That's a very difficult question. You need to sit down with your company's legal department and figure it out.
The answer depends on: 1) Where you are and thus what laws are applicable to you. 2) Who you are. Healthcare, university, private company? If you are a university, are you a public university? If so, there may be additional laws and regulations. 3) What's being emailed. Patient records, classified documents?
What's acceptable for people in similar situations may not be acceptable for you. I go to a university and Google handles our email, but again, this doesn't mean it's OK for you guys to do it. Set up a meeting with your legal department and they'll figure it out. Meeting with legal also ensures that you're not going to get thrown under the bus (at least not as quickly) if you do something and later get hit with a lawsuit.
Having a.edu address gains you a lot of credibility when communicating with people outside the university. They are quite valuable. You can often get very quick responses to questions that most companies won't even respond to if they came from a name@gmail.com or name@yahoo.com.
Also, email is used for a lot of very important stuff like sending reports, design files, etc. Having someone on campus that can fix problems is quite valuable. Your campus email will never be "accidentally" seized, locked out, etc. like people have experienced with google and yahoo. Because the campus maintains backups (or at least, they should), you data will never be suddenly gone with no chance for recovery like people have experienced with google and yahoo.
The companies want it to be legal because they can produce it and make money, law enforcement would probably be happy not to have to deal with drug offenses, and politicians will do whatever the public wants. If some congressman's constituents want legal pot then he's going to campaign for legalization of pot or he'll be thrown out of office. (Of course, most young people don't vote and old people don't want change so they oppose legalization).
The government is an extension of the politicians. The politicians don't have any inherent reason to oppose legalization*. If drugs were legal then they could tax them at huge margins and make lots of money, so they actually have quite a bit to gain from legalizing them.
* There is that argument about how pot makes you question authority. I'm pretty sure that's complete bullshit.
How many people are seriously buying black market cigarettes? Yes, there will still be a small black market for the product, but it will be so incredibly small as to be negligible. No cartel will form selling black market drugs if drugs are legalized. You'll have a few small drug dealers making very little money from it.
It's because a lot of people don't like drugs. Thus, any politician who says "let's legalize drugs" is committing career suicide. No politician will allow drugs to become legalized, nor will they reduce penalties for drug use for fear of being seen as "soft on crime".
Perhaps it's time that people realize that a lot of things do need to be connected to external networks and that "air gap them" is simply a cop out response equivalent to saying "use a typewriter".
Yes, some things should be air-gaped, nuclear gas centrifuges come to mind. However, many industrial control systems need to report information over the internet. Remote pumping stations, unmanned power distribution centers, etc. Having a lot of data is not simply a convenience. This data allows engineers to troubleshoot failures, predict future failures, and adjust systems for optimum efficiency.
What's really necessary is for some kind of device that will communicate the data to remote places, but refuse to pass any messages from the outside onto the control system. I don't know how difficult this is, but it's certainly harder than "air gap it". On the other hand, this solution actually addresses the problem.
Threatening to sue has all the weight of someone threatening to beat you up over the internet. People scream "I'M GOING TO SUE" for every single fucking thing nowadays. The proper action would be to retain legal council and make them aware of the situation immediately. They might write a warning letter, but this is much different than you, without representation, telling your company that you're going to sue them.
You idiot. This has nothing to do with stuxnet. Yes, it's very similar in how it works, but it serves a completely different purpose. Duqu isn't targeting Iran or any industrial/commercial automation and control systems. I determined this information from 10 seconds of research through wikipedia. Seriously, look stuff up before blindly commenting on it.
I think that more likely the cartels called anonymous' bluff and they backed down once they realized that this was actually real. Anonymous is made up of a few thousand members that do nothing but talk a lot of shit, make threats, etc. and a small handful of skilled hackers. In the past what has happened is that one or two of the hackers have broken into something (i.e. sony) and released a lot of data while the rest of the group takes all the credit. But even the skill of these few hackers is questionable. The servers they broke into had known security vulnerabilities that were unpatched due to incompetent administrators, one guy actually gave out the password to his server after some social engineering. The recent "child porn bust" was some "genius" who managed to write a script to return a list of names and other information that was publicly available in the first place.
I suspect what happened here is that a lot of members said "we're going to take down the cartels", the cartels didn't like that and responded by killing people. So now you're left with a bunch of shit-talking idiots and a few good hackers. The hackers aren't exactly useful here because I'm pretty sure the drug cartels don't go around storing details of their crimes on insecure servers. MAYBE some cartel member has an email account that might be of some use, but good luck hacking into a gmail account that you don't have any prior knowledge of. The rest of the anonymous members decided that maybe they should stop poking a hornet nest and tried to play it off as "well, we don't want anyone else to get hurt" rather than "we threatened some bad people, couldn't back it up, and got someone killed so we're not doing that anymore".
