Until the first world nations stop raping third world nations and supporting tinpot dictators just for the sake of guaranteeing access to their resources, human misery will continue wholesale.
Yes! We need to get out of the way and let the local tinpot dictators get on with raping their own countries without outside interference. Just ask Robert Mugabe! He'll tell you.
Well, just imagine if we hadn't interfered in Iraq, Afghanistan in the 60s, Vietnam, Korea, etc. -- we wouldn't be overextended right now, and could genuinely help out in Zimbabwe if the UN asked us to. In fact, we would actually have enough credibility in the UN to rally support around the idea of taking action in Zimbabwe.
But instead we went chasing 'weapons of mass destruction' and an 'al-qaida in Iraq' that didn't exist there until we turned the country into a pile of rubble. So the man has a point, and his anger is understandable, if not justified.
We barely care enough to try to keep you from starving.
That reminds me of US foreign policy. Taken straight from the "How to make friends and influence people" section.
When you consider how much money Microsoft drains from various countries' economies, it's easy to see how the money could be put to better use.
You seriously overestimate Microsoft. Their annual revenue is in the vicinity of $50 billion. So many companies have higher revenues than this it isn't even funny. Do you want them all to shutter their businesses?
Even if you make the grossly oversimplifying calculation of $50 billion divided by (roughly) 200 countries in the world -- that comes to $250 million per country. On most country's balance sheet, that number is noise. And for the most part, that is actually only divided among developed/developing countries -- Somalia/Zimbabwe/Uganda are hardly spending 100s of millions of dollars on software..
This anti-MS trolling on/. is getting seriously pathetic. You would think MS is peddling arms to the third world, mining conflict diamonds, or exploiting natural resources in the Amazon or in Africa or something. If you really cared one iota about society having "money left over to spend on fixing disease, starvation, etc." you'd first educate yourself on the issues that cause it. Until then, let me disabuse you of one notion -- children in poor African countries are not starving to death because their parents (or even governments) used up all their money on software.
I'm not sure where you got the presidential campaign thing from.
It's called paying attention. Try it sometime.
I am well aware of the Bill Gates for president thing that was going on some time ago. I guess I should be more specific: where did you get the information that this was Bill Gates testing the waters?
And why you're so cynical about his intentions. Have you heard his Harvard speech last year?
No. If you can point me to a transcript I will read it - I cannot receive high-speed internet where I live (except satellite - $80/mo for 9GB/mo - fuck that) and cannot use youtube at all (not even downloading with a download manager.)
Here's the speech. It's actually a really good read.
he doesn't give a fuck about anyone. But go ahead and believe what you want to believe.
You beleive he doesn't give a fuck about anyone. I'm taking his deeds through the foundation at face value. Don't you think you're being a bit unreasonable here? I mean, the google search for his speech took me all of 5 seconds. You seem to be so well-armed with all the negative information you can possibly find, but won't take 5 seconds to see the other side?
Your argument does not in any way justify doing more damage than you are doing repair.
This is the crux of the issue -- why do you say owning that stock does more damage than the good done by the foundation? After all, the good work (the actual work) is very direct, very tangible. The 'bad' is an intangible. I agree with your point about ownership of shares implying that you are a part of what the company is doing. But to support your conclusion you need to measure the 'bad' done without the foundation owning those shares, the 'bad' done with the foundation owning those shares, and then subtract the delta from the good done by the foundation.
My argument is, the delta itself is negligible (i.e. the impact of owning those shares is negligible in terms of actions undertaken by the companies in question) -- therefore the net 'good' is almost intact or largely positive anyhow.
In any case, if you disagree with me, I can accept that. I don't think its wrong to take a principled approach and say that ideally the foundation should not own shares like that. But calling the foundation a front inspite of the measurable positive impact it is having is definitely stretching it, and colored in a bit of good old fashioned "MS is teh sux" attitude.
Because whatever your stance on the issue of ownership of shares, the goal of the foundation is to prevent premature deaths of children in the third world from preventable causes. In their day to day functioning they surely violate some principle or the other that somebody somewhere finds offensive. Should they worry about that, or should they continue to do work that directly goes towards saving lives instead?
There's no need to maximize. In particular, when the investments go directly against the purpose of the foundation, you would have a net negative, in that the existence of the foundation would do more harm than good.
That's exactly what I'm debating.
For example, in the article linked by GP: at the time of writing, the foundation had somewhere between 100 million to 1 billion dollars invested in BP (one of the oil giants with 'negative' impact going against the work of the foundation).
Now with a market cap of 220 billion dollars, the foundation's investment is somewhere between a 0.5% and 0.05% stake. In other words, they have absolutely no voice in the operation of BP. In fact, it makes absolutely no difference to BP who owns those shares -- they will continue operate exactly the same as always.
Also note, even Gate's entire wealth would not be enough to gain a controlling stake in this company. And the point there is, his personal fortune might be the largest (or third largest) in the world -- but compared to the size of oil giants and other big companies, it pales in comparison and is not a significant bargaining chip. So the theory that he's trying to do something nefarious with his fortune using the foundation as a front basically doesn't hold water.
Just to illustrate my point about big companies, not the market caps of the following: Exxon Mobil: $457Bn, Royal Dutch Shell: $246Bn, Mereck: $80Bn, Pfizer: $117Bn. Spread out among companies of this size, how on earth is the foundation going to have any impact in their running just by buying shares?
