"And that blank cheque is the problem. Whatever happened to accountability?"
Basically, it means that the contracts go to whoever spends 70% of their money on accountability, auditing, documentation, oversight, and bureaucracy (i.e. EDS). Which is one of the reasons government projects cost so much and are so likely to fail.
There's nothing like a 12:1 beancounter to programmer ratio when you're trying to maintain accountability. No prizes for guessing how productive it is though.
"Since it wasn't a password that was easy to guess, it should be assumed that the son wanted it private."
Option B: nobody with a yahoo email account has an easy to guess password, because anyone who did will have been cracked already, and lost control of the account.
I've seen people hit the "3 guesses per hour" limit on my account for days at a time, even when they had to type in a captcha for each guess. There aren't going to be any accounts with easy passwords left.
"Emails are like letters"
In the sense that they both transmit information? In what other way are they alike?
"letters are property"
The letters, or the information on them?
"The privacy claim of yahoo is nonsense"
What's nonsense about not revealing someone's email without their permission?
"the click through is standard boilerplate"
Yahoo's TOS has most definitely been written specifically for them
"and is not intended to supersede the rights of heirs"
What rights are they? If there's a law that says heirs should be able to read email, you might have a point. But is there such a law?
"The post office cannot withhold your mail from your heirs"
The post office doesn't store letters
"what gives yahoo that right?"
Why are you still talking about rights? Yahoo doesn't need a "right" to prevent unauthorised people from accessing their email; that's just a normal part of email service.
"I can hang up if I object. No 'rights' are being violated."
The only time I (or many other people) call a call center is because some company has tried to steal from us, overcharge us, has sent spam, has failed to process a transaction properly, etc. Claiming that you have "a choice" to hang-up is quite insulting to anyone in that situation - you presumably mean a choice to be taken to court for a fraudulent phone bill for example, or a choice to allow your credit-card company to pay invalid transactions?
Personally I record all my phone calls. I'm sure it must be legal, because the banks do it. So, on topic at last: are there any good speech-to-text systems for this sort of thing, which would save having to store ogg files?
"Just once, I'd like to see a "Completely Impractical guide to something"
A Practical Guide to Securing Windows NT Servers and Workstations
"In theory, if you download an MP3 with DRM enabled, Windows Media Player will search your computer for the license. If it doesn't find it, it will go to the URL specified in the MP3. This is part of the DRM spec."
So... this search of your computer for the license...
The one which indicates success or failure by whether it connects to a certain website afterwards...
Is there any way to direct that search to particular filenames?
"Check out the new cleansoftware site for free windows software that is free from spyware, adware etc."
Uh, how would they know? I'm sure they mean well and everything, but if they're recommending closed-source software how can they possibly verify that it's not spyware/adware?
Basically, they're relying on spyware being obvious, easy to detect, or commonly known about. Apart from the open-source software, which they can check.
"This doesn't anonymize the users, does it? Your IP address is still readily available, no?"
So use Konspire, which is an anonymized version of BitTorrent. Or specifically, "deniable steganographic distributed transmission optimised for large data"
"Does anyone know who this ["a well-known crackpot wrote a Wikipedia page about himself"] is referring to?"
;)
Oh thanks, as if Slashdot didn't have enough trolls without asking for a Sollog discussion...
"Why do the Wikipedia admins need to lock popular, topical and controversial articles from editing? Is it because these articles somehow attract more vandals than well-meaning passersby and contributors?"
Well, put it this way: I sometimes edit a "normal" wiki, without the page-locking feature. Thousands of pages are vandalised every hour. You can hardly get up for a coffee before the front-page is vandalised again.
Now, Wikipedia is better than that, but mostly because it's got so many people tending it. I've seen vandalised articles, done a refresh, and seen it corrected within minutes. But that requires there to be hundreds of people constantly watching edits. I'm quite grateful to Wikipedia that they provide such a well-tended facility that I can use. Blocking IPs, "vandalism in progress" alerts and the like all help too, of course.
As to the controversial articles, I think yes, they do attract more vandals than contributors. Some people just have nothing better to do (naming no names, but one criminal in particular). Other people might use scripts. Some people may even be paid to vandalise stories (I know the US government has a department of media relations whose job description involves putting false or misleading stories into the international media, and it would be silly to think that some distasteful countries (again, naming no names, Israel) didn't have people whose job it is to present certain topics in a favourable light).
Maybe they're just testing Wikipedia. Who knows? But I certainly find it surprising when they unprotect these controversial articles. It must be a bit like opening ornamental gardens in a warzone, and just keeping teams of people ready to pick up litter or replant beds, walking around behind the vandals as they do their work...
So... do we get any points if these show a degree confluence?
"And a car with the wheels nailed to the ground, the doors welded and all the windows painted over is pretty safe from theves."
You don't live in Manchester, do you?
"Although to be fair my default browser (FireFox) was unaffected ;)"
P.S. We got the exploit to upload a trojaned copy of Firefox onto your machine. Best regards!
