Slashdot Mirror


User: causality

causality's activity in the archive.

Stories: 0
Comments: 4,788

Comments · 4,788

  1. Re:We need Groklaw for the next war, not the last. on Groklaw Shifts Gears, Now Stressing Preservation · Score: 4, Funny

    The legal system as it is, is the OS of our society.

    That's pretty damned scary.

    I have finally understood it! Society is running Windows! That's why the legal system is slow, overly complex, buggy, expensive, designed by marketing I mean campaign contributions, applies itself to things that are not legal problems, and not under the control of the average end users! Suddenly it makes sense.

    The legal system as it is, is the OS of our society.

    Yeah, that's still pretty scary.

  2. Re:...and TiVo HD on LG High-Def TVs To Stream Netflix Videos · Score: 2, Insightful

    About 'Instant Queue', it's a security feature. They want you to queue your movies by logging into your account, because they assume you might attach your neighbor's TiVo to the service, but not share your NetFlix account details with them.

    This makes me think of security in general (not just this example of how NetFlix protects their own interests) and how it will apply to this arrangement.

    This is the second paragraph of the fine article:

    In a partnership to be announced Monday, LG Electronics will start selling high-definition TV sets that stream Netflix videos directly from the Internet, without an additional device. The deal marks the first time Netflix's streaming service will be embedded in a television.

    A TV that has a network connection and can use TCP/IP to stream video from NetFlix can also be attacked over the network. The article is extremely light on any sort of technical details. That makes me wonder how "smart" these TVs will be, how much processing power they have, whether they will make use of an embedded general-purpose OS like Windows CE that could be made to do many things (like participating in a botnet) once a compromise has occurred.

    Maybe right now that's not a likely scenario, but wait until this becomes cheaper and more widespread. When everyone or nearly everyone has network-connected appliances we're going to start seeing attacks against them. Those attacks will be largely successful, enough to ensure that malware actively thrives "in the wild", if security is an afterthought. Virus scanners and other removal tools are after-the-compromise damage control only and so they cannot decisively prevent this scenario, no matter how well implemented. This is a chance to learn from the mistakes made with both the culture and implementation of Windows security (I was going to say "PC security" and reconsidered) and avoid the endless "malware vs. antimalware" arms race and the cottage industry that perpetuates it. The only way to do that is to start thinking about this now, from the beginning, and design it that way from the start. That's why it bothers me a bit that I'm not hearing anything about this from the vendors. Anyone who thinks this is absurd or unlikely needs only to look at how quickly digital picture frames were compromised and used to attack other systems.

    I'm not saying that the goal is to have perfectly secure systems. I'm aware that this is a fantasy. What I believe is attainable, though, is to make compromise difficult enough that automated malware cannot thrive in the wild. Building a real security model from the ground up, not as an afterthought now that something's happened, is a good way to do this. Avoiding a monoculture where a single exploit can target tens of millions of machines is another. I think it really would be inexcusable to repeat the mistakes of the past and cause that much grief for that many people when these are no longer new problems that we are facing.

  3. Re:The real problem on The Exact Cause of the Zune Meltdown · Score: 1

    I think it DOES relate to playing the media. You have to renew your licenses regularly for music that you get on a "rent for $X a month" to make sure you're actually still subscribed. Those licenses are issued to last from date A to date B - it has to check that any DRMed media is within the time period for a valid license.

    Wouldn't that be interesting if the enforcement of DRM is the only reason why a device dedicated to playing media would ever need to worry about things like dates and leap years? "Sorry folks, this show-stopper happened only because we wanted to implement a feature that none of you have asked for and that many of you are vehemently against. We put customers first. Really, we do!"

    I can understand some basic time functions to track minutes/seconds/etc as media is being played, but does anyone know of any reason other than DRM why a media player would need this kind of calendar function? If there are none, then I can't say I'm sad to see a good iteration of the "needless complexity" argument against DRM. Those who are thinkers see such a possibility as an eventuality and incorporate it into their views of the subject, whatever those may be. However, the vast majority of the population needs concrete examples like this before they recognize the potential disadvantages of buying, and thus using their dollars to reward, systems and features that are not in their own interests.

  4. Re:time wasted in pointless tasks.... on Linux In 2009 — Recession vs. GNU · Score: 1

    But this is unlikely to happen, because these shops make their money repairing broken windows installs

    Could this be an example of the broken window fallacy?

    Ok, you can mod me into oblivion now ...

  5. Re:Kill!!! on Tales From the Support Crypt · Score: 1

    Actually, I'd go so far as to say it is now way more than just that. There has always been a percentage of the population that is unable to apply critical thinking simply due to the way they are. The part that frightens me the most is the trend in the past 20 years towards critical thinking being considered a negative thing. Anyone making consistent use of critical thinking will find out very quickly that thinking is no longer popular. There are a large number of people I KNOW are able to approach problems in this fashion, but refuse to do so as that just isn't popular.

    I'm sorry but if they are that much more concerned about being popular, then either they are cowards or they do not deserve the credit for thinking ability that you are giving them.

    It kinda sucks, but being well adapted socially requires a high tolerance for statements that make absolutely no sense.

    "It is no measure of health to be well adjusted to a profoundly sick society." - J. Krishnamurti.

    At some point you need your own idea of what health (mental and physical) looks like and you need the strength to continuously refine that idea and try to live up to it regardless of what anyone else is doing. This is the fallacy of the current method of defining who is and is not "well-adjusted". It is defined more in terms of what everyone else is doing and less in terms of objective criteria.

