They need a law about this in New York, a city whose inhabitants are famed for their in-your-face abrasiveness when they're annoyed? Ah well, another stereotype beats the dust, I suppose.
Certainly, Microsoft hires a lot of smart people and I'm sure that if they were given the mandate to design and implement a secure infrastructure, they could do it - something that Bruce seems to think is impossible.
Design, yes. Implement? Well, given the SSL certificate mishandling in IE that's been reported recently (and commented on in this same edition of Mr Schneier's Cryptogram), quality control still seems to be a little, um, lacking. It's a little difficult to change the whole culture of an organisation from getting the latest! greatest! new-featured! products out of the door to hit the marketing window, to one where you're concentrating on getting the thing done right, even if you need to take more time and money over it. Yes, MS will gradually improve - it has no choice as it moves into areas where errors may cost serious money - but it will be a long process.
Just a suggestion. The link took me to a login box. If you want someone - even (shudder)/.-ers - to comment on it, please post a summary or put it where the world and its pet dog can see it without jumping through hoops.
FWIW, the referenced article includes an extensive discussion of the ways that currently commercially-available biometric authentication mechanisms have been found, how to put it politely, rather less reliable and rather more easy to spoof than their glossy booklets and glossy marketroids (not to mention lossy polliticians) have been wont to claim.
Which is not to say that a biometric device combined with intelligent human oversight (so you'll be spotted if you try to use an artificial hand to fool a device based on hand and finger sizes, for example) isn't an appropriate component of an authentication system, and the article gives an example in use on Mr Schneier's home turf.
Seriously, do read the article, even if it is a little on the long side. It contains a lot of good sense: in particular its emphasis on putting human decision-making back into the loop, rather than looking for all-encompassing technical solutions. We're clearly not yet at the point where our technology is sufficiently advanced that it can act as if by magic - as a lot of snake-oil merchants pretend, and a lot of quick-fix politicos who should know better affect to believe.
Assuming the sources cited are accurate, we now have two independent misimplementations of SSL certificate handling, indicating that two purveyors of software that is entrusted with providing a secure (ie, private and authenticated) communications channel have screwed up in a way that suggests they did not understand properly what they were doing.
Rather puts buffer overflows into the shade, doesn't it?
As the late Professor Doctor Edsgar W. Dijkstra commented: "If you don't know what your program is supposed to do, you'd better not start writing it." RIP, a great man.
You've got to remember - Opera is at v6 and Mozilla just hit v1 - give it some time.
ITYM "give it even more time".
(Not intended as a troll, btw: Moz' is pretty capable now, but for my usage it's not yet so clearly better than Opera to install on my home machine. YMMV.)
3 volumes, and the third volume has (shock, horror) Appendices filling in the mythology. With fragments - the end of "a Part of the Tale of Aragorn and Arwen" in App A, for example, that stand comparison with the best in the main story.
No offense intended. I'll probably take in the film sooner or later (probably when it comes round on public access TV). And I'll probably enjoy it, just as I've enjoyed viewing Blade Runner even though I read DADoES many years earlier.
Probably too late to be noticed on/., but The Times has a measured and appreciative obituary. You can find it in the online edition here (no registration needed).
Seems a pretty inefficient way to build a spam list. Sounds more like a variation of the classic chain letter, but fishing directly for suckers willing to cough up the $14.95.
Karma: NaN (mostly due to meddling Slashcode programmers)
That [warranty if there's a charge for installation or support] seems pretty reasonable. If I agree to install open source software to do X and charge you for it and the software doesn't do X I'm in breach.
Agreed, if the warranty is on the service that you are providing. From the article quote that you're responding to, the concern is that the opensource freely-donated software that you've decided to use would have to provide a warranty if it was utilised in these circumstances. If that's an accurate summary of that aspect of UCITA then there's cause for valid concern on the part of both open-source software donators and you as a service provider since you may find it inadvisable to use software whose authors are unable or unwilling to provide a warranty that fits this particular US law's requirements.
No disagreement with your other comments about distributors of collections of software making clear the extent to which they are standing behind them.
