenario for which CPU utilization need not be measured.
I'll give another scenario under which this could have been detected. Here, when I say "firewall", I refer to Comodo, ZoneAlarm, and other software firewalls that are commonly available for Windows and/or free of charge, and are installed on millions of machines.
Running a firewall that could have alerted the user to suspicious/unprompted network activity is basic competency, right up there with running a virus scanner and an anti-spyware scanner. For Windows, these tools can be regarded as "maintenance", and anyone who operates a machine without correctly maintaining it (personally or by seeking help) cannot be rightly called competent. Now, basic competency may or may not correctly interpret that network activity, but that doesn't matter. It doesn't take computer expertise to say "hey, this firewall keeps asking me about things I don't understand and did not set up myself, so maybe I should get this computer looked at by a techie." At that point you're no longer talking about average users and whether they can achieve competency.
Another commenter notes that the language code of the trojan is Chinese.
I think that American businesses should strongly reconsider the merits of having their goods produced in a highly authoritarian state who is known to employ hackers.
I think that would rule out the USA as well, at least at the federal level.
Increasingly, it's not good enough that you said what you did say, and chose not to say what you clearly haven't said.
"SSDs found to be no better than platters!"
Is that true or false? It's true. Given a specific set of parameters, SSDs were found to be no better. So, does that mean they *are* no better? Nope. It means they are better but that the differences between them and platters are such that the bottleneck has changed to something other than the drive. However, the implication is that SSDs have some limit that holds them back.
Where do you draw the line between accurate and limited scope, to a scope so limited that it strongly implies something untrue?
My comment was not intended to cover the actual subject matter of the article (SSD performance with RAID). It was intended only to cover the methods by which this discussion, and other unrelated discussions, unfold and the techniques used by those who participate. It so happens that an example of what I was talking about showed up in a discussion about SSDs but that's the only connection to them.
I take no pleasure in reading something that appears to be intentionally condescending and so seek pleasure elsewhere. 'saving time' is the wrong idea, it is about making the best use of the time available.
Thank you for taking the time to clarify this for me. I hope this discussion wasn't too tedious and I truly appreciate being able to discuss this with you in a calm, non-Flamebait sort of way. With all the other people who are so eager to engage in petty pissing contests, this is most refreshing.
As far as I can tell, this is just a matter of personal taste. My own is a bit different. If a post really is snotty etc., that's an opportunity for me to do something about that if I don't like it. Whenever there is a choice, I'd generally prefer to change (rather than avoid) what I believe is lacking. Sometimes that means directly confronting the tactics used; most of the time it means leading by setting (what I believe to be) a better example.
If I screw that up, the person I deal with will view me as an adversary and will then be unwilling to consider anything I suggest no matter how well-founded. Lots of people just want to be "right", especially when they think (falsely in my case) that you're an adversary who will lord it over them if they admit fault.
If I don't screw that up and do it correctly, then I can give the person something to think about that may even change their mind on how they do things. Those who have done this for me have rendered a great service onto me, and I have learned many things this way. I feel privileged if I can contribute something similar. Even the most stubborn people will often reconsider things if you can overcome their assumption that you operate from a need to make them wrong so you can feel right. To me, the key to this is the recognition that you cannot convince anyone of anything without their active participation.
I see this rather often on Slashdot and elsewhere. It's becoming a part of our collective culture it seems.
Increasingly, it's not good enough that you said what you did say, and chose not to say what you clearly haven't said. There's this unspoken expectation that you also have to actively disclaim things you clearly are not claiming, otherwise some clever individual who really wants to be "right" is going to assume that your lack of a disclaimer amounts to tacit support of whatever was not disclaimed. This leads to a great deal of both intentional trolling and unintentional creation of strawmen. Both invite unnecessary follow-up posts designed to correct unfounded assumptions.
I wonder if this comes from modern politics where the audience is generally "hostile" in the sense that it's eager to twist words and demagogue positions with which it may disagree. That's a poor substitute for good reasoning, for showing that there are substantive reasons to disagree. So much of politics is done by handling complex, nuanced issues with 20-second soundbites that I can see how it happens there. On Slashdot, it seems to lower the quality of discussion for no good reason.
'dear reader' and 'beseech' have every appearance, to me, of attempting to frame the relationship between the writer and the reader.
I suppose the difference is this: I never feel like the way I relate to anything is determined by how someone chooses to exercise their free speech rights. So, he can say whatever he likes, I need not feel that it represents me. It represents only his subjective viewpoint. Whether he's correctly or incorrectly assuming a relationship between the reader and the writer is his problem.
Personally I didn't detect anything nefarious or manipulative there. "Dear reader" and "beseech" are merely antiquated terms that were once much more common. The only thing these indicated to me is that perhaps this person is significantly older than I am, which again isn't something I would frown upon. It would take actual evidence of malicious intent for me to reconsider this.
As far as my tone, sure, it's hard to respond to snottiness without being a little bit snotty. As far as my expectations, I don't expect that they will care much at all about what I think.
I appreciate your honesty. I agree it's difficult to do that, but worthwhile. Most people rarely see an example of snottiness overcome by grace. Usually if snottiness is overcome by anything, it's by someone who's even better at being snotty. It's one of the reasons why the world is the way that it is. Note, I am not agreeing that the GGGP post was actually snotty. I am merely saying that if you're right about that, it's my personal opinion that there are better ways to handle it.
As far as rejecting internet rambles based on tone, it is a simple time saving measure, there is plenty of other content that may or may not be a more interesting use of time, I will start trying to treat it all fairly when I figure I have read most of it.
I don't really understand this part. I don't have to know all human beings to fairly treat a particular person in front of me. By that standard, no one would ever be fair towards anyone. Clearly there is at least some fairness in the world, so others have found ways to be fair without having to talk to every human on the planet or read every written work on the planet.
I also don't understand the need to save time since reading Slashdot is a leisure activity. In my opinion, it makes no sense to apply production metrics to it, like the number of posts read per hour or the time spent per post. Of course, it is not necessary that I see this your way, but this isn't the first time I've seen fellow Slashdotters show some concern about their Slashdotting efficiency. It's possible that I'm the oddball here because I don't view it this way.
Simple: Gaining consent within the existing legal framework.
The problem with that is that building upon the existing legal framework amounts to an endorsement of that framework. It gives the illusion that the framework "works" and is not fundamentally broken whenever such products are successful in spite of it. It further entrenches something that really should be reformed.
Besides, there's nothing under the current legal framework that would prevent the copyright holder from releasing a DRM-free electronic copy of a book to a library. They are free to do that anytime they want. For the most part, they prefer to restrict information and it is those restrictions that the legal framework enables.
The main reform I would advocate is a return to a 12-year copyright term. Twelve years was considered adequate back when the most advanced technology for the dissemination of information was movable type. Now during those same twelve years a publisher can produce many more copies at a much lower cost, reach many more people, and make more sales. Yet that's not good enough for them because copyright has become another entitlement. Once this mentality is changed, namely by society's refusal to continue supporting it, I believe that related issues like DRM will rather easily sort themselves out.
I might have read your comment more closely if it wasn't written in an obviously preachy tone.
As it is, you missed me. Sorry.
I didn't find the tone too preachy, perhaps because I've seen far worse. I'd call the GP's post "impassioned" not "preachy", myself. As in, it contains a bit more feeling than a bunch of mathematical equations, but quite a bit less than anything I would consider calling "zealotry". Considering that people who want copyright reform generally view the current system as profoundly unjust and exploitative, I believe GP was rather restrained in his approach.
Even if I thought it was the worst example of pontification ever written, that would never stop me from deriving all possible useful information from it, or from understanding why the author was motivated to write that way. It's not personal, but honestly when I see posts like yours, the first thought that occurs to me is "get over yourself" because it contributes little or nothing. Not everyone is a good writer, and not all good writers agree on how to best reach an audience. Therefore, it makes sense to be willing to give people some slack on this, especially when they're not seeking advice on composition.
The irony is that you're being rather condescending yourself (as if to say "your style isn't worthy of me") while complaining about his tone. At the same time you seem to believe that losing you as an audience is a great loss for which you are sorry; maybe this is a "bandwagon appeal" meant to imply that your disdain represents the majority of readers. It's just the truth that not everyone is going to write in a way that you can personally appreciate. You have no choice about this.
The choice you have is whether a style you dislike is going to be an obstacle for you. You can determine whether a thing like that is going to stop you from participating in an otherwise good discussion, from responding to a post that otherwise makes a number of good points. The GP either has a valid point and a defensible position, or he has no such thing, and this is independent of the tone and style with which it is expressed.
Yes, these people should be punished. But I agree with Spain's prison/court system when they say that prison is for violent crime.
There's other ways to punish people and have them be productive to society, instead of rotting in prison. Sure, there may be special cases, but for the most part if you're not a physical danger to people then there's no need to keep you separated from the population.
Any effort spent punishing them would be better put towards hardening the targets. If you're interested in the prevention of similar events in the future, that is.
Computers are insecure. Networked computers are even more insecure. Windows is the low hanging fruit. I know it sounds tired, but if Linux had the same market share as Windows, you'd see the same kind of cat and mouse game going on between security researchers and malware programmers. If you put Ubuntu 9.10 on 80% of computers connected to the internet, and loaded it up with the 10 or so typical apps that people use (word processors, web browsers, Flash, etc), within six months you'd see vulnerabilities popping up left and right.
It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.
At the end of the day, it's all software running on an x86 processor. All it takes is one lazy coder, one tired QA guy, or one bad library and you have a zero day exploit. Computers need to execute code. You can only run so many checks on any given input. You can only limit the functionality of a module so much before it becomes useless. You can only bug users with "Are you sure you want to run this?" prompts so many times.
My disagreement here is that you don't need to prompt the user or enable any highly exotic verification to prevent the exploit that is the subject of this article. All you need is some decent sandboxing. Yet one of the most powerful, resourceful, and well-staffed software companies in the world failed to implement it for this version of Windows. Something there does not add up.
If you want an idea of a secure operating system, turn your web browser security settings to Prompt/Ask. JavaScript, HTML, XML, EVERYTHING set to prompt. Spend a week browsing the web in that configuration. Let me know how you like it.
In my opinion, you are engaging in quite a bit of hyperbole there. On my Linux system, the "help" function (in my case, a part of KDE) is implemented by binary executables that are owned by the root user while readable and executable (but not writable) by the user who is running them. Firefox, which runs in a similar fashion and also has the privileges of my normal non-root user, cannot affect the KDE online help even if it wanted to. This is an example (and not the best one) of the principle of least privilege. Firefox doesn't need to have the power to modify other parts of the system, so it has no such power. Simple.
There's no need for me to enable any extra confirmation dialogs, or anything else in order to achieve this. I simply enjoy it as part of the fundamental design of this operating system. I have a very hard time believing that one of the most well-funded, well-staffed software companies the world has ever seen was not capable of either matching or surpassing this level of robustness. This was already a standard feature of Linux before XP was released. That isn't the sort of "innovation" they keep talking about. It's more like a bad job of playing catch-up now that more recent Windows versions have improved in this area.
Windows is not merely the low-hanging fruit. It's more like the pre-chewed fruit that is already partially digested. Perfect security is of course not possible. But if you want to eliminate all the large botnets and spam networks, that's easy: make Windows security strong enough that automated attacks will not compromise it. Make it
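The least-privilege layout the post above describes (executables owned by root, readable and executable but not writable by the unprivileged user running them) can be checked mechanically. The following is an added example and is not code from the original post, from KDE or from Firefox. It builds a constructed sample tree under a temporary directory, then audits it for executables that an unprivileged process could overwrite; the file names and modes are made up for the demonstration, and the current user is treated as a trusted owner alongside root so the demo runs without root privileges.

```python
import os
import stat
import tempfile


def audit_executables(root, trusted_uids=(0,)):
    """Walk `root` and report executables that violate the least-privilege
    layout: an executable should be owned by a trusted account (root by
    default) and must not be writable by its group or by others. A file that
    fails either test could be replaced by an unprivileged process, which
    would then run with the privileges of whoever executes it next.

    Returns a sorted list of (relative path, octal mode, [problems])."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            mode = st.st_mode
            if not stat.S_ISREG(mode):
                continue  # only regular files are of interest here
            if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # not executable by anyone, so not in scope
            problems = []
            if st.st_uid not in trusted_uids:
                problems.append("owner uid %d is not trusted" % st.st_uid)
            if mode & stat.S_IWGRP:
                problems.append("group-writable")
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            if problems:
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(mode)), problems))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed sample tree (hypothetical names, not a real
    install) with one correct executable, two writable ones and one
    non-executable data file."""
    root = tempfile.mkdtemp(prefix="least-priv-demo-")
    layout = {
        "bin/help-viewer": 0o755,     # good: writable by owner only
        "bin/plugin-helper": 0o775,   # bad: group members can replace it
        "bin/updater": 0o777,         # bad: anyone can replace it
        "share/README": 0o664,        # not executable, ignored by the audit
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)  # chmod ignores the umask, so modes are exact
    return root


def demo():
    """Audit the constructed tree, trusting root and the current user as
    owners so the example runs unprivileged."""
    root = build_demo_tree()
    return audit_executables(root, trusted_uids=(0, os.getuid()))


if __name__ == "__main__":
    for rel, mode, problems in demo():
        print("%-20s %s  %s" % (rel, mode, ", ".join(problems)))
```

Run against a real prefix such as /usr/bin with the default trusted_uids, the same function flags any executable that a non-root account could overwrite, which is exactly the property the post relies on when it says Firefox cannot affect the KDE help binaries.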
Sheesh, blah blah blah. What your parent said isn't a talking point. His point was much better than yours in less words.
All a researcher has to do is notify MS. Give them a reasonable amount of time that you clearly specify (say a month) and then publicly disclose it.
Your disdain of MS shouldn't erode your common sense.
You have failed to address the issue I raised.
If its users were more discriminating and more willing to expect quality, I would have no reason to disdain MS. You act like any disdain on my part is an opinion or a matter of taste, and not like MS has soundly earned it.
Microsoft is a business. That means they will tend to do whatever makes them the most profit. If selling garbage makes profit for them, then they will sell garbage. If no one is willing to buy garbage, then they will be forced to sell quality. Therefore, Microsoft does whatever its paying customers are willing to put up with.
The point I raise, to restate it for you, is that this multibillion-dollar company with many highly skilled employees has both the expertise and the resources to design their systems in such a way that they do not suffer such vulnerabilities. They don't do this because they can profit without doing this; therefore, why would they go to the trouble when more effort means more expense? They can profit without doing this because their paying customers will tolerate insecure products. They think malware and other system compromises are an inherent aspect of owning a computer. If people who hold this false belief and use their money to support a vendor which caters to this false belief suffer because of this false belief, why should that trouble the rest of us? Are they not reaping what they sow?
Those of you who believe in confidential, discreet disclosure are implying that the effects on the customers should trouble the rest of us. I'm willing to entertain the idea, but to do that I need someone to tell me why Microsoft's customers are not merely reaping what they have sown. You have not addressed this. If you would like to, I'm all ears, but attempting to tell me that Microsoft's security history is irrelevant, that it's unfair to consider its business practices and priorities, or that I should ignore the fact that they have both the knowledge and the resources to deliver more secure products will never work with me. Please save that and your "blah blah blah" handwaving for the pushovers who are impressed by your assertions. As for me, I deal in facts.
Again, if you would like to actually address any of the issues I have raised, I'm all ears. The fact that you dislike my opinions has been noted, but does not constitute a worthy response.
Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).
I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up. Sorry but old and well-worn arguments aren't contributing much. They don't have much power to convince anyone who doesn't already subscribe to that viewpoint.
What I don't hear so much about is the incentive provided by full public disclosure. If you know that security vulnerabilities will be disclosed to the public, that this will result in security problems for your customers, that it will cause public humiliation for your company, is this not a strong incentive to secure your software in the first place? Confidential disclosure to the vendor only seems like it lets them off the hook a bit too easily. I'd normally be slow to view it that way, but Microsoft has a long history of such problems despite having tremendous resources it could dedicate to proactively eliminating them. They have the expertise, they have the money, they have the ability; what they lack is the will. There's simply no excuse for allowing a browser to influence built-in OS functions. I view this more like negligence on Microsoft's part and less like an unforeseeable event that could have happened to any vendor.
As far as causing the least harm to the end users, should we be concerned about this in the long run? In the short term this can be quite unpleasant, and I don't enjoy the idea that someone who just wants to get their work done might have problems because of something beyond their immediate control. But it's not entirely beyond their control. Microsoft could not possibly exist were it not for the users who purchase its products.
When its products malfunction in preventable ways, they make the Internet a worse place for everyone. I may run a relatively secure *nix machine, but I can still receive spam e-mail delivered by compromised Windows machines. So can everyone else. Since the situation could not possibly exist if not for Microsoft's users, is it really an injustice that they catch some flak when the entity they keep financially supporting fails to do its job? If they dislike this, should they not be a bit more careful about how they vote with their wallets and for whom they vote? I know the victim mentality is popular these days, but if you either know or could have known what you're dealing with, and continue to behave as though you do not and cannot know, should you cry foul when there are negative consequences?
Microsoft has a long history of problems like this. Anyone who deals with them and doesn't know that has simply failed to do their homework. The real "accomplishment" of Microsoft is that they, through their widespread presence, have convinced the general public that exploits, malware, and other security problems are a normal part of operating a computer. I'm not claiming that Microsoft's products are without merit; if they were, even the non-technical masses would not use them. I am merely skeptical of any notion that their positive contributions to this industry have outweighed their business practices and their negative contributions to this industry.
If they haven't done anything beyond circumventing DRM, why should we care? The harm comes from infringing copyrights, not from circumventing DRM. Anti-circumvention provisions are an "attack the tool" approach that's both ineffective and misguided.
Agreed, but unfortunately that won't stop them from financially (and/or by incarceration) ruining the lives of anyone they can catch doing it. Things like justice and sound policy are the least of their concerns.
It's like the way the Inquisitors obviously did not believe in the power of their religious message, but that didn't stop them from threatening and torturing (and worse) anyone whom they found inconvenient.
I'm not a lawyer, but for privacy reasons you can't touch someone else's property without their explicit consent.
And no matter what you put in the EULA you still can't get this permission.
You just discovered why I said "if not via EULA, then by some other mechanism". Tell me, do you even read the posts to which you reply? They were not lengthy in this case.
Just because I mention the EULA as one possible way to do the job, does not mean we need to fixate on the EULA as the One And Only Possible Method and discuss it to the exclusion of all other possibilities. My post was asking the question of whether we can get the job done, full-stop. The job would be having a vendor take care of things like malware scans because average users sure as hell aren't doing well in this area. If one method (such as authorization via EULA) won't work, then another can be used. What I'd like to know is what the available, realistic options are or whether there is simply no feasible way of arranging this.
While I appreciate the 2-3 word statement of the obvious in reply to a more nuanced issue, it unsurprisingly does not address my question.
There are already things with about this level of absurdity in the MS EULA and in those of other proprietary software companies. Why is the removal of Windows infections so highly illegal and/or impossible under current law? If not via EULA, then by some other mechanism, is not (ideally informed) consent the only requirement here? Or is there some legal reason why Microsoft could not conduct malware scans even if they had a signed waiver from the customer?
If it were that easy to check for and find all infections, we wouldn't have them.
This ain't the problem.
The problem is that you are not allowed to fix a computer that isn't yours without the explicit consent of the owner.
When were things like this ever an issue for Microsoft or any other well-lawyered corporation? Just change a few lines of the EULA and suddenly they have all the authorization they need.
I agree.. if you don't like it.. don't do it. No one is forcing you to. Others may not have the same concerns and would be more than happy to do that job, so I'm sure it won't bother them too much.
Those others and their indifference is part of the problem. If this university is doing this, you can bet that others have considered it. If this is successful and does not receive much opposition, others will follow suit. The result is that the people who do care about privacy are going to have fewer ways to protect it. So no one is forcing you to support this right now but when every such institution adopts these requirements, that will change. Of course by that time there'll be little or no hope of doing anything about it because it will be entrenched.
It's similar in some ways to the relative uniformity of cellphone service plans in the USA despite the multiple competing companies that offer it. A few such companies established pricing and service plans and were successful, so others adopted similar business practices. The result is that there's little actual innovation in the industry. None of the cellphone companies has any incentive to rethink their pricing, so I as a customer cannot vote with my wallet if I want, for example, text messaging prices that realistically reflect the actual cost of delivering SMS.
I'm sure there is a whole litany of reasons why an institution wants biometric identification. I'm sure that some of those justifications are reasonable enough. I just don't care, to be honest with you. I don't want to live in a surveillance society. If that means a few more unauthorized users gain access, or if that means a few more criminals avoid detection, I'm fine with that and more than willing to take my chances. Only cowardice would make me feel differently. It is obvious to me that a surveillance society is like a totalitarian state; it is created by means of baby steps. Each baby step down that path looks harmless enough at the time and plenty of useful idiots will sing the mantra of "I've got nothing to hide, so I'll surrender my privacy to anyone who asks." Stop this early when it seems minor and benevolent and you avoid the tremendous problems that become inevitable otherwise.
I used to work at a job that required using an ID card to clock in and out. If you left it at home it was a huge hassle to get a temporary ID card. Forget it too many times and they started to take disciplinary action. I'd rather use my fingerprint to 'clock in' than try and remember to bring my ID card every day when the only function of that card was to clock in and out.
I'm sorry but I believe in fixing problems at their source. This is simple forgetfulness that a little self-discipline can easily solve. The privacy of every member of society that is never coming back once lost is far more important than the very minor inconvenience to you of learning to bring your ID card to work. To say otherwise is supreme selfishness and amounts to forcing your beliefs about privacy on everyone else. Those who like privacy appreciate that about as much as you'd appreciate being forced to practice a religion you don't believe in. I don't think you really are this selfish; I just think you're not considering the full implications of your position.
Privacy is a good default; anyone who doesn't want it can always become an exhibitionist with their personal information if that's what they want to do. I won't try to find ways to stop them since it's their choice and, unlike this slippery slope, doesn't affect me in any way either real or potential. Anyone who thinks that this won't grow and expand if it isn't stopped, who believes that the companies producing biometric machines won't seek new markets and new customers, who really thinks that no one would ever want to retain and datamine such detailed information about your habits and whereabouts, is frankly rather naive.
Somehow I still doubt it will work. People don't like being told they can't have their way and someone will find a way to give them what they want anyways.
Yeah, the 1920s proved that.
I used to think that people don't learn history. They do. What they don't learn is the ability to see how the current, "new" situation is similar to things that have happened before under similar conditions and can be expected to yield the same results. So every new development like this is a surprise to them. When it succeeds only in creating a market (underground, if need be) for non-compliant players that do what the customer wants, I guess the businesses behind this will be surprised too.
If this is all the "executives" can come up with, the company is better off dead. Kill it. Kill it before the USA becomes known as the Zombie Nation.
Too late for that.
or
How to cause millions of Americans to sincerely adopt a particular fashion, mannerism, or style of speech and wholeheartedly believe that this is their true nature and always has been from the moment they were born: get a popular celebrity to do it first. Then they'll passionately defend it as though it were their own idea because they have no real identity; they long ago de-emphasized such things as family and community that could have provided one. You'll be accused of failing to understand if you think there is something wrong with this or question it in any way, not that this should stop you.
There's a historical context to consider. The poster child for "States' Rights" is legalized discrimination against "blacks". I'm sure that's not what you're talking about here, but when you ship content across jurisdictions, you have to think about how it might be viewed by others:-).
Probably because Abraham Lincoln is often remembered as some sort of noble hero, when actually he ignored the highest law of the land to fight an illegal war that caused the deaths of many thousands of people. He was also known for jailing people, and worse, merely for speaking out against his policies, which happened without trial or any other form of due process. So, even the First Amendment didn't mean very much to this President since the war gave him an excuse to ignore it. What John Wilkes Booth did was wrong, but it didn't happen in a vacuum. It probably could have been avoided by impeaching Lincoln; maybe then Booth wouldn't have felt a need to take matters into his own hands.
I know it's history but this is what really established the precedent of a federal government that can and will trample Constitutionally-granted states' rights whenever it wants. A federal government that's willing to kill thousands of people to preserve its ability to do so. A federal government that takes actions not because the Constitution grants it the authority to do so, but because there is not enough political opposition to stop it. A "because we can" government that doesn't care very much about the legitimacy of its authority.
What it once did with violence, it now does with the power of the purse. The racket these days is for the feds to tax the citizens and then give that (i.e. their own) money back to their state if and only if it approves of their policies. It's how we ended up with the near-universal 55mph speed limit, the universal drinking age of 21, and other examples of unconstitutional federal meddling and micromanaging of intrastate affairs (as opposed to the constitutionally-granted regulation of interstate affairs). The concept here is simple. The way they'd like to do things, by directly passing laws to control states, is illegal; so they found another way to indirectly accomplish the same goal. You see this all the time in politics. They have no respect for the Constitution; they just see it as something to find clever ways to maneuver around.
The removal of institutional discrimination against any group of people is a noble goal, but we have to be very careful about the use of "ends justify the means" rationalizations. That kind of thinking is the foundation of every dictatorship and totalitarian state that ever existed. Every seizure of power is always "to stop a threat" or to "protect the children". Everyone who opposes, or even supports it but opposes merely the methods, is always called "unpatriotic". No politician is dumb enough to say "nah, those are just excuses, we really just want power and we'll take it for any reason or no reason at all."
Another commenter notes that the language code of the trojan is Chinese.
I think that American businesses should strongly reconsider the merits of having their goods produced in a highly authoritarian state that is known to employ hackers.
I think that would rule out the USA as well, at least at the federal level.
Increasingly, it's not good enough that you said what you did say, and chose not to say what you clearly haven't said. "SSDs found to be no better than platters!" Is that true or false? It's true. Given a specific set of parameters, SSDs were found to be no better. So, does that mean they *are* no better? Nope. It means they are better but that the differences between them and platters are such that the bottleneck has changed to something other than the drive. However, the implication is that SSDs have some limit that holds them back. Where do you draw the line between accurate and limited scope, to a scope so limited that it strongly implies something untrue?
My comment was not intended to cover the actual subject matter of the article (SSD performance with RAID). It was intended only to cover the methods by which this discussion, and other unrelated discussions, unfold and the techniques used by those who participate. It so happens that an example of what I was talking about showed up in a discussion about SSDs but that's the only connection to them.
I take no pleasure in reading something that appears to be intentionally condescending and so seek pleasure elsewhere. 'Saving time' is the wrong idea; it is about making the best use of the time available.
Thank you for taking the time to clarify this for me. I hope this discussion wasn't too tedious and I truly appreciate being able to discuss this with you in a calm, non-Flamebait sort of way. With all the other people who are so eager to engage in petty pissing contests, this is most refreshing.
As far as I can tell, this is just a matter of personal taste. My own is a bit different. If a post really is snotty etc., that's an opportunity for me to do something about that if I don't like it. Whenever there is a choice, I'd generally prefer to change (rather than avoid) what I believe is lacking. Sometimes that means directly confronting the tactics used; most of the time it means leading by setting (what I believe to be) a better example.
If I screw that up, the person I deal with will view me as an adversary and will then be unwilling to consider anything I suggest no matter how well-founded. Lots of people just want to be "right", especially when they think (falsely in my case) that you're an adversary who will lord it over them if they admit fault.
If I don't screw that up and do it correctly, then I can give the person something to think about that may even change their mind on how they do things. Those who have done this for me have rendered a great service onto me, and I have learned many things this way. I feel privileged if I can contribute something similar. Even the most stubborn people will often reconsider things if you can overcome their assumption that you operate from a need to make them wrong so you can feel right. To me, the key to this is the recognition that you cannot convince anyone of anything without their active participation.
I see this rather often on Slashdot and elsewhere. It's becoming a part of our collective culture it seems.
Increasingly, it's not good enough that you said what you did say, and chose not to say what you clearly haven't said. There's this unspoken expectation that you also have to actively disclaim things you clearly are not claiming, otherwise some clever individual who really wants to be "right" is going to assume that your lack of a disclaimer amounts to tacit support of whatever was not disclaimed. This leads to a great deal of both intentional trolling and unintentional creation of strawmen. Both invite unnecessary follow-up posts designed to correct unfounded assumptions.
I wonder if this comes from modern politics where the audience is generally "hostile" in the sense that it's eager to twist words and demagogue positions with which it may disagree. That's a poor substitute for good reasoning, for showing that there are substantive reasons to disagree. So much of politics is done by handling complex, nuanced issues with 20-second soundbites that I can see how it happens there. On Slashdot, it seems to lower the quality of discussion for no good reason.
I suppose the difference is this: I never feel like the way I relate to anything is determined by how someone chooses to exercise their free speech rights. So, he can say whatever he likes, I need not feel that it represents me. It represents only his subjective viewpoint. Whether he's correctly or incorrectly assuming a relationship between the reader and the writer is his problem.
Personally I didn't detect anything nefarious or manipulative there. "Dear reader" and "beseech" are merely antiquated terms that were once much more common. The only thing these indicated to me is that perhaps this person is significantly older than I am, which again isn't something I would frown upon. It would take actual evidence of malicious intent for me to reconsider this.
I appreciate your honesty. I agree it's difficult to do that, but worthwhile. Most people rarely see an example of snottiness overcome by grace. Usually if snottiness is overcome by anything, it's by someone who's even better at being snotty. It's one of the reasons why the world is the way that it is. Note, I am not agreeing that the GGGP post was actually snotty. I am merely saying that if you're right about that, it's my personal opinion that there are better ways to handle it.
I don't really understand this part. I don't have to know all human beings to fairly treat a particular person in front of me. By that standard, no one would ever be fair towards anyone. Clearly there is at least some fairness in the world, so others have found ways to be fair without having to talk to every human on the planet or read every written work on the planet.
I also don't understand the need to save time since reading Slashdot is a leisure activity. In my opinion, it makes no sense to apply production metrics to it, like the number of posts read per hour or the time spent per post. Of course, it is not necessary that I see this your way, but this isn't the first time I've seen fellow Slashdotters show some concern about their Slashdotting efficiency. It's possible that I'm the oddball here because I don't view it this way.
Simple: Gaining consent within the existing legal framework.
The problem with that is that building upon the existing legal framework amounts to an endorsement of that framework. It gives the illusion that the framework "works" and is not fundamentally broken whenever such products are successful in spite of it. It further entrenches something that really should be reformed.
Besides, there's nothing under the current legal framework that would prevent the copyright holder from releasing a DRM-free electronic copy of a book to a library. They are free to do that anytime they want. For the most part, they prefer to restrict information and it is those restrictions that the legal framework enables.
The main reform I would advocate is a return to a 12-year copyright term. Twelve years was considered adequate back when the most advanced technology for the dissemination of information was movable type. Now during those same twelve years a publisher can produce many more copies at a much lower cost, reach many more people, and make more sales. Yet that's not good enough for them because copyright has become another entitlement. Once this mentality is changed, namely by society's refusal to continue supporting it, I believe that related issues like DRM will rather easily sort themselves out.
I might have read your comment more closely if it wasn't written in an obviously preachy tone.
As it is, you missed me. Sorry.
I didn't find the tone too preachy, perhaps because I've seen far worse. I'd call the GP's post "impassioned" not "preachy", myself. As in, it contains a bit more feeling than a bunch of mathematical equations, but quite a bit less than anything I would consider calling "zealotry". Considering that people who want copyright reform generally view the current system as profoundly unjust and exploitative, I believe GP was rather restrained in his approach.
Even if I thought it was the worst example of pontification ever written, that would never stop me from deriving all possible useful information from it, or from understanding why the author was motivated to write that way. It's not personal, but honestly when I see posts like yours, the first thought that occurs to me is "get over yourself" because it contributes little or nothing. Not everyone is a good writer, and not all good writers agree on how to best reach an audience. Therefore, it makes sense to be willing to give people some slack on this, especially when they're not seeking advice on composition.
The irony is that you're being rather condescending yourself (as if to say "your style isn't worthy of me") while complaining about his tone. At the same time you seem to believe that losing you as an audience is a great loss for which you are sorry; maybe this is a "bandwagon appeal" meant to imply that your disdain represents the majority of readers. It's just the truth that not everyone is going to write in a way that you can personally appreciate. You have no choice about this.
The choice you have is whether a style you dislike is going to be an obstacle for you. You can determine whether a thing like that is going to stop you from participating in an otherwise good discussion, from responding to a post that otherwise makes a number of good points. The GP either has a valid point and a defensible position, or he has no such thing, and this is independent of the tone and style with which it is expressed.
Yes, these people should be punished. But I agree with Spain's prison/court system when they say that prison is for violent crime. There are other ways to punish people and have them be productive to society, instead of rotting in prison. Sure, there may be special cases, but for the most part if you're not a physical danger to people then there's no need to keep you separated from the population.
Any effort spent punishing them would be better put towards hardening the targets. If you're interested in the prevention of similar events in the future, that is.
It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.
My disagreement here is that you don't need to prompt the user or enable any highly exotic verification to prevent the exploit that is the subject of this article. All you need is some decent sandboxing. Yet one of the most powerful, resourceful, and well-staffed software companies in the world failed to implement it for this version of Windows. Something there does not add up.
In my opinion, you are engaging in quite a bit of hyperbole there. On my Linux system, the "help" function (in my case, a part of KDE) is implemented by binary executables that are owned by the root user while readable and executable (but not writable) by the user who is running them. Firefox, which runs in a similar fashion and also has the privileges of my normal non-root user, cannot affect the KDE online help even if it wanted to. This is an example (and not the best one) of the principle of least privilege. Firefox doesn't need to have the power to modify other parts of the system, so it has no such power. Simple.
There's no need for me to enable any extra confirmation dialogs, or anything else in order to achieve this. I simply enjoy it as part of the fundamental design of this operating system. I have a very hard time believing that one of the most well-funded, well-staffed software companies the world has ever seen was not capable of either matching or surpassing this level of robustness. This was already a standard feature of Linux before XP was released. That isn't the sort of "innovation" they keep talking about. It's more like a bad job of playing catch-up now that more recent Windows versions have improved in this area.
Windows is not merely the low-hanging fruit. It's more like the pre-chewed fruit that is already partially digested. Perfect security is of course not possible. But if you want to eliminate all the large botnets and spam networks, that's easy: make Windows security strong enough that automated attacks will not compromise it. Make it
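The least-privilege arrangement described a few posts above (system binaries owned by root, readable and executable by an ordinary user but not writable by that user, so a browser running as that user cannot tamper with them) can be checked mechanically. The following is an added example, not code from the page or from any commenter; it assumes a POSIX filesystem, and the directory to audit and the expected owner uid are parameters chosen by the caller rather than values from the page.

```python
"""Audit a directory tree for files an unprivileged process could modify.

Added example (not from the page): flags anything under ``root`` that is
writable by group or others, or that is not owned by the expected uid.
The idea is the least-privilege property discussed above: a process running
as an ordinary user must not be able to alter shared executables.
"""
import os
import stat
import sys
from pathlib import Path

# Permission bits that let someone other than the owner write the object.
NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_tree(root, expected_uid=0):
    """Return a sorted list of (path, reason) findings under ``root``.

    Directories are checked as well as files, because a writable directory
    lets a user replace the files inside it even if the files themselves are
    read-only.  World-writable directories with the sticky bit (like /tmp)
    are allowed, since the sticky bit stops users from deleting or renaming
    entries they do not own.  Symlinks are skipped: their own permission bits
    are not meaningful on Linux.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            if st.st_uid != expected_uid:
                findings.append(
                    (str(path), f"owned by uid {st.st_uid}, expected {expected_uid}")
                )
            if mode & NON_OWNER_WRITE:
                sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
                if not sticky_dir:
                    findings.append(
                        (str(path), f"writable by non-owner (mode {stat.S_IMODE(mode):o})")
                    )
    return sorted(findings)


if __name__ == "__main__":
    # Default target is an assumption for illustration; pass any directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, reason in audit_tree(target):
        print(f"{path}: {reason}")
```

Run it against a directory of shared binaries as an ordinary user; an empty result means nothing there is modifiable by a non-root process, which is exactly the property the post relies on. Ownership by uid 0 is the default expectation, but a site that installs software under a dedicated service account can pass that account's uid instead.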
Sheesh, blah blah blah. What your parent said isn't a talking point. His point was much better than yours in fewer words. All a researcher has to do is notify MS. Give them a reasonable amount of time that you clearly specify (say, a month) and then publicly disclose it. Your disdain of MS shouldn't erode your common sense.
You have failed to address the issue I raised.
If its users were more discriminating and more willing to expect quality, I would have no reason to disdain MS. You act like any disdain on my part is an opinion or a matter of taste, and not like MS has soundly earned it.
Microsoft is a business. That means they will tend to do whatever makes them the most profit. If selling garbage makes profit for them, then they will sell garbage. If no one is willing to buy garbage, then they will be forced to sell quality. Therefore, Microsoft does whatever its paying customers are willing to put up with.
The point I raise, to restate it for you, is that this multibillion-dollar company with many highly skilled employees has both the expertise and the resources to design their systems in such a way that they do not suffer such vulnerabilities. They don't do this because they can profit without doing this; therefore, why would they go to the trouble when more effort means more expense? They can profit without doing this because their paying customers will tolerate insecure products. They think malware and other system compromises are an inherent aspect of owning a computer. If people who hold this false belief and use their money to support a vendor which caters to this false belief suffer because of this false belief, why should that trouble the rest of us? Are they not reaping what they sow?
Those of you who believe in confidential, discreet disclosure are implying that the effects on the customers should trouble the rest of us. I'm willing to entertain the idea, but to do that I need someone to tell me why Microsoft's customers are not merely reaping what they have sown. You have not addressed this. If you would like to, I'm all ears, but attempting to tell me that Microsoft's security history is irrelevant, that it's unfair to consider its business practices and priorities, or that I should ignore the fact that they have both the knowledge and the resources to deliver more secure products will never work with me. Please save that and your "blah blah blah" handwaving for the pushovers who are impressed by your assertions. As for me, I deal in facts.
Again, if you would like to actually address any of the issues I have raised, I'm all ears. The fact that you dislike my opinions has been noted, but does not constitute a worthy response.
Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).
I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up. Sorry but old and well-worn arguments aren't contributing much. They don't have much power to convince anyone who doesn't already subscribe to that viewpoint.
What I don't hear so much about is the incentive provided by full public disclosure. If you know that security vulnerabilities will be disclosed to the public, that this will result in security problems for your customers, that it will cause public humiliation for your company, is this not a strong incentive to secure your software in the first place? Confidential disclosure to the vendor only seems like it lets them off the hook a bit too easily. I'd normally be slow to view it that way, but Microsoft has a long history of such problems despite having tremendous resources it could dedicate to proactively eliminating them. They have the expertise, they have the money, they have the ability; what they lack is the will. There's simply no excuse for allowing a browser to influence built-in OS functions. I view this more like negligence on Microsoft's part and less like an unforeseeable event that could have happened to any vendor.
As far as causing the least harm to the end users, should we be concerned about this in the long run? In the short term this can be quite unpleasant, and I don't enjoy the idea that someone who just wants to get their work done might have problems because of something beyond their immediate control. But it's not entirely beyond their control. Microsoft could not possibly exist were it not for the users who purchase its products.
When its products malfunction in preventable ways, they make the Internet a worse place for everyone. I may run a relatively secure *nix machine, but I can still receive spam e-mail delivered by compromised Windows machines. So can everyone else. Since the situation could not possibly exist if not for Microsoft's users, is it really an injustice that they catch some flak when the entity they keep financially supporting fails to do its job? If they dislike this, should they not be a bit more careful about how they vote with their wallets and for whom they vote? I know the victim mentality is popular these days, but if you either know or could have known what you're dealing with, and continue to behave as though you do not and cannot know, should you cry foul when there are negative consequences?
Microsoft has a long history of problems like this. Anyone who deals with them and doesn't know that has simply failed to do their homework. The real "accomplishment" of Microsoft is that they, through their widespread presence, have convinced the general public that exploits, malware, and other security problems are a normal part of operating a computer. I'm not claiming that Microsoft's products are without merit; if they were, even the non-technical masses would not use them. I am merely skeptical of any notion that their positive contributions to this industry have outweighed their business practices and their negative contributions to this industry.
Agreed, but unfortunately that won't stop them from financially (and/or by incarceration) ruining the lives of anyone they can catch doing it. Things like justice and sound policy are the least of their concerns.
It's like the way the Inquisitors obviously did not believe in the power of their religious message, but that didn't stop them from threatening and torturing (and worse) anyone whom they found inconvenient.
I'm not a lawyer, but for privacy reasons you can't touch someone else's property without their explicit consent. And no matter what you put in the EULA you still can't get this permission.
You just discovered why I said "if not via EULA, then by some other mechanism". Tell me, do you even read the posts to which you reply? They were not lengthy in this case.
Just because I mention the EULA as one possible way to do the job, does not mean we need to fixate on the EULA as the One And Only Possible Method and discuss it to the exclusion of all other possibilities. My post was asking the question of whether we can get the job done, full-stop. The job would be having a vendor take care of things like malware scans because average users sure as hell aren't doing well in this area. If one method (such as authorization via EULA) won't work, then another can be used. What I'd like to know is what the available, realistic options are or whether there is simply no feasible way of arranging this.
EULA != law
While I appreciate the 2-3 word statement of the obvious in reply to a more nuanced issue, it unsurprisingly does not address my question.
There are already things of about this level of absurdity in the MS EULA and in those of other proprietary software companies. Why is the removal of Windows infections so highly illegal and/or impossible under current law? If not via EULA, then by some other mechanism, is not (ideally informed) consent the only requirement here? Or is there some legal reason why Microsoft could not conduct malware scans even if they had a signed waiver from the customer?
We can, just as soon as XKCD makes a comic about Seinfeld.
If it were that easy to check for and find all infections, we wouldn't have them.
This ain't the problem. The problem is that you are not allowed to fix a computer that isn't yours without the explicit consent of the owner.
When were things like this ever an issue for Microsoft or any other well-lawyered corporation? Just change a few lines of the EULA and suddenly they have all the authorization they need.
It was incredibly good for the economy, if by "economy" you mean "campaign funds."
This is a much bigger threat to freedom and democracy than terrorism ever could be.
I wish I could attribute the saying, but here is how I've heard it said: If your law requires a police state to enforce, then your law is a bad law.
The very fact that these meetings were held in secret was a dead giveaway that nothing in our interests is going on in there.
You can thank sound bites and modern politics for that.
Those others and their indifference are part of the problem. If this university is doing this, you can bet that others have considered it. If this is successful and does not receive much opposition, others will follow suit. The result is that the people who do care about privacy are going to have fewer ways to protect it. So no one is forcing you to support this right now but when every such institution adopts these requirements, that will change. Of course by that time there'll be little or no hope of doing anything about it because it will be entrenched.
It's similar in some ways to the relative uniformity of cellphone service plans in the USA despite the multiple competing companies that offer it. A few such companies established pricing and service plans and were successful, so others adopted similar business practices. The result is that there's little actual innovation in the industry. None of the cellphone companies has any incentive to rethink their pricing, so I as a customer cannot vote with my wallet if I want, for example, text messaging prices that realistically reflect the actual cost of delivering SMS.
I'm sure there is a whole litany of reasons why an institution wants biometric identification. I'm sure that some of those justifications are reasonable enough. I just don't care, to be honest with you. I don't want to live in a surveillance society. If that means a few more unauthorized users gain access, or if that means a few more criminals avoid detection, I'm fine with that and more than willing to take my chances. Only cowardice would make me feel differently. It is obvious to me that a surveillance society is like a totalitarian state; it is created by means of baby steps. Each baby step down that path looks harmless enough at the time and plenty of useful idiots will sing the mantra of "I've got nothing to hide, so I'll surrender my privacy to anyone who asks." Stop this early when it seems minor and benevolent and you avoid the tremendous problems that become inevitable otherwise.
I'm sorry but I believe in fixing problems at their source. This is simple forgetfulness that a little self-discipline can easily solve. The privacy of every member of society that is never coming back once lost is far more important than the very minor inconvenience to you of learning to bring your ID card to work. To say otherwise is supreme selfishness and amounts to forcing your beliefs about privacy on everyone else. Those who like privacy appreciate that about as much as you'd appreciate being forced to practice a religion you don't believe in. I don't think you really are this selfish; I just think you're not considering the full implications of your position.
It seems that lately every manufacturer is trying to impose a new standard in order to maximize their future sales.
I guess creating quality products that people want to buy and delivering them at competitive prices is not exciting enough anymore.
The removal of institutional discrimination against any group of people is a noble goal, but we have to be very careful about the use of "ends justify the means" rationalizations. That kind of thinking is the foundation of every dictatorship and totalitarian state that ever existed. Every seizure of power is always "to stop a threat" or to "protect the children". Everyone who opposes, or even supports it but opposes merely the methods, is always called "unpatriotic". No politician is dumb enough to say "nah, those are just excuses, we really just want power and we'll take it for any reason or no reason at all."