Rep. Boucher once again sponsers Slashdot laws
on
DRM Advocate Violates DRM
·
· Score: 3, Informative
And it looks like the bill sponsor is the Representative from Slashdot, Boucher. Seriously, I love this guy (and I'm kinda sad that he represents Virginia instead of my state). Take a look at the list of legislation he's been involved in.
Reading down the list, he's opposed the RIAA, the DMCA, argued for fair use, argued for privacy laws, argued against the broadcast flag, argued against additional RIAA laws (and urged that the RIAA simply lower prices to provide a more appealing product), in favor of allowing features for Linux, worked on weakening the DMCA, pushed an anti-spam law (though admittedly not the most stringent of the proposals), pushed for the Do Not Call List, opposed DoJ anti-P2P propaganda attempts, and been a proponent of pro-VoIP laws. His arguments are quite tech-savvy -- if the man does not understand technology himself, he has some pretty sharp advisors. Many of these stances have been those that oppose major lobbyist groups (direct marketing, RIAA, MPAA, etc).
Stick about a hundred more like him in Congress and throw Orrin Hatch to the wolves and I'd have a damn lot of respect for the legislative branch.
Third of all, the Web has matured a good deal. New HTML extensions and redesigns and new protocols and formats and must-have features aren't just popping out at every turn. MSIE hasn't had significant improvements since 2001 and is still a major player -- that would not have happened in the IE/NS 3.x days.
Not just that, there is a significant threshhold effect even independent of whether or not MS is losing market share. Once a browser gets up around where Firefox is, it becomes important to not use extensions that don't work on it, and the browser graduates from "second class citizen" to "first class citizen".
Also, I think that we can all enjoy and appreciate the fact that MSIE's most recent "improvements" are catch-up features copied from Firefox. In BizLingo, Firefox is currently the leader in the market in technology.
While IT where I work still ships boxes with IE preinstalled, they specifically say "We're fine with you downloading and using free software, like 'Firefox'".
What I'd like to know is why archive.org, king of bulk data transfer, doesn't automatically provide bittorrents of all of their larger files. It would have to save them some stupidly large amount of money in bandwidth costs.
I do not understand the implied connection between CS/philosophy and moral absolutism.
There isn't one, just with my ability to ask the question and get a meaningful, considered response. I'm CS/philosophy as well, and have found that CS/philosophy folks have a tendency to self-analyze with the passion of the philosopher and the rigororous system analysis tools of the computer scientist.
I was just curious as to why you felt that need ethically justified copyright infringement. I'm not arguing with you. I just felt that what you were saying wasn't just a kneejerk response. A moral absolutist would presumably universalize his statement, saying that everyone who has need should be able to infringe -- a moral relativist might do so or might not do so. That's all.
Just to get this out of the way, I am not accusing. I infringe on copyrights myself not infrequently (and I really do have the means to not infringe on most of them).
My point is that the reward that we use to convince people to work in society is the carrot of purchases. If that carrot is no longer present, then it seems like society might cease producing goods.
What I mean is that if you're working on three computers, you have three desktops sitting in front of you, rather than just transparently using three applications that just happen to be running on three computers.
Still, the figures I have given are accurate, and in this country they firmly place me into the category of people who cannot possibly afford to buy CDs and DVDs, while making it ethically acceptable for me to get (and so also invariably give with BT) illegitimate copies over the net, strictly for private use.
(Completely off topic, only asked because your website seemed to indicate that you were a CS/philosophy person.)
It's bedtime for me, mr_e, so I'm afraid that we'll have to cut this short, but I suspect that we'll run into each other in another thread on Slashdot sooner or later.
Well, yes... if you MOVE a file on the same partition, it will retain it's old permissions (as well as any new inherited ones), but if you copy the file (or create a new one) it will get the folders permissions.
[chuckles] Glad we all agree on how things work. Me, I've always been a bit confused by Windows, so I'll just have to take your word on it.
But even on Unix when you move a file it will retain its ownership and permissions. One would think even a Unix admin would understand that detail.
[grin] Yup. And on that same Unix box, the permissions of the containing directory wouldn't be ignored.
What you're effectively saying is "Because unix admins expect it to work one way, and doesn't, that's a bad thing". That's really the same argument as saying "Because Unix doesn't act like Windows, that's a bad thing".
Well, I guess I could have come across like that, though what I meant to say was that it was counterintuitive for anyone that hasn't specifically been told how Microsoft's security scheme works. But, my friend, you're beating a dead horse. I've already agreed, several comments back, that it's a matter of opinion as to whether it's good or bad. I feel that Microsoft's approach is counterintuitive and you do not.
I mean, Windows users expect the clipboard to work everywhere.
Change of topic? Well, fair enough. It's a good thing that Unix uses a superset of Windows clipboard behavior, then, so that Windows users don't need to modify their behavior.
Unix users expect the middle mouse button to copy the current selection.
Not any Unix users that I've met. Every application I've seen does an insert when middle-clicking, not a copy.
There's lots of this kind of stuff that anyone moving from one system to another has to get used to.
For testing a patch to an extremely widely-used consumer app? Sure, that's not an unreasonable amount of time.
Frankly, if for every security vulnerability reported to Microsoft, there was a prompt response followed by a well-tested patch in eight weeks (and we'll be generous and use the oldest bug, as you did), most of us would be *estatic*.
We'd all like more speed, but if a given hole is not actively being exploited or only being exploited on a small scale, releasing a bad patch can cause more damage than it's worth. If this was...well, I guess there aren't really any worms that target Firefox, but if there were, a sort of Code Red for Firefox, where a massive outbreak is spreading, I'd predict that it's a pretty safe statement to say that the Firefox team wouldn't hold onto the patch to bundle into the next bugfix release -- there'd be a patch out as soon as they could finish it.