    I have studied psychology and found it to be superficial and unsatisfying compared to Eastern philosophy (non-theistic philosophy, not religion) in terms of finding real answers to why we have the problems that we do. In fact, manipulating outward behavior is about the only thing at which modern psychology seems to excel. I reject the notion that it should be used for this purpose, as the centrally managed existence is the very antithesis of people who think for themselves and live their own lives. I am not a therapist and I am not a psychologist, so what follows is the product of my own critical thinking and nothing more.

    The number of people I know who are not and have never been on some kind of anti-depressant or other psychological medication is a short list indeed. I believe our society is sick; in fact, "collective madness" is probably not too strong of a term to use. It is quite natural that a healthy person will be unhappy or otherwise suffer from living in a society that is not only sick but also shows no real interest in getting well. For various reasons, we don't really like to deal with underlying causes and put them to rest. So we see each case of this as a list of symptoms and we have become very clever at creating medications that address those symptoms without seriously questioning why they exist and why they are increasing. We give those to people who aren't happy here and tell them to buck up, meanwhile no truly satisfying improvements to the way we live occur. I am not saying that there are no people who truly need to be medicated, only that they didn't get that way in a vacuum.

    It seems to me like this sense of "obvious cognition == bad call" has been on the rise especially in the generations born after 1985. I do not know what happened to overall education in the early 90s in North America (not just schooling but also parental and societal exposures as well), both in Canada and the States, but it has destroyed the DESIRE to think critically in a large portion of the younger populace.

    The educational system as we know it today was created by people who wanted to meet the needs of business during the Industrial Revolution. The biggest fear of the Industrial Revolution tycoons was "overproduction", that is, they saw the American traditions of independence and self-sufficiency and the entrepreneurial spirit as tremendous threats to their control of markets that required large initial investments. The current educational system was (openly) designed to produce people who kne

  6. Re:Kill!!! on Tales From the Support Crypt · Score: 1

    despite my going to school for and being employed as a computer programmer, despite my having played hundreds more hours of video games than her, despite clear visual evidence within the game itself, no suggestion, no explanation, no comment of any sort on my part could convince her that only SOME of the characters we killed would actually drop a weapon. She just HAD to check every single dead body for a weapon, not by looking on screen, but by running over their dead body with her character.

    I think this has more to do with her inability to admit that she was wrong than with your credentials or your competence. Lots of people, especially authority figures and significant others, seem to think that they are saving face or preserving respect by never admitting that they were wrong or made a mistake, when the reality is that refusing to admit when you were wrong when it's painfully obvious is a great way to lose respect. I'm not really sure where this idea comes from. It's as though such people are constantly evaluating everything in terms of "who comes out of this looking superior?" This is a self-imposed limitation like any other. It's a shame because as long as this is true, it guarantees that they will never understand that you can be a human being and make mistakes and learn from them without anyone being superior or inferior to anyone else.

    Needless to say, it made the game take quite a bit longer, and killed any desire I had to play video games with her, or try to carry on any rational semi-intelligent conversation. If you don't have that, man, then you've really got less than nothing when the sex runs out ;-)

    As soon as it does run out, that's when you find out whether it was another fling or if you really have something good.

  7. Re:Family Provide Our Best Stories on Tales From the Support Crypt · Score: 1

    > The GP suspected a virus before he suspected an upside-down mouse because he was giving some benefit of doubt; No, he suspected a virus before he suspected an upside-down mouse because he has roughly the same level of intelligence as his parents, who were having the problem, and that's being charitable.

    There's this idea that smart people cannot make very stupid mistakes and unfortunately, that just isn't so. You can have all the "brainpower" you like and you will still fail if you have bad data, faulty assumptions, bias, or if your emotions/personal feelings are clouding your judgment.

    You're now addressing the motivation or the cause of the benefit of doubt ("benefit of doubt" in the sense of "assumption of competence"). My impression was that the benefit of doubt occurred because of his personal feelings about his parents, in that it may not have been given to a client who is a complete stranger, or maybe it occurred because his parents are otherwise intelligent/skillful in other areas. Meanwhile, you contend that benefit of doubt occurred because of a low level of intelligence. Neither of us really knows the reason why. By that I mean you cannot rigorously prove beyond all doubt what you believe to be the case and neither can I.

    All I was saying is that an assumption of competence (I called this "benefit of doubt") happened and that it greatly complicated the problem-solving, and that he now knows why such benefit of doubt or assumption of competence is so rare. The point I was making really does not depend on why it happened. It could have happened for a third reason that neither of us has thought of and still my point would stand. So, to be honest with you, this looks like you just wanted to put someone down and does not look very much like you are raising an important objection or bringing new information to light.

  8. Re:Kill!!! on Tales From the Support Crypt · Score: 1

    Whatever problem we have, it is always an imposition on their precious time which never involves teaching us enough so that we won't be in their office in another 6 months

    I would be quite delighted to encounter a user who is interested in learning. That's the kind of person for whom I would go well out of my way to help. Most of the time, they don't know and they don't want to know and they resent the very idea of ever wanting to know. This includes situations where the initial problem would never have happened if they would learn a little more about how to use the system. What the majority of users seem to want is for the administrator to wave a magic wand and solve all of their problems without involving the user at all, even though the fact is that user error is the primary cause of support calls. I call them "permanent newbies" because these are the folks who can use a machine for five years without learning much more about it than what they knew the first day. If you are one of the rare users who accepts the very natural idea of becoming gradually more knowledgeable about a machine the more you use it, please understand how unusual this is.

    when we cannot recall the magic incantations since the problem was never fully explained to us in the first place...leading the sainted admins to crack wise knowing inside jokes about the stupidity they manage to put up with (read: instill) in their users.