<soapbox>
It seems to me that there's a certain amount of special pleading going on here from open-source advocates. On the one hand, claims are made for its superior quality and lower cost of ownership, but at the same time there's a strong tendency to devolve responsibility for checking that the quality is adequate to the people and organisations who decide to use it. And, as we've seen with some embarassing incidents recently, there's also a tendency to assume that the many-eyes checking has already been done - by other people.
I like the idea that software should be covered by the "fitness for ordinary use" criterion that applies to most other products and services; I don't see it as self-evident that open source software should automatically be given special treatment.
"This could prove useful in the battlefield someday."
(Shudder) This is the sort of comment that gives me the creeps. At least with humans there's the chance that you can eventually reason with your opponents . But autonomous robots? You might as well try to negotiate with a land mine - "hey, dude, the war's over, mind if I walk through there now?"
See the Phil K. Dick story referred to in the title, or the film "Screamers" that was based on it.
They actually needed to commission a 'task force' to figure this out?
I may be giving 'them' too much credit, but they probably needed the task force to provide some halfway plausible justification to do what they had already worked out was needed. Sorry, but that's par for the course in the typical large Dilbert-documented corp, and AOL-TW (or whatever they'll be calling themselves next week to divert attention from the ongoing stockmarket storm) is certainly in that class.
At least they're using the focus group to Do The Right Thing. I've just encountered a 'business case' that has been carefully constructed to justify a decision that was casually imposed a couple of months ago then had to be withdrawn because of the volume of objections from the end-users of the service concerned.
-- Do not anger Pointy-Haired Bosses, for they set the agendas, rewrite the meeting minutes, and would not understand subtlety if it reared up and bit them in the LOSS OF CARRIER
By Samuel Butler. Late 19th century satirical fable, but with an exceedingly bleak underlying view of human nature.
Ursula leGuin's The Dispossessed.
As others have noted, virtually everything by Philipp K. Dick - Do Androids Dream etc is one of the more approachable, but look at Flow My Tears The Policeman Said, and A Scanner Darkly for darker takes on very similar worlds.
Who on Earth wants to try to jump into a series on the 22nd book? Nobody!
At the risk of drifting offtopic or being accused of trolling, are there any series that truely continue to have something to say when they get to the 22nd book, rather than being written mostly to satisfy the series' existing fans?
(Sure it's a matter of personal opinion, but it's been years since I felt motivated to pick up the latest release of the Diskworld franchise, though I still find the earlier part of the series worth a reread from time to time.)
"Apparently there is a massive problem in Europe with cell phones being stolen. I've never understood this, as it would seem pretty easy to catch someone who has such a device; the IMEI number is one way, but also just basic police work like tracking numbers called and the like would seem to make it easy to catch cell snatchers. And just wait until GPS technology is widespread in the phones. Also, if the problem is that rampant I would think the industry would make it extrenely easy to blacklist and just disable the stolen phone. If that happened then the incentive to swipe a cell phone would diminish pretty quickly."
Twit.
It is a significant problem. Mobile phones are everyday consumer items in Europe, especially amongst young people. And it's genuinely very useful for parents of kids who are learning their way to live independently if the kids have a way to phone home from just about anywhere if they find themselves in a tricky situation. You can't depend on there always being a nearby (unvandalised) public phone booth - partly because the spread of mobile phones is making these less economic, but that's another matter. Kids, of course, are also good targets to mug to steal such devices 'cos they can't fight back so hard, which tends to get people's attention when it happens.
Some mobile service providers don't block calls made from phones with IMIE numbers reported as stolen. The general consensus is that this is because this would cost them money. Of course There Oughta Be A Law Mandating This, but see the next point.
Re-identifying phones with new IMIE numbers evades such checks even on networks which apply them. The general consensus is that this may possibly (gasp) be a significant reason for changing the IMIE numbers in the first place.
Blacklisting mobiles phones/ recontacting them, etc. I believe it's been tried (Holland?), with the phones having text messages sent to them declaring "this phone is stolen". See the previous point for a discussion of the incentives this produces to change IMIE numbers.