I don't think IBM *will*. (Effective) managers at big business, in my experience, do not go on rabid, vindictive rampages with company money to try to hunt down someone that has pissed them off. The nastiness and political infighting takes a much more subtle tone. Sure, maybe he wouldn't get hired at a company run by some guy that was on the other side of the case, but IBM is not going to drop money to make McBride's life miserable. They got rid of their threat -- there's no money in harassing McBride.
The best choice is probably the computer department at the Massachusetts Institute of Technology (MIT) or Carnegie-Mellon University (CMU).
These two may be the most prestigious and do some kick-ass research, but the day that your university needs to employ some guy that makes autonomous combat robots drive around in the desert in order for you to make an informed judgement on whether or not Windows or Linux has more/less secure code is the day that hell freezes over.
The overwhelming majority of what you learn depends on what you read and do independently (i.e. not just slog through homework) in college. I'd take some guy that's been hacking open source software and is into designing clever systems and reads a lot about computer science way before I'd take some guy from MIT that did the bare minimum to get decent grades and a piece of paper and a hat at the end of four years. The benefit of going to a good research college is that you have a bit of an official award that you looked promising when you came out of high school, and you have access (limited though it may be, given class sizes) to some really intelligent researchers. Oh, and if you want to go into research yourself, you have lots of people with positions and easy paths to follow. And that is pretty much the extent of what the college itself will do for you. The rest, the vast majority of your computer science education, is pretty much up to you. MIT even puts course materials online -- CMU is more stingy, but some professors put their content up.
Besides, I'm pretty sure that CMU would just say "Linux". Microsoft is exceedingly unpopular in that place.
Well, I stand corrected on Palladium, but then I was really considering the TCPA organizations argument, not Microsoft's.
Yup, the TCPA foks are just fine. Well, maybe not, but at least I don't have a problem with them misleading people. What I was complaining about was Microsoft's misleading representation to their customers of Windows security, not with what the TCPA committee is off doing.
Also, I still don't agree with you about the passsword thing. It doesn't take someone that "knows what they're doing" to set a password. The dialog *ASKS* You for one. Yes, if you don't enter one, it would happily continue (until default password complexity restrictions happened in Windows 2003), but I wouldn't really call that a default in the same way you originally phrased it.
[shrug] I'd consider it one, and I've seen hordes of people with "Administrator":"" machines, but if you'd prefer to consider my original statement reworded, fair enough.
As for bypass traverse checking, you also have to turn off object inheritance to set an individual file to different permissions. So one would assume they know what they're doing.
Nope. Create a folder, give it restrictive permissions, grab some file with an "Users Read" DACL, or something else nice and permissive, and dump it in said directory, and you'll notice that any user can bypass directory security. Same holds true up through and including Windows Server 2003.
What you're thinking of happens if you take an insecure directory, dump a file in it without the directory yet being secure (which said paranoid-but-un-assreamed-sysadmin is hopefully not going to do, because he knows that everyone is going to be able to read the file for at least some period of time), and then jack up the security of the DACL on the insecure directory, and will happen *if* inheritance on the file has not been disabled. Well, or if you enable the checkbox to recursively set the permissions. Another funny little quirk of the way the Windows security system works.
Which is getting close to goading me into griping how the biggest enemy of a secure system is overcomplexity, that Windows and its predecessor, VMS, have always had far too complex of a security system for a typical admin to understand or secure (especially when the standard modes of operation are nonintuitive), but I'll hold off.
I will say this -- I know one of the damn few MVPs that actually understands Windows security (I don't, really. I gave up trying to understand it a long time ago, and just stopped treating Windows boxes as trusted computers for my data), and he is one of the most amazingly bright people out there. I really do respect those people who have actually managed to wrap their mind around the Windows security model, because it is one insane beast (and this means a whole lot more than knowing how to fire up Active Directory). People that actually do secure software development on Windows (and do it *right*, which means understanding every nuance and all the holes that exist in Windows) exist in an even higher and more rarefied environment, and are truly demigods. Believe me, it's a lot easier to be a Unix security guru or to write secure Unix software.
The email came from someone they trusted. They'd *never* send them anything dangerous. ARRRGHHH!
Note that there is precisely one OS vendor who controls a vast number of email clients and a less-dominant-but-still-important chunk of email clients, and has the ability to bundle PGP and autogenerate keys at installation and has chosen not to do so for years.
Linux cloned the Unix environment which early on was a multi user networked environment, used by many universities where students could wreak havoc. Many design decisions were made to improve security early on.
And God bless each and every one of 'em for giving me a secure OS today.
Umm.. Windows NT based system (the only Windows system with an Administrator account) have never had a default administrator account with no password.
Keep whacking "Next" in the installer. You'll get an account called "Administrator" and a blank password. It's a default, not something that's preinstalled. You can choose not to have said account, if you know what you're doing. Lots of people just figured that they were running a local box, that no sane consumer OS vendor would do the things I described, and that it would be okay to have a blank password on their physically secure machine. I would have done the same, in their shoes, to be honest.
Also, Palladium was never billed as a way to ensure your computer is secure. It's billed as a way to make your *INFORMATION* more secure. Big difference really.
You sound like an honest engineer who wouldn't mislead folks. Shame that the same can't be said of Microsoft:
PressPass: Specifically, how will "Palladium" enhance security and privacy?
Manferdelli: "Palladium" will greatly reduce the risk of many viruses and spyware -- software that captures and reports information from inside your PC -- and other attacks. Memory in "Palladium" PCs and other devices will run only "trusted" code that is physically isolated, protected, and inaccessible to the rest of the system. Files within the "Palladium" architecture will be encrypted with secret coding specific to each PC, making them useless if stolen or surreptitiously copied.