    If you want to conduct an experiment, try working in a sysadmin type of role. Wait for a user to call you up and attempt to fully explain the nature of the problem to them. Note the hostile response, and note that you are regarded with contempt instead of being perceived as a friendly admin who is willing to take the time to educate and work with users. Wait for nine more calls and receive nine more hostile responses. You will then understand why admins don't do this and you may also understand why people who routinely catch flak from those they are sincerely trying to help might see humor ("wise knowing inside jokes") as one of the healthier ways to deal with this.

    Believe me when I tell you that sysadmins aren't fond of this situation either. If you sincerely want to learn and grow and improve your skills with the tools that you use every day, and are willing to work with the IT department as part of this process, then you are so rare as to be statistically insignificant. I cannot prove this, but I believe that most sysadmins want to work with machines and networks and find themselves working with users instead. Users who so thoroughly resent having a problem in the first place (as though anything else humans do never has problems) that they neither appreciate nor respect the person who is trying to help them. I assure you that no sysadmin has ever tried to imagine the best possible scenario and come up with this one.

  9. Re:Kill!!! on Tales From the Support Crypt · Score: 1

    I think sometimes it might be that the professions have the perception that someone spent time learning this through apprenticeships or many years at university and are therefore better people than that damned bespectacled nerd who only knows what to do from tinkering with those stupid computers in his parents' basement.

    Formal education is severely overvalued in terms of the actual expertise of those who have it. John Taylor Gatto (or the excellent and much shorter essay here) is a particularly good reference for this, but if you forget everything you think you know about the matter and really look into it, for yourself, as someone who will follow the facts wherever they may lead, you'll find that modern methods of instruction are some of the worst ways to learn anything. I believe that the primary purpose of i.e. college is not to impart knowledge. The primary purpose is to teach you to allow others to run your life and set your schedule and that "the experts" will tell you whether your work is any good and how useful you are. It amounts to obedience training. In a modern society where most human beings are expected to be interchangeable, replaceable parts of the social machinery of corporations and other large organizations, this has immediate practical value despite what I must call a dehumanizing influence. Either way, my point is that I don't know anyone who has ever carefully thought about the matter who is terribly impressed by credentials alone. It's one of those numerous examples where some of the most important things that we collectively do are not the result of a conscious choice where everyone involved calls things what they are.

    That and while people appreciate their cars or of course, their health, with computers it seems to be more that they HAVE to use it and resent every minute of it.

    I maintain that for a user to have these frustrations and take them out on the guy who's trying to help them, merely because he's a captive audience who is forced to take it, is unjust and indicative of a petty, small-minded individual. If you really want to find out what sort of person you're dealing with, don't look at how they treat their friends or their family or their boss -- look at how they treat a captive audience. If someone's work involves computers and they resent using computers, they should deal with that by either learning to like them or finding another line of work. So, I again think this is a matter of personal responsibility and to be honest with you, these chronological adults who are really nothing more than overgrown children need to grow up and learn what that is.

  10. Re:Kill!!! on Tales From the Support Crypt · Score: 5, Insightful

    That's actually not a rare incident. I don't even wonder how many readers nod their head to this statement because it's been an endless source to their own frustration.

    One wonders why. Why do people just click away all messages sent to them by the system? I actually remember an incident where I was called to fix "something with the server". Turned out to be a raid6 system that lost three drives and thus didn't work anymore. Now, I hear you say, how can a raid6 system fail? Raid6 can lose two drives and still work. Three drives dying, power surge maybe? No.

    One drive failed, but the hotspare took over. The server beeped, so the beeper was cut off. The server reported dutifully that a drive was blown, which was equally dutifully clicked away without reading it.

    Another drive failed, but it still somehow managed to keep going. No beep this time since even the best beepers fail to work when they are not connected. And finally the whole system failed to provide data, or they'd probably have continued 'til a rebuild would have been impossible.

    But the real kicker was that I was being yelled at how we dare to sell a Raid6+spare as a system that prevents data loss. It does, when you don't do your best to ignore every information it gives you about an impending catastrophe.

    And this is hardly an isolated case of stupidity. People simply close every warning information they get because "I don't understand it anyway". Without reading it, how do you KNOW whether you understand it?

    I dare you to ask that question. It usually results in more yelling, but no really enlightening answers.

    I think there is an explanation for this, or at least a partial one.

    Microsoft makes a decent keyboard but other than that, I don't use anything Microsoft on my own machines and this has been the case for about ten or eleven years. I'll often go long periods of time without ever using Windows. If not for my friends who use it and ask me for help with problems from time to time, I might have lost the skillset. Because of that, when I do sit down at a Windows machine, I can easily see the contrast between the way things are done on it and the way things are done on other systems.

    One thing about Windows that I find to be a nuisance is that so many non-critical messages will trigger system-modal dialog boxes. The examples of this are too numerous for me to begin to enumerate them here, not to mention it would be a rather boring list, but if you have experience with multiple operating systems then you have probably noticed this too. The problem with this approach is that users quickly grow accustomed to the idea that these messages are not very important and can be safely ignored. It becomes something like the "boy who cried wolf" fable, in that it sets up a situation where the occasional important error message gets ignored. Using Windows XP makes me feel this way; I can only imagine how much more true this is for Vista's UAC system.