I mean, its obvious that most of BillG's wealth given to the foundation must have been MS stock (or some stock anyhow). Given that, the foundation will just bleed dry if they don't invest for maximum profits. And the more profitable their investments, the more impact the foundation can have.
Now owning stock in some company that does bad/evil stuff hardly makes you the perpetrator of the crime. I mean, the company is not going to behave different with/without the investment from the foundation. It makes to difference to them who actually owns their stock (unless it's a question of controlling stakes, proxy votes etc. -- and that didn't seem to be the case in the article you linked).
On top of that, it's really unfair when you say
Now, he is sitting on top of one of the largest fortunes on the planet, in charge of doling out money both to the greedy companies raping the land, and to help people who are being harmed by them.
Because again -- he did not dole out money to the company -- he has not made a loan or a gift to these companies. He's simply using the profits generated from their share price appreciation. And poetically, it goes into the people being harmed by this corporation.
And have you seen the progress being made by GAVI (Global Alliance for Vaccines and Immunization)? They have already prevented over 2.5 million children's deaths in the third world. The Gates Foundation was an active partner in creating and funding GAVI.
When you listen to Gates talk about solving problems for people in the most wretched of conditions, you'll realize -- he's got a different and fresh perspective compared to people who have worked in this field before. He's got a lot to learn from them, but he brings unique skills to the table, and a unique problem-solving ability.
You are inconsistent. If the administrator can get a signing key so can the malware creator. The CA's cannot do such a diligence which would ensure only nice people, no fronts, in practice.
The CA just needs to verify that they are traceable. To that extent they get contact information and credit card billing information. Even if you manage to dupe them and get a code signing cert, the CA can revoke trust if you end up releasing malware signed with that cert. If they don't, they lose credibility, and will not be used by Apple, MS etc. for code signing.
You do not need to hack digital signatures, you need to find a security hole in a signed program. As we know, those are plentiful and none of the measures you give have stopped exploits.
And as I said, digital signatures are not intended to 'solve all security problems'. They are intended to make the vendor traceable, and give you a guarantee that the s/w was not tampered with. At no point did I, or Apple, or anybody, claim that digital signatures remove security holes. Instead of re-typing, let me just quote from my previous post: "You need other measures as well to reduce the holes viruses can attack -- such as address space layout randomization, non-executable memory, source annotations, attack surface reduction, etc. (many more techniques.. several listed in TFA itself). And you still should run a firewall and antivirus."
Those two flaws make the whole system completely useless.
Debunked above. Again, I urge you to read up on these techniques before arguing further. My apologies if I sound rude, but you don't seem to have a grasp of the issue.
Repositories can be hacked in theory, but in practice it has happened extremely rarely. I'll change my view if they start to be broken constantly.
In practice, malware for Ubuntu (linux in general) is non-existant, so you can do pretty much anything you want without much risk. MS doesn't have that luxury and Apple is slowly losing it as well. That's what promted this discussion -- TFA was about mechanisms to keep OS-X malware free. This topic has almost no bearing in the linux world at this point in time.
Sure, they should have moved away from MD5 long ago, but there is no reason why they could not do it now.
And do what with it??? Even if they move to SHA256 or something, the repositories are not secured until the hash is signed! There are so many mirrors for repositories. How do you know that the bits some mirror is providing are identical to the master? They could easily modify the source itself to do nasty things, and simply compute a new hash. The signing operation is what gives you the guarantee that the hash was not tampered with. Only the master's public signing key would need to be trusted, and automaticlly it would mean that you can have all the mirrors in the world, but none of them can ever make a change without invalidating the signature. Jeez.. read up on this stuff already instead of arguing for its own sake. You've already had to admit that repositories are insecure (albeit in theory) because of their reliance on MD5. Now if you read up on digital signatures hopefully you'll be able to make the next logical step and realize that in addition to a secure (collision-free) hashing function, you need to sign the hashes with a private key as well. Until then, repositories are not secure. And after that, repositories will be no different than Windows Update .
If the administrator can sign then the whole "needs to be signed" is nothing more than an "ok to press" and therefore will not help a thing. Dude -- you don't know what you're talking about. The administrator would need to acquire a code-signing certificate from one of the certificate authorities listed here: http://msdn.microsoft.com/en-us/library/ms995347.aspx, and use it to sign the installer. A lot of corporations actually choose to do this for their own internal applications. An end user is free to do that as well, but usually would not go through the hassle. The point remains, that the end user with admin credentials does have this option.
The point is that the malware does not need be signed and it still can get the rights of the signed program. Tracing the originator of the malware therefore becomes impossibile. That's not what code-signing is supposed to guard against. Code signing guarantees authenticity, traceability, and that the bits have not been tampered with. You need other measures as well to reduce the holes viruses can attack -- such as address space layout randomization, non-executable memory, source annotations, attack surface reduction, etc. (many more techniques.. several listed in TFA itself). And you still should run a firewall and antivirus. Apologies for flaming, but I think instead of arguing, you should read up on the rationale behind these technologies, and how they work. No single technique will make computing secure. All of them are needed to work in tandem.
BTW, I am quite confident that even if the malware creator could be traced it would help nothing, it would just lead to a "front" or faked information or "China". That's why the list of Certificate Authorities is not endless. Only CA's that do due dilligence when providing a signing certificate will be included in the root of trust. Again -- the administrator is free to make additions if she/he wants to.