"Palladium" also will allow users to determine the personal information they reveal online because it allows the user to operate in different "realms" within their PC. Like a set of vaults, realms provide users the assurance that they can securely keep private and public information separate. Each realm will have its own distinct identifiers, policies, and categories of data. This will allow users to provide the credentials necessary to make online transactions while preventing identity theft and unauthorized access to personal data -- such as credit-card numbers -- from the users PC or other device. Even information traveling between a users keyboard and monitor will be protected by "Palladium's" optional hardware architecture. This means keystrokes cant be snooped or spoofed, even by malicious device drivers.
The end result is a system with security similar to a closed-architecture system but with the flexibility of the open Windows platform.
TCPA will be available on all kinds of platforms, not just Windows. Linux is adopting it as well.
Yup, it may be that some Linux vendors will support it. Of course, they aren't billing it as the latest-and-greatest in privacy and security improvement. I don't have a problem with TCPA being available (matter of fact, I strongly suspect that I've done more engineering on TCPA-using systems than you have), I have a problem with consumers being lied to about its role. Macrovision on my TV is a DRM device. It's not a fucking privacy-enhancing system. Neither is TCPA, but Microsoft is billing it as such.
I really don't quite get your problem with Bypass traverse checking. If you set the permissions on a file explicitly, then any OS should honor that. Not doing so would be brain dead, counter-intuitive, and confusing. "I Said give joe access, why isn't it doing it!"
Well, I guess we all have our own opinion as to what's intuitive. I suspect, though, that if I took ten guys that haven't gone through the training that enlightens one as to Microsoft's security decisions, all ten would say that the file shouldn't be accessable. But, all that is really a matter of opinion, so I won't keep pushing it. You've got your interpretation, and I've my own.
The biggest threat to security these days isn't in the OS anymore,
Uh, huh.
Let's see. Windows *has* made some improvements.
Windows 9x got patched, so that it didn't trust the remote end as to the length of the password on a share (and only check that many digits). I remember watching Wargames and thinking "Hollywood sure is unrealistic. Nobody is stupid enough going to build a system where a password can be extracted in linear time by scanning each digit." A couple of years later, after polishing up an exploit I wrote that did exactly that, remotely, over the Internet to 9x boxes, I had to amend that statement with "unless it's Microsoft".
What else has been improved in Windows security? Hmm...oh, yes. There's no longer a default account of "Administrator" with a blank password. Couple that with automatically, by-default enabled (but "invisible" to any users of Microsoft SMB clients) administrative shares and just to spice things up, re-enable any administrative shares that the security-seeeking user has disabled on his last boot, and you had a quite depressing situation, with a huge horde of Windows NT users enthralled with new Internet connection to their computer providing full Administrator rights to every file on their hard drive. To every user on the Internet. Yeah. Microsoft got rid of the default blank password, and then (after claiming that "system administrators were the problem for not putting the Windows machines behind firewalls") added a firewall that could block, by default, any connections to SMB from Internet-routable IP addresses. Instead of securing the thing or disabling it, they slapped a lid over it, so that an intruder has to wait until he penetrates a corporate network to start running hog-wild within. I guess it takes him another five minutes -- he has to shotgun the domain's email addresses with a trojan that opens an http connection to the outbound world and wait for a user inside to run the thing. There might be a cracker somewhere who was stopped by this, I admit.
I *do* notice that Microsoft still grants users "bypass traverse checking" by default. Real intuitive, you know? Jim the Administrator, who is a poor, naive Unix admin, who hasn't yet been ass-reamed by Windows' security architecture, who is used to computers being really simple and logical to securely administer, creates a "private" directory that only he has access to, and sticks documents that people shouldn't get at in said directory. Of course, he doesn't know that if there are any files in there that have DACLs that fail to prevent users from accessing them, Microsoft has cleverly allowed any user to bypass the directory permissions. That's right -- if you know the pathname of an unprotected file somewhere in a protected directory, on a vanilla, out-of-box Windows system, you can cruise right past the restrictions on the directory, ignoring them. Hope you've never, ever accidently granted someone rights on a file when you didn't intend to, because on Windows, being in your private home directory isn't enough to secure that file. Keeps Windows users on their toes, makes things exciting, and makes sure that people don't start expecting intuitive behavior from Microsoft.
Oh, let's see. What else...has been fixed? Well, there was Microsoft's twin Outlook innovations of (a) ramming any email that came in right into a complicated, almost-impossible-to-insecure full-blown HTML renderer with programming language support, and (b) allowing a single click to execute any attachment, and making the UI for "execute" be the same as "open file". Now, the first made cross-site scripting attacks, which were previously kind of limited and boring, turn into massive worm-vulnerable holes that could take down networks every time MSIE has a bug, and made the "Good Times" hoax a reality. The second made sure that, given the infinite supply of people who reasonably expect the OS to prevent a single click in a program regularly used from wiping out their computer, there
I haven't seen one really recently (but my Slashdot reading has dropped recently in favor of technocrat.net), but Slashdot used to have a horrible habit of putting up news that insinuated that [huge storage device] was immediately available, whereas the numbers provided (500 GB! 3TB!) were usually the most optimistic numbers available from some storage researchers extrapolating what might be available as a product in six years based on some new chemical procedure that might theoretically be used for high-density data storage that they just managed to get working once in their laboratory. I'd say that Slashdot's accuracy rate on latest-and-greatest storage news is hovering in the single digits.
Ebbers (not Edwards) is one of a very rare elite -- wealthy white-collar criminals who are getting the book thrown at them. There are very few prosecutions in this arena. It's expensive, you are facing hordes of lawyers, and people wonder why you aren't hauling off murderers.
Ebbers is getting screwed specifically because he was involved in one of a handlful of financial cases that were so egregious that they caught the attention of the popular media, and hence the mind of the public. If you are a politician, and you represent a public outraged over some criminal, you do what you can to have the book thrown at that criminal.
Darl did not piss off anyone other than the statistically insignificant (if vastly disproportionate in influence in the tech world) members of the open source community. My mother has no idea that Darl exists, and there isn't really any way to pack his crimes into a one-sentence damning sound byte that appeals to the public(Ebbers had to deal with pictures of blue collar workers and the sentence "they lost their retirement money"). Nothing scares the shit out of a voting baby boomer like the concept of someone losing their retirement money.