    I'm not saying that this fully explains your example involving RAID 6, only that it is a particularly egregious example of a much more general tendency.

  11. Re:Kill!!! on Tales From the Support Crypt · Score: 1

    There is a reason for that. With Tech support, you're telling them how to do it themselves - and people hate that for whatever reason. They hate the time it takes, or feel like they're being bossed around, or whatever. With a doctor or an electrician, they do the work and just get paid for it. You'll notice people don't argue with the Geek Squad guys nearly as much, because they come out and do the work for you. I think it's a psychological thing more than a career thing.

    Thank you for one of the first real answers to that question I have ever received.

    Personally, I would still fault the user for this because they knew that going into it. They knew before they picked up the telephone that the person on the other end was going to give them instructions and that it was going to take time. They had other options available: they could have taken their computer to a shop or they could have called a company that does on-site support. They made their decision and the tech gets to suffer if they are not happy with the decision they made and that's simply unjust. Doubly so, considering that most tech support inquiries are the direct result of user error and user negligence in the first place. I wouldn't call that a psychological thing or a career thing, I would call it a personal responsibility thing.

  12. Re:Family Provide Our Best Stories on Tales From the Support Crypt · Score: 4, Insightful

    That's very generous but I'm having a hard time blaming that one on you ...

    I'm guessing you haven't had the joy of supporting users much. It was the first thing I thought of.

    I most certainly have had this "joy". It means I do everything I can do for them (often in spite of them) but it doesn't mean I am responsible for every act of gross negligence or lack of due diligence. It's not like the proper orientation of a mouse is some kind of rare obscure knowledge that only the technically inclined could hope to understand. The GP suspected a virus before he suspected an upside-down mouse because he was giving some benefit of doubt; now you know why benefit of doubt is so rare (I say this with a smile).

    Now, I've made enough stupid mistakes of my own that I would be not only foolish but also hypocritical if I disparaged or insulted the man for the upside-down mouse. But recognizing this fact is a matter of character and does not elevate the event into something greater than what it is. It's a dumb mistake, we all make them sometimes (if not computing then elsewhere), and it's okay to call it what it is. None of that is the GP's fault, so his willingness to take responsibility for it anyway was generous indeed.

    I think I'm writing this because I'm a little weary of this culture of always having to sugar-coat everything. It's okay to see a spade and call it a spade. If someone gets upset over that, they are choosing to do it and it's okay to remain calm instead of joining them. You can make a blunder like that and view it in all its ugly embarrassing makes-you-feel-stupid glory and still laugh at it. I greatly prefer that and the character that this attitude cultivates to the artificially sanitized, artificially uniform experience in which no one ever has a chance to get their feelings hurt.

  13. Re:Kill!!! on Tales From the Support Crypt · Score: 4, Insightful

    To the people who....

    1) Send me screenshots inside a word document
    2) Ask what FTP is when they're supposed to be a server admin
    3) Can't run a select statement but are supposed to be the DBA.
    4) insist the network is up even though we don't see any packets through an *inline* appliance
    5) say the problem is super urgent, but then refuse to try anything you say.

    ... I will be rich when I invent a device to stab someone in the face over the internet.

    I'll never understand what it is about computers that brings out so much of what must be latent stupidity. In your list, number five really captures it. I can't tell you how common that one is although it sounds like you know from experience.

    It seems like no other specialists have that problem on such a routine basis. When someone's doctor says "you have X disease" they generally don't look at him and say "no I don't." When an electrician says that something needs to be rewired, they might get a second opinion but they don't usually argue with the guy. Same deal with mechanics. With almost any other specialist it's understood that if you come to them, it's because you recognize that they know a lot more about medicine, electricity, or auto repair than you do.

    What do techies get? They get uncooperative users who come to you for help and when you give it, they argue with you and bicker and drag their feet every step of the way, insisting that such-and-such can't possibly work, until it does work, at which time they complain about how long it took or they give you some bullshit about how they just tried that and it didn't work for them. Of course there are exceptions, but this is the norm and I can't understand why this applies so much more to computing. What I am talking about has nothing to do with the user's technical expertise or anything like that. It's the simple principle that if you know more about computing or networking than I do, there is no point in seeking my help. No technical expertise is required to understand this simple principle.

    Anyway, for the non-technically inclined who think that we're a bunch of arrogant elitists, this is an example of why we say users are stupid. It's not because we expect them to become experts or even technically knowledgeable, it's because we constantly see users complicate simple things, drop all basic standards of common sense and mutual respect, and otherwise engage in behavior that is in no one's interests, particularly theirs.

  14. Re:Family Provide Our Best Stories on Tales From the Support Crypt · Score: 1

    At my next visit home, I finally can diagnose the problem live instead of over the phone: Dad was holding the mouse upside down.

    True story - lasted for a month before problem was fixed. My fault for not figuring it out sooner.

    Your fault? That's very generous but I'm having a hard time blaming that one on you ...

  15. Re:batteries? on Batteries To Store Wind Energy · Score: 1

    Batteries need to be replaced, and are composed of a number of undesirable chemicals. Seems like ultra-capacitors might be of use here. Several orders of magnitude more recharge cycles and generally safer. Portability isn't an issue, so they could be as big and heavy as needed.