"Lasers can take out ICBM? Intercontinental Ballistic Missiles?"
Yeah, they can. Of course the lasers capable of doing this take up an entire purpose-built Boeing 747 and require an amazing amount of carious chemicals to work. Not exactly "hand held".
However, hand-held lasers can easily be powerful enough to permanently blind someone, which should be taken very seriously. No, you won't find them at the dollar store, but anyone can buy them (without a license) for a few hundred dollars. Suggesting some form of regulation isn't ridiculous because these things are very dangerous and can cause permanent bodily harm at range. Maybe not as much as a firearm, but more than a taser.
Just to reemphasize a point here: this is not any kind of scientific organization doing any kind of official naming. This is a thinly-veiled advertisement for an aquarium supplier which named two colors of coral some gamer-related terms. They aren't even named after call of duty specifically, they could refer to about 70% of games on the market.
He doesn't mean "blind the pilots" as in "destroy their eyes so they can never see again". He means "shine an extremely bright light into their face so it's extremely hard to see anything"
It has nothing to do with luck. All the script kiddies in the world won't be able to get into a server unless it hasn't been patched in 5 years or the root password is "password". Lulzsec, anonymous, etc. are all structured the same way. There's a huge group of extremely vocal script kiddies and a very small group of people who actually know what they're doing. The script kiddies are the ones running tools like LOIC to ddos websites and making statements to the press. This serves little purpose except to distract everyone from what the real hackers are doing. These are the ones that get arrested because even the most incompetent investigator can figure out who is sending a bajillion HTTP requests to a web server.
The people who actually know what they're doing don't get caught because, well, they know what they're doing. These people take the time to research their target, identify possible methods of attack, and then plan what they're going to do. They don't just attempt to break into random servers with whatever the vulnerability of the month happens to be and then somehow stumble across a metric shitload of confidential information.
"Freedom of Speech typically does not permit incitement to violence."
You're half correct. The limitation that you refer to is speech that is likely to result in "Imminent lawless action". So, saying "SHOOT THAT GUY RIGHT IN FRONT OF YOU RIGHT NOW" is probably illegal. However, advocating for an armed rebellion is not "imminent" and would likely be protected. Of course, this limitation only exists on speech in the United States and really has no relevance outside of that context.
"Furthermore, inciting harm to powerful leaders, regardless of motivation or full intent, is probably not wise" I completely disagree. There's multiple definitions of "not wise". Yeah, speaking out against an oppressive dictator is likely to result in you either getting thrown in a secret jail or shot. However, allowing your freedoms to be trampled and sitting idly by while the government murders innocent civilians is also "not wise".
Because anyone who is going to use this information to do harm already knows it. The thing people seem to forget whenever something scary happens is that the "bad guys" aren't stupid. Terrorists know how to use a computer. It's better that everyone knows the information so that everyone can use it to prevent whatever attack it might indicate.
The two choices are NOT: 1. Keep the information secret and the bad guys will never find it 2. Release the information and the bad guys will use it to do bad things
The choices ARE: 1. Keep the information secret and everyone is caught with their pants down when the bad guys, who figured all this out on their own, do bad things. 2. Tell everyone the information so that any Tom, Dick, and Harry knows what the bad guys are going to do and they can take appropriate measures.
This, from the people in charge of trading amazingly large amounts of money in a market which influences the global economy in a big way. (remember that billion vs. million mix-up awhile back that caused some pretty big problems until it was fixed)
You call it risky, I call it reckless. You try what you're doing in any other field and you'd be fired pretty damn quick.
That said, I'm not so much angry at you as I am at the people who ask you to do this.
He didn't just turn the company in one day for shits and giggles, he was told by management that he was liable if anyone ever found out that they were using pirated software. The company put him in a position to be thrown under the bus should anything happen in the future, and this was long before he did anything to hurt the company.
The proper solution in this case (both legally and ethically) was to inform the BSA (or at least someone) that this was going on. It would have been illegal and unethical of him to continue to use the software it would be equally wrong of him to simply leave the company knowing full well what was happening. Furthermore, if he didn't report them and simply left the company he could still be liable in the future if the company claimed that he caused these problems before he left.