Darl, IIRC, came off of the whole thing rather well, with no liability and plenty of money. And SCO was in the shitter already, so his rep is more of just a CEO willing to try some long shots when not much remains than the guy who killed SCO. He *did* manage the media rather poorly, getting personally involved instead of having a more competent spokesman involved, but that's really the only black mark against him.
Because I choose a medium that's cheap, that means I essentially give up my copyright? I don't think so.
No -- I pointed out above that Stallman wouldn't like that. To clarify my statement, no, I don't think that you should lose copyright, or essentially give it up.
What I think is that *if* you chose to distribute something to the public (and really to the public, not just doing an iTunes and piping something to a customer via HTTPS a la Apple), you should not be able to say "okay, everything's shut off now". Adobe doesn't put Photoshop up for public download, so it isn't an issue, but they could still sell authenticated access to Photoshop. If you're a photographer and want to demonstrate your work, people still can't take your pictures and stick them in magazines and sell them. The only new thing that they would have a right to do is mirror them -- to present them as coming from you, and to provide public access to them.
I just want "putting something on the public Web" to translate legally to "enabling public distribution for an unlimited amount of time" as opposed to "enabling public distribution for a potentially limited amount of time".
The reason why is that the Web suffers from a specific technical problem that is increasingly important as time goes on -- content is transient. It doesn't stay up for long, as people stop funding servers or pass away or any number of things happen. Allowing this sort of fair use, which would *specifically* legalize archive.org and friends, allows technical solutions to be introduced to solve the problem (mirroring, possibly with content-based addressing, historical archives to be kept, etc). Without this form of fair use, Web content becomes simply impossible to reference due to legal barriers, and hence a major benefit of the Web, and the original intended killer feature (ability to use hypertext references) becomes much less useful.
I think that there are very few instances in which people rely specifically on the ability to time-limit public offerings on the Web, and I feel that the benefits of these instances are far outweighed by the need to ensure that the Web can provide valid references. I can think of a few sites that provide some sort of normally-commercial data (pornographic video, fonts) for a limited time, so one would see "Bob's Free Font of the Week" up for a single week. This sort of thing would not be feasible in an environment that allowed mirroring of public content as fair use. However, I just don't see this need as even coming close to the public need to be able to reference and keep documents available.
Trying to apply the "it's easy, so it should be legal" principle is what doesn't make sense.
Laws are made for a reason -- to modify behavior. If a law is not enforceable, then yes, I don't think that law should exist, and it should be necessary for people to produce systems that deal with a different set of rules. I do not think that it should be illegal to be rude to people, because it is unenforceable, and arbitrarily-enforced law is a dangerous thing indeed.
I am not talking about the elimination of commercial use of the Web. I am talking about eliminating a very specific and rarely-used mechanism (time-limited public distribution) to allow another mechanism that I feel is much more important (mirroring to keep references alive and data from being lost).
Google and Web-based forums and mailing list archives have somewhat reduced the value of Dejanews/Google News, but the amount of sheer knowledge that Deja provided from nothingness, from a forum where any post vanished in a week, was astounding. I want that same mechanism to be applicable to the Web.
Or only if that nation is Cuba? Cuba needs to have it's own Tienamen Square Massacre... so in a few years without a repeat they can claim "progress", and have their lobbyists infiltrate the Texas GOP.
Cuba will never, within the generation, have the US embargo ended. This has absolutely nothing to do with communism. Cuba's chances of sparking a communist revolution in the United States died a long time ago. Nor does it have to do with any threat that Cuba poses the United States.
There is a very simple reason.
The President gets to determine what we do WRT Cuba.
The President is elected by electoral college, not popular vote.
All member states of the US currently use an all-or-nothing vote -- you can't win three of five electoral college votes.
This means that the only states at issue in an election are swing states, and large states are much more important.
By far the most important swing state is Florida.
A very large chunk of Florida's voting population are immigrants who were kicked out by/fled Castro's administration. These people hate Castro, and will never accept a relaxing of US stance towards Castro.
So despite the fact that it makes absolutely no sense whatsoever from a national security standpoint to maintain an embargo of Cuba and that the vast majority of the US population really doesn't care one whit about Cuba (or would like to get cheap cigars and a nice nearby vacation spot), we will continue to embargo Cuba at least until Castro is dead, possibly until his regime collapses.
Which sort of sucks, because by doing so we completely screw over a vast number of rather poor neighbors of ours who have done absolutely nothing to us.
While I don't agree with you, that was a very readable and enjoyable post.
I think that Windows will eventually suffer the same slow, withering death that all operating systems of the past have -- the manufacturer decides to increase profits "just a bit". There are so many people locked in for whom it would each cost $N to switch that the manufacturer can easily charge $N/5 for the next release. And then the manufacturer decies to charge $N/4. And at some point, they step over N (at least for some people for whom it isn't so expensive to switch), and those people move. The last remaining loners are usually the ones who end up having to spend exorbant amounts of money to keep their systems working. This has happened with DEC, with IBM, and with any number of "enterprise" software packages.
Linux serves as a possible end to this cycle, because the barrier to switching distributions is simply so low that there isn't much that a distro maker can extort from his customers.
Not to be a dick, but if that's honestly your financial situation, you *really* should not play WoW, no matter how unpleasant it is to stop. There's the financial cost, but more relevantly, it consumes an awful lot of time.
I *do* think that I should be able to freely download any works that are, say, twenty or more years old -- the original label financing recording absolutely was not factoring twenty years of production into their calculations when they were deciding whether or not to try out a new artist.
Slashdot Mirror
And it looks like the bill sponsor is the Representative from Slashdot, Boucher. Seriously, I love this guy (and I'm kinda sad that he represents Virginia instead of my state). Take a look at the list of legislation he's been involved in.