    There is one question I have about supercapacitors and you'd think it would be one of the most basic things about them, yet I have never seen an answer to this. Capacitors, at least the few I have seen, generally want to release their stored energy all at once. How is this addressed when supercapacitors are used? For example, let's say you have a supercapacitor that can power a light bulb for eight hours. How do you make it actually provide a lower current over those eight hours instead of providing all of that energy in a single instant and frying the bulb?

  16. Re:Hostile Action from Spammers on CastleCops Anti-Malware Site Closes Down · Score: 1

    The point of this quote is that standing militaries (such as we have had here in the US ever since we decided wiping out the natives was more important) are to be avoided, and when needed they should be under civilian control. What this has to do with individual gun ownership, I'm not getting.

    What does it have to do with gun ownership? They are not proposing that (during peacetime) the standing army should be replaced with nothing. They are saying that the standing army should be replaced by everyday citizens who are armed, trained to use their weapons, and ready to assemble and fight if necessary (the Minutemen were an example of this). This is what is meant by the "well-regulated militia" that the Second Amendment refers to. For this to be possible, the citizens need to own their own weapons.

  17. Re:I agree on CastleCops Anti-Malware Site Closes Down · Score: 2, Interesting

    I always appreciate such a well-reasoned response.

    My only concern is, and I doubt you are part of this, sites like Slashdot seem to carry a strange attitude that because something takes place on a computer, it is immune from law.

    I think much of that comes from the "artificial scarcity" nature of copyright and the repeated extensions to both the duration and severity of copyright law. Our legislators are not carefully evaluating whether or not technology has made this model obsolete and using the results of that evaluation to make any necessary adjustments. Instead, they are applying more and more "brute force" to the law by turning formerly civil matters into criminal matters to appease various monied interests, as though such complex problems could be solved so easily. Not surprisingly, the reaction to this has not been a good one.

    You sometimes see comments from people who whine about a spammer getting 10 years in jail--"they didn't hurt anybody". You'll get a story about some fuckhead getting 5 years for hacking a corporate network and some comments will bitch "they were just learning, and besides people should lock their doors better". All of it silly nonsense that has no place in our industry.

    Part of it too is that the reason why you should have reasonable laws that are not weighted too heavily in favor of any particular group is because when people lose respect for the law, they tend to lose respect for the entire institution. It is trendy these days to "make an example of" people who commit certain crimes and sometimes the question of whether the punishment fits the crime is well-founded. There is also the possibility that a free-for-all network where all forms of computer intrusion are legal will result in more secure systems than would a regulated network where such people are prosecuted. This boils down to a form of Darwinian natural selection. I'm not saying it's a good or desirable possibility, only that it may be true regardless of anyone's personal feelings about it. A spammer getting 10 years doesn't bother me, so long as this is for actual fraud/ID theft and not merely because otherwise legitimate business offers were unsolicited, and so long as we aren't releasing violent offenders early to make room for them like we do in the War on (Some) Drugs. I am not agreeing with or defending the views you mention. I simply find it edifying to understand where viewpoints come from, especially those with which I disagree.

    Tossing your hands up and saying "we give up" means we just blame the user, blame the system admin, or blame anybody but the criminal. Oftentimes they won't even be labeled as criminals, worse they'll manipulate language to make them sound like some kind of modern hero (Hacker vs Cracker is nothing more than straight Orwellian doublespeak). I think such talk is a form of denial and worse a form of insidious propaganda. It is also a byproduct of a more innocent time in our computing history.

    Let's just say for the sake of argument that an Ultimate Solution to the Spam Problem has been found and that this Solution can be absolutely rigorously proven with 100% confidence. If it turns out that the Solution is for the users to alter their computing habits, would you say someone was "blaming the user" if they advocated it? I believe that too much concern for who is at fault, for at whom we can point the finger, is counterproductive. There's a certain visceral satisfaction to it if you need that but it's not good problem-solving, especially if your goal is prevention. It can cause good ideas to be discarded for no reason except that they affect someone other than the perpetrator.

    Look no further than how nature deals with nasty stuff. Study our own immune systems. Study the immune systems found in nature. The two are very similar. How we combat AIDS or the common cold are good starting points for how we combat online crimi

  18. Re:Hostile Action from Spammers on CastleCops Anti-Malware Site Closes Down · · Score: 3, Insightful

    I am [was] a volunteer security expert on CastleCops. I helped hundreds of people, but the task was very daunting. Back in the heyday for malware, there were literally hundreds of new posts every day with problems that would take more than a canned response and a hijackthis log. There was only a handful of us and to be honest, I am surprised that it lasted as long as it did. I know I would get burned out and disappear for a few months then pop back in and try to help a couple people.

    I should preface this by saying that your efforts are noble and should be commended. I am encouraged any time I see people like you who are willing to selflessly try to do something about a problem especially against what must seem like impossible odds. What I would like to see this world become has a lot more of that spirit than the real world does.

    I'll be honest with you and hope that how I genuinely feel about this doesn't appear to you to contradict what I just said. I don't really believe in this kind of solution, not because it's labor-intensive but because it addresses a symptom or a result instead of addressing the underlying problems that keep causing it. In other words, it is damage control and not real prevention.

