I am not mad actually. Personally, I've been enjoying a reasonable debate with someone who until this most recent posting had proposed insightful and well thought out commentary, but suddenly got a bit flamey.
Reload rate per IP = 5 sec min
Which IIS configuration option is this? Which Apache?
Do you have keepalives on? If not, then your pages are going to load very very slowly since you have to wait 5 seconds between each image that loads. If you do, then you open yourself to a resource starvation where many clients keep their connections alive.
Either way, a lot of big ISPs use a single proxy for all their users, and you'd limit those people from that ISP to a page load rate of 1/5s across all users. Maybe it'd work for a small website, but it definitely wouldn't work for a big one. In short, it'd be a stop-gap, and nothing more.
Also, it still doesn't matter. Leaving your door unlocked does not make it legal to steal from you. That is to say, failing to protect yourself against an action does not affect the status of that action as being illegal or not. Maybe a really good admin could protect them against all conceivable types of attack. Maybe a moderate admin could have protected them against this type of attack. Maybe they only have a former typing teacher running their servers who only knows how to get the thing running, and doesn't even know what DDoS stands for. It doesn't make it any less of a crime to attack them. Whether or not they could have protected themselves is immaterial, so long as they did not invite the crime (and failing to protect yourself doesn't qualify).
I'll remind you again, the kid's objective was to perform an act (let's avoid pedantry and use the neutral term "act" to mean him taking down the server), and he did so. That act happens to be illegal, no matter how simple the act was. Further, he conspired with others to perform this act because there was sufficient protection to guard against him by himself. If the collective act is illegal, the individual actions are each illegal and carry an additional charge of conspiring to perform that act.
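The objection raised above to a "5 sec min" per-IP reload rule (slow page loads without keepalives, and a whole ISP sharing one proxy address) can be checked with a small simulation. This is an added example, not part of the original comments; the limiter class, the addresses and the request timings are constructed, and it assumes the rule counts every HTTP request from an address.

```python
from dataclasses import dataclass, field

MIN_INTERVAL = 5.0  # the "Reload rate per IP = 5 sec min" rule under discussion


@dataclass
class PerIpLimiter:
    """Hypothetical limiter: refuse a request if the same IP was served
    less than min_interval seconds ago."""
    min_interval: float = MIN_INTERVAL
    last_served: dict = field(default_factory=dict)

    def allow(self, ip: str, now: float) -> bool:
        prev = self.last_served.get(ip)
        if prev is not None and now - prev < self.min_interval:
            return False
        self.last_served[ip] = now
        return True


def page_load_seconds(limiter, ip, n_assets, retry_step=0.5):
    """Time for one browser to fetch a page plus n_assets images when each
    object is a separate request and refused requests are retried."""
    now = 0.0
    for _ in range(1 + n_assets):
        while not limiter.allow(ip, now):
            now += retry_step
    return now


def served_count(limiter, requests):
    """Number of (time, ip) requests the limiter lets through."""
    return sum(1 for t, ip in requests if limiter.allow(ip, float(t)))


# Constructed traffic: 60 different users, one page view per second for a minute.
PROXY_IP = "198.51.100.10"  # documentation address standing in for an ISP proxy
behind_proxy = [(t, PROXY_IP) for t in range(60)]
direct = [(t, f"203.0.113.{t + 1}") for t in range(60)]


def proxy_users_served():
    return served_count(PerIpLimiter(), behind_proxy)


def direct_users_served():
    return served_count(PerIpLimiter(), direct)


if __name__ == "__main__":
    print("page with 6 images:", page_load_seconds(PerIpLimiter(), "203.0.113.7", 6), "s")
    print("users served behind one proxy:", proxy_users_served(), "of 60")
    print("users served from distinct IPs:", direct_users_served(), "of 60")
```

The same 60 page views are served in full when they come from 60 addresses, which is also why a per-address rule does little against requests spread over many clients.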
Don't know about you, but I hit the site several times a day looking for the next story.
I do that, but I only end up following maybe 1 in 15 links to the actual article (whole days in a row go by where I'm not actually interested in any of the stories submitted, nor with the discussion [how many more ID vs Science stories^H^H^H^H^H^H^Hflamefests do we need?]) I'd personally be happier if the time to posting on stories went up on average, and the quality went up with it.
I can't imagine it's the same difficulty to approve another editor's story as it is to check the story inbox; there's only a dozen or so stories that make the front page daily, and there's probably hundreds in the inbox. This shouldn't add significantly to the publication time unless there's periods where only one editor is around. Then it shouldn't probably be adding more than a few hours, because it's not like whole days go by with only one editor posting to the home page.
I personally do not pay attention to the links people put up for their name on a story.
That's not the issue. The issue is that there seems to be a class of user who spams the submissions box in order to get their links on the homepage, not so you and I follow them, but rather so Google does. They get massive Google page rank boosting because Slashdot links them so often. Their sites don't really contribute to the net, they're simply an advertising hub that masquerades itself as a legit site. They're spamming the submissions box to make money on each story they put on the home page. Not because they have a lot of news they legitimately want to share. They don't put effort or quality into their submissions but rather focus on quantity over quality.
The cracker's creed is not necessarily legal, moral, or ethical in all circumstances.
They did more than try the doorknob. They wrenched on it as hard as they were able. When the kid by himself wasn't able to turn the knob by his own strength, he got a bunch of other people to put all their strength together and exert a lot more force until it gave. This wasn't a "refresh once a minute to see if the server is up" it was "refresh as fast as you can by as many people as you can get together." In other words, a classic DDoS.
The only way to protect against DDoS is to have sufficient capacity to absorb the DDoS. In really extreme circumstances you build some crazy front-end networks to identify DDoS traffic from legitimate traffic and redirect the DDoS stuff somewhere less harmful. It requires a lot of infrastructure for that, and more importantly it requires a lot of bandwidth.
If you're not expecting an attack, and still want to protect yourself, you have to have admins sitting there 24x7 watching network traffic with IDS systems so they can respond once the nature of a DDoS is identified.
Not everyone should have infrastructure in place to protect against all types of attack. You'll never have perfect protection, but the closer you get to perfect protection, the more expensive it gets. Each organization needs to decide for itself what level of protection is economically feasible given the nature of the services it offers, the criticality of those services to its operation, and the likelihood of being on the receiving end of an attack.
Also, saying, "They deserved to be DDoSed because they didn't protect themselves against it" is like saying, "They deserved to be robbed because they didn't lock the door." Yes, failing to lock your door may be stupid, but it doesn't make it any less of a crime to steal from you. The law establishes that there are understood borders.
The kid *knew* he was doing something that was wrong, he did not have good intentions, it was his intent to bring down the server. He wasn't trying to do something innocuous, he was trying to cause harm. He didn't try the doorknob, he got a crowbar and cranked on it with all his and his friends' collective strength.
The dog issue is completely different! An attack dog isn't capable of rational thought, it can't decide, oh, he wants me to attack that guy, why? It just follows orders: it is a weapon.
Ok, what about someone who orders a hit on their spouse? Are they not guilty of murder? They didn't kill their spouse, and the person who did was capable of rational decisions.
If you "graffiti" "Joe is a nigger" on your door, I think it should be completely legal. But to do it on his door is violating his property rights, and should be against the law.
This kid attacked (and incited others to attack) the school's server. This is their front door. He didn't say, "Hey, try to load test my home connection," which would be his own front door.
Also, in a crowded theatre, there can be a fire, and you could be completely incapable of seeing that the fire was there. In a crowded night club that burned down a few years ago near here, there was a real fire on the stage, and the people in the front could tell that was the case, but the people in the back thought it was pyrotechnics (which were being used, and which had malfunctioned), and failed to move so that the people in the front didn't get burned alive. Something like 35 people died because the people by the exit weren't aware there was a problem. You have the same potential if everyone insists on locating the fire and verifying it for themselves before they're willing to leave the building. The people who are by the fire need to shout "Fire" so the people in the back who can't see it get out of the way. When someone shouts fire in a crowded theatre, even if you can't locate the fire, you should still try to leave. You don't have to panic and trample people, but it's quite possible that you trample someone who fell down, and never realize it.
In crowds like that, the crowd is moving in a certain direction, and everyone is shoulder to shoulder. You can't see the floor, and it's probably all you can do to keep your own feet. If you bend over to try to help someone you saw fall, chances are you'll get trampled too, because someone else will be looking over their shoulder at the fire, or looking for their friend or child, and bump into you without realizing it, knocking you under the feet of someone else who can't tell anything but that *something* is under their feet, but they don't know what. There isn't opportunity for rationalizing with the crowd, because every person in that crowd is scared a little bit, and all together they make one very scared, very irrational organism.
I've never seen a crowd which was capable of rational thought, so just like you're guilty if you tell an irrational attack dog to kill someone, you're guilty if you recklessly tell an irrational crowd to all move in the same direction (which is effectively what you're doing when you shout fire).
All crimes can be conspired toward, laws do not need a special provision for conspiracy.
He didn't just tell his friends he was going to try to bring down the server, he asked his friends to help him do it since he wasn't able to do so himself.
If you want to try a front-door analogy, then you need to say you slammed your shoulder against my front door, but it held. So you got 100 of your buddies to all slam their shoulders against my front door at the same time (ignoring the mechanics of 100 people simultaneously slamming against a small door), and it broke in.
If the kid did in fact cause the disruption, and they have proof that he incited others to do so, it wouldn't be hard to prove that the collective actions of the kid and his accomplices caused any disruptions that occurred.
There's plenty of evidence you could show. For example, "According to our eyewitnesses who just testified, he incited the incident at 7:47 pm, and by 7:50 pm, 32 IP addresses which had not previously shown up in the school logs were each making an average of 30-40 requests per second."
Further, they don't even really have to prove he actually caused any disruption. His intent was clearly to do so, and he engaged others to help him. Conspiracy to commit a crime is itself a crime that carries the same penalties as the crime itself, even if the crime never happened. They can arrest him now on the charge of committing the crime (since their initial evidence provides enough proof to issue a warrant), and if in their investigation they find out that it *was* the video conference, they can amend the charges at a later date to just the conspiracy charge.
Multiple people working together whose overall action is criminal, but with whom each individual performs no action that by itself is a crime still counts as a crime, and further counts as conspiracy to commit a crime.
If he incited others to collectively commit a crime, even though their individual actions, in isolation, are not criminal, he's still guilty under U.S. law. If the others participating knew the objective (and from the sounds of it, they did, since he expressed his purpose in his plea for help with the act), then they are also guilty.
This is how money laundering is illegal; each step in the laundering process looks innocent in isolation, but taken together represents a crime.
Further, HD-DVD is generally price prohibitive. To take advantage of HD-DVD technology, you need a HD TV. For a low-end HD TV, you're going to drop $700-$800, and that's without even having the player. To take full advantage of HD TV, you're going to need a TV in the range of $1,200 to $3,000. It's going to be several years before this stuff really reaches the ranges of cost that most people will invest in, and only at that point will they *consider* it, without any guarantee that it'll really catch on.
Do you know no damage was caused? Do you know they weren't on a limited bandwidth account, and are now facing bandwidth overage charges? Do you know if that same server was used for the district to perform its day-to-day operations, and if employees were unable to perform their job functions as a result?
There's many ways that effecting a denial of service attack can cause financial or material damages, and we don't know enough about the situation to know if those things happened or not. More to the point, this kid didn't know enough about the uses that server is put to, nor its billing approach to know if he would be causing damages by his actions.
I cannot shoot holes in your house, even if I suspect no one is home. Nor can I do so even if your windows are open and I cause no damage to your property. The point is that he was acting with the intent to cause enough harm to the server to knock it off the net, and there can be, and perhaps were real peripheral consequences.
Your rights end where my rights begin. The freedom of speech is not the paramount freedom. Life is. Your right to free speech ends when that speech destroys more paramount rights of others, such as life. And whether or not you like it, shouting fire in a crowded theatre *does* make you solely responsible for any injury or death that occurs. You're responsible not just for your actions themselves, but also for the consequences of your actions, both direct and indirect.
Is it free speech to say "sic 'em boy?" What about when you've got a trained attack dog at your side? Is it freedom of expression to squeeze your finger? What about when it's pressed against the trigger of a gun pointed at my head? Is it freedom of speech to libel someone in the press? To graffiti the "nigger" on an afro-american's front door?
Freedoms of speech and expression have limits even in the most liberal of civilized societies. Otherwise it's simply anarchy, because all crimes could otherwise be claimed as freedoms of expression or freedoms of speech.
Shouting "fire!" is not murder. Who did you kill? You caused some morons to believe you 100% and panic and trample over people. THEY killed those people, not you.
I respect your point of view, but the law disagrees with you. So do I.
If they can demonstrate material damages, yes, for sure, even without cyber laws. Encouraging any unusual and unnatural behavior which causes material damage is a felony.
If they are on restricted bandwidth, and you encourage people in an unnatural action which causes them to exceed this bandwidth and so incur extra charges, you're responsible for those charges.
Unnatural doesn't mean posting a link. Unnatural *does* mean encouraging people to repeatedly reload the link with the specific intention of taking down the server, as this kid did.
It's not illegal for me to walk into a store. It's not illegal for me to encourage other people to walk into a store. It *is* illegal for me to encourage a thousand people to walk into a store and jump up and down until the floor collapses.
Although this opinion won't be popular here on the 'dot, the kid effectively incited people to vandalism of some nature, whether in his area this is a misdemeanor or a felony depends a lot on his local laws. Depending on how much damage (eg, man hours to bring the server back up plus bandwidth overage charges) he caused it's definitely a felony. If he knowingly spoke to people outside his own state and encouraged them as well, then perhaps it counts as having crossed state borders, and then it's a federal crime.
Let's not delude ourselves, according to the article his objective was vandalism; he deserves a visit from the cops for that.
The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).
I'd say this needs to be taken with a lot more than a grain of salt; even by their own description, this information is completely meaningless.
Further there's no examination of what the scope of bug reporting is for each OS. For example, perhaps RedHat releases a security update for OpenOffice, and Microsoft releases a security update for Microsoft Office. The former counts as a tick against Linux, while the latter does not count as a tick against Windows. Another vendor might yet also release a security update for StarOffice, and this also counts against Linux, because this vendor distributes a different office suite. Perhaps a third or fourth vendor also releases the same update to OpenOffice as RedHat released (Debian and Ubuntu, similar distros), do these also count against "Linux"?
Ubuntu provides thousands of packages (nearly every popular project out there), including non-free (speech) packages, do each of these count against Linux if they have a security update? If so, then we need to keep track of all Windows vulnerabilities across all Windows-runnable software, and I guarantee the track record will look very different.
To compare apples to apples, you need to level the playing field. Compare only security updates of a single Linux distro running a single window manager, and its security updates for Firefox and Thunderbird against the same reportings for Windows and IE. This is an even playing field.
In short, this whole article is simple meaningless FUD, and nothing more.
Firewalls are great in the same way that airbags and seatbelts are great. In a perfectly running, perfectly operated vehicle, they're completely unnecessary. Even in the best circumstance they're at worst a very mild inconvenience, and in the event of a god-forbid, they can save your life. The benefits clearly outweigh the risks. (Note, for purposes of this analogy, I'm not discussing the camps who argue these things cost more lives than they save, the discussion isn't really centered on vehicular life-saving devices, rather on the idea that such devices aren't necessary under perfect circumstances.)
However, running without a firewall at home because you consider your system to be secure is foolish, I don't care how "secure" you've made your systems, for one reason: Zero-Day Exploits. The most security minded, conscientious, and diligent individual in the world can still benefit from the protections afforded by a firewall the next time a worm hits the net for an unpatched security vulnerability.
Just like no matter how well maintained, and how safely you drive your car, there's still the chance you get creamed at a stoplight by a drunk driver.
The sort of work you're talking about (5 or 6 months of working on a project before moving on to another company, maybe some time off) is the "right" way to use contractors. However, not everyone operates that way. There's plenty of folks who are in open ended contracts, making no more after taxes than a regular employee, but without advantage of the ability to establish duration-based seniority, or other niceties such as employer provided health-care. They'll be in these positions for 3, 5, 10 years, at the same company.
The company really is treating them like an employee, but without the legal obligations that are attached to holding an employee. There are companies out there that have more long term open-ended contractors than they have regular employees. It's practically predatory hiring practice, and in honesty, it should not be legal.
I can speak from experience when I say that there are areas where IT skills are only marketable in one or two companies within a reasonable commute distance, and those companies tend to also have a difficult time finding sufficient IT staff. This means that if truly faced with the option of either hiring their contracting IT staffers, or letting them go and replacing them with other IT staffers, they'd have to hire them, or they'd do without sufficient staff. At the same time, without unionizing or a law to make this practice illegal, no individual has the leverage to demand that they be treated fairly as an employee when they've been working for the same company at effectively reduced benefits for 7 or 8 years, because there's not enough tech jobs in the area to risk getting fired.
The management in these companies tends to be unsympathetic since most real employees have "done their time" as a contractor first. These long-term open-ended contractors typically jump at the chance for real employment since it means the same financial compensation, but with the real benefits that being an employee comes with (health care, company-matching retirement plans, etc).
Unfortunately there's major economic impacts to dissolving a corporation as large as Sony. It's cutting off your nose to spite your face. As unfortunate as it is that monolithic companies have this protection, it is in fact a reality that they'll never truly be punished by government in any way they'll really feel it, because the government's economy can't afford to do so, even all political contributions and illegal sidebar activity aside.
Punishment for these sort of companies comes from the citizens like you and I. For Christmas, my wife and I bought each other a whole new moderately high end home entertainment system. Although there were some nice Sony offerings on the table for some of our equipment, I'm proud to say that my house has no more direct Sony products today than it did last month (I sort of assume some of the equipment has some Sony parts inside, but there's a lot less I can do about that than avoiding the Sony name brand).
It would be the same with this invention, it would take less gasoline for the more efficient car to make its way out of the artificial dip.
Actually, not quite, at least not with respect to hybrids. The gasoline advantage in hybrid cars is that they reclaim energy in braking that is lost in traditional cars, and this is the energy that fuels the batteries. In the case of traditional cars, the energy being claimed by the ramp (depending on ramp placement) could be energy that was being wasted in the form of heat from the brakes. In a hybrid car under the same circumstance, you're actually taking energy that would have been recollected anyway, meaning that their gas engine will have to run a little more at some later point to recharge the batteries a little more.
Further, I doubt these ramps would be used directly on the highway (they sure look like they'd be a bumpy ride if so), so you're discussing using them in low speed areas, which is where the electric engine in a hybrid shines, and you'd be basically sapping power directly out of their batteries, along with a few energy type conversions, so Newton tells us this would be less efficient on the whole (in the case of hybrids) than simply attaching the lights to the grid, which comes with fewer energy type conversions.
I remember the old adage that my art teachers used to preach to me religiously. Form following function.
If the function of something is to look pretty, then use whatever font size you want, use graphics for text where the font face isn't a web-standard font, and screw the user whose eyes can't read that font size; it's not for them.
However, the number of sites whose primary function is art is certainly a small percentage compared to those sites whose primary function is information dissemination. But dime-a-dozen designers are more concerned with wowing their non-technical customers than they are with following function over form. So they reject this tenet of art & architecture.
The unfortunate result then is that people like me, whose job it is to implement someone's art, and oh-wouldn't-it-be-nice-if-it-was-usable-too, end up producing bad architecture on websites to accommodate design.
It's a weak artist who is constrained by constraints. Saying to someone, "All text should be substitutable in any of a series of standard fonts," and having them fire back, "I can't work like that!" only means that person is too accustomed to print design, where the rules are all different (and where they were probably producing work that people with even mild visual impairments found unreadable anyhow). It also means that they lack sufficient creative willpower to be an effective artist, hence they are one of the dime-a-dozen designers.
I had the pleasure once of working with a web designer who wasn't constrained by these sorts of limitations; she produced beautiful websites that could be resized, whose text was all text, and whose average page weight was like 1/4 that of the other designers. Her sites were implemented faster, easier to maintain, loaded faster, and produced a much higher quality user experience. She never declared, "I find this technical limitation inconvenient, so I'll ignore it," and everyone benefitted.
Finally, it's no more valid to say, "People who find the website unusable because of their disabilities can simply find another website that provides the same service," than it is to say, "People who find the stairs on our building unusable because of their disabilities can simply find another store to shop in that has the same goods." Although section 508 compliance only applies to government agencies, that's no excuse for weak designers shafting the disabled.
Since Google *wants* to fill every advertising position, my guess is that decreasing your pay-per-click has more to do with how much others have bid than with some scheme to punish cost reducers. Example, if you were paying $1, and for your experiment you dropped that to $0.50, but 10 other advertisers were each paying $0.75, then you're going to drop pretty drastically in the ranks since there's now 10 other people paying more than you.
Without knowing how much your competing advertisers are bidding, you can't make a lot of inference about unfair ranking practices as there'll always be that unknown.
Well, even though IANAD, I think a little logic can help us identify what would happen here.
New cells come from old cells which split. Aside from minor mutations, new cells have identical DNA from their parent cell. If the graft was healthy, the tissue from the graft would reproduce cells at the same rate as tissue from other parts of the body, or at least at the same rate as normally expected for someone's facial tissue. Cells do not "infect" neighboring cells with their DNA, they only reproduce their DNA through self replication (viruses infect neighboring cells with their RNA, causing the neighboring cell's nucleus to reproduce the virus' DNA, but AFAIK this behavior is unique to viruses, and not part of a healthy tissue).
This means that the DNA in the graft would continue to exist for all cells that drew lineage from the graft, while all cells that drew lineage from original tissue would continue to have the patient's original DNA.
Hence we can assume that along the edges of the graft, there'd be some intermingling of cells with different DNA (in a gaussian scatter pattern?), while farther from the edges, we should see only the grafted DNA. Presumably for the entire surface area of the graft, they've removed all the original tissue, and after stem cell stage, cells generally maintain their original organ type, so there should not really be any of the original DNA anywhere but near the edges of the graft.
Probably cells from the graft would generally be weaker than original cells as a result of the patient's immunology being more likely to destroy the foreign cells as mutations than the patient's natural cells. So as a result, over time, the DNA edges of the graft would probably creep inwards, though this would most likely be a scatter pattern with softer edges between the tissues over time, since some of the grafted cells should generate an immunologically unresponsive (not destroyed by the immune system) line. This last bit is purely speculative on my part though.
Even though you're not financially liable, you do have a fair amount of headache associated with this. For example, when I lost my credit card and had it deactivated (found later that day, but not before I deactivated it), I had to update all the subscription services which automatically bill against it. In all, the process was several hours, time which one could save themselves if they simply only shop with sites that provide https support. I was without a card to do things like purchase gasoline or groceries, and I had no mac card to get cash from an ATM since my mac and credit card (debit card actually) were the same.
What if you discover the fraud while on vacation, and your card is already maxed out? You won't be able to get a replacement card until you arrive home, and your vacation could be pretty effectively ruined (including whatever you were trying to pay for when you discovered the fraud, eg, the expensive dinner you just ate, or the hotel room you were trying to pay for).
Also, https does more than provide encryption. It provides identification confirmation. You know with a fair level of certainty that when dealing with an https site, that the owner of the site is who they are claiming to be, because the browser checks the domain name against the certificate. You know that someone hasn't used arp poisoning, a corrupted hosts file, or various other means of hijacking domains for a small set of users in order to intercept your credit card information.
That said, the encryption itself is a worthwhile reason to use https for sensitive information. How many people have unsecured wireless access points? Anyone in range can listen to every communication they do on their network. People who use certain cable connections are able to be spied on by anyone else on the same loop as them, if that person is sufficiently savvy. Then there's the simple case of nefarious or disgruntled network admins at your ISP, their ISP, their ISP, etc, right down to the retailer itself, for whom there could be IT workers who don't have database access, but could sniff the network. There's a lot of people with their thumbs on the communication line here, so there's a lot of potential for abuse. Even if 99.9% of the time none of these people would do so, the potential is still there and is highly mitigated with https.
Further, there have been a few cases where credit card information has been used to retrieve even more sensitive information, such as might be sufficient to commit identity fraud. In all, my point is that the risks posed are greater than simply the financial risks which credit card companies help to mitigate.
Failing to manage your pointers to objects correctly, so the language can identify what objects are no longer in use to be deallocated is not a bug in the language (encapsulated in the browser), it's a failure on the part of the programmer to effectively deallocate objects which they no longer need.
This is an issue that is core to all programming languages which enable you to use references to objects. IE has the same issues from a memory management perspective, because it doesn't represent a failure in the developers of said language, it represents a failure by the programmer.
Web developers have traditionally never had to manage memory in their development practice, because both server-side, and client-side, a page executes, a fixed number of objects is instantiated, and at some point the page ceases execution, but never with some arbitrary number of objects being created. In the case of ajax-based applications, the longer a page is open, the more objects are created and should eventually be destroyed. If you don't clean up your references, how is the language to know that the objects are no longer in use so it can clear up their memory?
Interesting. My copy of Firefox has been up here on this Ubuntu laptop since I booted it. Current uptime: 13 days. Multiple tabs open the whole time. No swap usage, 512 mb of RAM.
My desktop at work, running Windows 2000 has been running Firefox for at least several weeks, though I'm not at it to check its exact uptime. Again, multiple tabs are open. No paged memory, 512 mb of RAM.
On my home desktop, running Windows XP, I don't tend to run Firefox too often since I game with it, and I have my laptop next to me for my browsing needs, but I can't say I've ever had an issue with it using up memory.
Seems to me as if it might be specific websites you're visiting, sites that, for example, have javascript that's allocating and failing to deallocate memory. This is actually pretty common nowadays, since sites have started using Ajax; many web developers aren't accustomed to having to worry about memory management, and end up leaving references to XML objects sitting around so they're not garbage collected.
Can't speak to IE's ability to avoid these memory issues; obviously on my linux laptop, IE doesn't run, and on my desktop, IE locks up every day or so, so it's never able to stay alive long enough to see if it eats ram =)
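The leak pattern described in the two comments above, as an added example that is not part of the original posts: a long-lived Ajax page that keeps every request reachable, next to one that drops its references when each response has been handled. `FakeXhr`, `createLeakyPage`, `createTidyPage` and `simulate` are hypothetical names, and the "XML" payload is constructed so the code runs offline.

```javascript
// Constructed simulation of a page that polls a server for as long as it stays open.
// FakeXhr stands in for XMLHttpRequest so the example needs no network.
class FakeXhr {
  constructor(id) {
    this.id = id;
    this.responseXML = null;
    this.onload = null;
  }
  send() {
    // Pretend a parsed XML document with 1000 nodes came back.
    this.responseXML = { nodes: new Array(1000).fill(`<item poll="${this.id}"/>`) };
    if (this.onload) this.onload();
  }
}

// Leaky page: every poll stays reachable from long-lived page state, so the
// garbage collector is never allowed to free the request or its response.
function createLeakyPage() {
  const page = { pending: [], latest: null, polls: 0 };
  page.poll = function () {
    const xhr = new FakeXhr(page.polls++);
    page.pending.push(xhr); // never removed
    xhr.onload = () => { page.latest = xhr.responseXML.nodes.length; };
    xhr.send();
  };
  return page;
}

// Tidy page: copy out the small value that is needed, then release everything else.
function createTidyPage() {
  const page = { pending: new Set(), latest: null, polls: 0 };
  page.poll = function () {
    const xhr = new FakeXhr(page.polls++);
    page.pending.add(xhr);
    xhr.onload = () => {
      page.latest = xhr.responseXML.nodes.length;
      page.pending.delete(xhr); // request is no longer reachable from the page
      xhr.onload = null;        // drop the closure that captured xhr
      xhr.responseXML = null;   // drop the parsed document
    };
    xhr.send();
  };
  return page;
}

// Run `polls` polls and report what the page object still keeps alive.
function simulate(pageFactory, polls) {
  const page = pageFactory();
  for (let i = 0; i < polls; i++) page.poll();
  const held = [...page.pending]; // works for both the array and the Set
  let nodesHeld = 0;
  for (const xhr of held) {
    if (xhr.responseXML) nodesHeld += xhr.responseXML.nodes.length;
  }
  return { requestsHeld: held.length, nodesHeld, latest: page.latest };
}

console.log('leaky:', simulate(createLeakyPage, 500));
console.log('tidy: ', simulate(createTidyPage, 500));
```

The retained counts grow with the number of polls only in the leaky version, which is why the symptom shows up on pages left open for days rather than on pages that load once and finish.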
Don't know about you, but I hit the site several times a day looking for the next story.
I do that, but I only end up following maybe 1 in 15 links to the actual article (whole days in a row go by where I'm not actually interested in any of the stories submitted, nor with the discussion [how many more ID vs Science stories^H^H^H^H^H^H^Hflamefests do we need?]) I'd personally be happier if the time to posting on stories went up on average, and the quality went up with it.
I can't imagine it's the same difficulty to approve another editor's story as it is to check the story inbox; there's only a dozen or so stories that make the front page daily, and there's probably hundreds in the inbox. This shouldn't add significantly to the publication time unless there's periods where only one editor is around. Then it shouldn't probably be adding more than a few hours, because it's not like whole days go by with only one editor posting to the home page.
I personally do not pay attention to the links people put up for their name on a story.
That's not the issue. The issue is that there seems to be a class of user who spams the submissions box in order to get their links on the homepage, not so you and I follow them, but rather so Google does. They get massive Google page rank boosting because Slashdot links them so often. Their sites don't really contribute to the net, they're simply an advertising hub that masquerades itself as a legit site. They're spamming the submissions box to make money on each story they put on the home page. Not because they have a lot of news they legitimately want to share. They don't put effort or quality into their submissions but rather focus on quantity over quality.
The cracker's creed is not necessarily legal, moral, or ethical in all circumstances.
They did more than try the doorknob. They wrenched on it as hard as they were able. When the kid by himself wasn't able to turn the knob by his own strength, he got a bunch of other people to put all their strength together and exert a lot more force until it gave. This wasn't a "refresh once a minute to see if the server is up" it was "refresh as fast as you can by as many people as you can get together." In other words, a classic DDoS.
The only way to protect against DDoS is to have sufficient capacity to absorb the DDoS. In really extreme circumstances you build some crazy front-end networks to identify DDoS traffic from legitimate traffic and redirect the DDoS stuff somewhere less harmful. It requires a lot of infrastructure for that, and more importantly it requires a lot of bandwidth.
If you're not expecting an attack, and still want to protect yourself, you have to have admins sitting there 24x7 watching network traffic with IDS systems so they can respond once the nature of a DDoS is identified.
Not everyone should have infrastructure in place to protect against all types of attack. You'll never have perfect protection, but the closer you get to perfect protection, the more expensive it gets. Each organization needs to decide for itself what level of protection is economically feasible given the nature of the services it offers, the criticality of those services to its operation, and the likelihood of being on the receiving end of an attack.
Also, saying, "They deserved to be DDoSed because they didn't protect themselves against it" is like saying, "They deserved to be robbed because they didn't lock the door." Yes, failing to lock your door may be stupid, but it doesn't make it any less of a crime to steal from you. The law establishes that there are understood borders.
The kid *knew* he was doing something that was wrong, he did not have good intentions, it was his intent to bring down the server. He wasn't trying to do something innocuous, he was trying to cause harm. He didn't try the doorknob, he got a crowbar and cranked on it with all his and his friends' collective strength.
The dog issue is completely different! An attack dog isn't capable of rational thought, it can't decide, oh, he wants me to attack that guy, why? It just follows orders: it is a weapon.
Ok, what about someone who orders a hit on their spouse? Are they not guilty of murder? They didn't kill their spouse, and the person who did was capable of rational decisions.
If you "graffiti" "Joe is a nigger" on your door, I think it should be completely legal. But to do it on his door is violating his property rights, and should be against the law.
This kid attacked (and incited others to attack) the school's server. This is their front door. He didn't say, "Hey, try to load test my home connection," which would be his own front door.
Also, in a crowded theatre, there can be a fire, and you could be completely incapable of seeing that the fire was there. In a crowded night club that burned down a few years ago near here, there was a real fire on the stage, and the people in the front could tell that was the case, but the people in the back thought it was pyrotechnics (which were being used, and which had malfunctioned), and failed to move so that the people in the front didn't get burned alive. Something like 35 people died because the people by the exit weren't aware there was a problem. You have the same potential if everyone insists on locating the fire and verifying it for themselves before they're willing to leave the building. The people who are by the fire need to shout "Fire" so the people in the back who can't see it get out of the way. When someone shouts fire in a crowded theatre, even if you can't locate the fire, you should still try to leave. You don't have to panic and trample people, but it's quite possible that you trample someone who fell down, and never realize it.
In crowds like that, the crowd is moving in a certain direction, and everyone is shoulder to shoulder. You can't see the floor, and it's probably all you can do to keep your own feet. If you bend over to try to help someone you saw fall, chances are you'll get trampled too, because someone else will be looking over their shoulder at the fire, or looking for their friend or child, and bump into you without realizing it, knocking you under the feet of someone else who can't tell anything but that *something* is under their feet, but they don't know what. There isn't opportunity for rationalizing with the crowd, because every person in that crowd is scared a little bit, and all together they make one very scared, very irrational organism.
I've never seen a crowd which was capable of rational thought, so just like you're guilty if you tell an irrational attack dog to kill someone, you're guilty if you recklessly tell an irrational crowd to all move in the same direction (which is effectively what you're doing when you shout fire).
All crimes can be conspired toward, laws do not need a special provision for conspiracy.
He didn't just tell his friends he was going to try to bring down the server, he asked his friends to help him do it since he wasn't able to do so himself.
If you want to try a front-door analogy, then you need to say you slammed your shoulder against my front door, but it held. So you got 100 of your buddies to all slam their shoulders against my front door at the same time (ignoring the mechanics of 100 people simultaneously slamming against a small door), and it broke in.
If the kid did in fact cause the disruption, and they have proof that he incited others to do so, it wouldn't be hard to prove that the collective actions of the kid and his accomplices caused any disruptions that occurred.
There's plenty of evidence you could show. For example, "According to our eyewitnesses who just testified, he incited the incident at 7:47 pm, and by 7:50 pm, 32 IP addresses which had not previously shown up in the school logs were each making an average of 30-40 requests per second."
Further, they don't even really have to prove he actually caused any disruption. His intent was clearly to do so, and he engaged others to help him. Conspiracy to commit a crime is itself a crime that carries the same penalties as the crime itself, even if the crime never happened. They can arrest him now on the charge of committing the crime (since their initial evidence provides enough proof to issue a warrant), and if in their investigation they find out that it *was* the video conference, they can amend the charges at a later date to just the conspiracy charge.
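The kind of log analysis behind the evidence described in the comment above, as an added example that is not part of the original post: it reads Common Log Format lines, treats every address seen before a given incident time as baseline, and reports previously unseen addresses whose average request rate meets a threshold. The function names, the threshold and the log lines (documentation-range addresses) are all constructed for illustration.

```javascript
// Common Log Format: ip - - [01/Jan/2006:19:50:00 +0000] "GET / HTTP/1.1" 200 1024
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\] "(\S+) (\S+)[^"]*" (\d{3})/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Returns { ip, epoch, path } or null when the line does not parse.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m || !(m[3] in MONTHS)) return null;
  const offsetMin = (m[8] === '-' ? -1 : 1) * (Number(m[9]) * 60 + Number(m[10]));
  const local = Date.UTC(+m[4], MONTHS[m[3]], +m[2], +m[5], +m[6], +m[7]) / 1000;
  return { ip: m[1], epoch: local - offsetMin * 60, path: m[12] };
}

// Addresses first seen at or after incidentEpoch whose average rate over
// their active span is at least minAvgPerSecond. Line order does not matter.
function findNewHighRateClients(lines, incidentEpoch, minAvgPerSecond) {
  const entries = [];
  let skipped = 0;
  for (const line of lines) {
    const e = parseLine(line);
    if (e) entries.push(e); else skipped++;
  }
  const baseline = new Set(entries.filter((e) => e.epoch < incidentEpoch).map((e) => e.ip));
  const stats = new Map();
  for (const e of entries) {
    if (e.epoch < incidentEpoch || baseline.has(e.ip)) continue;
    let s = stats.get(e.ip);
    if (!s) {
      s = { first: e.epoch, last: e.epoch, total: 0, perSecond: new Map() };
      stats.set(e.ip, s);
    }
    s.first = Math.min(s.first, e.epoch);
    s.last = Math.max(s.last, e.epoch);
    s.total++;
    s.perSecond.set(e.epoch, (s.perSecond.get(e.epoch) || 0) + 1);
  }
  const flagged = [];
  for (const [ip, s] of stats) {
    const avgPerSecond = s.total / (s.last - s.first + 1);
    if (avgPerSecond >= minAvgPerSecond) {
      flagged.push({ ip, firstSeen: s.first, total: s.total, avgPerSecond,
                     peakPerSecond: Math.max(...s.perSecond.values()) });
    }
  }
  flagged.sort((a, b) => (a.ip < b.ip ? -1 : a.ip > b.ip ? 1 : 0));
  return { flagged, skipped };
}

// ---- Constructed sample data (not taken from any real server) ----
function clf(ip, hh, mm, ss) {
  const p = (n) => String(n).padStart(2, '0');
  return `${ip} - - [01/Jan/2006:${p(hh)}:${p(mm)}:${p(ss)} +0000] "GET /index.html HTTP/1.1" 200 1024`;
}
function buildSampleLog() {
  const lines = [];
  // A client already known before the incident, browsing normally throughout.
  for (let m = 40; m <= 52; m += 2) lines.push(clf('192.0.2.10', 19, m, 5));
  // Two previously unseen clients at 35 requests/second for 3 seconds from 19:50:00.
  for (const ip of ['203.0.113.1', '203.0.113.2']) {
    for (let s = 0; s < 3; s++) {
      for (let i = 0; i < 35; i++) lines.push(clf(ip, 19, 50, s));
    }
  }
  // A new visitor at an ordinary rate: new, but not part of the burst.
  for (let s = 0; s < 5; s++) lines.push(clf('198.51.100.7', 19, 51, s * 10));
  lines.push('truncated or corrupt line');
  return lines;
}

const INCIDENT_EPOCH = Date.UTC(2006, 0, 1, 19, 47, 0) / 1000; // constructed incident time
console.log(findNewHighRateClients(buildSampleLog(), INCIDENT_EPOCH, 30));
```

A flagged address identifies a traffic source, not a person; an address that fronts a shared proxy can carry many users' requests.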
Multiple people working together whose overall action is criminal, but with whom each individual performs no action that by itself is a crime still counts as a crime, and further counts as conspiracy to commit a crime.
If he incited others to collectively commit a crime, even though their individual actions, in isolation, are not criminal, he's still guilty under U.S. law. If the others participating knew the objective (and from the sounds of it, they did, since he expressed his purpose in his plea for help with the act), then they are also guilty.
This is how money laundering is illegal; each step in the laundering process looks innocent in isolation, but taken together represents a crime.
Further, HD-DVD is generally price prohibitive. To take advantage of HD-DVD technology, you need a HD TV. For a low-end HD TV, you're going to drop $700-$800, and that's without even having the player. To take full advantage of HD TV, you're going to need a TV in the range of $1,200 to $3,000. It's going to be several years before this stuff really reaches the ranges of cost that most people will invest in, and only at that point will they *consider* it, without any guarantee that it'll really catch on.
It all reminds me a lot of laser discs.
Do you know no damage was caused? Do you know they weren't on a limited bandwidth account, and are now facing bandwidth overage charges? Do you know if that same server was used for the district to perform its day-to-day operations, and if employees were unable to perform their job functions as a result?
There's many ways that effecting a denial of service attack can cause financial or material damages, and we don't know enough about the situation to know if those things happened or not. More to the point, this kid didn't know enough about the uses that server is put to, nor its billing approach to know if he would be causing damages by his actions.
I cannot shoot holes in your house, even if I suspect no one is home. Nor can I do so even if your windows are open and I cause no damage to your property. The point is that he was acting with the intent to cause enough harm to the server to knock it off the net, and there can be, and perhaps were real peripheral consequences.
Your rights end where my rights begin. The freedom of speech is not the paramount freedom. Life is. Your right to free speech ends when that speech destroys more paramount rights of others, such as life. And whether or not you like it, shouting fire in a crowded theatre *does* make you solely responsible for any injury or death that occurs. You're responsible not just for your actions themselves, but also for the consequences of your actions, both direct and indirect.
Is it free speech to say "sic 'em boy?" What about when you've got a trained attack dog at your side? Is it freedom of expression to squeeze your finger? What about when it's pressed against the trigger of a gun pointed at my head? Is it freedom of speech to libel someone in the press? To graffiti the "nigger" on an afro-american's front door?
Freedoms of speech and expression have limits even in the most liberal of civilized societies. Otherwise it's simply anarchy, because all crimes could otherwise be claimed as freedoms of expression or freedoms of speech.
Shouting "fire!" is not murder. Who did you kill? You caused some morons to believe you 100% and panic and trample over people. THEY killed those people, not you.
I respect your point of view, but the law disagrees with you. So do I.
If they can demonstrate material damages, yes, for sure, even without cyber laws. Encouraging any unusual and unnatural behavior which causes material damage is a felony.
If they are on restricted bandwidth, and you encourage people in an unnatural action which causes them to exceed this bandwidth and so incur extra charges, you're responsible for those charges.
Unnatural doesn't mean posting a link. Unnatural *does* mean encouraging people to repeatedly reload the link with the specific intention of taking down the server, as this kid did.
It's not illegal for me to walk into a store. It's not illegal for me to encourage other people to walk into a store. It *is* illegal for me to encourage a thousand people to walk into a store and jump up and down until the floor collapses.
Although this opinion won't be popular here on the 'dot, the kid effectively incited people to vandalism of some nature, whether in his area this is a misdemeanor or a felony depends a lot on his local laws. Depending on how much damage (eg, man hours to bring the server back up plus bandwidth overage charges) he caused it's definitely a felony. If he knowingly spoke to people outside his own state and encouraged them as well, then perhaps it counts as having crossed state borders, and then it's a federal crime.
Let's not delude ourselves, according to the article his objective was vandalism; he deserves a visit from the cops for that.
Well, there's the TV I bought 3 weeks ago:
http://www.crutchfield.com/S-X2rzKsLNny2/cgi-bin/
I'd say this needs to be taken with a lot more than a grain of salt; even by their own description, this information is completely meaningless.
Further there's no examination of what the scope of bug reporting is for each OS. For example, perhaps RedHat releases a security update for OpenOffice, and Microsoft releases a security update for Microsoft Office. The former counts as a tick against Linux, while the latter does not count as a tick against Windows. Another vendor might yet also release a security update for StarOffice, and this also counts against Linux, because this vendor distributes a different office suite. Perhaps a third or fourth vendor also releases the same update to OpenOffice as RedHat released (Debian and Ubuntu, similar distros), do these also count against "Linux"?
Ubuntu provides thousands of packages (nearly every popular project out there), including non-free (speech) packages, do each of these count against Linux if they have a security update? If so, then we need to keep track of all Windows vulnerabilities across all Windows-runnable software, and I guarantee the track record will look very different.
To compare apples to apples, you need to level the playing field. Compare only security updates of a single Linux distro running a single window manager, and its security updates for Firefox and Thunderbird against the same reportings for Windows and IE. This is an even playing field.
In short, this whole article is simple meaningless FUD, and nothing more.
Firewalls are great in the same way that airbags and seatbelts are great. In a perfectly running, perfectly operated vehicle, they're completely unnecessary. Even in the best circumstance they're at worst a very mild inconvenience, and in the event of a god-forbid, they can save your life. The benefits clearly outweigh the risks. (Note, for purposes of this analogy, I'm not discussing the camps who argue these things cost more lives than they save, the discussion isn't really centered on vehicular life-saving devices, rather on the idea that such devices aren't necessary under perfect circumstances.)
However, running without a firewall at home because you consider your system to be secure is foolish, I don't care how "secure" you've made your systems, for one reason: Zero-Day Exploits. The most security minded, conscientious, and diligent individual in the world can still benefit from the protections afforded by a firewall the next time a worm hits the net for an unpatched security vulnerability.
Just like no matter how well maintained, and how safely you drive your car, there's still the chance you get creamed at a stoplight by a drunk driver.
The sort of work you're talking about (5 or 6 months of working on a project before moving on to another company, maybe some time off) is the "right" way to use contractors. However, not everyone operates that way. There's plenty of folks who are in open ended contracts, making no more after taxes than a regular employee, but without advantage of the ability to establish duration-based seniority, or other niceties such as employer provided health-care. They'll be in these positions for 3, 5, 10 years, at the same company.
The company really is treating them like an employee, but without the legal obligations that are attached to holding an employee. There are companies out there that have more long term open-ended contractors than they have regular employees. It's practically predatory hiring practice, and in honesty, it should not be legal.
I can speak from experience when I say that there are areas where IT skills are only marketable in one or two companies within a reasonable commute distance, and those companies tend to also have a difficult time finding sufficient IT staff. This means that if truly faced with the option of either hiring their contracting IT staffers, or letting them go and replacing them with other IT staffers, they'd have to hire them, or they'd do without sufficient staff. At the same time, without unionizing or a law to make this practice illegal, no individual has the leverage to demand that they be treated fairly as an employee when they've been working for the same company at effectively reduced benefits for 7 or 8 years, because there's not enough tech jobs in the area to risk getting fired.
The management in these companies tends to be unsympathetic since most real employees have "done their time" as a contractor first. These long-term open-ended contractors typically jump at the chance for real employment since it means the same financial compensation, but with the real benefits that being an employee comes with (health care, company-matching retirement plans, etc).
Unfortunately there's major economic impacts to dissolving a corporation as large as Sony. It's cutting off your nose to spite your face. As unfortunate as it is that monolithic companies have this protection, it is in fact a reality that they'll never truly be punished by government in any way they'll really feel it, because the government's economy can't afford to do so, even all political contributions and illegal sidebar activity aside.
Punishment for these sort of companies comes from the citizens like you and I. For Christmas, my wife and I bought each other a whole new moderately high end home entertainment system. Although there were some nice Sony offerings on the table for some of our equipment, I'm proud to say that my house has no more direct Sony products today than it did last month (I sort of assume some of the equipment has some Sony parts inside, but there's a lot less I can do about that than avoiding the Sony name brand).
It would be the same with this invention, it would take less gasoline for the more efficient car to make its way out of the artificial dip.
Actually, not quite, at least not with respect to hybrids. The gasoline advantage in hybrid cars is that they reclaim energy in braking that is lost in traditional cars, and this is the energy that fuels the batteries. In the case of traditional cars, the energy being claimed by the ramp (depending on ramp placement) could be energy that was being wasted in the form of heat from the brakes. In a hybrid car under the same circumstance, you're actually taking energy that would have been recollected anyway, meaning that their gas engine will have to run a little more at some later point to recharge the batteries a little more.
Further, I doubt these ramps would be used directly on the highway (they sure look like they'd be a bumpy ride if so), so you're discussing using them in low speed areas, which is where the electric engine in a hybrid shines, and you'd be basically sapping power directly out of their batteries, along with a few energy type conversions, so Newton tells us this would be less efficient on the whole (in the case of hybrids) than simply attaching the lights to the grid, which comes with fewer energy type conversions.
Another sibling of your comment pointed out that there's a "Permanent Link" link in the left column on all articles that provides this feature.
I remember the old adage that my art teachers used to preach to me religiously. Form following function.
If the function of something is to look pretty, then use whatever font size you want, use graphics for text where the font face isn't a web-standard font, and screw the user whose eyes can't read that font size; it's not for them.
However, the number of sites whose primary function is art is certainly a small percentage compared to those sites whose primary function is information dissemination. But dime-a-dozen designers are more concerned with wowing their non-technical customers than they are with following function over form. So they reject this tenet of art & architecture.
The unfortunate result then is that people like me, whose job it is to implement someone's art, and oh-wouldn't-it-be-nice-if-it-was-usable-too, end up producing bad architecture on websites to accommodate design.
It's a weak artist who is constrained by constraints. Saying to someone, "All text should be substitutable in any of a series of standard fonts," and having them fire back, "I can't work like that!" only means that person is too accustomed to print design, where the rules are all different (and where they were probably producing work that people with even mild visual impairments found unreadable anyhow). It also means that they lack sufficient creative willpower to be an effective artist, hence they are one of the dime-a-dozen designers.
I had the pleasure once of working with a web designer who wasn't constrained by these sorts of limitations; she produced beautiful websites that could be resized, whose text was all text, and whose average page weight was like 1/4 that of the other designers. Her sites were implemented faster, easier to maintain, loaded faster, and produced a much higher quality user experience. She never declared, "I find this technical limitation inconvenient, so I'll ignore it," and everyone benefitted.
Finally, it's no more valid to say, "People who find the website unusable because of their disabilities can simply find another website that provides the same service," than it is to say, "People who find the stairs on our building unusable because of their disabilities can simply find another store to shop in that has the same goods." Although section 508 compliance only applies to government agencies, that's no excuse for weak designers shafting the disabled.
Since Google *wants* to fill every advertising position, my guess is that decreasing your pay-per-click has more to do with how much others have bid than with some scheme to punish cost reducers. Example, if you were paying $1, and for your experiment you dropped that to $0.50, but 10 other advertisers were each paying $0.75, then you're going to drop pretty drastically in the ranks since there's now 10 other people paying more than you.
Without knowing how much your competing advertisers are bidding, you can't make a lot of inference about unfair ranking practices as there'll always be that unknown.
Well, even though IANAD, I think a little logic can help us identify what would happen here.
New cells come from old cells which split. Aside from minor mutations, new cells have identical DNA from their parent cell. If the graft was healthy, the tissue from the graft would reproduce cells at the same rate as tissue from other parts of the body, or at least at the same rate as normally expected for someone's facial tissue. Cells do not "infect" neighboring cells with their DNA, they only reproduce their DNA through self replication (viruses infect neighboring cells with their RNA, causing the neighboring cell's nucleus to reproduce the virus' DNA, but AFAIK this behavior is unique to viruses, and not part of a healthy tissue).
This means that the DNA in the graft would continue to exist for all cells that drew lineage from the graft, while all cells that drew lineage from original tissue would continue to have the patient's original DNA.
Hence we can assume that along the edges of the graft, there'd be some intermingling of cells with different DNA (in a gaussian scatter pattern?), while farther from the edges, we should see only the grafted DNA. Presumably for the entire surface area of the graft, they've removed all the original tissue, and after stem cell stage, cells generally maintain their original organ type, so there should not really be any of the original DNA anywhere but near the edges of the graft.
Probably cells from the graft would generally be weaker than original cells as a result of the patient's immunology being more likely to destroy the foreign cells as mutations than the patient's natural cells. So as a result, over time, the DNA edges of the graft would probably creep inwards, though this would most likely be a scatter pattern with softer edges between the tissues over time, since some of the grafted cells should generate an immunologically unresponsive (not destroyed by the immune system) line. This last bit is purely speculative on my part though.
Even though you're not financially liable, you do have a fair amount of headache associated with this. For example, when I lost my credit card and had it deactivated (found later that day, but not before I deactivated it), I had to update all the subscription services which automatically bill against it. In all, the process was several hours, time which one could save themselves if they simply only shop with sites that provide https support. I was without a card to do things like purchase gasoline or groceries, and I had no mac card to get cash from an ATM since my mac and credit card (debit card actually) were the same.
What if you discover the fraud while on vacation, and your card is already maxed out? You won't be able to get a replacement card until you arrive home, and your vacation could be pretty effectively ruined (including whatever you were trying to pay for when you discovered the fraud, eg, the expensive dinner you just ate, or the hotel room you were trying to pay for).
Also, https does more than provide encryption. It provides identification confirmation. You know with a fair level of certainty that when dealing with an https site, that the owner of the site is who they are claiming to be, because the browser checks the domain name against the certificate. You know that someone hasn't used arp poisoning, a corrupted hosts file, or various other means of hijacking domains for a small set of users in order to intercept your credit card information.
That said, the encryption itself is a worthwhile reason to use https for sensitive information. How many people have unsecured wireless access points? Anyone in range can listen to every communication they do on their network. People who use certain cable connections are able to be spied on by anyone else on the same loop as them, if that person is sufficiently savvy. Then there's the simple case of nefarious or disgruntled network admins at your ISP, their ISP, their ISP, etc, right down to the retailer itself, for whom there could be IT workers who don't have database access, but could sniff the network. There's a lot of people with their thumbs on the communication line here, so there's a lot of potential for abuse. Even if 99.9% of the time none of these people would do so, the potential is still there and is highly mitigated with https.