Reading down the list, he's opposed the RIAA, the DMCA, argued for fair use, argued for privacy laws, argued against the broadcast flag, argued against additional RIAA laws (and urged that the RIAA simply lower prices to provide a more appealing product), in favor of allowing features for Linux, worked on weakening the DMCA, pushed an anti-spam law (though admittedly not the most stringent of the proposals), pushed for the Do Not Call List, opposed DoJ anti-P2P propaganda attempts, and been a proponent of pro-VoIP laws. His arguments are quite tech-savvy -- if the man does not understand technology himself, he has some pretty sharp advisors. Many of these stances have been those that oppose major lobbyist groups (direct marketing, RIAA, MPAA, etc).
Stick about a hundred more like him in Congress and throw Orrin Hatch to the wolves and I'd have a damn lot of respect for the legislative branch.
Third of all, the Web has matured a good deal. New HTML extensions and redesigns and new protocols and formats and must-have features aren't just popping out at every turn. MSIE hasn't had significant improvements since 2001 and is still a major player -- that would not have happened in the IE/NS 3.x days.
Not just that, there is a significant threshhold effect even independent of whether or not MS is losing market share. Once a browser gets up around where Firefox is, it becomes important to not use extensions that don't work on it, and the browser graduates from "second class citizen" to "first class citizen".
Also, I think that we can all enjoy and appreciate the fact that MSIE's most recent "improvements" are catch-up features copied from Firefox. In BizLingo, Firefox is currently the leader in the market in technology.
While IT where I work still ships boxes with IE preinstalled, they specifically say "We're fine with you downloading and using free software, like 'Firefox'".
I don't know what's funniest -- your post, the fact that you got +5 Funny, or that your username is "Quiet_Desperation"...
What I'd like to know is why archive.org, king of bulk data transfer, doesn't automatically provide bittorrents of all of their larger files. It would have to save them some stupidly large amount of money in bandwidth costs.
I do not understand the implied connection between CS/philosophy and moral absolutism.
There isn't one, just with my ability to ask the question and get a meaningful, considered response. I'm CS/philosophy as well, and have found that CS/philosophy folks have a tendency to self-analyze with the passion of the philosopher and the rigororous system analysis tools of the computer scientist.
I was just curious as to why you felt that need ethically justified copyright infringement. I'm not arguing with you. I just felt that what you were saying wasn't just a kneejerk response. A moral absolutist would presumably universalize his statement, saying that everyone who has need should be able to infringe -- a moral relativist might do so or might not do so. That's all.
Just to get this out of the way, I am not accusing. I infringe on copyrights myself not infrequently (and I really do have the means to not infringe on most of them).
My point is that the reward that we use to convince people to work in society is the carrot of purchases. If that carrot is no longer present, then it seems like society might cease producing goods.
What I mean is that if you're working on three computers, you have three desktops sitting in front of you, rather than just transparently using three applications that just happen to be running on three computers.
Still, the figures I have given are accurate, and in this country they firmly place me into the category of people who cannot possibly afford to buy CDs and DVDs, while making it ethically acceptable for me to get (and so also invariably give with BT) illegitimate copies over the net, strictly for private use.
(Completely off topic, only asked because your website seemed to indicate that you were a CS/philosophy person.)
Are you a moral absolutist?
It's bedtime for me, mr_e, so I'm afraid that we'll have to cut this short, but I suspect that we'll run into each other in another thread on Slashdot sooner or later.
Well, yes... if you MOVE a file on the same partition, it will retain it's old permissions (as well as any new inherited ones), but if you copy the file (or create a new one) it will get the folders permissions.
[chuckles] Glad we all agree on how things work. Me, I've always been a bit confused by Windows, so I'll just have to take your word on it.
But even on Unix when you move a file it will retain its ownership and permissions. One would think even a Unix admin would understand that detail.
[grin] Yup. And on that same Unix box, the permissions of the containing directory wouldn't be ignored.
What you're effectively saying is "Because unix admins expect it to work one way, and doesn't, that's a bad thing". That's really the same argument as saying "Because Unix doesn't act like Windows, that's a bad thing".
Well, I guess I could have come across like that, though what I meant to say was that it was counterintuitive for anyone that hasn't specifically been told how Microsoft's security scheme works. But, my friend, you're beating a dead horse. I've already agreed, several comments back, that it's a matter of opinion as to whether it's good or bad. I feel that Microsoft's approach is counterintuitive and you do not.
I mean, Windows users expect the clipboard to work everywhere.
Change of topic? Well, fair enough. It's a good thing that Unix uses a superset of Windows clipboard behavior, then, so that Windows users don't need to modify their behavior.
Unix users expect the middle mouse button to copy the current selection.
Not any Unix users that I've met. Every application I've seen does an insert when middle-clicking, not a copy.
There's lots of this kind of stuff that anyone moving from one system to another has to get used to.
That certainly is true.
Is 2 months "quickly"?
For testing a patch to an extremely widely-used consumer app? Sure, that's not an unreasonable amount of time.
Frankly, if for every security vulnerability reported to Microsoft, there was a prompt response followed by a well-tested patch in eight weeks (and we'll be generous and use the oldest bug, as you did), most of us would be *estatic*.
We'd all like more speed, but if a given hole is not actively being exploited or only being exploited on a small scale, releasing a bad patch can cause more damage than it's worth. If this was...well, I guess there aren't really any worms that target Firefox, but if there were, a sort of Code Red for Firefox, where a massive outbreak is spreading, I'd predict that it's a pretty safe statement to say that the Firefox team wouldn't hold onto the patch to bundle into the next bugfix release -- there'd be a patch out as soon as they could finish it.
I don't think IBM *will*. (Effective) managers at big business, in my experience, do not go on rabid, vindictive rampages with company money to try to hunt down someone that has pissed them off. The nastiness and political infighting takes a much more subtle tone. Sure, maybe he wouldn't get hired at a company run by some guy that was on the other side of the case, but IBM is not going to drop money to make McBride's life miserable. They got rid of their threat -- there's no money in harassing McBride.