"In general, the US government doesn't like to compete against private industry based on two predictions about the government product:
* It would suck at first.
* Everyone would use it anyway, and so it would suck forever."
So the government can write a library (it doesn't even matter if it's open source). They must have such a thing anyway, to check the forms, and then nobody has to worry about a government-inspired GUI.
Even a library which just validated forms and returned "correct" or "incorrect" would make it possible for certain types of program to optimise against it (and such a program would still optimise when the next year's validation library came out).
"Second, it'll probably be patched rather quickly."
(a) "probably"? That would be "still unpatched!!!" in Windows parlance...
(b) We don't expect to have to patch kernels; they're expected to be reliable.
(c) even if fixed immediately, it will have been
"it's one of a few holes, compared to the one of many holes found in windows..."
How many holes do you need to breach security? Just the one.
"good luck getting rampant Blaster-style viruses based on it..."
I don't think virus writers need any more good luck... But a local root vulnerability means they can only compromise a few tens of thousands of people at a time (for example, university shell accounts) rather than the whole internet (which would need a remote vulnerability).
"I'm a developer for these chips, and I have to say, this is much ado about nothing."
"I'm from Intel... I'm here to help."
Philip and Alex's Guide to Web Publishing - Great book.
"The site does host files, and those files are used for the sole purpose of unauthorized downloading of copyrighted material"
(a) Who put those files there? Was it the tracker site or their user?
(b) Did the tracker site make any illegal copies (i.e. was anyone's copyright infringed by the site?)
(c) Is referring to something the same as making a copy of it?
"we did find at least one artillery shell with traces of Sarin gas, so there were, strictly speaking, WMDs found in Iraq."
One shell? Traces of a chemical? Mass destruction?
That's like saying a bottle of water is a weapon of mass destruction, because if you had a billion times as much water as you do, you could drown lots of people. (apologies to anyone who's recently been drowned)
At last count (1997), the USA had 30,000 tons of chemical weapons. That's what you call 'weapons of mass destruction'. Not an antique shell that nobody even knew existed until 300,000 people went looking for it. I know farmers' fields in the UK which probably have more unexploded ordnance than that in them.
"Audioscrobbler builds a profile of your musical taste using a plugin for your media player ... and generates personalised recommendations."
iRate does a similar thing, working like a radio station for Creative Commons-licensed music... Rate songs on a scale of 1-5, and it automatically downloads things that you might like.
"Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert."
Interestingly, MozillaStore.com does have an Equifax certificate. I guess that securing that one credit-card transaction is more important than securing all the transactions which will be conducted with the browser being downloaded...
"On the other hand, if you do understand a little about security, you have the option of getting the (in this case win32) binary together with the .asc signature from ftp.mozilla.org, then get gpg, import the appropriate key from a public server, verify the signature and, if matching, run "Firefox Setup 1.0.exe" to install a verified, trusted version of the program."
Hypothetically, if your ISP was transparent-proxying mozilla.org to be their own computer, with ftp.mozilla.org being their FTP server, with their trojaned copy of Firefox, signed by a key they created in the name of the Mozilla Foundation, a key which is signed by other keys they created in the name of other famous people you've never met at a keysigning party, and if hypothetically they were transparent-proxying gnupg.org to be their own website if necessary...
How exactly does that leave you with a "verified trusted version of the program"? At best it leaves you smug in the knowledge that you downloaded the GPG key and checked the signature. But where did the key come from, and how do you know who created it?
For all you know, the winzip_installer.exe you downloaded whilst connected to that ISP might have replaced the Mozilla Foundation's keys in your PGP keyring or the trusted keys in your browser. Or the Debian ISOs you downloaded whilst on that ISP were modified to add an extra public key to the APT system.
Or indeed that the keys don't match at all, and 99% of the "security experts" don't notice because they only check the MD5, if indeed they check anything.
"Downloading software from DePaul University's FireFox mirror doesn't scare me."
(a) Would you download it on a wireless network? (See the Defcon demonstration of replying to HTTP packets that were sniffed from the network.)
(b) Why would you install unsigned software? Apt checks for signatures. RPM checks for signatures. Every security-critical piece of software comes with PGP signatures. Most other software comes with MD5s displayed on the website. What's the reason for not checking them?
(c) Creating a trojaned copy of something else would be difficult. Creating a trojaned copy of Firefox would be relatively easy.
Admittedly the article writer is taking the piss big time, and his attempts to paint Internet Explorer in a good light are really stretching the bounds of credibility, but yes, I noticed the Firefox download starting from a domain other than mozilla.org, so I cancelled it. Twice. And then sat there for a while wondering what black magic had caused this download from some foreign website when I was trying to download from mozilla.org.
"Strangely I've never seen one bit of spam on my abuse@ account..."
If you've got control of your DNS, you should be able to receive mail at address@ftc.gov.yourdomain.com or suchlike.
"I've just come up with a better idea. How about [long description of complex timekeeping system...]"
How about we use seconds since 1970? It can't fail, especially as nothing happened before 1900, nor will anything happen after 2038.