The legislation appears aimed to clamp down on people who have found a hitherto legal market niche in catering to a demand to have phone IMIEs changed, when the general consensus is that the only significant call for such services is to disguise the origin of phones that have been acquired in an illegal way. The people stealing the phones may not be deterred - street crime is street crime. Driving the IMIE modding underground will make it more trickier, riskier, and so more expensive to recycle the phones, though, which may well reduce the demand. The modding merchants might need to go back to personally selling products that "fell off the back of a lorry" as the euphemism goes, but that's just tough.
Oh, and please tell us that you're not suggesting hardwired tamperproof IDs in each phone to set up a massive "my self-asserted rights to privacy are being infringed" troll if that is ever done.
HP doesn't have the people and resources to fix a potentially serious bug, but it does have the people and resources to claim copyright protection on it.
True, this is on a product that the company undoubtedly wants to retire as soon as possible, but the message this is sending about its priorities goes considerably wider.
...New Scientist's Incarus column of fond memory...
Daedalus, perhaps? Heard the author give a talk on a typically far-fetched topic once - something about how the graduations in population density between town and country are explicable by analogy with the kinetic theory of gases. Not one of his best efforts, but ingeniously worked out.
I seem to recall he also invented the nuclear-powered pogo stick (use a piston/ cylinder arrangement that compresses the enclosed gas as the spring, embed sub-critical masses of uranium in head of piston and closed end of cylinder, as piston approaches end of cylinder proximity of the two pieces of uranium initiates limited chain reaction which warms the gas and provides the motive power; make sure piston - cylinder arrangement is really airtight).
It's funny how in the telephone network, the only way to survive is to be completely interoperable...
It's not totally seamless in the mobile world: some wireless network operators refuse to accept short text messages addressed to their users from users on other networks. Typically this is across national boundaries and when there's a large imbalance in message flow between a particular pair of providers, so there is a desire for a contract to cross-charge for carrying "foreign" traffic. All very frustrating if you're wanting to use the medium to send alerts to your (signed-up and opted-in) business customers.
imagine the hijackers treating the plane like a German V2... keep the normal flight path until they get near/ over a major city, they just point the nose at the ground
Pedantic point: the pilotless 'buzz-bomb' plane was the V1. The V2 was the ballistic missile developed by - amongst others - Werner von Braun.
Slashdot Mirror
Karma: I am a number, not an adjective!
Karma: NaN (mostly affected by meddling slashcode maintainers).
For God's sake don't tell Dubya, he'll decide it hampers the War Against Terrorism and order it abrogated.
</troll>
--
No Pope Here! (Wall slogan in protestant Belfast)
- Lucky old Pope. (Short-lived addition)
Which is not to say that a biometric device combined with intelligent human oversight (so you'll be spotted if you try to use an artificial hand to fool a device based on hand and finger sizes, for example) isn't an appropriate component of an authentication system, and the article gives an example in use on Mr Schneier's home turf.
Seriously, do read the article, even if it is a little on the long side. It contains a lot of good sense: in particular its emphasis on putting human decision-making back into the loop, rather than looking for all-encompassing technical solutions. We're clearly not yet at the point where our technology is sufficiently advanced that it can act as if by magic - as a lot of snake-oil merchants pretend, and a lot of quick-fix politicos who should know better affect to believe.
Assuming the sources cited are accurate, we now have two independent misimplementations of SSL certificate handling, indicating that two purveyors of software that is entrusted with providing a secure (ie, private and authenticated) communications channel have screwed up in a way that suggests they did not understand properly what they were doing.
Rather puts buffer overflows into the shade, doesn't it?
As the late Professor Doctor Edsgar W. Dijkstra commented: "If you don't know what your program is supposed to do, you'd better not start writing it." RIP, a great man.
(Not intended as a troll, btw: Moz' is pretty capable now, but for my usage it's not yet so clearly better than Opera to install on my home machine. YMMV.)
No offense intended. I'll probably take in the film sooner or later (probably when it comes round on public access TV). And I'll probably enjoy it, just as I've enjoyed viewing Blade Runner even though I read DADoES many years earlier.
See subject line.
RIP.
Karma: NaN (mostly due to meddling Slashcode programmers)
No disagreement with your other comments about distributors of collections of software making clear the extent to which they are standing behind them.
