Slashdot Mirror


User: Jahava

Jahava's activity in the archive.

Stories
0
Comments
270

Comments · 270

  1. Re:Plausible Deniability... on Forensic Investigator Outlines BitTorrent Detection Technology · · Score: 1

    From a defensive point of view, what is the minimum number of compromises that one should run in their own network to provide themselves with sufficient plausible deniability from this type of thing?

    Some ISPs provide this for their customers by giving them all secondary semi-open wifi networks. For example, BT Broadband customers have their own private wifi network, but the router also broadcasts a second BT OpenZone SSID that allows other BT subscribers to get internet access after logging in. Fon offers something similar. The deal is that you provide free wifi to other subscribers in exchange for having use of the same service when you are out and about.

    Can you prove I didn't have malware? What if I sold a computer recently - it must have been infected, since all of the ones you confiscated aren't - and wiped the disk prior?

    Can they confiscate your computers? In the UK they can't because copyright infringement is a civil matter. They can ask to examine it and you can tell them to fuck off because the burden of proof is on them and you are not required to aid them in any way, other than sharing evidence you yourself intend to rely on.

    Well here's the thing - assuming that they can, through some judicial voodoo, examine all of your computers and other systems, how could they ever hope to prove that you didn't have malware on your system at the time the alleged crime occurred that has since been removed (by itself or by you)? The burden of solid proof just seems impossible to meet.

  2. Re:Plausible Deniability... on Forensic Investigator Outlines BitTorrent Detection Technology · · Score: 1

    As a quick follow-on regarding "preponderance of evidence" (and legal burdens of proof in general) mentioned in another post: If I'm infected with a downloader malware, or if I have an open WiFi point, I could argue that this points to the likely scenario being that I didn't download anything illegally.

    In the case of downloader malware, if someone finds stolen art in my basement, and, upon further investigation, discovers that someone else has built a hidden tunnel into my basement and used that area to store tons of stolen art, no person in their right mind would say that I likely stole that one specific piece of artwork.

    In the case of an open WiFi access point, if a car used in a hit-and-run was found parked in a parking garage amidst several other random cars, no person in their right mind would say (by that fact alone) that it's likely the parking garage owner committed the hit-and-run.

    I suppose all pirates should self-infect with some malware and run open access points just for plausible deniability. Sandboxed, of course...

  3. Plausible Deniability... on Forensic Investigator Outlines BitTorrent Detection Technology · · Score: 4, Interesting

    So in all of these cases, as a technical person, I can't help but wonder how they're connecting an IP address to positive evidence of a specific person's deliberate action. There are countless plausible scenarios where a person can own a number (IP address) involved in a crime and yet not themselves be aware of or involved in said crime. Some examples are:

    • The defendant has (or had) an open WiFi access point at the time. The crime was committed by someone who used that connection.
    • The defendant has (or had) a secure WiFi access point with bad credentials at the time. The crime was committed by someone who guessed those credentials.
    • The defendant has (or had) a secure WiFi access point with secure credentials. The crime was committed by someone who obtained those credentials (overheard them, password reuse, friend-of-a-friend, etc.).
    • One of the defendant's computers is (or was) infected by malware at the time, and the malware performed the crime on behalf of someone else.
    • The defendant's IP address was spoofed by an employee at the defendant's ISP who was the actual party committing the crime.
    • The defendant was tricked into executing commands resulting in the crime on their system without knowing what those commands were doing (jerk tech-support guy, etc.).
    • The defendant's system performed the crime without the defendant's knowledge during routine execution of third-party content (Flash, Javascript) laced with malicious code.
    • A friend or associate of the defendant performed the crime using the defendant's systems without the defendant's knowledge or permission.

    In all of these scenarios, the crime could have been committed without any knowledge of the defendant. In some of these scenarios, the defendant has little-to-no chance to detect or thwart the crime. How does any lawyer convince any judge or jury that the person on trial committed a crime in light of this?

    From a defensive point of view, what is the minimum number of compromises that one should run in their own network to provide themselves with sufficient plausible deniability from this type of thing?

    • Can you prove I didn't have an open WiFi enabled at the time, or that my password was bad? What if I reset my router's logs daily?
    • Can you prove I didn't have malware? What if I sold a computer recently - it must have been infected, since all of the ones you confiscated aren't - and wiped the disk prior?
    • Can you prove someone didn't use my computer without my permission? What if I didn't have a password on it and frequently left it lying around work?

    Furthermore, from an activist's point of view, imagine someone built a malware variant that monitored browser usage (Google, Facebook, etc.) for movie names and automatically downloads movie titles that were mentioned to a secret directory? I've now got a piece of malware that automatically, without any user knowledge or intervention, downloads illegal files that that user is interested in. What if the malware downloads new movie releases instead by monitoring public release knowledge bases for titles? Is being infected by such a malware enough for innocence? If enough people are thusly infected would the entire concept of using IP subpoenas for prosecution fall apart?

    Just food for thought. I'd really like to know how someone can be held criminally-liable unless the prosecution caught them using the illegal file or captured an attributable confession.

  4. Re:GUID on Forensic Investigator Outlines BitTorrent Detection Technology · · Score: 4, Informative

    It is not possible that an allocated GUID is allocated to another user again.

    I would look into this. As it is written it sounds, at least, misleading. Even if this GUID thing is true for all P2P protocols (which I sincerely doubt), I would say that it should be spoofable directly or indirectly (compromising the machine if public key cryptography is used).

    He is technically correct, assuming that the act of "GUID allocation" involves the correct use of a valid GUID generation algorithm by the software in question. That said, as you noted, it's remarkably easy to spoof such a GUID (in this case). His statement implies that a GUID positively identifies a user, which it does not, and is thus a misleading statement.

  5. Re:Onion Routing on UK's 'Three Strikes' Piracy Measures Published · · Score: 3, Informative

    If your computer is set up to act as a node on Tor or another onion routing technology and a pirate uses your computer as an exit node, the pirate's traffic would look like your traffic to your ISP.

    Indeed it would, but when your traffic terminates in China, or some other place, who gives a fuck?

    Note: I don't condone using BitTorrent through Tor either. There are similarly designed protocols for that, like I2P.

    Someone using BitTorrent over the Tor network wouldn't show traffic going through you to China (or wherever the Tor user resides). An ISP monitoring your traffic would see BitTorrent requests originate at your IP address, and BitTorrent responses terminate at your IP address, simple as that.

    When you are a Tor exit node and someone makes a BitTorrent request through you, the actual request to the BitTorrent cloud is made by you (i.e., originates at your IP address) and the response is delivered to you (i.e., terminates at your IP address). At this point, your Tor software running on your system would encapsulate the response that you received and forward it through the Tor network back towards the actual requester.

    Now, depending on whether or not your ISP is monitoring Tor traffic (or all traffic) as opposed to specifically BitTorrent traffic, they may very well be able to see a correlation between your receiving some packet (remember, Tor can be obfuscated) and making a BitTorrent request, and, likewise, you receiving a BitTorrent response and sending some packet. If they're smart and if they care to, they may even put two and two together and realize that you're just acting as a proxy for someone else. However, that's on them.

    Makes running a Tor exit node as a method of plausible deniability seem pretty appealing though :)

  6. Re:Forget the bannination, how about uptime? on Diablo 3 Banhammer Dropped Just Before RMAH Goes Live · · Score: 2

    I bought Diablo 3, but have had 3 separate occasions where my "single player" game was unavailable for multiple hour long "maintenance" windows. Not being able to blow off steam in a dungeon crawler so Blizzard can get more value out of its players is leaving a SERIOUSLY bad taste in my mouth.

    Who the hell is going to pay real money for gear in a single player game?

    The point, as I see it, is less to make a huge profit and more to preempt those who would otherwise operate their own third-party real-money markets.

  7. Re:Check your password on Lessons Learned From Cracking 2M LinkedIn Passwords · · Score: 3, Insightful

    In this case, you have all the tools to satisfy your inner skeptic: the source is right there; if you don't trust yourself to read it, it's trivial enough to examine all communication the page does. As the site says, the passwords are hashed on the client, and nothing but the hash is ever sent to the server. You make a fair point, but this is Slashdot, we're not supposed to be "users" here.

    You also make a fair point, and I'll admit I didn't catch that and replied hastily in light of that.

    There are, however, a lot of known website tricks that can get around this (e.g., collaborating iframes, etc.) as well as server-side tricks (e.g., serve a malicious page every nth visitor). A full client-side audit will prove any given instance harmless, and I suspect the site likely will pass all such tests, but I still think the encouraged trust of a one-factor authentication credential to a third-party site is in bad security taste, especially as the link propagates outside of the "expert" community to relatives and friends who will likely not have the know-how to perform such auditing.

    Thank you for pointing that out!

  8. Re:Until they fuck it up on Ask Slashdot: Why Aren't You Running KDE? · · Score: 4, Informative

    Having seen the KDE people screw this up once already, many aren't interested in having it screwed up again in KDE 5.0 . KDE needs to make people understand that they admit they fucked up before and vow not to do it again.

    To be fair, a good deal of that blame lies at the distributions' over-eager hands. The KDE team stated publicly and repeatedly that the initial KDE4.x line was basically a developer preview. They stated that they didn't expect KDE to be in the same realm of usability as KDE 3.5 until around version 4.5.

    Nevertheless, Ubuntu, Fedora, etc. decided to be "bleeding-edge" and install the early 4.x developer preview KDE as the default desktop in their newer releases, severely harming KDE's reputation. While the KDE team could have handled the releases better ("beta" label, etc.), the distributions definitely should have known better.

  9. Re:Check your password on Lessons Learned From Cracking 2M LinkedIn Passwords · · Score: 5, Informative

    www.leakedin.org/

    Nobody should use this site, period.

    You seriously expect people to go to an arbitrary site and enter their password, knowing that the hashes have been leaked alongside account information?

    In the kindest possible world this may be seen as a service, but the skeptic in everyone should hear very loud alarm bells. This site could easily log all of the passwords that are entered for "testing", use them to solve the harder-to-brute-force hashes, and deliver to the site operator the resulting account information and plaintext password!

    Even if you had the best intentions posting that link, and even if the site actually is completely innocuous, one should never encourage any user to enter their password into a random third-party site. Please take it down immediately.
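    The point made in the two comments above (the site asks for the one thing the attacker wants, the plaintext, and a client-side hash only helps if the page you were served is the page that was audited) has a simple alternative: check the password against the leaked hash list on your own machine, so nothing ever leaves it. The script below is an added example and is not code from leakedin.org or from the poster. It assumes the known shape of the LinkedIn dump (unsalted SHA-1 digests, with already-cracked entries published with their first five hex characters overwritten by "00000"); the two dump lines in it are constructed stand-ins, and the function names are the example's own.

```python
"""Added example (not from the original post or from leakedin.org): check a
password against a leaked hash list locally, without sending it anywhere."""
import hashlib
from typing import Iterable, Set, Tuple

# The dump published already-cracked hashes with this prefix in place of the
# first five hex characters, so those entries only match on the last 35.
MASK = "00000"
HEX_DIGEST_LEN = 40  # SHA-1 hex digest length

# Constructed sample of dump lines (not the real file):
LEAKED_SAMPLE = [
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",  # sha1("password"), intact
    "00000d09ca3762af61e59520943dc26494f8941b",  # sha1("123456"), prefix masked
    "not a hash line, should be ignored",
]


def hash_password(password: str) -> str:
    """Unsalted SHA-1 hex digest, i.e. what LinkedIn stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_dump(lines: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Split dump lines into intact digests and the tails of masked ones.

    Returns (full_digests, masked_tails); malformed lines are skipped.
    """
    full: Set[str] = set()
    masked_tails: Set[str] = set()
    for line in lines:
        h = line.strip().lower()
        if len(h) != HEX_DIGEST_LEN or any(c not in "0123456789abcdef" for c in h):
            continue
        if h.startswith(MASK):
            masked_tails.add(h[len(MASK):])
        else:
            full.add(h)
    return full, masked_tails


def is_leaked(password: str, full: Set[str], masked_tails: Set[str]) -> bool:
    """True if the password's digest appears in the dump, intact or masked.

    The password is hashed here and compared here; the only data that ever
    needs to cross the network is the (already public) dump itself.
    """
    h = hash_password(password)
    return h in full or h[len(MASK):] in masked_tails


if __name__ == "__main__":
    full, tails = load_dump(LEAKED_SAMPLE)
    for candidate in ("password", "123456", "correct horse battery staple"):
        print(candidate, "->", "LEAKED" if is_leaked(candidate, full, tails) else "not in sample")
```

Matching a masked entry on its remaining 35 hex characters is a 140-bit comparison, so it does not introduce practical false positives. Run it with the real dump file in place of `LEAKED_SAMPLE` and the check stays entirely offline, which is the property the comments above say a third-party "check your password" page cannot promise.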

  10. Re:Fine, I'll bite on Ask Slashdot: Why Not Linux For Security? · · Score: 1

    If you're choosing Linux for security, you can already choose one of the security-enhanced distros like SELinux (if you trust the NSA)

    SELinux has been open-source since the day it was released. Though it was initially developed by the NSA, it has since (over the course of several years) had significant contributions from the open-source community. It's been audited by security organizations and reviewed by the paranoid and curious alike. In other words, it's exactly the same as any other high-profile piece of FOSS, including the Linux kernel itself.

    It's out there for everyone to see, no three-letter-agency trust necessary.

  11. Re:This is stupid. on Verizon To Begin Offering "Text To 911" Service · · Score: 3, Interesting

    If you really are dying, you're probably not going to be able to send text messages very well.

    If you really are dying, you'll probably call 911 instead of text. If you're in a situation where you can't call but can somehow text, then you're probably pretty glad that they enabled texting.

    There are plenty of circumstances where texting is advantageous to calling, such as:

    • For the speech/hearing impaired
    • When you're in a situation where an instigator would react negatively to hearing your voice
    • When you want to covertly contact the authorities

    Additionally, FTFA, they can send text and photos, which opens the doors to a whole new type of information that can be sent to 911.

    I'm guessing the reason this isn't as easy as enabling text subscriptions for '911' is because they are adding a lot of other features. Texts to 911 will likely also provide the responder with detailed location and subscription information. I suspect they'll also have an infrastructure in place to correlate calls, texts, and photos from the same number together into one session.

    This change looks like a huge improvement over the current situation, and I suspect that it will both save and improve many peoples' lives.

    It's also the first legitimate use for texting ;)

  12. Re:The Name on Gimp 2.8 Finally Released · · Score: 2

    I tell people that it is a self referential acronym: GIMP Is Most of Photoshop

    Well, in that case they should rename it to something more friendly like PIMP.

  13. Strangely Relevant to Oracle vs. Google? on EU Court Rules APIs, Programming Languages Not Copyrightable · · Score: 5, Insightful

    This seems strangely relevant to the Oracle vs. Google case that's going on right now over Android and its usage of Java APIs. Does anyone know how much of a coincidence this EU court ruling is, that it occurs in such close proximity to its US analogue?

  14. Re:Init Level 6 on Samsung TVs Can Be Hacked Into Endless Restart Loop · · Score: 2

    What? Relevance to this story?

    Init level 6 is "Reboot", so the system was configured to boot up ... and then reboot ... and reboot ... and reboot... This is relevant to the story because the story is also about an "endless restart loop"!

  15. Re:Actually important case on Magician Suing For Copyright Over Magic Trick · · Score: 1

    Of course, obviously PATENT != COPYRIGHT

    I think you said all that needs to be said right here. Different law, different requirements, and different intentions. This case has nothing at all to do with patents or patent law, and certainly nothing to do with software patents.

    Unlike every other kind of working patent, software patents generally describe the outcome/result of something instead of the actual mechanism (patents of physical things are based on the WAY it works, not what it produces; SW patents are generally based in the end product).

    If you read a typical software patent, you'll see that it usually does describe a specific mechanism. It doesn't necessarily describe it down to the lines of source code used to implement it, but it is required to disclose the mechanics of the patent adequately enough that a person reasonably-knowledgeable in the field could implement it. For example, while one can't patent "sorting algorithms" ... one can patent a specific sorting algorithm, but, in doing so, one has to describe exactly how it works in the patent.

    Your statement is patently (heh) false.

    If the suit is upheld it means software patents *could* have an extra life, and indeed if a vendor wants to squeeze out competition they could simply file for a COPYRIGHT on the visible result of the software too.

    IANAL, but food for thought.

    Read up a little on copyright. "Works" that can be copyrighted are (broadly speaking) constrained to artistic works. The closest software analogue of such a "work" is a user interface, and user interfaces are, in fact, subject to copyright.

    Say Software Patent X, when utilized, produced visible result Y. X is protected as a system and/or method via a patent. Anything else that uses that system/method is infringing on that patent. Completely independently, Y is protected by copyright; anything that looks like Y is violating that copyright. If X were to enter the public domain, and someone implemented X (freely) and made the result look like Y, then you can, indeed, claim copyright violation, not because of anything related to X, but rather because someone else produced a derivative work of Y. However, someone wanting to use the now-free X system/method would merely have to present it differently to overcome this. Neither X nor Y add any protection to each other.

    In other words, using other peoples' user interfaces can violate their copyright. Nothing new here, nor particularly objectionable.

  16. Re:Computer Monitors as an attack vector? on Expect Hundreds of Thunderbolt Devices, Says Intel · · Score: 1

    > Many keyboards already have USB ports on them, so there is no need to be so elaborate.

    No. Not really.

    The idea of plugging a mouse into your keyboard is very much a non-PC idea. A keyboard isn't going to have its own hub unless it is made to be sold to Mac users. PC users simply are not used to plugging mice into their keyboard.

    Nice statement there. Any other truths to share?

    Here are some anecdotal counter-claims (that don't make the mistake of overgeneralizing): I've seen several major stores that stock PC keyboards (read: non-Apple, and marketed to Windows users) with integrated USB hubs. I have been plugging my mouse into my keyboard for years on both Linux and Windows systems. Plenty of people I know plug all kinds of peripherals into keyboard hubs on Linux and Windows systems.

    A simple Google search shows thousands of non-Mac keyboards that meet these criteria. Additionally, Dell and HP both sell them bundled with their systems. Keyboards with built-in USB hubs are not even remotely uncommon in the PC world.

  17. Re:Hunh? on Symantec Looks Into Claims of Stolen Source Code · · Score: 1

    It would be interesting to run grep through the source code. Bet you would find lines like:

    # This part slows down the computer if the license is not renewed

    ... and being written in a scripting language probably doesn't help either!

  18. Re:That's pretty much what they did on World's Worst PR Guy Gives His Side · · Score: 2

    The best move, from his company's perspective, would be to fire him and go "under new management."

    Did you read the response from N-Control? They are trying to put as much distance between that guy and the company as they can.

    I wonder if this Paul Cristoforo has pioneered a new PR strategy for startups though. . . hire him, or someone like him, to stir up a big pot of controversy, publicly fire him saying you had NO IDEA he was going to abuse his position, and release press releases talking about how great your products are for disabled people/kids/other sympathetic group, etc. Get the public to view your company as another victim of his abuse and try to get them to feel bad for you and good about your products, while transferring their rage to the "rogue employee/consultant".

    Sort of Good Cop/Bad Cop for startups.

    I figure it'll work just as well as any other tactic: it's new until it's old. The first time it's done intentionally, people will eat it up. The second, it'll raise some eyebrows. Thereafter, regardless of intent, anytime a douchebag PR representative acts out, people will point at the hiring company and say "look, this company is intentionally hiring douchebags for 'viral' PR."

    In this case, N-Control's marketing success (regardless of whether or not this was intentional) depends entirely on them successfully distancing themselves from the original PR firm. If you're tagged as intentionally hiring douchebags, that's going to be a lot more difficult to accomplish.

    The success of this tactic is still not decided; in fact, we won't know until N-Control releases sales information. Any number of things can happen:

    • Initial product exposure could increase sales
    • Likewise, customers may not be able (or willing) to differentiate between N-Control and its PR firm, and sales may be lost.
    • People may see N-Control's response and decide to buy the product in support of their corporate anti-douchebaggery.
    • People may want to send the message to companies that one should carefully profile one's PR firm, and boycott or cancel orders.

    Either way, it's an interesting new circumstance; let's wait and see!

  19. Re:Encryption on Two-Thirds of Lost USB Drives Carry Malware · · Score: 1

    The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

    A common solution is to have multiple versions of encryption/decryption software (such as TrueCrypt) alongside the actual encrypted partition/blob. What you would do is plug it into the "strange" computer, install the software, and then have access to your otherwise-encrypted valuable blob data. Depending on the situation, you can even have multiple encrypted blobs/partitions for different levels of trust.

  20. Circumventable... on How Photoshopped Is That Picture? · · Score: 1

    So cool, they have developed a function p = F(x) where x is an image, and p is True if the image is photoshopped and False otherwise. Seems useful, and I'm sure it will be.

    However, if this ever becomes deployed widely and if the verdict p = True ever has a negative financial effect on the image producers, then all the producers will do is acquire their own F and incrementally photoshop their images until it reads them as False. End result? Maybe photos will be photoshopped to a slightly less degree.
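    The evasion loop described above needs nothing from the detector but its True/False verdict. The script below is an added example, not code from the paper or from the poster: a toy image and a toy seam-detecting F(x) stand in for the real thing (both constructed here), and the attacker binary-searches the strength of the edit for the strongest version F still labels False. The function names are the example's own.

```python
"""Added example (not from the original post): dialling an edit down against
a black-box manipulation detector until the detector says 'not photoshopped'.
The image, the edit and the detector are constructed toys."""
from typing import Callable, List

WIDTH, HEIGHT = 16, 16
Image = List[List[float]]  # HEIGHT rows of WIDTH pixel values


def make_original() -> Image:
    # Constructed sample: a smooth diagonal gradient, nothing edited.
    return [[float((x + y) * 4) for x in range(WIDTH)] for y in range(HEIGHT)]


def apply_edit(img: Image) -> Image:
    # The producer's edit: paste a flat bright patch with sharp borders.
    edited = [row[:] for row in img]
    for y in range(5, 11):
        for x in range(5, 11):
            edited[y][x] = 255.0
    return edited


def blend(orig: Image, edited: Image, alpha: float) -> Image:
    # alpha 0 is the original, alpha 1 the full edit; in between the same
    # edit is applied at reduced strength.
    return [[o + alpha * (e - o) for o, e in zip(orow, erow)]
            for orow, erow in zip(orig, edited)]


def max_adjacent_diff(img: Image) -> float:
    m = 0.0
    for y in range(HEIGHT):
        for x in range(WIDTH):
            if x + 1 < WIDTH:
                m = max(m, abs(img[y][x] - img[y][x + 1]))
            if y + 1 < HEIGHT:
                m = max(m, abs(img[y][x] - img[y + 1][x]))
    return m


def detector(img: Image, threshold: float = 40.0) -> bool:
    # Toy stand-in for p = F(x): flags an image when two neighbouring pixels
    # differ by more than `threshold` (a pasted patch leaves such a seam).
    # Like the F in the post, it exposes only a boolean verdict.
    return max_adjacent_diff(img) > threshold


def evade(orig: Image, edited: Image,
          oracle: Callable[[Image], bool], rounds: int = 20) -> float:
    """Largest edit strength in [0, 1] that `oracle` still labels False.

    Pure black-box search: only the oracle's True/False is used. Requires
    the unedited image to pass and the full edit to be flagged; otherwise
    there is nothing to search for and a ValueError is raised.
    """
    if oracle(orig):
        raise ValueError("original already flagged; detector is not usable as an oracle")
    if not oracle(edited):
        raise ValueError("full edit already passes; nothing to dial down")
    lo, hi = 0.0, 1.0  # invariant: blend(lo) passes, blend(hi) is flagged
    for _ in range(rounds):
        mid = (lo + hi) / 2
        if oracle(blend(orig, edited, mid)):
            hi = mid
        else:
            lo = mid
    return lo


if __name__ == "__main__":
    original = make_original()
    full_edit = apply_edit(original)
    alpha = evade(original, full_edit, detector)
    print(f"full edit flagged: {detector(full_edit)}; "
          f"kept {alpha:.1%} of the edit and detector now says {detector(blend(original, full_edit, alpha))}")
```

With this toy detector the search settles at roughly 17% of the edit strength, which is the "slightly less photoshopped" outcome the comment predicts: the producer keeps as much of the edit as the detector tolerates and stops exactly below its threshold. Any detector deployed as a public boolean oracle can be probed the same way; making the verdict expensive to query, or not exposing it to the image producer at all, is what stops this.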

  21. Annotations... on Viacom's SOPA/PIPA Pitch Video, Annotated · · Score: 5, Informative

    So for those who haven't watched the "annotated" version, allow me to summarize. The production presents a series of film industry professionals talking about how they think things "should" be, why piracy is "not right", and dropping some of the classic inflated statistics that we all know and love. Each annotation is overlaid on top of its respective scene to act in shallow rebuttal. The annotations present very few (if any) actual facts in rebuttal, rather relying on the same appeal to emotion and common sense that the original production pursued.

    I hope I'm not the only one who was gravely disappointed with these "nuh-uh!"-style counterpoints. Rather than "and yet the film industry made record profits", let's drop some actual numbers. If our premise - that these guys have failed to make their case to support SOPA - is correct, then all of the world's facts should back us up.

    If you're going to rebut a video, have something more inspiring and concrete than "and yet you want to censor the Internet."

  22. Re:One Problem... on Opera Proposes Switching Browser Scrolling For 'Pages' · · Score: 1

    Define a "page". The whole point of a browser was to get us away from the confines of a page-based medium, like a book or magazine, so information could be presented without the interruption caused by the finite amount of space a "page" presents. Sure, we still call them web "pages", but that's an analogy used for cognitive purposes. If we go back to the finite page model, who's defining what a "page" is? Is it A4, U.S. letter, U.S. legal or what? Sounds like a step backwards to me rather than an innovation. I'm sorry, but in a digital world scrolling is better than flipping pages, IMHO. Don't get me wrong. I love real paper books for what they are (I own many books), but flipping pages digitally is annoying to me and trying to revert back to that model for digital content seems completely backwards-thinking and wrong.

    A page on a medium is a medium-full of information. In print, that medium is paper, so a page is a piece of paper. In the tablet world, a page is a screen-ful of information.

    Continuous scrolling is good in some cases, but Opera isn't proposing to replace continuous scrolling with pages; they're proposing to add the option and let sites formally choose to do that.

  23. Re:Let me get this right.. on Facebook Files For a Patent To Track Its Users On Other Sites · · Score: 1

    Sure, just like Apple's spying tech, they just patented it so the bad guys wouldn't be able to use it, see? ^_^

    Not to take sides on the absolute issue here, but there is a huge difference between patenting something and actually using it. This is part of why the patent system is so horrible.

    There are plenty of scenarios that can lead to a company filing a patent. To list a few:

    • A team of research employees devises a series of techniques to track users.
    • Maybe one employee on his "Google Friday" (or equivalent) decided to track people as a pet project.
    • Maybe you just acquired a company who, along with other intellectual property, had developed a novel method for tracking users.
    • Maybe you just woke up in the morning with a cool idea.

    Bottom line is that if Facebook spends money researching, developing, and/or devising a technique, they will patent it, regardless of whether or not it will ever see the light of day. There's no downside. Worst-case it sits there and they waste trivial amounts of money. Best-case they use it to gain significant market advantage. Everything in between, from licensing to lawsuits, just raises the company's bottom line, and the mere possession of such a patent increases the company's overall worth and also makes it more threatening to would-be rivals or other lawsuit-threatening companies.

    Furthermore, Facebook is easily able to deploy the technique regardless of whether or not they patent it. The main reason for acquiring a patent is to increase your intellectual inventory, which has nothing to do with real-world operations.

    Now granted, patents like this are stupid... and Facebook is evil, so they're probably doing this and much worse.

  24. Re:VirtualBox on Why You Shouldn't Panic About Closed Source MySQL Extensions · · Score: 1

    In VirtualBox v4.0, Oracle released the core as an open-source project and the proprietary extensions as a plug-in. This proprietary extension is free for home use but commercial users must buy a licence. The extension is not 100% necessary but does provide some very useful features, such as being able to connect to the "console" of a headless VM. Cool right?

    Well, not really. There is at the moment no way to actually buy such a licence from Oracle, so all the people using VirtualBox v4.0 with this extension in a business are technically out of compliance.

    VirtualBox is cool, but they really need some leadership from Oracle.

    The VirtualBox guest extensions were released under the Oracle PUEL. IANAL, but the PUEL itself doesn't seem to say what you think it says.

    The actual PUEL seems to center around the following restriction (emphasis mine):

    2 Grant of license. (1) Oracle grants you a personal, non-exclusive, non-transferable, limited license without fees to reproduce, install, execute, and use internally the Product on a Host Computer for your Personal Use, Educational Use, or Evaluation. “Personal Use” requires that you use the Product on the same Host Computer where you installed it yourself and that no more than one client connect to that Host Computer at a time for the purpose of displaying Guest Computers remotely. “Educational use” is any use in an academic institution (schools, colleges and universities, by teachers and students). “Evaluation” means testing the Product for a reasonable period (that is, normally for a few weeks); after expiry of that term, you are no longer permitted to evaluate the Product.

    In other words, it looks like the word "personal" is not a restriction on non-commercial versus commercial, but rather a limitation (of one) to the number of simultaneous users who may display guests remotely. The rest of the license doesn't seem to be changing this, so it seems to me that this is an accurate representation of their intentions. (On the side, it is one of the best-written comprehensible licenses I've seen in a while, so props Sun/Oracle). What they seem to want is for people to use this individually (commercially or non-commercially) and not try and use VirtualBox to set up an enterprise virtualization solution. This is consistent with the software itself, whose interfaces and features are very-much geared towards a single-user multiple-system scenario.

    Now, historically, prior to Oracle's acquisition of Sun, VirtualBox still released closed extensions; this was just accomplished by releasing two versions of VirtualBox side-by-side. One of them was a limited open-source bundle, while the other was a full bundle released by Sun under a similar PUEL. The main difference is that the previous model released two separate versions, while the current model releases a single open-source core version and a set of closed extensions that augment the open-source version's functionality to that of the previously-separate closed-source PUEL bundle. In other words, VirtualBox under Sun seems to be operating roughly equivalently to VirtualBox under Oracle.

    VirtualBox is an excellent piece of virtualization software ... highly-recommended to those who are using VMWare Player to run/test multiple systems in a development context. I, personally, feel it beats VMWare's pants off in that specific scenario.

  25. Re:Nobody ever got fired for buying... on UK Government Breaks Open Source Promises · · Score: 1

    It used to be "Nobody ever got fired for buying IBM.". The moral for today in my industry (semigovernmental in CIO strategy) is all about corporate brand names, i.e. if there is no corporate big brand name attached it has no chance. If there is a corporate big brand name then by definition it's OK and let into the starting gate. IBM is still in the arena but there's a bunch of other names at least in the US: Oracle, Microsoft, Computer Associates (don't get me started on CA and their bleed-the-customer-dry strategy) or any of the major government/defense contractors. I've been fiendish a couple of times since Oracle bought MySQL, and the only way I got MySQL into the solution (and the solution did not need any fancy pants database features!) was by arguing that since Oracle owns it, it'll be OK to do it that way.

    Not that you're incorrect, but that's exactly what companies like Canonical (Ubuntu), Red Hat (RHEL, KVM), and EnterpriseDB (PostgreSQL) are there to do. It's perfectly reasonable for large investments to require the backing of companies with technical expertise, support, warranties, and liability. That shouldn't be a barrier to entry, however, as the open-source world has its own representation in those areas.