This far there have been extremely few hacked repositories, several orders of magnitude less than insecure programs (signed or not). The point is, it's possible to hack into it and put in a tampered binary that passes md5 checking scrutiny. It is not possible to fake a digital signature -- unless you have some ungodly supercomputer generating signing keys for a trial and error approach until you find a key that works. And even that approach can take years with the current state of supercomputing. Or, you can try to find a flaw in the algorithm and implementation for hashing or key-pair generation. Both options are essentially non-options.
The administrator is not the one who has to do the signing If the administrator cannot sign (or install an unsigned stuff) then we have a "trusted" platform. I heavily doubt anyone wants that. Sigh... the administrator can sign unsigned stuff and install it if he/she wants to.
A traceable vendor helps nothing as proved by ActiveX (for example there existed a Microsoft signed ActiveX program with security holes and Microsoft did not revocate their key). There's a difference between malware and insecure software. By your logic we'd need to revoke the keys for Safari, Quicktime, Flash and much much more.
A better approach is having software repositories (like e.g. in Ubuntu). Why is this better?? Ubuntu repositories are inherently insecure. The MD5 hashing algo is prone to collisions, which means a malicious party could hack into a repository and alter an update to do something nasty, and make it still have the same checksum. Nobody downloading the update will know that it changed -- it will pass the integrity check because the hash was the same.
Everyone has seen those surveys which demonstrate that Mac owners tend to be wealthier than other computer users. They would have to be fifteen times wealthier than PC users to make up the difference. Or OS-X would have to require fifteen times less man-hours per exploit, for it to be worth developing exploits on it. (or some combination thereof, but you get the picture).
From everything I've been reading at places like Microsoft MSDN forums it is sadly shaping up to be nothing more than Vista SP2 with in all likelihood even MORE DRM,and according to some a "software as a service"(SaaS) model is seriously being considered. From the talk what most will get is a "Win7 Basic" and you'll have to whip out your CC for any "add ons" which from the sound of things will be stuff folks are used to getting for free,like support for "advanced gaming technologies"(DirectX) and "enhanced multimedia"(A DRM laden MCE shell). You got any links to back this up? DRM has literally become a FUD buzzword..
it will be just as buggy and dragged down with DRM crap you can't get rid of as Vista, and will retain the Vista "take 3 steps what you're used to doing in 1" layout that has my customers buying XP machines from me left and right. I assume you mean UAC and WGA? Yes, MS has certainly not said anything about getting rid of them (and they should definitely never get rid of UAC -- it's brilliant). Are there some specific bugs you're referring to, or is this just one of those "M$ is teh sux" posts?
One can only hope someone in power will see what a pisspoor job that Ballmer is doing filling Gate's shoes and they'll fire his ass and take a new path,perhaps replacing him with the uber efficient head of the Office team. Ballmer (the CEO) put Steven Sinofsky (the uber efficient head of the Office team) in charge of Windows 7. Ballmer was never the head of Windows development. Here's a link about it.
Dude -- please, for the love of god, tell me you don't believe the propaganda on roughly drafted (Daniel Eran Dilger's site).
The motive behind malware is the same as any other commercial software -- commerce (just in a different form). The malware authors make money either by getting personal info (identity theft) or by creating bot clusters -- the bot clusters are generally used to threaten some company with a DOS attack if they don't cough up dough (blackmail essentially).
Now that being the case, if Windows has 93% marketshare, OS-X 6%, and Linux 1% -- what platform will you choose to attack? The equation is changing for OS-X as Mac sales have been on fire for some time now, and that's why malware authors are (very slowly) starting to target it as well. It will still be some time before their share really grabs malware author's attentions, but is certainly no longer wise for OS-X users to assume they are 'automatically safe' because of their OS choice.
Unfortunately signing does not help. At all. As I mentioned in another post, signing ensures the following:
- The identity of the vendor for random-installer.exe
- That the bits have not been tampered on their journey from the vendor to you (needed because you could have got the bits via bittorrent, website download, usb drive, etc.)
- The vendor is traceable (through their registration with the certificate authority) so if their software is indeed malware, they can be brought to book.
Or at least not as long as any of the signed modules contain a single security hole. That's a separate issue. Obviously signing is not a panacea, and you still need due diligence (thread models, pen testing, attack surface reduction, etc.)
Besides only administrator should be able to install modules, making him to sign them will not stop anything, just makes things harder. The administrator is not the one who has to do the signing -- it's the software vendor who signs this. If you're not aware of that, it's possible you don't understand how code signing works. Secondly, you need to consider that most users (parents, grandparents, etc.) simply won't know if a certain software is safe to install -- they simply don't have the knowledge to make that decision. This makes it easy for them by essentially not requiring them to make a decision at all.
The issue is: whose interests should the OS serve: the OS maker, the user, or (in the case of malware) anyone who manages to get their code onto the machine? From the point of view of the OS maker's lawyers. the OS maker.
IANAL, but as I understand the argument, in order to protect the user's interest, the OS must protect itself from the user, just in case he does something stupid, like authorize the installation of a malicious driver. Otherwise, said user might sue the OS maker, claiming "You put code signing in the OS to protect me from malicious code, so why did it not project me?" Actually the thinking is along very different lines. Think about what it takes to know if random-installer.exe you just downloaded is malware, or not:
Is the software from the vendor who claimed to have written it?
Can we track this vendor down and sue them, if the software turns out to be malware
If we're downloading s/w from a different site (bittorrent or download.com) how do we know it was not tampered with, before we downloaded it?
Digital signatures are intended to address these problems:
- The hash in the signature tells you the software has not been modified in any way.