    If you study computer security, one (very sound) idea you will come across is the notion that once a machine has been compromised, the only way to ever trust that machine again is to reformat the hard drive and reinstall the operating system from known good media. To our detriment, the way security is generally handled flies in the face of this observation. There is a plethora of virus removal tools and spyware removal tools provided by what has become quite the cottage industry. These tools operate by detecting and attempting to remove known malware from a system that has been compromised. After the malware is removed, the system continues to be used even after it has been both compromised and proven to be configured/operated in an insecure fashion. This is perfect for the antivirus companies because the job can never be finally completed. Under this model, there will always be work in the form of finding, analyzing, and creating signatures and heuristics for new malware. Work that someone will have to be paid to do. What was a volunteer effort that caused burnout for you equates to $$$ dollar signs for them.

    What is needed is a proper security system built into the OS that can prevent the compromise from happening in the first place. Windows can be found on the vast, vast majority of computers and Windows has no such security system (whether anyone else has or does not have such a system is not my point; this isn't intended to be a Unix vs. Windows debate). Further, no one in the security industry is really interested in providing one because by doing so they would kill their own market. If Microsoft tried to implement something like that, something far more effective and less of a "band-aid" than UAC, they would receive tremendous pressure to desist from an entire industry. What further complicates the problem is that there is a very large and very ignorant userbase which does not understand these issues and does not care to learn about them. Because of that, they have come to accept this as normal and "just the way things are done", as though entering into a malware vs. antimalware arms race that cannot possibly be won is an inherent feature of computing.

    I hate to say it but I think this will have to get worse before anyone will be truly interested in making it get better. Call me cynical for saying so if you will, but as a culture we're not very big on dealing with foreseeable problems while they are still relatively small and manageable and prefer to ignore them until they become a crisis first. I have said for some time that perhaps the best thing that could happen would be a wake-up call in the form of a virus/trojan/worm that infects a machine, spreads itself rapidly to other machines, and then destructively formats

  19. Re:Your premise is wrong on CastleCops Anti-Malware Site Closes Down · · Score: 1

    The solution is *not* to just toss your hands up and say "we give up", the solution is to lock these fuckers up and toss the key.

    My real response to you is this post but I also wanted to ask you something.

    What I am advocating is that we should attempt to understand the real nature of the problem before we even begin to think about implementing any solutions. This may include a willingness to question what we think we know about it since the "conventional wisdom" has thus far gotten us nowhere. It might also include an examination of history to see if people have faced problems that had similar underlying principles, even if those problems were radically different in outward appearance. If any such examples are found, we should consider the attempted solutions and whether they had any success. In short, we need to know as much as we can about what we're dealing with and we should learn from the mistakes of others as much as possible.

    My question is, what part of this constitutes "tossing your hands up and saying 'we give up'"? In light of my question, do you still believe that this is what I am advocating? I understand your righteous anger and your desire to see spammers punished, but these things are in vain if they cause you to take hasty action that cannot bring about your goal.

  20. Re:Your premise is wrong on CastleCops Anti-Malware Site Closes Down · · Score: 5, Interesting

    Spamming V1aG4 isn't where the money is at. The big money is in identity theft, espionage and pump & dump schemes. These crimes are committed by using botnets that host phishing sites, send out phishing spam, and use scripts to log into bank accounts and broker accounts.

    It is an economic problem, yes. It is *not* analogous to prohibition. This stuff *is* criminal and the crimes committed cost tens of billions of dollars each year. The solution is *not* to just toss your hands up and say "we give up", the solution is to lock these fuckers up and toss the key. We, as a society, need to clamp down on these fuckers before they do something that really screws with us. And don't kid yourself either, these people are sitting on top of some of the most powerful distributed computers on the planet.

    Chicken Bone Spammers, V1agr4 and R0l3x W4tches is old school 1998 thinking. That crap is the little leagues. The big money is in "professional," massive, highly organized, sometimes government funded crime. This is the big leagues and the assholes playing in it need to be stopped.

    But that's exactly why new laws aren't going to work. What you're talking about there is fraud. Fraud is fraud; it's not something new just because the means of communication was a networked computer. Fraud is already universally illegal (everywhere or nearly everywhere) and this hasn't stopped the type of spam that you mention. Why? Because these criminals are finding it to be very profitable.

    The laws that imprison or execute people for things like rape and murder have some deterrent effect on would-be criminals because there is generally no enormous economic incentive to rape and murder people and the desire to do those things is widely recognized as aberrant and pathological. Contrast that with spam (any kind) where there is a strong economic incentive (it's only getting worse so it's obviously profitable) and the desire to make money is generally valued and encouraged by our society -- the problem with spam is the destructive method by which that desire is satisfied, not the desire itself. In my mind, that's the difference between enforceable laws and unenforceable laws.

    I believe that my previous point was sound and still applies here. The only thing your clarification changes is the application of the term "demand". Whereas before, demand constituted people who purchase items from spammers, now it also describes people who want to connect a computer to a network that is known to be hostile without learning how to use it securely (botnets), people who want to make transactions without careful authentication (phishing), and people who want to get rich quick or who think that some random spammer with a stock tip really has their best interests at heart (scams). Whether such people are genuine victims or merely suffering the consequences of poor decision-making makes no difference to the spammer. A large (enough) number of people who keep doing these things despite all of the warnings against them and all of the information available is indistinguishable from the usual sense of the word "demand" as far as spammers are concerned.