They're something to be said for being loyal to your employer, but this loyalty ends when your employer isn't loyal to you. This loyalty ends even faster when your employer tells you straight out that they aren't loyal to you, as they did in this case.
"I assume the BSA would have the information available, such as a sworn or at least signed statement from someone, to prove they actually had a reasonable basis for a lawsuit, in their own defense against claims of some sort of abuse of process, but maybe they don't keep the information."
If they use the statement to justify a lawsuit they cannot then destroy it, that would be destroying evidence and would serve no purpose to the BSA. In fact, if the company they're suing returns fire then the BSA will want that statement in order to shift blame onto that person. "Well of course we sued you, this guy here gave us a sworn statement saying you were pirating software, he apparently lied under penalty of perjury, sue him instead"
If you read the OP's description you'd see that this is not feasible. They're already not running any software without proper licensing and hiring a lawyer would basically solve the issue. The problem is that they DON'T HAVE ANY MONEY FOR A LAWYER. Yeah, it'd be great to sue the BSA for wasting your time and filing bullshit, even illegal, lawsuits, but do you have any idea how much money that's going to cost? Even if you could recover attorney's fees as part of the trial you don't actually get that money until after the trial IF you're successful. You'd still have to pay the lawyer their fees, in full, up-front.
"but should programmers play the role of doctor even in seemingly harmless areas"
No, obviously no one other than a doctor should play the role of doctor. But this is a red herring. We're not talking about medical apps that claim to be equivalent to doctors. No one is practicing medicine without a license here.
It should be obvious to anyone that an app can be written by someone who does not have a medical degree or any relevant experience. Now, if these apps were claiming to be written by doctors or to be giving advice approved by a doctor or something then that might be a case for intervention.
Of course, US law doesn't prohibit the military from producing weapons, so there's really no conflict in the license terms. I've seen that line in a lot of licenses for a lot of products that seem to have absolutely nothing to do with anything related to weapons or manufacturing of the same. I think it's just something that a lot of product manufacturers throw in there to cover their ass in case some terrorist gets caught with an iphone/ipad/whatever in their car.
Slashdot Mirror
That's a very difficult question. You need to sit down with your company's legal department and figure it out.
The answer depends on:
1) Where you are and thus what laws are applicable to you.
2) Who you are. Healthcare, university, private company? If you are a university, are you a public university? If so, there may be additional laws and regulations.
3) What's being emailed. Patient records, classified documents?
What's acceptable for people in similar situations may not be acceptable for you. I go to a university and Google handles our email, but again, this doesn't mean it's OK for you guys to do it. Set up a meeting with your legal department and they'll figure it out. Meeting with legal also ensures that you're not going to get thrown under the bus (at least not as quickly) if you do something and later get hit with a lawsuit.
Having a .edu address gains you a lot of credibility when communicating with people outside the university. They are quite valuable. You can often get very quick responses to questions that most companies won't even respond to if they came from a name@gmail.com or name@yahoo.com.
Also, email is used for a lot of very important stuff like sending reports, design files, etc. Having someone on campus that can fix problems is quite valuable. Your campus email will never be "accidentally" seized, locked out, etc. like people have experienced with google and yahoo. Because the campus maintains backups (or at least, they should), you data will never be suddenly gone with no chance for recovery like people have experienced with google and yahoo.
The companies want it to be legal because they can produce it and make money, law enforcement would probably be happy not to have to deal with drug offenses, and politicians will do whatever the public wants. If some congressman's constituents want legal pot then he's going to campaign for legalization of pot or he'll be thrown out of office. (Of course, most young people don't vote and old people don't want change so they oppose legalization).
The government is an extension of the politicians. The politicians don't have any inherent reason to oppose legalization*. If drugs were legal then they could tax them at huge margins and make lots of money, so they actually have quite a bit to gain from legalizing them.
* There is that argument about how pot makes you question authority. I'm pretty sure that's complete bullshit.
How many people are seriously buying black market cigarettes? Yes, there will still be a small black market for the product, but it will be so incredibly small as to be negligible. No cartel will form selling black market drugs if drugs are legalized. You'll have a few small drug dealers making very little money from it.
It's because a lot of people don't like drugs. Thus, any politician who says "let's legalize drugs" is committing career suicide. No politician will allow drugs to become legalized, nor will they reduce penalties for drug use for fear of being seen as "soft on crime".
A company is using deceitful tactics to attract unsuspecting customers! News at eleven.
Perhaps it's time that people realize that a lot of things do need to be connected to external networks and that "air gap them" is simply a cop out response equivalent to saying "use a typewriter".