- The signature on the hash (using PKI) tells you that the vendor is indeed who they claim to be.
- If the software still turns out to be malware -- you can contact the Root CA, ask them for the business registered with them under that name, and serve them notice.
Isn't that excactly the same stuff Microsoft talked about years ago and many ppl on slashdot cried "foul!" about it? Where Microsoft went wrong with code signing, is that insist the code be signed by them, because the user or administrator is an enemy (i.e. might install a video driver that doesn't respect DRM).
Code signing is harmless if the machine's administrator is the ultimate authority. Take a look at CertMgr.exe (specifically, play around with the 'import' function). The administrator is the ultimate authority, and this is the case in XP/2003/Vista/2008.
The issue is: whose interests should the OS serve: the OS maker, the user, or (in the case of malware) anyone who manages to get their code onto the machine? If the OS designer answers that question correctly, then there's no problem with code signing (or other whitelisting approaches). I agree. I think you have to admit that MS has addressed these concerns.
Naturally, the author of TFA got it wrong:
Most kernel extensions are from Apple anyway and for the few common 3rd party ones, they should be required to get a code signing certificate. Required by whom? A certificate from whom? And the amount of trust delegated to this CA is what? I'd say the author got it right. Your concern is valid, but it's orthogonal to the point of TFA. Code signing is a Good Thing and Apple might implement it -- that's the point of TFA. The third-party approach is the correct way to do it -- that's your point.
What's sad is the number of people on/. that crucify MS without realizing that their implementation has already addressed all the things they are complaining about (and has done so from day 1).
Pride in what you do and a sense of corporate individuality is a huge factor in determining the loyalty of employees.
I agree, but I think you overestimate this effect. In Apple, with Ive and Jobs generally being the public faces, it's rare for the guys in the trenches to get noticed. Not everybody's ego is pleased with a pat on the back. They need public accolades, more money, or a mix of both.
Also, as sexy as Apple's products are, they don't have a very large lineup. There's no dearth of sexy products in the rest of the tech. world, and people do often move -- we'd probably be surprised at the number of people who have worked for at least 2 companies out of Apple, Google, and MS.
The numbers in TFA (Glassdoor) are based on a sample set that's way too small to be a statistically "representative sample". So we don't even know if Apple engineers really are paid less than the average silicon valley employee.
The one effect the article seems to miss: Apple's stock has been on fire for some time now. So if Apple employees are getting stock awards and have a decent employee stock purchase plan, the raw salary numbers aren't telling us the whole story.
I think you'll find that, outside of the copyright industry, few people are concerned about that; I certainly am not. I know you're not concerned about it -- you're just trying to justify downloading stuff for free. There's no such thing as a copyright industry. The industry you might have been meaning to refer to is the artists, producers, game studios, software companies.
Do you really refuse to purchase them? I mean, you say you do, but if you won't believe me when I say I don't mind paying for things, why should I believe you? That's fine dude -- you don't have to beleive me. I pointed out deficiencies in current DRM implementations, wholeheartedly agreed that they infringe on our rights, can be misused to restrict competition. I suggested to another poster to simply never ever buy a DRMd track. After all that, I honestly don't care if you beleive me or not. I do think you're trying to divert attention from your own cheapness at this point though.
you've said here suggests that you support the main principle behind DRM: that taking away consumer freedom is justified if it helps someone make a profit. Really now? Everything I said? Do you mean the part where I said that FairPlay and PlaysForSure infringe on our right to Fair Use? Or where I cited our right to do Time Shifing? Or where I asked that the government and/or courts clearly identify our rights so that we can go after DRM systems that infringe on them? Or wait -- you're probably talking about the part where I said it should be illegal for a company to not license a DRM system (and there should be caps on the licensing fees) to force interoperability? Go re-read my posts.
Look, this is getting beyond ridiculous. I can come to grips with the fact that I'm not going to be able to change your mind on this issue. I tried really hard. I appreciate that this conversation was more or less clean -- if anything I got frustrated an made a couple of unnecessary personal comments, and I apologize. Go ahead and do as you please (as if you wanted my approval anyway). If you get caught, it's just too bad I guess. I can't honestly say I wish you well -- I really hope you do get caught. But I don't see the point of continuing this thread -- it's clear you and I will never see eye to eye on this topic.
You seem to be acknowledging that, as indicated by common sense, no one can own these numbers. But you then seem to be claiming that a person can own the thing that's encoded in them, and that this gives them the right to stop the spread of the numbers. I'm arguing, that as indicated by common sense, you never knew the number, the product represented by the number is property, and you owe the creator if you solicit and download this property.
I'm not adding any layer of abstraction. As usual, you're just refusing to see the obvious big picture, and sticking to your pedantic "it's just a number" claim.
You're mistaken, sir. I explicitly acknowledged it earlier [slashdot.org], and of course I never denied it in the first place. Someone came up with that number, but that doesn't change what it is. No one can own a number, any number, whether they came up with it or not. They own the product, and the product is what you solicited, and conferring upon yourself the right to access for free.
Originally, no. But someone else knew it, and they told it to me. That's how knowledge spreads. You still don't know it. You never did. Its not your knowledge and it's not your speech.
Because someone else is willing to upload them for free, and the artist has no right to force his "distribution model" on our transaction. I'm sure we've been over this before. I'm sure we have. Someone else is not merely "willing to upload them for free". They are stealing. And so are you when you download from them.