<soapbox>
It seems to me that there's a certain amount of special pleading going on here from open-source advocates. On the one hand, claims are made for its superior quality and lower cost of ownership, but at the same time there's a strong tendency to devolve responsibility for checking that the quality is adequate to the people and organisations who decide to use it. And, as we've seen with some embarassing incidents recently, there's also a tendency to assume that the many-eyes checking has already been done - by other people.
I like the idea that software should be covered by the "fitness for ordinary use" criterion that applies to most other products and services; I don't see it as self-evident that open source software should automatically be given special treatment.
</soapbox>
--
Hey, where's my karma gone?
See the Phil K. Dick story referred to in the title, or the film "Screamers" that was based on it.
--
Come back, Ned Ludd, the world needs you.
(I'm not sure I agree that the current state of the US system has any close connection with the system's basic underlying philosophy, btw.)
At least they're using the focus group to Do The Right Thing. I've just encountered a 'business case' that has been carefully constructed to justify a decision that was casually imposed a couple of months ago then had to be withdrawn because of the volume of objections from the end-users of the service concerned.
-- Do not anger Pointy-Haired Bosses, for they set the agendas, rewrite the meeting minutes, and would not understand subtlety if it reared up and bit them in the
LOSS OF CARRIER
Ursula leGuin's The Dispossessed.
As others have noted, virtually everything by Philipp K. Dick - Do Androids Dream etc is one of the more approachable, but look at Flow My Tears The Policeman Said, and A Scanner Darkly for darker takes on very similar worlds.
(Sure it's a matter of personal opinion, but it's been years since I felt motivated to pick up the latest release of the Diskworld franchise, though I still find the earlier part of the series worth a reread from time to time.)
- It is a significant problem. Mobile phones are everyday consumer items in Europe, especially amongst young people. And it's genuinely very useful for parents of kids who are learning their way to live independently if the kids have a way to phone home from just about anywhere if they find themselves in a tricky situation. You can't depend on there always being a nearby (unvandalised) public phone booth - partly because the spread of mobile phones is making these less economic, but that's another matter. Kids, of course, are also good targets to mug to steal such devices 'cos they can't fight back so hard, which tends to get people's attention when it happens.
- Some mobile service providers don't block calls made from phones with IMIE numbers reported as stolen. The general consensus is that this is because this would cost them money. Of course There Oughta Be A Law Mandating This, but see the next point.
- Re-identifying phones with new IMIE numbers evades such checks even on networks which apply them. The general consensus is that this may possibly (gasp) be a significant reason for changing the IMIE numbers in the first place.
- Blacklisting mobiles phones/ recontacting them, etc. I believe it's been tried (Holland?), with the phones having text messages sent to them declaring "this phone is stolen". See the previous point for a discussion of the incentives this produces to change IMIE numbers.
The legislation appears aimed to clamp down on people who have found a hitherto legal market niche in catering to a demand to have phone IMIEs changed, when the general consensus is that the only significant call for such services is to disguise the origin of phones that have been acquired in an illegal way. The people stealing the phones may not be deterred - street crime is street crime. Driving the IMIE modding underground will make it more trickier, riskier, and so more expensive to recycle the phones, though, which may well reduce the demand. The modding merchants might need to go back to personally selling products that "fell off the back of a lorry" as the euphemism goes, but that's just tough.Oh, and please tell us that you're not suggesting hardwired tamperproof IDs in each phone to set up a massive "my self-asserted rights to privacy are being infringed" troll if that is ever done.
True, this is on a product that the company undoubtedly wants to retire as soon as possible, but the message this is sending about its priorities goes considerably wider.
I seem to recall he also invented the nuclear-powered pogo stick (use a piston/ cylinder arrangement that compresses the enclosed gas as the spring, embed sub-critical masses of uranium in head of piston and closed end of cylinder, as piston approaches end of cylinder proximity of the two pieces of uranium initiates limited chain reaction which warms the gas and provides the motive power; make sure piston - cylinder arrangement is really airtight).
"It seems an awful lot of trouble to go to just to break a Britney Spears ringtone collection or an AOL beer coaster."