    What I am telling you is that so long as this is the case, you can make the penalty for this type of fraud as severe as you like and it will make no difference, for all of the reasons I have outlined in my previous post. It is prohibition because there is a large enough demand to make $ACTIVITY profitable and you are trying to eradicate $ACTIVITY by punishing $SUPPLIER in an effort to destroy $AVAILABILITY. It will fail for all of the reasons why more traditional forms of prohibition have failed.

    Remember that you don't need perfectly knowledgeable users running perfectly secure systems so that online fraud is completely impossible; you just need knowledgeable enough users running secure enough systems to make fraud difficult enough that it's no longer profitable. Accomplishing this is merely very difficult; catching, prosecuting, and punishing enough spammers to achieve anything resembling "stopping spam" is utterly impossible.

  21. Re:Hostile Action from Spammers on CastleCops Anti-Malware Site Closes Down · · Score: 5, Insightful

    Either we need a lot more volunteers, or we need to start imposing the death sentence on convicted spammers and get the root problem solved.

    That'll stop spam about as well as prison terms and (sometimes) death sentences have stopped drug traffickers. What you are dealing with is not a technological problem, which is why spam filters and anti-malware efforts have not ended spam. You're not dealing with a legal problem either because even if new laws to punish spammers somehow worked perfectly, and they won't, that could only change the jurisdiction from which the spam is being sent. Not to mention that if spamming becomes riskier because more spammers are caught and punished, you will actually make it more profitable for the ones that don't get caught (possibly those from other jurisdictions) because you will have removed their competitors.

    This is an economic problem. The interesting thing about economic problems is that so long as there is sufficient demand for something, the suppliers will amaze you with both their ingenuity and their willingness to take risks to deliver it. We saw this with alcohol prohibition, we see this now with the War on (Some) Drugs, and we're also seeing it now with spam. The real problem with spam is that the spammers' costs are extremely low and there are enough idiots who buy from them to make it profitable. Punishing spammers amounts to a form of prohibition. Prohibition has never worked (they can't even keep illegal drugs out of prisons) and it's not going to start working now. It really amazes me that so many human beings can understand human nature so poorly that it was ever even tried, let alone that it continues today despite any social costs and that there are still people who would suggest applying this failed idea to more novel problems. When we, collectively, try something and find out that it has never worked and is never going to work, we think the solution to that is to try harder instead of trying something else. It's like a cross between that saying about having only a hammer and perceiving everything as a nail and that saying about the definition of insanity.

    If the goal is to catch a tiny percentage of them and feel vindicated while your inbox continues to fill up with spam, the "crime and punishment" approach will do. If your goal is to end spam, then your only real option is to reduce the number of people willing to buy from spammers (the demand) until spamming is no longer profitable. Like many others, I have some ideas but I don't have the solution. At this stage though, I think that what's missing is a sound understanding of the problem.

  22. Re:Star Wars tech? on 30 Years of Star Wars Technology · · Score: 0

    All that said, yes, Star Wars isn't tech-focused, Trek is. Except for lightsabers. If someone can make an actual lightsaber, I would sell my soul to them for one.

    Dear Sir,

    With the many recent advances in infernal technology, my minions have finally managed a technological breakthrough. A laser-like energy beam of nearly infinite power can now be created and confined to a three-foot "blade". Human stupidity is the most hellish thing known to us on Earth, and so the device uses human stupidity as a power source. We anticipate that you will never deplete this source of energy due to its overabundance (and that was not easy to achieve but then you silly humans created mass media and did half our work for us). The unit is handheld and fashioned into a convenient handle with an on/off switch. In short, we have created your lightsaber.

    Your lightsaber will be delivered to you promptly. Of course, your kind and generous offer of your eternal soul will be very much appreciated. To quote one of you humans who went by the name of Bill Hicks, normally "eternal suffering awaits those who question God's infinite love" and so most of the souls we receive are quite surprised to be here. You will have a special place in my realm because your offer was made knowingly and willfully. This is most pleasing indeed. Ha ha ha!

    Sincerely,


    Satan
    Your New Eternal Lord and Master

    P.S. Enjoy the lightsaber!

  23. Re:Exactly what is vulnerable? on MS Issues Critical SQL Server Flaw Warning · · Score: 1

    In that case, with the added clarification, I have to say, there's no way a Unix sysadmin can just come up and admin a Windows Server. It seems like they can because they can "click around", but doing it "right", it requires experience and/or training, in which case, both will be lost in the other's environment (again though: since the basic tasks will require absolutely no training in Windows, it may give the impression that the Unix sysadmin "can admin a Windows box". They cannot, there's just less to learn).

    I think the one advantage the *nix admins have in this case is that in a *nix OS, you generally cannot get away with no understanding of what you are working with (sure there's Ubuntu and its good GUI tools, but I'm not talking so much about a desktop environment). Just an example, you really cannot use iptables to configure the Linux firewall at all unless you have a good working knowledge of TCP/IP. If you have a good working knowledge of TCP/IP, you should be able to handle the Windows firewall (either built-in or any third-party firewall) even if you've never seen it before. Windows admins who come to *nix have no such advantage.