Uh huh. Sure. I could make a similarly snotty remark about how after all the enthusiasm you've shown for limiting other people's speech, you don't have a shred of credibility when you claim to dislike DRM, since its main purpose is to limit speech. Except that we both refuse to purchase DRMed songs, but you rip the artist off and I don't.
Except there was no agreement between that guy and the artist. When you go into a record store, you don't shake the artist's hand and promise never to let anyone else know the secret of what number is stored on that CD you're buying. And you didn't shake the bank manager's hand and promise never to change your 'just a number' bank balance.
Can you refute that your model deflates all the profitability from the artists
Of course. It's silly to think it "deflates all the profitability" when artists can still ask any price they want for their labor. They don't even know if they have a hit on their hands at that time. Your model does indeed deprive the artists. No to mention the little detail of you getting their song for free, which seems to be all you care about.
The profit is whatever money you bring in, minus your costs. Thanks for the economics lesson.
The act of downloading a song is, itself, free. But paying the artist to record the song in the first place isn't. There are hidden costs which i already explained, but never mind that for now. You still haven't explained why that gives you the right to download songs for free -- just because the artist chose a distribution model you don't prefer.
I know I'd be willing to pay more than the price of a CD to fund production of a favorite band's next album. After all your attempts at justifying your cheapness don't even bother telling anyone you would actually do this -- you don't have a shred of credibility for this claim.
No shit. Need I remind you once again that I'm aware of the current state of copyright law? And this proves that pirate bay is legal? or morally right? or what? What's your point?
Oh, and the little fact that my account balance is stored in the bank's private property. You're conflating "tell a number you know to someone else who wants to hear it" with "hack into someone else's computer against their will and change a number", which, although they both involve the concept of numbers at some level, are nothing alike. And again, you see the big picture when it suits you, and pedantically cling to "it's just a number when it suits you".
It's not the same at all, because money has an owner. Money belongs to someone. To give it away, you have to be the owner, because you can't transfer ownership you don't have. So what? If you stole 'x' from bank, and dude stole 'x' from you, both of you stole 'x'. So if somebody stole a track from an artist and you steal the track from this person, you still stole a track.
Numbers, however, don't belong to anyone. So you're back to "it's just a number". Can't see the big picture any more? Remind me again why you can't change the bank balance on your last statement and just have your bank make a correction. You don't have to hack into the bank's computer to do that. And after all, "it's just a number" -- why would they deny your request? Oh, you say this number actually represnts something? Guess what -- the other 'numbers' represent music, movies, games and apps. You're being selective again about what big-picture you want to see, based on what you can get for free (and what you can get away with).
You don't need any special status to tell someone a number. You just need to know what the number is. I suggest the next time you want to play a game without paying it, you write down that number from memory. You never knew the number. Some entity put in the effort to create this number. You stole it by downloading it for free.
So although you can't give away an object that someone else owns, you can share a number that someone else claims to own, because claiming to own a number is absurd and meaningless. And claiming that a song/movie/game/app is just a number, (yet again) is you refusing to acknowledge the fact that this number is somebody's creation. It's not a random number picked out of thin air. It's not a number that you can substitute with another and get the same result. It's not even something you can approximate. It's a product that came together as a result of some entity's work. It performs some function (entertainment or whatever) because of which you solicited it. The entity want to sell this product to you -- and you want to steal it. Your point about it's super-low cost of replication is what's absurd and meaningless.
Breach of contract? Hilarious! Please, tell me more about the planet you live on where people sign a contract before downloading a torrent. Did you even read that sentence? Some dude who actually bought the CD, ripped it, posted it on bittorrent (or sold it like AllOfMP3) is the guy who's breaking his agreement with the artist. All subsequent free downloads of this ripped track are basically stolen goods.
Again, more hilarity. Let me know when your next stand-up special is on: if this is the material you use in your free time on Slashdot, I can't wait to see the stuff you use professionally. Ah! You mock me. So you have no proper defence for that point then? Can you refute that your model deflates all the profitability from the artists, and provides you your much coveted free downloads?
Slashdot Mirror
Until the first world nations stop raping third world nations and supporting tinpot dictators just for the sake of guaranteeing access to their resources, human misery will continue wholesale.
Yes! We need to get out of the way and let the local tinpot dictators get on with raping their own countries without outside interference. Just ask Robert Mugabe! He'll tell you.
Well, just imagine if we hadn't interfered in Iraq, Afghanistan in the 60s, Vietnam, Korea, etc. -- we wouldn't be overextended right now, and could genuinely help out in Zimbabwe if the UN asked us to. In fact, we would actually have enough credibility in the UN to rally support around the idea of taking action in Zimbabwe.
But instead we went chasing 'weapons of mass destruction' and an 'al-qaida in Iraq' that didn't exist there until we turned the country into a pile of rubble. So the man has a point, and his anger is understandable, if not justified.
We barely care enough to try to keep you from starving.
That reminds me of US foreign policy. Taken straight from the "How to make friends and influence people" section.
It seems too good to be true.
Is there anything to stop him from making the exact same amount of noise, but just hiring other lawyers to do the legal mumbo jumbo?
When you consider how much money Microsoft drains from various countries' economies, it's easy to see how the money could be put to better use.
You seriously overestimate Microsoft. Their annual revenue is in the vicinity of $50 billion. So many companies have higher revenues than this it isn't even funny. Do you want them all to shutter their businesses?
Even if you make the grossly oversimplifying calculation of $50 billion divided by (roughly) 200 countries in the world -- that comes to $250 million per country. On most country's balance sheet, that number is noise. And for the most part, that is actually only divided among developed/developing countries -- Somalia/Zimbabwe/Uganda are hardly spending 100s of millions of dollars on software..