The best choice is probably the computer department at the Massachusetts Institute of Technology (MIT) or Carnegie-Mellon University (CMU).
These two may be the most prestigious and do some kick-ass research, but the day that your university needs to employ some guy that makes autonomous combat robots drive around in the desert in order for you to make an informed judgement on whether or not Windows or Linux has more/less secure code is the day that hell freezes over.
The overwhelming majority of what you learn depends on what you read and do independently (i.e. not just slog through homework) in college. I'd take some guy that's been hacking open source software and is into designing clever systems and reads a lot about computer science way before I'd take some guy from MIT that did the bare minimum to get decent grades and a piece of paper and a hat at the end of four years. The benefit of going to a good research college is that you have a bit of an official award that you looked promising when you came out of high school, and you have access (limited though it may be, given class sizes) to some really intelligent researchers. Oh, and if you want to go into research yourself, you have lots of people with positions and easy paths to follow. And that is pretty much the extent of what the college itself will do for you. The rest, the vast majority of your computer science education, is pretty much up to you. MIT even puts course materials online -- CMU is more stingy, but some professors put their content up.
Besides, I'm pretty sure that CMU would just say "Linux". Microsoft is exceedingly unpopular in that place.
Well, I stand corrected on Palladium, but then I was really considering the TCPA organizations argument, not Microsoft's.
Yup, the TCPA foks are just fine. Well, maybe not, but at least I don't have a problem with them misleading people. What I was complaining about was Microsoft's misleading representation to their customers of Windows security, not with what the TCPA committee is off doing.
Also, I still don't agree with you about the passsword thing. It doesn't take someone that "knows what they're doing" to set a password. The dialog *ASKS* You for one. Yes, if you don't enter one, it would happily continue (until default password complexity restrictions happened in Windows 2003), but I wouldn't really call that a default in the same way you originally phrased it.
[shrug] I'd consider it one, and I've seen hordes of people with "Administrator":"" machines, but if you'd prefer to consider my original statement reworded, fair enough.
As for bypass traverse checking, you also have to turn off object inheritance to set an individual file to different permissions. So one would assume they know what they're doing.
Nope. Create a folder, give it restrictive permissions, grab some file with an "Users Read" DACL, or something else nice and permissive, and dump it in said directory, and you'll notice that any user can bypass directory security. Same holds true up through and including Windows Server 2003.
What you're thinking of happens if you take an insecure directory, dump a file in it without the directory yet being secure (which said paranoid-but-un-assreamed-sysadmin is hopefully not going to do, because he knows that everyone is going to be able to read the file for at least some period of time), and then jack up the security of the DACL on the insecure directory, and will happen *if* inheritance on the file has not been disabled. Well, or if you enable the checkbox to recursively set the permissions. Another funny little quirk of the way the Windows security system works.
Which is getting close to goading me into griping how the biggest enemy of a secure system is overcomplexity, that Windows and its predecessor, VMS, have always had far too complex of a security system for a typical admin to understand or secure (especially when the standard modes of operation are nonintuitive), but I'll hold off.
I will say this -- I know one of the damn few MVPs that actually understands Windows security (I don't, really. I gave up trying to understand it a long time ago, and just stopped treating Windows boxes as trusted computers for my data), and he is one of the most amazingly bright people out there. I really do respect those people who have actually managed to wrap their mind around the Windows security model, because it is one insane beast (and this means a whole lot more than knowing how to fire up Active Directory). People that actually do secure software development on Windows (and do it *right*, which means understanding every nuance and all the holes that exist in Windows) exist in an even higher and more rarefied environment, and are truly demigods. Believe me, it's a lot easier to be a Unix security guru or to write secure Unix software.
The email came from someone they trusted. They'd *never* send them anything dangerous. ARRRGHHH!
Note that there is precisely one OS vendor who controls a vast number of email clients and a less-dominant-but-still-important chunk of email clients, and has the ability to bundle PGP and autogenerate keys at installation and has chosen not to do so for years.
Linux cloned the Unix environment which early on was a multi user networked environment, used by many universities where students could wreak havoc. Many design decisions were made to improve security early on.
And God bless each and every one of 'em for giving me a secure OS today.
Umm.. Windows NT based system (the only Windows system with an Administrator account) have never had a default administrator account with no password.
Keep whacking "Next" in the installer. You'll get an account called "Administrator" and a blank password. It's a default, not something that's preinstalled. You can choose not to have said account, if you know what you're doing. Lots of people just figured that they were running a local box, that no sane consumer OS vendor would do the things I described, and that it would be okay to have a blank password on their physically secure machine. I would have done the same, in their shoes, to be honest.
Also, Palladium was never billed as a way to ensure your computer is secure. It's billed as a way to make your *INFORMATION* more secure. Big difference really.
You sound like an honest engineer who wouldn't mislead folks. Shame that the same can't be said of Microsoft:
PressPass: Specifically, how will "Palladium" enhance security and privacy?
Manferdelli: "Palladium" will greatly reduce the risk of many viruses and spyware -- software that captures and reports information from inside your PC -- and other attacks. Memory in "Palladium" PCs and other devices will run only "trusted" code that is physically isolated, protected, and inaccessible to the rest of the system. Files within the "Palladium" architecture will be encrypted with secret coding specific to each PC, making them useless if stolen or surreptitiously copied.
"Palladium" also will allow users to determine the personal information they reveal online because it allows the user to operate in different "realms" within their PC. Like a set of vaults, realms provide users the assurance that they can securely keep private and public information separate. Each realm will have its own distinct identifiers, policies, and categories of data. This will allow users to provide the credentials necessary to make online transactions while preventing identity theft and unauthorized access to personal data -- such as credit-card numbers -- from the users PC or other device. Even information traveling between a users keyboard and monitor will be protected by "Palladium's" optional hardware architecture. This means keystrokes cant be snooped or spoofed, even by malicious device drivers.
