Slashdot Mirror


User: Schraegstrichpunkt

Schraegstrichpunkt's activity in the archive.

Stories: 0
Comments: 2,694

Comments · 2,694

  1. Re:It will counter global warming on Low Earth Orbit Junk Yard Nearly Full · · Score: 1

    Entirely possible. Learn about the Gulf Stream.

  2. Re:How bad are we? on Low Earth Orbit Junk Yard Nearly Full · · Score: 1

    Don't blame me, I voted for Kodos.

  3. Re:No problem on Low Earth Orbit Junk Yard Nearly Full · · Score: 1

    You're aware that the surface of the earth is nearly 200 million square miles, right? And that's just at sea level. Of course, LEO is the range of 124 to 1240 miles above the surface, which makes the area of that "sphere" roughly 340 square miles at the upper limit.

    Who put the earth inside a TARDIS?

  4. Microsoft software "easy to use"? Ha. Hahahahaha on Bitlocker No Real Threat To Decryption? · · Score: 2, Interesting

    In some ways, the issue boils down to who is more knowledgeable about the use of encryption or other security technologies: investigators or the targets of investigation,

    In other words, Microsoft really hasn't learned much about security over the last 10 years. They still design security systems that are prone to operating insecurely. This looks like the "Do you want to run this ActiveX control?" dialog all over again.

  5. Re:Frozen-bubble on How To Tell Open-Source Winners From Losers · · Score: 1

    (Score:-1, Offtopic)

    Clearly, the mods have never played frozen-bubble. That's probably a good thing, since it's a huge sink of time.

    /me goes back to playing frozen-bubble.

  6. Re:I go to Sourceforge after I learn about a progr on How To Tell Open-Source Winners From Losers · · Score: 1

    Here is a partial list of successful free software projects not on Sourceforge: No, that's basically it. When it comes to server software, interpreted languages, a couple of RDMSs, browsers, and toolkits, Sourceforge is GREAT!

    Huh? Read my post again (emphasis added):

    Here is a partial list of successful free software projects not on Sourceforge:

    My point is that if you only look at Sourceforge, you'll miss a lot of good stuff. Sourceforge tends to attract projects that are too small to host their own files.

  7. Re:I go to Sourceforge after I learn about a progr on How To Tell Open-Source Winners From Losers · · Score: 5, Insightful

    I'm not sure if you are joking or not, so...

    Here is a partial list of successful free software projects not on Sourceforge:

    • Linux
    • Apache
    • Python
    • Ruby (off and on Rails)
    • PostgreSQL
    • Most of GNU
    • *BSD

    A better place to look for successful free software projects is http://packages.debian.org/.

  8. Frozen-bubble on How To Tell Open-Source Winners From Losers · · Score: 0, Offtopic

    Uh-oh!

    Yeah.

    Frozen.

    Bubble.

    I only play so I can listen to the lyrics.

  9. Re:Maybe your notion of reality comes from fiction on MySpace Worm Creator Sentenced · · Score: 1

    "What exploits are those?"
    Google it yourself and find out.

    What, this? That's not a remotely-exploitable security hole. It's not even a DoS hole, because a separate qmail-smtpd gets run by tcpserver for each connection. You claim that qmail has remotely-exploitable security holes. Again, I ask you for evidence.

    As far as your bullet points go, equal care could (and has) been done for other types of software that ended up with bugs anyway.

    You can do formal analysis of software the size of, say, OpenOffice.org? You claim it has been done. Again, evidence? Not that it would refute my argument, because other people doing it wrong does not preclude someone from doing it right.

    But don't forget the context of this discussion which is whether the criminal or the software writer is responsible for creating an exploit.

    You made a strong statement ("X is impossible") backed by a bogus claim. I called you on it, and now you're saying that it doesn't matter---that you're right anyway? I'm not convinced.

  10. Re:Maybe your notion of reality comes from fiction on MySpace Worm Creator Sentenced · · Score: 1

    I'm saying that having multiple teams trying very hard to do something and all failing is much better evidence of the task being impossible than possible. Do you dispute that?

    Absolutely. Having multiple teams trying very hard to create powered human flight all failing was not evidence of its impossibility, and it isn't here either. A bunch of people doing the wrong thing doesn't have any effect on someone doing the right thing. If anything, it makes it more likely that somebody will discover what the right thing is, because they have lots of knowledge of what doesn't work.

    The fact remains that computers are deterministic machines that only do what they're programmed to do. If you don't program them to have specific mechanisms of being remotely exploitable, they won't be.

    I'm not sure that qmail could be described as large (I never said "non-trivial"), but a little research indicates that exploits have been reported.

    What exploits are those?

    I guess you're assuming that while all non-trivial software has flaws, the security related parts of the program can be immune somehow. If one can't eliminate all the bugs from those parts of the programs unrelated to security, what evidence is there that they can be totally eliminated from those that are?

    • You keep the security-related parts simple;
    • You keep the security-related parts isolated from each other and from the rest of the system, and you tightly control the interfaces between these parts;
    • You perform formal analysis of the simple, isolated, security-related parts;
    • You make the security-related parts low-level enough that any flaws would manifest themselves frequently, and therefore be detected and fixed before the software is released;
    • You don't rush development of the security-related parts;
    • You design the rest of the system around the security-related parts, not the security-related parts to fit the rest of the system.