This anti-MS trolling on /. is getting seriously pathetic. You would think MS is peddling arms to the third world, mining conflict diamonds, or exploiting natural resources in the Amazon or in Africa or something. If you really cared one iota about society having "money left over to spend on fixing disease, starvation, etc." you'd first educate yourself on the issues that cause it. Until then, let me disabuse you of one notion -- children in poor African countries are not starving to death because their parents (or even governments) used up all their money on software.
I'm not sure where you got the presidential campaign thing from.
It's called paying attention. Try it sometime.
I am well aware of the Bill Gates for president thing that was going on some time ago. I guess I should be more specific: where did you get the information that this was Bill Gates testing the waters?
And why you're so cynical about his intentions. Have you heard his Harvard speech last year?
No. If you can point me to a transcript I will read it - I cannot receive high-speed internet where I live (except satellite - $80/mo for 9GB/mo - fuck that) and cannot use youtube at all (not even downloading with a download manager.)
Here's the speech. It's actually a really good read.
he doesn't give a fuck about anyone. But go ahead and believe what you want to believe.
You beleive he doesn't give a fuck about anyone. I'm taking his deeds through the foundation at face value. Don't you think you're being a bit unreasonable here? I mean, the google search for his speech took me all of 5 seconds. You seem to be so well-armed with all the negative information you can possibly find, but won't take 5 seconds to see the other side?
Your argument does not in any way justify doing more damage than you are doing repair.
This is the crux of the issue -- why do you say owning that stock does more damage than the good done by the foundation? After all, the good work (the actual work) is very direct, very tangible. The 'bad' is an intangible. I agree with your point about ownership of shares implying that you are a part of what the company is doing. But to support your conclusion you need to measure the 'bad' done without the foundation owning those shares, the 'bad' done with the foundation owning those shares, and then subtract the delta from the good done by the foundation.
My argument is, the delta itself is negligible (i.e. the impact of owning those shares is negligible in terms of actions undertaken by the companies in question) -- therefore the net 'good' is almost intact or largely positive anyhow.
In any case, if you disagree with me, I can accept that. I don't think its wrong to take a principled approach and say that ideally the foundation should not own shares like that. But calling the foundation a front inspite of the measurable positive impact it is having is definitely stretching it, and colored in a bit of good old fashioned "MS is teh sux" attitude.
Because whatever your stance on the issue of ownership of shares, the goal of the foundation is to prevent premature deaths of children in the third world from preventable causes. In their day to day functioning they surely violate some principle or the other that somebody somewhere finds offensive. Should they worry about that, or should they continue to do work that directly goes towards saving lives instead?
Buying shares is taking ownership is taking responsibility. It simply is a black spot on the foundation, the size is a matter of debate.
Agreed.
There's no need to maximize. In particular, when the investments go directly against the purpose of the foundation, you would have a net negative, in that the existence of the foundation would do more harm than good.
That's exactly what I'm debating.
For example, in the article linked by GP: at the time of writing, the foundation had somewhere between 100 million to 1 billion dollars invested in BP (one of the oil giants with 'negative' impact going against the work of the foundation).
Now with a market cap of 220 billion dollars, the foundation's investment is somewhere between a 0.5% and 0.05% stake. In other words, they have absolutely no voice in the operation of BP. In fact, it makes absolutely no difference to BP who owns those shares -- they will continue operate exactly the same as always.
Also note, even Gate's entire wealth would not be enough to gain a controlling stake in this company. And the point there is, his personal fortune might be the largest (or third largest) in the world -- but compared to the size of oil giants and other big companies, it pales in comparison and is not a significant bargaining chip. So the theory that he's trying to do something nefarious with his fortune using the foundation as a front basically doesn't hold water.
Just to illustrate my point about big companies, not the market caps of the following: Exxon Mobil: $457Bn, Royal Dutch Shell: $246Bn, Mereck: $80Bn, Pfizer: $117Bn. Spread out among companies of this size, how on earth is the foundation going to have any impact in their running just by buying shares?
Don't you think this is a little unfair?
I mean, its obvious that most of BillG's wealth given to the foundation must have been MS stock (or some stock anyhow). Given that, the foundation will just bleed dry if they don't invest for maximum profits. And the more profitable their investments, the more impact the foundation can have.
Now owning stock in some company that does bad/evil stuff hardly makes you the perpetrator of the crime. I mean, the company is not going to behave different with/without the investment from the foundation. It makes to difference to them who actually owns their stock (unless it's a question of controlling stakes, proxy votes etc. -- and that didn't seem to be the case in the article you linked).
On top of that, it's really unfair when you say
Now, he is sitting on top of one of the largest fortunes on the planet, in charge of doling out money both to the greedy companies raping the land, and to help people who are being harmed by them.
Because again -- he did not dole out money to the company -- he has not made a loan or a gift to these companies. He's simply using the profits generated from their share price appreciation. And poetically, it goes into the people being harmed by this corporation.
I'm not sure where you got the presidential campaign thing from. And why you're so cynical about his intentions. Have you heard his Harvard speech last year?
http://www.youtube.com/watch?v=zXCVYtYWVyU
http://www.youtube.com/watch?v=R4Q1T70VwfM
http://www.youtube.com/watch?v=rXKrQBxJViQ
http://www.youtube.com/watch?v=9rh9Aj7WsKE
http://www.youtube.com/watch?v=gnHkUDxfmXE
And have you seen the progress being made by GAVI (Global Alliance for Vaccines and Immunization)? They have already prevented over 2.5 million children's deaths in the third world. The Gates Foundation was an active partner in creating and funding GAVI.