The end result is a system with security similar to a closed-architecture system but with the flexibility of the open Windows platform.
TCPA will be available on all kinds of platforms, not just Windows. Linux is adopting it as well.
Yup, it may be that some Linux vendors will support it. Of course, they aren't billing it as the latest-and-greatest in privacy and security improvement. I don't have a problem with TCPA being available (matter of fact, I strongly suspect that I've done more engineering on TCPA-using systems than you have), I have a problem with consumers being lied to about its role. Macrovision on my TV is a DRM device. It's not a fucking privacy-enhancing system. Neither is TCPA, but Microsoft is billing it as such.
I really don't quite get your problem with Bypass traverse checking. If you set the permissions on a file explicitly, then any OS should honor that. Not doing so would be brain dead, counter-intuitive, and confusing. "I Said give joe access, why isn't it doing it!"
Well, I guess we all have our own opinion as to what's intuitive. I suspect, though, that if I took ten guys that haven't gone through the training that enlightens one as to Microsoft's security decisions, all ten would say that the file shouldn't be accessable. But, all that is really a matter of opinion, so I won't keep pushing it. You've got your interpretation, and I've my own.
The biggest threat to security these days isn't in the OS anymore,
Uh, huh.
Let's see. Windows *has* made some improvements.
Windows 9x got patched, so that it didn't trust the remote end as to the length of the password on a share (and only check that many digits). I remember watching Wargames and thinking "Hollywood sure is unrealistic. Nobody is stupid enough going to build a system where a password can be extracted in linear time by scanning each digit." A couple of years later, after polishing up an exploit I wrote that did exactly that, remotely, over the Internet to 9x boxes, I had to amend that statement with "unless it's Microsoft".
What else has been improved in Windows security? Hmm...oh, yes. There's no longer a default account of "Administrator" with a blank password. Couple that with automatically, by-default enabled (but "invisible" to any users of Microsoft SMB clients) administrative shares and just to spice things up, re-enable any administrative shares that the security-seeeking user has disabled on his last boot, and you had a quite depressing situation, with a huge horde of Windows NT users enthralled with new Internet connection to their computer providing full Administrator rights to every file on their hard drive. To every user on the Internet. Yeah. Microsoft got rid of the default blank password, and then (after claiming that "system administrators were the problem for not putting the Windows machines behind firewalls") added a firewall that could block, by default, any connections to SMB from Internet-routable IP addresses. Instead of securing the thing or disabling it, they slapped a lid over it, so that an intruder has to wait until he penetrates a corporate network to start running hog-wild within. I guess it takes him another five minutes -- he has to shotgun the domain's email addresses with a trojan that opens an http connection to the outbound world and wait for a user inside to run the thing. There might be a cracker somewhere who was stopped by this, I admit.
I *do* notice that Microsoft still grants users "bypass traverse checking" by default. Real intuitive, you know? Jim the Administrator, who is a poor, naive Unix admin, who hasn't yet been ass-reamed by Windows' security architecture, who is used to computers being really simple and logical to securely administer, creates a "private" directory that only he has access to, and sticks documents that people shouldn't get at in said directory. Of course, he doesn't know that if there are any files in there that have DACLs that fail to prevent users from accessing them, Microsoft has cleverly allowed any user to bypass the directory permissions. That's right -- if you know the pathname of an unprotected file somewhere in a protected directory, on a vanilla, out-of-box Windows system, you can cruise right past the restrictions on the directory, ignoring them. Hope you've never, ever accidently granted someone rights on a file when you didn't intend to, because on Windows, being in your private home directory isn't enough to secure that file. Keeps Windows users on their toes, makes things exciting, and makes sure that people don't start expecting intuitive behavior from Microsoft.
Oh, let's see. What else...has been fixed? Well, there was Microsoft's twin Outlook innovations of (a) ramming any email that came in right into a complicated, almost-impossible-to-insecure full-blown HTML renderer with programming language support, and (b) allowing a single click to execute any attachment, and making the UI for "execute" be the same as "open file". Now, the first made cross-site scripting attacks, which were previously kind of limited and boring, turn into massive worm-vulnerable holes that could take down networks every time MSIE has a bug, and made the "Good Times" hoax a reality. The second made sure that, given the infinite supply of people who reasonably expect the OS to prevent a single click in a program regularly used from wiping out their computer, there
I haven't seen one really recently (but my Slashdot reading has dropped recently in favor of technocrat.net), but Slashdot used to have a horrible habit of putting up news that insinuated that [huge storage device] was immediately available, whereas the numbers provided (500 GB! 3TB!) were usually the most optimistic numbers available from some storage researchers extrapolating what might be available as a product in six years based on some new chemical procedure that might theoretically be used for high-density data storage that they just managed to get working once in their laboratory. I'd say that Slashdot's accuracy rate on latest-and-greatest storage news is hovering in the single digits.
No, he really isn't.
Ebbers (not Edwards) is one of a very rare elite -- wealthy white-collar criminals who are getting the book thrown at them. There are very few prosecutions in this arena. It's expensive, you are facing hordes of lawyers, and people wonder why you aren't hauling off murderers.
Ebbers is getting screwed specifically because he was involved in one of a handlful of financial cases that were so egregious that they caught the attention of the popular media, and hence the mind of the public. If you are a politician, and you represent a public outraged over some criminal, you do what you can to have the book thrown at that criminal.
Darl did not piss off anyone other than the statistically insignificant (if vastly disproportionate in influence in the tech world) members of the open source community. My mother has no idea that Darl exists, and there isn't really any way to pack his crimes into a one-sentence damning sound byte that appeals to the public(Ebbers had to deal with pictures of blue collar workers and the sentence "they lost their retirement money"). Nothing scares the shit out of a voting baby boomer like the concept of someone losing their retirement money.