Yes, some things should be air-gaped, nuclear gas centrifuges come to mind. However, many industrial control systems need to report information over the internet. Remote pumping stations, unmanned power distribution centers, etc. Having a lot of data is not simply a convenience. This data allows engineers to troubleshoot failures, predict future failures, and adjust systems for optimum efficiency.
What's really necessary is for some kind of device that will communicate the data to remote places, but refuse to pass any messages from the outside onto the control system. I don't know how difficult this is, but it's certainly harder than "air gap it". On the other hand, this solution actually addresses the problem.
Threatening to sue has all the weight of someone threatening to beat you up over the internet. People scream "I'M GOING TO SUE" for every single fucking thing nowadays. The proper action would be to retain legal council and make them aware of the situation immediately. They might write a warning letter, but this is much different than you, without representation, telling your company that you're going to sue them.
TYPEWRITERS! TYPEWRITERS FOR EVERYONE!
Filter error: Don't use so many caps. It's like YELLING.
The candy man can
You idiot. This has nothing to do with stuxnet. Yes, it's very similar in how it works, but it serves a completely different purpose. Duqu isn't targeting Iran or any industrial/commercial automation and control systems. I determined this information from 10 seconds of research through wikipedia. Seriously, look stuff up before blindly commenting on it.
It's quicker just to read the article. Whoever wrote the summary has absolutely no idea how to use quotes.
I think that more likely the cartels called anonymous' bluff and they backed down once they realized that this was actually real. Anonymous is made up of a few thousand members that do nothing but talk a lot of shit, make threats, etc. and a small handful of skilled hackers. In the past what has happened is that one or two of the hackers have broken into something (i.e. sony) and released a lot of data while the rest of the group takes all the credit. But even the skill of these few hackers is questionable. The servers they broke into had known security vulnerabilities that were unpatched due to incompetent administrators, one guy actually gave out the password to his server after some social engineering. The recent "child porn bust" was some "genius" who managed to write a script to return a list of names and other information that was publicly available in the first place.
I suspect what happened here is that a lot of members said "we're going to take down the cartels", the cartels didn't like that and responded by killing people. So now you're left with a bunch of shit-talking idiots and a few good hackers. The hackers aren't exactly useful here because I'm pretty sure the drug cartels don't go around storing details of their crimes on insecure servers. MAYBE some cartel member has an email account that might be of some use, but good luck hacking into a gmail account that you don't have any prior knowledge of. The rest of the anonymous members decided that maybe they should stop poking a hornet nest and tried to play it off as "well, we don't want anyone else to get hurt" rather than "we threatened some bad people, couldn't back it up, and got someone killed so we're not doing that anymore".
"Lasers can take out ICBM? Intercontinental Ballistic Missiles?"
Yeah, they can. Of course the lasers capable of doing this take up an entire purpose-built Boeing 747 and require an amazing amount of carious chemicals to work. Not exactly "hand held".
However, hand-held lasers can easily be powerful enough to permanently blind someone, which should be taken very seriously. No, you won't find them at the dollar store, but anyone can buy them (without a license) for a few hundred dollars. Suggesting some form of regulation isn't ridiculous because these things are very dangerous and can cause permanent bodily harm at range. Maybe not as much as a firearm, but more than a taser.
Just to reemphasize a point here: this is not any kind of scientific organization doing any kind of official naming. This is a thinly-veiled advertisement for an aquarium supplier which named two colors of coral some gamer-related terms. They aren't even named after call of duty specifically, they could refer to about 70% of games on the market.
He doesn't mean "blind the pilots" as in "destroy their eyes so they can never see again". He means "shine an extremely bright light into their face so it's extremely hard to see anything"
It has nothing to do with luck. All the script kiddies in the world won't be able to get into a server unless it hasn't been patched in 5 years or the root password is "password".
Lulzsec, anonymous, etc. are all structured the same way. There's a huge group of extremely vocal script kiddies and a very small group of people who actually know what they're doing. The script kiddies are the ones running tools like LOIC to ddos websites and making statements to the press. This serves little purpose except to distract everyone from what the real hackers are doing. These are the ones that get arrested because even the most incompetent investigator can figure out who is sending a bajillion HTTP requests to a web server.
The people who actually know what they're doing don't get caught because, well, they know what they're doing. These people take the time to research their target, identify possible methods of attack, and then plan what they're going to do. They don't just attempt to break into random servers with whatever the vulnerability of the month happens to be and then somehow stumble across a metric shitload of confidential information.