When you listen to Gates talk about solving problems for people in the most wretched of conditions, you'll realize -- he's got a different and fresh perspective compared to people who have worked in this field before. He's got a lot to learn from them, but he brings unique skills to the table, and a unique problem-solving ability.
You are inconsistent. If the administrator can get a signing key so can the malware creator. The CA's cannot do such a diligence which would ensure only nice people, no fronts, in practice.
The CA just needs to verify that they are traceable. To that extent they get contact information and credit card billing information. Even if you manage to dupe them and get a code signing cert, the CA can revoke trust if you end up releasing malware signed with that cert. If they don't, they lose credibility, and will not be used by Apple, MS etc. for code signing.
You do not need to hack digital signatures, you need to find a security hole in a signed program. As we know, those are plentiful and none of the measures you give have stopped exploits.
And as I said, digital signatures are not intended to 'solve all security problems'. They are intended to make the vendor traceable, and give you a guarantee that the s/w was not tampered with. At no point did I, or Apple, or anybody, claim that digital signatures remove security holes. Instead of re-typing, let me just quote from my previous post: "You need other measures as well to reduce the holes viruses can attack -- such as address space layout randomization, non-executable memory, source annotations, attack surface reduction, etc. (many more techniques.. several listed in TFA itself). And you still should run a firewall and antivirus."
Those two flaws make the whole system completely useless.
Debunked above. Again, I urge you to read up on these techniques before arguing further. My apologies if I sound rude, but you don't seem to have a grasp of the issue.
Repositories can be hacked in theory, but in practice it has happened extremely rarely. I'll change my view if they start to be broken constantly.
In practice, malware for Ubuntu (linux in general) is non-existant, so you can do pretty much anything you want without much risk. MS doesn't have that luxury and Apple is slowly losing it as well. That's what promted this discussion -- TFA was about mechanisms to keep OS-X malware free. This topic has almost no bearing in the linux world at this point in time.
Sure, they should have moved away from MD5 long ago, but there is no reason why they could not do it now.
And do what with it??? Even if they move to SHA256 or something, the repositories are not secured until the hash is signed! There are so many mirrors for repositories. How do you know that the bits some mirror is providing are identical to the master? They could easily modify the source itself to do nasty things, and simply compute a new hash. The signing operation is what gives you the guarantee that the hash was not tampered with. Only the master's public signing key would need to be trusted, and automaticlly it would mean that you can have all the mirrors in the world, but none of them can ever make a change without invalidating the signature. Jeez.. read up on this stuff already instead of arguing for its own sake. You've already had to admit that repositories are insecure (albeit in theory) because of their reliance on MD5. Now if you read up on digital signatures hopefully you'll be able to make the next logical step and realize that in addition to a secure (collision-free) hashing function, you need to sign the hashes with a private key as well. Until then, repositories are not secure. And after that, repositories will be no different than Windows Update .
The point is that the malware does not need be signed and it still can get the rights of the signed program. Tracing the originator of the malware therefore becomes impossibile. That's not what code-signing is supposed to guard against. Code signing guarantees authenticity, traceability, and that the bits have not been tampered with. You need other measures as well to reduce the holes viruses can attack -- such as address space layout randomization, non-executable memory, source annotations, attack surface reduction, etc. (many more techniques.. several listed in TFA itself). And you still should run a firewall and antivirus. Apologies for flaming, but I think instead of arguing, you should read up on the rationale behind these technologies, and how they work. No single technique will make computing secure. All of them are needed to work in tandem.
BTW, I am quite confident that even if the malware creator could be traced it would help nothing, it would just lead to a "front" or faked information or "China". That's why the list of Certificate Authorities is not endless. Only CA's that do due dilligence when providing a signing certificate will be included in the root of trust. Again -- the administrator is free to make additions if she/he wants to.
This far there have been extremely few hacked repositories, several orders of magnitude less than insecure programs (signed or not). The point is, it's possible to hack into it and put in a tampered binary that passes md5 checking scrutiny. It is not possible to fake a digital signature -- unless you have some ungodly supercomputer generating signing keys for a trial and error approach until you find a key that works. And even that approach can take years with the current state of supercomputing. Or, you can try to find a flaw in the algorithm and implementation for hashing or key-pair generation. Both options are essentially non-options.it will be just as buggy and dragged down with DRM crap you can't get rid of as Vista, and will retain the Vista "take 3 steps what you're used to doing in 1" layout that has my customers buying XP machines from me left and right. I assume you mean UAC and WGA? Yes, MS has certainly not said anything about getting rid of them (and they should definitely never get rid of UAC -- it's brilliant). Are there some specific bugs you're referring to, or is this just one of those "M$ is teh sux" posts?
One can only hope someone in power will see what a pisspoor job that Ballmer is doing filling Gate's shoes and they'll fire his ass and take a new path,perhaps replacing him with the uber efficient head of the Office team. Ballmer (the CEO) put Steven Sinofsky (the uber efficient head of the Office team) in charge of Windows 7. Ballmer was never the head of Windows development. Here's a link about it.
Dude -- please, for the love of god, tell me you don't believe the propaganda on roughly drafted (Daniel Eran Dilger's site).