    There are philosophical differences between Windows and *nix that relate to this. This is very general and I am aware of that, but I would say that *nix assumes not only that you know what you're doing but that you want to know, while Windows assumes that you need to be protected from the inconvenience of actually having to know what you're doing. You don't put it the way I did, of course, but you reflect this observation in your comments about who would fare better if they had to "wing it". It's like the saying "Unix doesn't try to stop you from doing something stupid because that would also stop you from doing something clever". Well, the Windows equivalent of that saying would be "Windows wants to stop you from doing something stupid even at the cost of stopping you from doing something clever". Also with many things *nix-related, I came to understand why things were done that way, to the point that if it did not exist and I were creating it, I would have done it that way myself because it's a sound design. Contrast this with many aspects of Windows where the reason why something is done that way is likely to be answered by the marketing department or some focus group. That may sound like a small gripe but it creates a real disconnect when you attempt to understand the system as a whole instead of memorizing a set of commands/procedures. For someone with a *nix background coming to Windows, this just means more looking around before desired options are found. For a Windows admin coming to *nix, this might mean being faced for the first time with something that should be understood as an integrated, holistic system instead of the sum of its parts or (worse) a black box.

    The promise of Microsoft's marketing, that these things can be made so "easy to use" that you can correctly use and administer them without understanding them, is unrealistic. If TCP/IP, or database servers, or Web servers, or whatever are needlessly complex, then find a simpler way to implement them. However, if the complexity is needful (that is, irreducible) and is an inherent part of what you are doing, trying to replace it with dumbed-down systems with the intent that less-knowledgeable people will use it is just asking for the sort of security/reliability mess that much of modern computing has become.

  24. Re:So much for time off on MS Issues Critical SQL Server Flaw Warning · · Score: 1

    Which is why I think that we should all agree on a standard 90 day rule and press the security researchers to enforce it. That way any company that gets a vulnerability reported knows EXACTLY how long they have to get either a patch or a work around out the door, and anyone who releases before the 90 days is up should be looked down upon for making the web more dangerous for us all. Because as it is now MSFT and any other company can just sit on their collective asses and when the vulnerability finally gets disclosed claim they "didn't have enough time" and then harp upon the guy who found it for being "irresponsible" for not sitting on it. With a standard 90 days there isn't any confusion or doubt as to when the news is being released.

    You got told of a new vulnerability? You have 90 days from today, no more, no less. And if a company can't get off their collective asses and put out a patch or at least a work around then they suck and deserve whatever they get. And if they screamed "irresponsible" then everyone would simply say "everyone else gets theirs done in the standard 90 days, why the hell can't you?" instead of the worthless blame game that goes on now.

    Ninety days sounds like an excessively long time to me, considering that the (largely unpaid volunteers of the) open-source community typically patch high-profile remotely-exploitable vulnerabilities in a matter of hours. In my opinion, 30 days would be quite generous. This is especially true when you consider that it's always possible that the black hats have also independently discovered $VULNERABILITY and are quietly exploiting what almost no one else even knows about.

    If you are dealing with an entity that wants to play blame games, the only part you can change is what or whom they blame. So right now they can blame the discloser for being "irresponsible" (generally defined as "caring more about security than the vendor does"). Unfortunately under your system, they would simply claim that the disclosure is not yet 90 days old, or maybe they'll pull a Bill Clinton and dispute the definition of the word "is". They'll say almost anything that lets them save face, secure in the knowledge that the average user has neither the technical knowledge nor the critical thinking ability nor the willingness to call them on it. When you're dealing with a fundamentally dishonest entity, it is easy to force them to become more ingenuitive when they lie and misrepresent while it is nearly impossible to force them to become honest and open. The only real solution is to refuse to deal with fundamentally dishonest entities.

    I think lots of other people have noticed this and have decided to say "fuck 'em", which is why so many who discover vulnerabilities immediately go public with them. Microsoft is either crazy or stupid if they don't think that other security researchers are looking at how they blew off Bernhard Mueller and deciding that there's no point in trying to work with them. They can blame everyone and everything else as much as they want to but in many ways the vendors are their own worst enemies.

  25. Re:So much for time off on MS Issues Critical SQL Server Flaw Warning · · Score: 2, Insightful

    If you want someone to blame, blame Bernhard Mueller who knew about and told MSFT about the bug in April and waited until NOW to disclose it to the world. He says in the article that MSFT started blowing him off in September, yet he waits until NOW to disclose? The least the ass could have done is waited until after Xmas IMHO. If the damn thing has been sitting there since April without a major attack it could have waited a few more weeks. Or if he really had a giant bug up his butt to disclose he could have done it in the first weeks of November after being blown off by MSFT for a month. Releasing the details NOW just seems kinda shitty to me.

    In the long run I think what he did was for the best. Microsoft has talked a good game lately about security and how much they value it, so you'd think they would appreciate information like this and would quickly use it. I mean, think about it. Lots of people who discover vulnerabilities immediately go public with them. I don't think there's anything wrong with that, but it has to be one hell of an inconvenience to the vendor. Here you have someone who was willing to work with the vendor and gave them far more than enough time to use his information and handle this in a much smoother way and they blew him off.

    It's a shame that predictable situations that could have been easily handled often have to become big problems before anyone decides to address them, but this is often the case. The worse this one is and the more problems it causes, the more pressure there is on Microsoft to stop ignoring people who want to work with them on security issues. I am no fan of Microsoft and I personally don't like Windows, but there is a bigger picture here. No matter how I feel about them, many millions of people use Microsoft products or depend on servers that run Microsoft software and they stand to experience preventable problems when known security issues are not fixed. The Internet is a shared resource; the more secure these users are, the better the network is for everyone. There's really no excuse for how Microsoft handled this one. I don't personally use their products, but if I did, this would make me reconsider.