"Freedom of Speech typically does not permit incitement to violence."
You're half correct. The limitation that you refer to is speech that is likely to result in "Imminent lawless action". So, saying "SHOOT THAT GUY RIGHT IN FRONT OF YOU RIGHT NOW" is probably illegal. However, advocating for an armed rebellion is not "imminent" and would likely be protected. Of course, this limitation only exists on speech in the United States and really has no relevance outside of that context.
"Furthermore, inciting harm to powerful leaders, regardless of motivation or full intent, is probably not wise"
I completely disagree. There's multiple definitions of "not wise". Yeah, speaking out against an oppressive dictator is likely to result in you either getting thrown in a secret jail or shot. However, allowing your freedoms to be trampled and sitting idly by while the government murders innocent civilians is also "not wise".
Because anyone who is going to use this information to do harm already knows it. The thing people seem to forget whenever something scary happens is that the "bad guys" aren't stupid. Terrorists know how to use a computer. It's better that everyone knows the information so that everyone can use it to prevent whatever attack it might indicate.
The two choices are NOT:
1. Keep the information secret and the bad guys will never find it
2. Release the information and the bad guys will use it to do bad things
The choices ARE:
1. Keep the information secret and everyone is caught with their pants down when the bad guys, who figured all this out on their own, do bad things.
2. Tell everyone the information so that any Tom, Dick, and Harry knows what the bad guys are going to do and they can take appropriate measures.
"They can't wait for the safe development cycle."
This, from the people in charge of trading amazingly large amounts of money in a market which influences the global economy in a big way. (remember that billion vs. million mix-up awhile back that caused some pretty big problems until it was fixed)
You call it risky, I call it reckless. You try what you're doing in any other field and you'd be fired pretty damn quick.
That said, I'm not so much angry at you as I am at the people who ask you to do this.
What morons rated this up to +5 insightful?
He didn't just turn the company in one day for shits and giggles, he was told by management that he was liable if anyone ever found out that they were using pirated software. The company put him in a position to be thrown under the bus should anything happen in the future, and this was long before he did anything to hurt the company.
The proper solution in this case (both legally and ethically) was to inform the BSA (or at least someone) that this was going on. It would have been illegal and unethical of him to continue to use the software it would be equally wrong of him to simply leave the company knowing full well what was happening. Furthermore, if he didn't report them and simply left the company he could still be liable in the future if the company claimed that he caused these problems before he left.
They're something to be said for being loyal to your employer, but this loyalty ends when your employer isn't loyal to you. This loyalty ends even faster when your employer tells you straight out that they aren't loyal to you, as they did in this case.
"I assume the BSA would have the information available, such as a sworn or at least signed statement from someone, to prove they actually had a reasonable basis for a lawsuit, in their own defense against claims of some sort of abuse of process, but maybe they don't keep the information."
If they use the statement to justify a lawsuit they cannot then destroy it, that would be destroying evidence and would serve no purpose to the BSA. In fact, if the company they're suing returns fire then the BSA will want that statement in order to shift blame onto that person. "Well of course we sued you, this guy here gave us a sworn statement saying you were pirating software, he apparently lied under penalty of perjury, sue him instead"
If you read the OP's description you'd see that this is not feasible. They're already not running any software without proper licensing and hiring a lawyer would basically solve the issue. The problem is that they DON'T HAVE ANY MONEY FOR A LAWYER. Yeah, it'd be great to sue the BSA for wasting your time and filing bullshit, even illegal, lawsuits, but do you have any idea how much money that's going to cost? Even if you could recover attorney's fees as part of the trial you don't actually get that money until after the trial IF you're successful. You'd still have to pay the lawyer their fees, in full, up-front.
"but should programmers play the role of doctor even in seemingly harmless areas"
No, obviously no one other than a doctor should play the role of doctor. But this is a red herring. We're not talking about medical apps that claim to be equivalent to doctors. No one is practicing medicine without a license here.
It should be obvious to anyone that an app can be written by someone who does not have a medical degree or any relevant experience. Now, if these apps were claiming to be written by doctors or to be giving advice approved by a doctor or something then that might be a case for intervention.
Of course, US law doesn't prohibit the military from producing weapons, so there's really no conflict in the license terms. I've seen that line in a lot of licenses for a lot of products that seem to have absolutely nothing to do with anything related to weapons or manufacturing of the same. I think it's just something that a lot of product manufacturers throw in there to cover their ass in case some terrorist gets caught with an iphone/ipad/whatever in their car.