Might be interesting if Mr-CCIE-Man finds himself blackballed now that his name has been publicised in relation to this case. There seem to be as many people against this verdict as for it. No doubt there will be plenty of nerdy types out there who will want nothing to do with the man.
It's an interesting peril that jury service brings with it, especially if you then go about publicising your role on the jury.
I know nothing about cars so I can't give you a car analogy, sorry.
You must be new here...
Officers arrest people on the suspicion of wrongdoing, not because they are guilty. The state has powers to hold any citizen against their will for a "reasonable time" in most locales. This is (and has to be) legal for the system to function.
Ah, but you've incorrectly inducted one thing from another.
An arrest of someone who didn't do it can be lawful on one hand, but it doesn't follow that on the other hand it must be unlawful to resist. Both can be lawful, the general result is that a bunch of people get hurt. The purpose of the idea isn't really to allow people wrongfully arrested to start a firefight to try and stop it, but to protect people wrongfully arrested who (for example) refuse to let themselves be handcuffed and led away quietly for a crime that they know that they didn't commit from being prosecuted merely for not complying with an arrest which (a) they knew to be wrong and (b) turned out to be wrong.
Rolling back to my original post, I deliberately used the word 'wrongful' to avoid any actual legal terms which have existing definitions;
wrongful = 'screw up' = 'arresting someone who turned out to be innocent'.
Police officers are not omniscient, that is why they're not prosecuted for kidnapping when they arrest the wrong person, but that doesn't mean that arresting the wrong person wasn't a screw-up.
This article for instance, is a very interesting exploration of resisting a false arrest. In essence, it was a common law right, which has been given the chop by all but around 12 states (10 years ago when it was written) through legislation.
hey, I'm pontificating on what people ought to do. The problem is merely that the company isn't complying with my standards.
Or, to put it another way, technically, if the crappy rules are up front, there isn't really a 'problem'; it's just that the rules are crappy, and I'm feeling free to say it.
because you 'win' in as far as you produce the stuff that the people putting the prize up want (if they use your stuff), but don't 'win' in as far as actually getting a prize. I don't think it's unreasonable for losing entrants to expect that their entry won't be subsequently used by the promoter - if it wasn't good enough to win the prize, how is it still good enough to use?
Think of it like an auction, I bid $1m, you bid $1.1m: we don't then each pay the sum we bid, but only you get the item. This is similar but in reverse; the buying price is $1m, and we 'bid' to see who can produce the best software for that much money; but why should the person offering to buy then get both products, and only pay the producer of the better one?
That would strike me as a fair way for these competitions to work, but people will continue to be fleeced while a sufficient number of people keep entering competitions on wholly unfair terms.
If you didn't produce the best entry, or entered late, didn't win and that was the end of it, that would be fair enough; but keeping and using entries which didn't win just seems a bit off.
otoh, Wikileaks might actually publish it first. A conventional newspaper will probably just shop him, and give the letter back to the FBI.
right, so he's made a wrongful arrest, and no free person should have to allow themselves to be subject to a wrongful arrest. Paradox remains.
"This administration"?
and, I don't know about GP's bank, but mine locked my card after 3 wrong PINs (several months apart), so don't go with 1111, 1112, or 1113, and you should be fine.
The only reason the judge doesn't also determine fact in a trial is because that is far too much power to place into the hands of one man.
Then have a 2, or 3 person judging panel.
As to the issue of corruption (which you didn't raise, but I want to cover everything in one post) - it seems that it would be much easier to knobble a one-off jury than to go for a professional judge, and to keep on top of corruption, you rotate the makeup of the panels every trial.
It's effective, there's no one person in complete control of the outcome, it's not easy to corrupt, it's cheap and it has none of that pesky right\wrong nonsense gumming the whole system up.
It's a paradise in which justice will flourish.
Why don't you want to implement it?
The point of the jury is to selectively refuse to apply laws. A judge is far better qualified to merely "determine whether the evidence indicates that the law was broken, with intent, and without any mitigating circumstances". If that's all you want in a decision, hold bench trials and save a lot of money for everyone.
correct, but you're supposed to keep all of the others. Also, you're not supposed to have them in a manner which is entirely notional because you don't have the means to force the issue (see restricting prisoners' access to the courts).
he was a stupid juror. He failed to use his experience to consider whether it was the right, or appropriate, or professional thing to do. He followed the judge's instruction that they were only to consider the law as written (which is not the case, and defeats the whole object of juries), and voted 'guilty'. Says it in the rather self-important spiel he wrote a few days later.
You can shout 'he wasn't stupid, he had a CCIE', but the fact is that he didn't think like a responsible juror and ignore the judge's instruction to not think like a responsible sysadmin. (I make no comment on what a responsible sysadmin ought to conclude about the situation, merely that the juror in question specifically didn't consider the situation in that light, despite being qualified to do so.)
most planes can glide reasonably gracefully back to earth, even if the landing itself is pretty rough. An airship without its lift bag would fall to earth in the same way that the Vogon Constructor Fleet didn't. The gondola could have parachutes, though, I suppose.
Are you illiterate?
From my original post:
Ok, I'm really quibbling over large fractions but negligible reductions in realistic chance to find the key
See, I even noted that for this particular case it wouldn't make a lot of difference, and was making the more general point that time to crack is not always (number of permutations) x (time to test 1 permutation). For a key of arbitrary size, how willing to risk that the key be found early in the process are you? How about 0.001? Whatever the size of your keyspace, you have to knock a factor of 1000 off your length of time that you assume the key is safe for, because of the chance that the key falls within the first 1000th of the keyspace tested.
Personally, I'd prefer 99.99999%, that's a factor of a million off. If you had some keylength which would take 1,000,000 years to crack entirely, you would still be past your 99.99999% test within a year of cracking.
Now, as I said in the first place, the numbers here are so astronomically large that it won't really make a difference unless you want the risk of the key appearing in the first chunk of keys to be stupefyingly low. But in general, with smaller keys, it may make a difference, and if you were to have (say) 10,000 messages, encrypted using a keyspace which would take a year to get through for each message and all the messages were being attacked at once: Your chances of your entire set of messages actually surviving entirely uncracked, even for a month, would be slim-to-negligible. Even with a 100-year keyspace, something is likely to be cracked long before the century is out.
Or, to put it another way. By definition, there is a one-in-a-million chance that the key falls within the first millionth of the keyspace to be attacked. In the case of a key which would take a million years to crack, you have a one-in-a-million chance that the key will be cracked within the first year. Is one-in-a-million good enough for you? Say you want the data safe for at least 10 years - you only have a 1-in-100,000 chance of succeeding with my fictional cypher.
My point merely being that a large keyspace which would take a really long time to work through does not guarantee that the key won't be broken a substantial time earlier, and that even assuming no weaknesses in algorithms there is this fundamental limit on the guaranteeability of encryption.
There's also an interesting question about having a truly random key. In a truly random key, absolutely anything could come up, including key 0000000000000000001. If you were to assume that there is a substantial risk that whoever tries to crack the key will start at the beginning (being as good a place as any), then you would automatically avoid any key which could be got to within the first 10 years. But if the person trying to crack the encryption assumes that you've assumed that then they don't need to test that first block of keys (but you can hardly use that block, just in case they do check) and suddenly the useable keyspace is smaller - similarly for the block at the end.
Now, again, within enormous key sizes, it probably doesn't make a difference, but with smaller sizes, it all chips away at the useable keyspace, and how long a given key can hold out - because the person trying to crack it only has to be right once.
that assumes that you find the key on the last possible combination. Assuming that the key could be anywhere in the space, and that all keys are tried in random order, you need only to have tested half the keyspace before the chance that you have already found the key is 0.5. How unlikely are you willing to say is too unlikely for the key to be found before the entire space is ploughed through?
Ok, I'm really quibbling over large fractions but negligible reductions in realistic chance to find the key, but you can't simply state a key will always take (number of permutations) x (time to test) to crack. You could strike it lucky and take considerably less, which may make a difference with shorter keys.
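The early-discovery argument in the comments above can be put into numbers. This is an added example, not part of the original posts; it assumes each key sits at an independent, uniformly random position in the order the keyspace is searched, and that every message gets its own search running at full speed. All function names are made up for the illustration.

```python
import math
import random


def fraction_swept(t, sweep_time):
    """Fraction of the keyspace tested after time t, clamped to [0, 1]."""
    if sweep_time <= 0:
        raise ValueError("sweep_time must be positive")
    return min(max(t / sweep_time, 0.0), 1.0)


def p_all_survive(n_keys, t, sweep_time):
    """Probability that none of n_keys independent keys is found by time t."""
    f = fraction_swept(t, sweep_time)
    if f >= 1.0:
        return 0.0
    # (1 - f) ** n, computed in log space so tiny f and huge n stay accurate.
    return math.exp(n_keys * math.log1p(-f))


def p_any_cracked(n_keys, t, sweep_time):
    """Probability that at least one of n_keys keys is found by time t."""
    f = fraction_swept(t, sweep_time)
    if f >= 1.0:
        return 1.0
    return -math.expm1(n_keys * math.log1p(-f))


def expected_first_crack(n_keys, sweep_time):
    """Mean time until the first key falls: the minimum of n uniform draws."""
    return sweep_time / (n_keys + 1)


def safe_lifetime(n_keys, sweep_time, risk):
    """Longest period for which P(any key cracked) stays at or below risk."""
    if not 0.0 < risk < 1.0:
        raise ValueError("risk must be strictly between 0 and 1")
    return sweep_time * -math.expm1(math.log1p(-risk) / n_keys)


def simulate_first_crack(n_keys, sweep_time, trials, seed=1):
    """Monte Carlo check of expected_first_crack with a fixed seed."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        total += min(rng.random() for _ in range(n_keys)) * sweep_time
    return total / trials


if __name__ == "__main__":
    year = 365.25  # days
    # One key, million-year sweep: the one-in-a-million point is one year in.
    print("safe lifetime (years):", safe_lifetime(1, 1e6, 1e-6))
    # 10,000 messages, one-year sweep each, attacked for a month.
    print("all survive a month:", p_all_survive(10_000, year / 12, year))
    # Same 10,000 messages with a 100-year sweep each.
    print("first crack (days):", expected_first_crack(10_000, 100 * year))
    print("any cracked in a year:", p_any_cracked(10_000, year, 100 * year))
    # Simulation against the closed form for a smaller case.
    print("simulated:", simulate_first_crack(100, 1.0, 2000),
          "closed form:", expected_first_crack(100, 1.0))
```

For a chosen acceptable risk, `safe_lifetime` gives the figure to plan around in place of the full sweep time; it shrinks with the risk tolerance and with the number of keys under attack.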
interestingly, it has been repeatedly explained, on the other side, that information is not property in the traditional sense. Neither side seems to be able to back up their assertions that a password is company property that must be 'returned' (or not).
In any case, returning company property is not as clear cut as you think. If you have a company laptop at home when you're fired, and after you've gone home your former employer wants it back, they have to get a possession order from a court. It's only in defying such an order, or actually attempting to claim the laptop for your own that you've stolen it.
In any case, this was not a question of giving back pseudo-property to the city. This was a case of whether refusing to give the password(s) to someone from the city who wanted them represented a denial of service for the purposes of a statute that was never enacted to deal with situations like this.
Personally, I think the best outcome is for him to get substantially less than time served, and leave the city holding the bag.
because none of us wants to be in the same situation of having to choose between jail and knowingly causing the IT systems of a major city to be b0rked.
it's somewhat terrifying that one person can rule in a manner so blatantly contrary to the interests of justice, and it be the final word on the subject (though, thankfully, he was dissenting here).
Actually, it's equally worrying that Appeals can be denied (especially in capital cases) on any basis other than lack of merit, or that a court will refuse to accept submissions from someone being represented by an attorney when the submission is a request to get rid of said attorney.
you effectively waive your right to appeal.
If you can't re-assert it at any time, it's not a right. (The conclusion, from the information that you give, is that you therefore don't really have a right to appeal.)
ah, yes, but then you have to gamble that the secrets which you hold are damaging enough that they'll consider leaving you alone (and keeping the secrets safe) to be the best option. (Or, that once they know what it is, they won't work to smother it before it even gets out.)
If you don't tell them what the secret is, then you can let their imaginations run wild as to exactly how damaging it is - they know all the secrets already, and have to gamble how far up the scale the one (or ones) you have is (or are).
The other option, of course, is to use a hybrid approach, and have within the file one damaging secret, and another encrypted file which has the others in it. This leaves them aware that you genuinely have damaging secrets, but leaves them guessing as to what else there is waiting to be released. Or give them 3 or 4 different samples which have clearly come from different sources, so they can't be sure that only one source has been compromised (and pin down the extent of the damage).
it's like someone famous said: 'I sent a dozen of my friends a note saying "all has been discovered and will soon be revealed", and half of them left the country.'
It may not be anything to do with the Afghanistan leaks, it may be information personally damaging to high-ups in government. 90% of them probably have some sort of skeletons, and none can be sure that their skeleton isn't in the file. For instance, maybe there's a camera in the Oval Office (like Nixon's tape recorder) which has captured something potentially embarrassing. Obama knows if he's done something embarrassing, and if he has, he can't be certain that Wikileaks don't have the video (if such a video exists).
Or it could be a bluff.
It is so beautiful though. I have thoroughly enjoyed this thread. The innocent naivete of the original poster. The confusion of the geeks wondering if such incompetence is truly possible in someone who figured out how to post a Slashdot story.
I have thoroughly enjoyed watching dozens of geeks, who believe themselves to be technology gurus in general, get so UTTERLY confused about what password was changed and what it normally does and fly off in uncontrollable rage at the original poster over a situation which they have so comprehensively misunderstood. The password which Verizon changed exists only to stop technologically illiterate people who live in the same house from mucking the router up. Assuming that OP was right when he said that WAN access was off, then Verizon has not made ANY APPRECIABLE IMPROVEMENT TO HIS NETWORK SECURITY, all they've done is annoy their customer.
or, save yourself having to remember another password by stopping people from physically breaking into your home to mess with your network, because protecting you against that scenario is ALL THIS PASSWORD DOES! It stops people with lan-side ethernet access to the router (i.e. people who could press the physical button to reset to the default password anyway) from being able to log in and fiddle with the router. It's very unlikely that, if someone is in his house plugged in to his router, he doesn't have more important things to worry about.
it probably has a different password to the actual password which he sets anyway. Verizon logs in to uber-user mode using their secret password (which will probably turn out to be the router's serial number or something equally insecure), and can probably persuade the router to output the string of its admin password. (Or, if they've had the sense to store it sensibly, output the hash of the password - but there's nothing to stop Verizon having the hashes of 'password', 'password1' and 'admin1' to hand for comparison.)