Darl, IIRC, came off of the whole thing rather well, with no liability and plenty of money. And SCO was in the shitter already, so his rep is more of just a CEO willing to try some long shots when not much remains than the guy who killed SCO. He *did* manage the media rather poorly, getting personally involved instead of having a more competent spokesman involved, but that's really the only black mark against him.
Because I choose a medium that's cheap, that means I essentially give up my copyright? I don't think so.
No -- I pointed out above that Stallman wouldn't like that. To clarify my statement, no, I don't think that you should lose copyright, or essentially give it up.
What I think is that *if* you chose to distribute something to the public (and really to the public, not just doing an iTunes and piping something to a customer via HTTPS a la Apple), you should not be able to say "okay, everything's shut off now". Adobe doesn't put Photoshop up for public download, so it isn't an issue, but they could still sell authenticated access to Photoshop. If you're a photographer and want to demonstrate your work, people still can't take your pictures and stick them in magazines and sell them. The only new thing that they would have a right to do is mirror them -- to present them as coming from you, and to provide public access to them.
I just want "putting something on the public Web" to translate legally to "enabling public distribution for an unlimited amount of time" as opposed to "enabling public distribution for a potentially limited amount of time".
The reason why is that the Web suffers from a specific technical problem that is increasingly important as time goes on -- content is transient. It doesn't stay up for long, as people stop funding servers or pass away or any number of things happen. Allowing this sort of fair use, which would *specifically* legalize archive.org and friends, allows technical solutions to be introduced to solve the problem (mirroring, possibly with content-based addressing, historical archives to be kept, etc). Without this form of fair use, Web content becomes simply impossible to reference due to legal barriers, and hence a major benefit of the Web, and the original intended killer feature (ability to use hypertext references) becomes much less useful.
I think that there are very few instances in which people rely specifically on the ability to time-limit public offerings on the Web, and I feel that the benefits of these instances are far outweighed by the need to ensure that the Web can provide valid references. I can think of a few sites that provide some sort of normally-commercial data (pornographic video, fonts) for a limited time, so one would see "Bob's Free Font of the Week" up for a single week. This sort of thing would not be feasible in an environment that allowed mirroring of public content as fair use. However, I just don't see this need as even coming close to the public need to be able to reference and keep documents available.
Trying to apply the "it's easy, so it should be legal" principle is what doesn't make sense.
Laws are made for a reason -- to modify behavior. If a law is not enforceable, then yes, I don't think that law should exist, and it should be necessary for people to produce systems that deal with a different set of rules. I do not think that it should be illegal to be rude to people, because it is unenforceable, and arbitrarily-enforced law is a dangerous thing indeed.
I am not talking about the elimination of commercial use of the Web. I am talking about eliminating a very specific and rarely-used mechanism (time-limited public distribution) to allow another mechanism that I feel is much more important (mirroring to keep references alive and data from being lost).
Google and Web-based forums and mailing list archives have somewhat reduced the value of Dejanews/Google News, but the amount of sheer knowledge that Deja provided from nothingness, from a forum where any post vanished in a week, was astounding. I want that same mechanism to be applicable to the Web.
Or only if that nation is Cuba? Cuba needs to have it's own Tienamen Square Massacre... so in a few years without a repeat they can claim "progress", and have their lobbyists infiltrate the Texas GOP.
Cuba will never, within the generation, have the US embargo ended. This has absolutely nothing to do with communism. Cuba's chances of sparking a communist revolution in the United States died a long time ago. Nor does it have to do with any threat that Cuba poses the United States.
There is a very simple reason.
The President gets to determine what we do WRT Cuba.
The President is elected by electoral college, not popular vote.
All member states of the US currently use an all-or-nothing vote -- you can't win three of five electoral college votes.
This means that the only states at issue in an election are swing states, and large states are much more important.
By far the most important swing state is Florida.
A very large chunk of Florida's voting population are immigrants who were kicked out by/fled Castro's administration. These people hate Castro, and will never accept a relaxing of US stance towards Castro.
So despite the fact that it makes absolutely no sense whatsoever from a national security standpoint to maintain an embargo of Cuba and that the vast majority of the US population really doesn't care one whit about Cuba (or would like to get cheap cigars and a nice nearby vacation spot), we will continue to embargo Cuba at least until Castro is dead, possibly until his regime collapses.
Which sort of sucks, because by doing so we completely screw over a vast number of rather poor neighbors of ours who have done absolutely nothing to us.
Like threw for through and setup for set up or a instead of an.
You should quote words when you are referring to the word itself and not their meaning. For instance:
Like "threw" for "through" and "setup" for "set up" or "a" instead of "an".
(I'm waiting for someone to call me out on using British style for the placement of my period and quote marks in the preceeding sentence...)
While I don't agree with you, that was a very readable and enjoyable post.
I think that Windows will eventually suffer the same slow, withering death that all operating systems of the past have -- the manufacturer decides to increase profits "just a bit". There are so many people locked in for whom it would each cost $N to switch that the manufacturer can easily charge $N/5 for the next release. And then the manufacturer decies to charge $N/4. And at some point, they step over N (at least for some people for whom it isn't so expensive to switch), and those people move. The last remaining loners are usually the ones who end up having to spend exorbant amounts of money to keep their systems working. This has happened with DEC, with IBM, and with any number of "enterprise" software packages.
Linux serves as a possible end to this cycle, because the barrier to switching distributions is simply so low that there isn't much that a distro maker can extort from his customers.
Not to be a dick, but if that's honestly your financial situation, you *really* should not play WoW, no matter how unpleasant it is to stop. There's the financial cost, but more relevantly, it consumes an awful lot of time.
I *do* think that I should be able to freely download any works that are, say, twenty or more years old -- the original label financing recording absolutely was not factoring twenty years of production into their calculations when they were deciding whether or not to try out a new artist.