The motive behind malware is the same as any other commercial software -- commerce (just in a different form). The malware authors make money either by getting personal info (identity theft) or by creating bot clusters -- the bot clusters are generally used to threaten some company with a DOS attack if they don't cough up dough (blackmail essentially).
Now that being the case, if Windows has 93% marketshare, OS-X 6%, and Linux 1% -- what platform will you choose to attack? The equation is changing for OS-X as Mac sales have been on fire for some time now, and that's why malware authors are (very slowly) starting to target it as well. It will still be some time before their share really grabs malware author's attentions, but is certainly no longer wise for OS-X users to assume they are 'automatically safe' because of their OS choice.
- The identity of the vendor for random-installer.exe
- That the bits have not been tampered on their journey from the vendor to you (needed because you could have got the bits via bittorrent, website download, usb drive, etc.)
- The vendor is traceable (through their registration with the certificate authority) so if their software is indeed malware, they can be brought to book.
Or at least not as long as any of the signed modules contain a single security hole. That's a separate issue. Obviously signing is not a panacea, and you still need due diligence (thread models, pen testing, attack surface reduction, etc.)
Besides only administrator should be able to install modules, making him to sign them will not stop anything, just makes things harder. The administrator is not the one who has to do the signing -- it's the software vendor who signs this. If you're not aware of that, it's possible you don't understand how code signing works. Secondly, you need to consider that most users (parents, grandparents, etc.) simply won't know if a certain software is safe to install -- they simply don't have the knowledge to make that decision. This makes it easy for them by essentially not requiring them to make a decision at all.
IANAL, but as I understand the argument, in order to protect the user's interest, the OS must protect itself from the user, just in case he does something stupid, like authorize the installation of a malicious driver. Otherwise, said user might sue the OS maker, claiming "You put code signing in the OS to protect me from malicious code, so why did it not project me?" Actually the thinking is along very different lines. Think about what it takes to know if random-installer.exe you just downloaded is malware, or not:
- Is the software from the vendor who claimed to have written it?
- Can we track this vendor down and sue them, if the software turns out to be malware
- If we're downloading s/w from a different site (bittorrent or download.com) how do we know it was not tampered with, before we downloaded it?
Digital signatures are intended to address these problems:- The hash in the signature tells you the software has not been modified in any way.
- The signature on the hash (using PKI) tells you that the vendor is indeed who they claim to be.
- If the software still turns out to be malware -- you can contact the Root CA, ask them for the business registered with them under that name, and serve them notice.
Here's the list of Windows' trusted Root CAs: http://msdn.microsoft.com/en-us/library/ms995347.aspx. Only third-parties are on that list -- not Microsoft.
Code signing is harmless if the machine's administrator is the ultimate authority. Take a look at CertMgr.exe (specifically, play around with the 'import' function). The administrator is the ultimate authority, and this is the case in XP/2003/Vista/2008.
The issue is: whose interests should the OS serve: the OS maker, the user, or (in the case of malware) anyone who manages to get their code onto the machine? If the OS designer answers that question correctly, then there's no problem with code signing (or other whitelisting approaches). I agree. I think you have to admit that MS has addressed these concerns.
Naturally, the author of TFA got it wrong: Most kernel extensions are from Apple anyway and for the few common 3rd party ones, they should be required to get a code signing certificate. Required by whom? A certificate from whom? And the amount of trust delegated to this CA is what? I'd say the author got it right. Your concern is valid, but it's orthogonal to the point of TFA. Code signing is a Good Thing and Apple might implement it -- that's the point of TFA. The third-party approach is the correct way to do it -- that's your point.What's sad is the number of people on /. that crucify MS without realizing that their implementation has already addressed all the things they are complaining about (and has done so from day 1).
I agree, but I think you overestimate this effect. In Apple, with Ive and Jobs generally being the public faces, it's rare for the guys in the trenches to get noticed. Not everybody's ego is pleased with a pat on the back. They need public accolades, more money, or a mix of both.
Also, as sexy as Apple's products are, they don't have a very large lineup. There's no dearth of sexy products in the rest of the tech. world, and people do often move -- we'd probably be surprised at the number of people who have worked for at least 2 companies out of Apple, Google, and MS.
The numbers in TFA (Glassdoor) are based on a sample set that's way too small to be a statistically "representative sample". So we don't even know if Apple engineers really are paid less than the average silicon valley employee.
The one effect the article seems to miss: Apple's stock has been on fire for some time now. So if Apple employees are getting stock awards and have a decent employee stock purchase plan, the raw salary numbers aren't telling us the whole story.
Look, this is getting beyond ridiculous. I can come to grips with the fact that I'm not going to be able to change your mind on this issue. I tried really hard. I appreciate that this conversation was more or less clean -- if anything I got frustrated an made a couple of unnecessary personal comments, and I apologize. Go ahead and do as you please (as if you wanted my approval anyway). If you get caught, it's just too bad I guess. I can't honestly say I wish you well -- I really hope you do get caught. But I don't see the point of continuing this thread -- it's clear you and I will never see eye to eye on this topic.
I'm not adding any layer of abstraction. As usual, you're just refusing to see the obvious big picture, and sticking to your pedantic "it's just a number" claim.
Again, more hilarity. Let me know when your next stand-up special is on: if this is the material you use in your free time on Slashdot, I can't wait to see the stuff you use professionally. Ah! You mock me. So you have no proper defence for that point then? Can you refute that your model deflates all the profitability from the artists, and provides you your much coveted free downloads?