  11. Re:Missing the point on MySpace Worm Creator Sentenced · · Score: 1

    Who said anything about being bug free?

    Not all implementation mistakes result in remotely-exploitable security holes.

  12. Re:Banned from the Internet? on MySpace Worm Creator Sentenced · · Score: 2, Funny

    Does rhyme constitute sound argument?

  13. Maybe your notion of reality comes from fiction? on MySpace Worm Creator Sentenced · · Score: 1

    There is a difference between impossible, and has not been done yet. Are you actually disputing that?

    In any case, it doesn't matter. You don't see them often, because they tend to be more expensive than your typical off-the-shelf software, but unexploitable, non-trivial software systems do exist. A popular example is qmail. Yes, it has bugs, and is suffering tremendous bit rot, but it's a nice example of how to design a large software system to be resistant to remote exploitation in the face of implementation flaws.

    The trick is to limit the number of points where the system can fail in an exploitable manner, and to build the system so that exploitable bugs will cause frequent and obvious failures (and therefore never find their way into releases).

    You're taking the notion that all non-trivial software has flaws---something I would agree with---and generalizing it to say that all non-trivial software has remotely-exploitable security holes.

  14. Re:Missing the point on MySpace Worm Creator Sentenced · · Score: 1

    It's not possible to create a large software product that is 100% unexploitable

    What theorem is that?

  15. Re:But Samy is my hero on MySpace Worm Creator Sentenced · · Score: 1

    I'm coming over to walk into your house and steal your stuff, as a joke, to show you how lax your home security is.

    Home security and website security are very different things:

    • Homes can be attacked by anyone who is physically near them. Websites can be attacked by anyone on the Internet, regardless of physical distance.
    • Attacking a home requires physical presence, and is therefore risky for the attacker, who may be caught in the process. Websites can be attacked from a remote location, anonymously, with a much smaller risk of being caught.
    • Attacking a home causes damage. Attacking a website may (but will not necessarily) cause damage.
    • Attacking a home can put people's lives at risk. Attacking a website will not unless the people in charge of the website are grossly negligent.
    • Homes cannot be designed to be attack-proof, since cutting tools and explosives are cheap. Websites can be designed to be attack-proof, since a computer will only do what it's programmed to do.
    • Homes are (usually) not open to the public. Websites are.

    None of that necessarily excuses what this guy did, but computer security is different from home security, and needs to be looked at separately.

    Had he gone to MySpace and said "hey guys, I found this, might wanna check it out", no problem. But he didn't. He went public, and now he pays for it.

    You have some fundamental misconceptions about computer security. Read this.

  16. Re:Summary is wrong... on MySpace Worm Creator Sentenced · · Score: 1

    There is an established due diligence factor in reporting vulnerabilities.

    No. Go do some research on CERT and on full disclosure.

  17. Banned from the Internet? on MySpace Worm Creator Sentenced · · Score: 2, Interesting

    and is also banned from the Internet.

    Actually, he probably can't get a job as a programmer anywhere. What good is a programmer who can't search Google?

    I'm very disappointed with courts' willingness to ban people from computers and/or the Internet. I think they fail to understand the full impact that has in this part of the 21st century.

  18. Re:Don't oversell it on How Do You Advocate Linux in 5 Minutes? · · Score: 1

    It's better than having 5 different programs called "WebBrowser".

  19. Mods on crack on Vista Family Discount Keys Found Not Compatible · · Score: 1

    Flamebait I can understand, but offtopic?

  20. Don't oversell it on How Do You Advocate Linux in 5 Minutes? · · Score: 2, Insightful

    The biggest mistake I think people make is overstating what Linux can do. That just sets people up to be disappointed.

    Linux is not the best at everything, and it's not necessarily for everyone. Linux is not a gaming platform, though it does have plenty of fun games (frozen-bubble, anyone?). Linux may be hard to install, and you sometimes have to be choosy when selecting hardware for Linux, but it gets easier with time, and for me, it was worth it.

    Everyone already knows that Linux is great for Linux fanatics. The main points you want to get across are as follows:

    1. Linux is a respectable tool that some people use to get stuff done.
    2. Linux is changing rapidly, so if it's not for you today, try it again in a year or two.

    Your primary goal is to inspire curiosity.

  21. Re:Power over Ethernet Could Help on IEEE Seeks For Ethernet To 'Go Green' · · Score: 1

    But while DC-DC transformers that transform voltage DOWN have been available for some years now, I haven't seen a good approach to get voltage UP.

    What about charge pumps?

  22. Re:Focusing on end users on Vista Indicates A Shift in Microsoft's Priorities · · Score: 1

    Okay, that's true-to-form for Microsoft, but not exactly what I had in mind.

  23. Re:An American Flag on Making Your Company More Visible at a Job Fair? · · Score: 1

    It doesn't have to be just an American Flag of course, but some big visible proof that your small business is a part of a larger community-

    Like renaming a public building/stadium after your company?

  24. Shameless plug on Vista Family Discount Keys Found Not Compatible · · Score: -1, Offtopic

    Free operating systems are much less likely to have this problem.

  25. Re:Focusing on end users on Vista Indicates A Shift in Microsoft's Priorities · · Score: 1

    Note that I'm not in any way supporting DRM/activation/etc, which simply isn't good for anybody.