Do these laws state that (a) The US is claiming jurisdiction over foreign nationals' acts within foreign sovereign states?
or
(b) The US is claiming jurisdiction over the actions of US citizens and US corporations even if those actions were conducted in a foreign sovereign state?
I have seen evidence that (b) is the case such as when US citizens are tried for sexual exploitation of a minor after taking trips to certain parts of Cambodia or Thailand where child prostitution is common. US citizens have been tried and convicted for those acts.
I have not seen evidence for (a). If (a) is the case, then the US is even more arrogant than I thought, and the US is asking for trouble on many fronts.
As far as I can see, (a) would be the only thing that applies here since Yahoo Holdings (HK), Ltd. is a foreign corporation and its acts were performed in a foreign sovereign state. Unless I am missing something, the US should not have jurisdiction.
If the US claims jurisdiction under (a), then it is setting a very dangerous precedent. I would be interested to see how the US would react if some other country claimed jurisdiction in a similar manner. Can you see some fundamentalist religious state attempting to sue various magazines for their swimsuit issues? How about suing clothing catalogues for showing models in bikinis? I cannot see how (a) can be the case.
Can someone offer a qualified legal opinion with regard to the US law in this case?
I do not understand how a company incorporated in Hong Kong (Yahoo! Holdings HK, Ltd.), which is part of the PRC, can be sued IN THE US for conforming with legal requirements in China for doing business in China.
To me this would be similar to France suing eBay (US) for selling Nazi items in the US to US customers. The French government has the right to say that such things cannot be sold in France and cannot be sold to French citizens (at least according to what I've read about French law - but French law is not the point here), but can someone file suit in a French court against an American company's American office for conducting business with American customers in accordance with American law just because that business being conducted happens to violate French law?
Without regard to the human rights issues here for a moment, I cannot believe that any US court would even accept this suit against Yahoo Holdings (HK) Ltd. It's a _Chinese_ corporation, conducting business in China and subject to Chinese law.
This is not an attempt at a troll. I am genuinely confused as to why this is a legal issue. The American court should (if my understanding is correct) simply claim no jurisdiction and dismiss the case, and perhaps slap a fine on the plaintiff for attempting to use the legal system to harass others without any valid legal cause.
I must be missing something here. Again, unless there is a LEGAL issue with the alleged human rights violations here, please don't mention them. My question is with regard to the legal issues here. How can a US court have jurisdiction over a Chinese company's actions entirely within China?
I usually avoid cabs for most of the reasons already stated by other posters.
Also, I am only "qualified" to comment on points (d) and (e) as they touch on information security (full-time job and my Ph.D. both are in InfoSec).
On both (d) and (e) the increased "security" will be temporary, and if the systems are properly designed they will certainly raise the bar to make criminal activity more difficult. It will require much more technical ability or social engineering to copy the card information with the new method than with the old one.
Note that I included "social engineering" in this discussion. A cabbie could easily claim that the reader was malfunctioning (and perhaps put a piece of tape over the reader head to make it malfunction) and request the card to record the charge the "old fashioned way".
Point (e) has multiple possibilities. It certainly can be useful to reduce credit card fraud, but it could also be used to track cab movement. If a cab company has a policy that the closest cab picks up the fare, it could be used to track people lying about their locations in order to pick up an extra fare and cheat another driver. It could also be used, with proper additional technology, to allow dispatchers to assign cabs based on this information. Then the control moves and those with the most to gain/lose (dispatchers and cabbies) experience a shift in the balance of power. People don't like that.
I think that this technology will spread, and it will become the norm. I suspect that this will not happen without a fight.
If my memory serves (and this is not my area of expertise), eye protection is standard operating procedure for anything that could be considered a high-power laser. This is sort of like when they use tethers for testing things that go above the ground. It is a "safety" precaution required more by insurance companies than reality. (Such as when testing a new elevator design, a "home-built" helicopter that has already passed the FAA inspections for the current phase, etc.)
I suspect that these people are smart enough not to look directly into the lasers. The eye protection is as much a reminder to others that you need to wear eye protection when working with lasers and a requirement from the insurance company as it is realistic protection.
Again, the eye protection works, but I sincerely doubt that these people are dumb enough to look into the lasers.
This is like the guy on "New Yankee Workshop" who always gives his 30+ spiel on wearing safety glasses and following all instructions in the manual. Anyone who does that much woodworking with those kinds of power tools (huge bench-based units) should already know that stuff, but for reasons that I suspect include liability concerns Mr. Abrams reminds us every week to wear our safety glasses.
Actually, posting ad hominem attacks as an Anonymous Coward is a tell-tale sign that you are a poser or pathetic loser.
People with legitimate qualifications (such as doctorates, lawyers, etc.) in their respective fields should indicate such to help people filter out the noise.
I will be happy to communicate with the editors to have them verify my credentials. They know how to contact me. I do not post the url to my university web site because I do not feel like having people like you spam me.
>the problem with being focused.... you tend to forget real world details.
I work full-time in industry in InfoSec. Please try to avoid such baseless attacks in an attempt to support your flawed reasoning. Also, I worked full-time WHILE pursuing my Ph.D., so I have been fully immersed in real-world InfoSec during and after my doctoral studies.
I am not spreading FUD. If you read the entire post, you would have seen the reasoning. Current rootkit detection and other malware detection relies on the operating system. A hypervisor is between the OS and the hardware, making it undetectable by the operating system.
THAT was the point. This gives malware authors a new place to hide that will make detection nearly impossible, otherwise it is not a true hypervisor.
And to answer your question about other virtualization solutions: other virtualization solutions, at least things like Xen, VMware, and Parallels (I do not do much with mainframes), run inside of an operating system, and it is possible to observe their activities from outside the virtual environment.
Perhaps an illustration is in order:
I have a Mac and run XP Pro in Parallels. If a rootkit is installed on my XP Pro VM, XP Pro may not be able to see it. However, the network activity that it generates is still visible to Wireshark running on my Mac OUTSIDE of Parallels (the virtualization software).
In the proposed Dell scenario, you are running XP Pro inside of a virtualized environment that is being virtualized by the motherboard. Your XP Pro has a rootkit. How will you discover it unless you are monitoring it from a different machine?
Given that I own both Parallels and VMware Fusion for my main system it should be clear that I feel that virtualization is useful, especially for security (the main reason I have them). If you read my post you would have realized that this is not about virtualization itself being bad. The issue is the details of the proposed Dell implementation, with the virtualization being in the hardware, so to speak, and thus sitting between the OS and the "real" hardware.
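The "watch it from outside" approach in the post, worked through as an added example (this is not code from the original post, and the two inputs are constructed sample data, not real captures): the connections the guest OS admits to are compared against the flows an observer outside the VM actually captures, and anything present on the wire but absent from the guest's own view is flagged. The netstat-style and tshark-style line formats, the guest IP, and the function names are assumptions made for this example.

```python
"""Cross-view detection of network activity hidden from the guest OS.

Added example, not code from the original post. It implements the idea
the post describes (watch a VM's traffic from outside the VM) as a
comparison of two views: the connections the guest OS reports, and the
flows an observer outside the VM actually captures. Anything in the
second view but not the first is a candidate for a rootkit hiding a
connection. Both inputs below are constructed sample data.
"""
import re
from typing import List, NamedTuple, Set


class Flow(NamedTuple):
    proto: str   # "TCP" or "UDP"
    local: str   # "ip:port" on the guest side
    remote: str  # "ip:port" on the far side


# Constructed sample: netstat-style output as reported *inside* the guest.
GUEST_NETSTAT = """\
Proto  Local Address        Foreign Address      State
TCP    192.168.1.20:49152   203.0.113.5:443      ESTABLISHED
TCP    192.168.1.20:49153   198.51.100.7:80      ESTABLISHED
UDP    192.168.1.20:53210   192.168.1.1:53
"""

# Constructed sample: one-line-per-packet summary from a sniffer running
# on the host, outside the VM (tshark-like formatting).
HOST_CAPTURE = """\
1 0.000 192.168.1.20 -> 203.0.113.5 TCP 49152 > 443 [PSH, ACK]
2 0.012 192.168.1.20 -> 198.51.100.7 TCP 49153 > 80 [ACK]
3 0.020 192.168.1.20 -> 192.168.1.1 UDP 53210 > 53
4 0.031 192.168.1.20 -> 192.0.2.66 TCP 49170 > 6667 [PSH, ACK]
5 0.045 192.0.2.66 -> 192.168.1.20 TCP 6667 > 49170 [ACK]
"""

_NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)")
_CAPTURE_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(\S+) -> (\S+) (TCP|UDP) (\d+) > (\d+)"
)


def parse_guest_view(text: str) -> Set[Flow]:
    """Flows the guest OS admits to (header and blank lines are skipped)."""
    flows = set()
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            flows.add(Flow(m.group(1), m.group(2), m.group(3)))
    return flows


def parse_host_view(text: str, guest_ip: str) -> Set[Flow]:
    """Flows seen on the wire, normalised so `local` is always the guest side."""
    flows = set()
    for line in text.splitlines():
        m = _CAPTURE_RE.match(line)
        if not m:
            continue
        src, dst, proto, sport, dport = m.groups()
        if src == guest_ip:
            flows.add(Flow(proto, f"{src}:{sport}", f"{dst}:{dport}"))
        elif dst == guest_ip:
            flows.add(Flow(proto, f"{dst}:{dport}", f"{src}:{sport}"))
        # Packets not involving the guest are ignored.
    return flows


def hidden_flows(guest_text: str, capture_text: str, guest_ip: str) -> List[Flow]:
    """Flows present on the wire that the guest does not report."""
    seen_outside = parse_host_view(capture_text, guest_ip)
    admitted_inside = parse_guest_view(guest_text)
    return sorted(seen_outside - admitted_inside)


if __name__ == "__main__":
    for flow in hidden_flows(GUEST_NETSTAT, HOST_CAPTURE, "192.168.1.20"):
        print(f"hidden from guest: {flow.proto} {flow.local} -> {flow.remote}")
```

The sample capture contains a connection to port 6667 that the guest's own connection table never lists; that is the kind of discrepancy the post says you can only see from outside the VM. The same comparison is exactly what becomes unavailable when the hypervisor sits in the platform and the only vantage point is a second machine on the network.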
This frightens me on so many levels that it is difficult to know where to start. Unless that hypervisor is burned into a non-rewritable form of storage (e.g. ROM), it will be subverted.
As has been demonstrated at Black Hat by the illustrious Ms. Rutkowska (as well as being fairly obvious to anyone familiar with hypervisors), a hypervisor is below the OS and can be impervious to the OS's probing, but it still lies between the OS and the hardware.
Properly implemented, this could be a very good thing. With no disrespect intended toward Dell, I suspect that the first several implementations (at least) will leave the resulting systems vulnerable to subversion, and this subversion would be difficult, at best, to detect.
This is an interesting concept, and it could be used for "good", but as the saying goes "the devil is in the details". The idea is good, it is the potential implementation that worries me.
Full Disclosure: I have a Ph.D. (2006) in InfoSec.
The MPAA, in association with the TSA, have developed the "No Popcorn" list. This will be combined with the requirement that individuals will be required to present personal identification (drivers licence, etc) in the same manner used at airports today. Any individuals who are considered to be a threat to national security, the MPAA, RIAA, or Jiffy Pop(tm) will have their name placed on the "No Popcorn" list and will be denied entry to the nation's movie theaters.
The MPAA's "ushers and ticket takers union" will be absorbed into the Department of Homeland Security and become the new PSA = Popcorn Safety Administration. Initial screening stations will be set up by December 1, 2007, in theaters in major cities, with the full roll-out expected to be completed by December 31, 2009.
The MPAA commented that this move was "necessary due to [the likelihood of] terrorists stealing American intellectual property and then using the profits to fund acts of terror."
With regard to the potential for persons being incorrectly banned from theaters, the MPAA responded "They can wait for the DVD. We can't take chances with National Security(tm)".
One of the differences between the virus that your bog-standard AV will detect and this critter from the FBI is the number of instances out there in the wild. Keep in mind that this FBI thing is intentionally sent to specific targets, and I suspect that it is used sparingly in order to prevent it from being found easily.
Nearly all AV programs rely on signatures. The way they obtain the signatures is first to obtain samples, and then determine how they can identify the program accurately (Hashes, etc). I've discovered new malware and forwarded it to the proper channels, as have others that I know.
Therefore, the following (simplified) steps must occur:
1. become infected with the malware
2. suspect that the machine is infected
3. correctly isolate the malware (find its parts, etc)
Then, once those happen one must also do the following in order to hope that protection will be offered to others:
4. send the sample to one or more anti-malware application support teams for inclusion
5. wait until the AV/AM team can create a signature
6. wait until the AV/AM team distribute the signature
7. wait until people update their AV/AM signature databases.
As you can see, there are several places where this process can fail. Think of it like phishing, but sort of in reverse. Phishers send out a large number of messages in hope that even if only a very small percentage of recipients (1/100th of one percent, for example) fall for it, they will be able to profit.
That works just fine if you send out a few hundred thousand messages.
If you send out only one message, or ten, or twenty, your odds are very close to zero that even one person will "bite".
This is the critical difference. I doubt that this program is out there on thousands of machines, or hundreds of thousands of machines all over the place. It is "placed" (I know - some victim effort is required) on specific machines.
Therefore you have a very small victim base. The odds of this being discovered are quite small, even without collusion from the AV vendors.
This is more like "spearphishing" (who dreams up these phrases?), being specially targeted for one individual. This increases the odds of that one individual falling for the ruse, and since only one person was the target, this works well.
Things like this make the lives of us who work in security full time much more complicated.
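The seven-step chain above, and the "very small victim base" argument that follows it, as an added example (not code from the original post): a toy signature scanner that is blind to a sample until someone isolates it and a signature is added, plus the probability calculation behind the post's point that a sample placed on ten machines is unlikely to ever reach a vendor. The "malware" samples are inert constructed byte strings, and the per-victim report probability is an assumed parameter, not a measured figure.

```python
"""Signature-based detection versus a sparsely deployed, targeted implant.

Added example, not code from the original post. It models the steps the
post lists: a sample is detected only after someone isolates it and a
signature is distributed. All "malware" here is constructed placeholder
bytes, and the per-victim report probability is an assumed parameter.
"""
import hashlib
from typing import Dict, Optional

# Constructed samples (inert byte strings standing in for binaries).
MASS_MAILER = b"MZ\x90\x00" + b"mass-mailer-payload" + b"\x00" * 16
MASS_MAILER_VARIANT = MASS_MAILER + b"\x01"  # repacked: hash differs, code does not
TARGETED_IMPLANT = b"MZ\x90\x00" + b"implant-for-one-target" + b"\x00" * 16

SignatureDB = Dict[str, Dict[str, object]]


def build_db() -> SignatureDB:
    """A fresh, empty signature database: name -> {"sha256": ..., "pattern": ...}."""
    return {}


def add_hash_signature(db: SignatureDB, name: str, sample: bytes) -> None:
    """Step 5 in the post: the vendor derives a signature from a submitted sample."""
    db.setdefault(name, {})["sha256"] = hashlib.sha256(sample).hexdigest()


def add_pattern_signature(db: SignatureDB, name: str, pattern: bytes) -> None:
    """A byte-pattern signature survives trivial repacking, unlike a whole-file hash."""
    db.setdefault(name, {})["pattern"] = pattern


def detect(sample: bytes, db: SignatureDB) -> Optional[str]:
    """Return the matching signature name, or None if the scanner is blind to it."""
    digest = hashlib.sha256(sample).hexdigest()
    for name, sig in db.items():
        if sig.get("sha256") == digest:
            return name
        pattern = sig.get("pattern")
        if pattern and pattern in sample:
            return name
    return None


def p_sample_reaches_vendor(n_victims: int, p_report: float) -> float:
    """Probability that at least one of n victims notices, isolates and submits
    the sample (steps 2-4 in the post), assuming each does so independently
    with probability p_report."""
    return 1.0 - (1.0 - p_report) ** n_victims


if __name__ == "__main__":
    db = build_db()
    print(detect(MASS_MAILER, db))              # None: nobody has submitted it yet
    add_hash_signature(db, "MassMailer", MASS_MAILER)
    print(detect(MASS_MAILER, db))              # MassMailer
    print(detect(MASS_MAILER_VARIANT, db))      # None: hash-only signature misses a repack
    add_pattern_signature(db, "MassMailer", b"mass-mailer-payload")
    print(detect(MASS_MAILER_VARIANT, db))      # MassMailer
    print(detect(TARGETED_IMPLANT, db))         # None: nobody ever submitted it
    # Assumed 1-in-10,000 chance per victim that the sample is isolated and submitted:
    print(round(p_sample_reaches_vendor(300_000, 1e-4), 6))  # 1.0
    print(round(p_sample_reaches_vendor(10, 1e-4), 6))       # 0.001
```

With the same (assumed) per-victim chance of being caught and submitted, a sample on a few hundred thousand machines is essentially certain to reach a vendor while one placed on ten machines has roughly a 0.1% chance; that gap, not any cleverness in the sample itself, is what the post is pointing at.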
While another poster gave a mostly correct description of the usage of "who" and "whom", I would like to offer a simpler way to remember which one to use when for those who are not as comfortable with grammatical terms.
Try replacing the word with "he" or "him". If you would use "him", then you need to use "whom". Both end with "m". If you would use "he", then use "who". (Also, if you would use "his", then use "whose", both ending with an "s" sound).
Technically, the predicate is just about everything other than the subject in a sentence.
"Who" is a subject (nominative) pronoun, while "whom" is an object (either direct object = accusative, or indirect object = dative).
If you remember the "he/him" trick, you should be fine.
-Q (Yes, IWAET = I Was An English Tutor back in my university days.)
I am not so sure that it is Vista, per se, that is causing the problems. I noticed several applications broke once IE7 was installed. Several of my older son's games broke with IE7. Once we rolled it back to IE6 everything was fine again.
Granted, Vista may have other issues, and it may indeed break applications on its own, but it has been observed that IE7 breaks programs without Vista.
I hate to be pedantic, but please consider either reading your posts more carefully or taking a refresher in logic.
(a) and (d) can be true at the same time provided that the woman in question was not the plaintiff's wife. It is entirely consistent. The woman in question was not the plaintiff's wife, and the defendant did not _think_ that the woman in question was not the plaintiff's wife.
None of the arguments presented are contradictory to each other. (a), (c), and (d) can support each other. (c) and (d) can be considered the same thing, only to differing degrees. (c) is making an assertion about the identity of the woman while (d) is stating the defendant's beliefs regarding the woman's identity at the time of the incident in question.
(b) is all on its own. The utility of (b) lies in (1) defusing the suit through comity (that is, the plaintiff knew about it and agreed to it, therefore cannot sue later) and (2) the fact that (b) does not accept guilt - it is simply a statement that the defendant was given permission by the plaintiff. It does not state that the action occurred.
An analysis of (e) and its interconnections with the other four arguments is left as an exercise for the reader.
IANAL, but this is simple logic.
That said, I suspect that there are people (including juries) who would agree with the original post due to their lack of understanding of formal logic. Unfortunately, until we have a system of trained, professional jurors we will not be able to avoid this issue. I believe that this is why it is possible to appeal decisions.
But is that the legal definition of rape in Belgium?
I know that is the definition in Massachusetts (or, at least it was 25+ years ago when my uncle graduated law school), but what is the definition that applies in this case?
And, assuming for the moment that a crime occurred, which court would have jurisdiction? The court that would have jurisdiction over the place where the plaintiff was at the time of the incident? The court that would have jurisdiction over the location of the servers? If this crossed state and/or national boundaries, how is this handled?
There are significant chunks of "good" spectrum available for research: you need to have an Amateur radio license of at least "General" class to do it. ("General", the still existing but no longer issued "Advanced", and "Extra" class license holders are allowed to do these things.)
The rules are freely available at the FCC's web site as well as the ARRL's site.
("Disclaimer" I hold an Extra class US amateur radio license)
I do not know in which state you live, but here in South Carolina a Notary Public is technically an officer of the court. The whole purpose behind the concept of Notaries Public is that they are appointed to serve as the verification point for such things.
In theory, at least here in SC, all notary signatures are equivalent. In other words, they could not require that you use any particular notary for anything. Again, the whole purpose behind a notary is that the notary is the trusted neutral party. (that is why in many states - but not SC - you cannot notarize family member signatures)
("disclaimer" I have been a South Carolina Notary since 1994, my mother has been one in Mass. for over 40 years, my sister is a notary in Mass, etc. Having notaries in the family and as friends is really handy at times.)
Notary Trivia: In South Carolina, a Notary is allowed to sign marriage certificates along with a judge, a justice of the peace, and an ordained minister.
I hate to split hairs, but this is _not_ steganography. There is a subtle difference.
This is not hiding the existence of the message. It is simply obfuscating it with the decoy photons. It is still obvious that a message is being sent.
Steganography is hiding the very existence of the message, such as the ancient example of shaving a slave's head, tattooing the message on his bald scalp, waiting for the hair to regrow, and then sending the slave to the recipient of the message. To any outsider the slave was just (most likely) one of several slaves moving with some other people from one place to another.
At the destination the slave's head would be shaved again and the message revealed. Unfortunately, this usually would also result in the slave being killed to prevent the secret method from ever being revealed.
Thus, this "quantum encryption" is not steganography, but two things: a method to prevent reading of a message by way of quantum mechanics and a method of obfuscating (e.g. chaffing) a message.
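The distinction the post draws (decoys that obscure which bits are the message, versus hiding that a message exists at all) has a well-known classical counterpart, Rivest's chaffing and winnowing, shown here as an added example that is not part of the original post. Every packet travels in the clear with a tag; real packets ("wheat") carry a valid MAC and decoys ("chaff") carry a random one, so only the holder of the MAC key can winnow the message out, while any observer can still see that a message is being sent and count its packets. The key, message, tag length and packet layout are assumptions made for this example.

```python
"""Chaffing and winnowing: obfuscation by decoys, not steganography.

Added example, not code from the original post. Each message bit is sent
as two packets with the same sequence number: one with the true bit and
a valid MAC, one with the opposite bit and a random tag. An observer sees
both a 0 and a 1 for every position and cannot tell which is real; the
key holder keeps only the packets whose MAC verifies. Key and message
below are constructed.
"""
import hashlib
import hmac
import random
import secrets
from typing import Dict, List, Set, Tuple

Packet = Tuple[int, int, bytes]  # (sequence number, bit value, tag)
TAG_LEN = 8  # truncated MAC; long enough that chaff never verifies by accident here


def tag(key: bytes, seq: int, bit: int) -> bytes:
    """MAC over the sequence number and the bit it carries."""
    return hmac.new(key, f"{seq}:{bit}".encode(), hashlib.sha256).digest()[:TAG_LEN]


def chaff(key: bytes, message: bytes) -> List[Packet]:
    """Emit one real packet and one decoy per message bit, in shuffled order."""
    packets: List[Packet] = []
    seq = 0
    for byte in message:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            packets.append((seq, bit, tag(key, seq, bit)))                # wheat
            packets.append((seq, bit ^ 1, secrets.token_bytes(TAG_LEN)))  # chaff
            seq += 1
    random.shuffle(packets)  # ordering carries no information
    return packets


def winnow(key: bytes, packets: List[Packet]) -> bytes:
    """Keep only packets whose tag verifies, then reassemble complete bytes."""
    bits: Dict[int, int] = {}
    for seq, bit, t in packets:
        if hmac.compare_digest(tag(key, seq, bit), t):
            bits[seq] = bit
    out = bytearray()
    for i in range(len(bits) // 8):  # incomplete trailing bytes are dropped
        value = 0
        for j in range(8):
            value = (value << 1) | bits.get(i * 8 + j, 0)
        out.append(value)
    return bytes(out)


def observer_view(packets: List[Packet]) -> Dict[int, Set[int]]:
    """What someone without the key learns: for every position, both bit values."""
    view: Dict[int, Set[int]] = {}
    for seq, bit, _ in packets:
        view.setdefault(seq, set()).add(bit)
    return view


if __name__ == "__main__":
    key = b"constructed-shared-mac-key"
    pkts = chaff(key, b"hi")
    print(len(pkts), "packets on the wire")        # 32: the message's existence is obvious
    print(winnow(key, pkts))                       # b'hi'
    print(winnow(b"wrong-key", pkts))              # b''
    print(observer_view(pkts)[0])                  # {0, 1}: nothing learned about bit 0
```

Note what is and is not protected: the packet count, timing and sequence numbers are all visible, which is exactly why the post classes this kind of decoy scheme as obfuscation rather than steganography.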
My answer, and I am not trying to start a flame-war here, is sort of a combination of both of yours.
I believe that artists, authors, etc. should be compensated for their work if they so choose. To that end, copyright allows those creative efforts to be rewarded in a free market environment (e.g. if you ask for $2000 for a piece of junk, no-one will buy it) and provides legal protection to help protect the creators of those works. This exists to encourage more creative work and also to provide legal protection for proper attribution of the work. In other words, you cannot simply take a hit song (for example), re-record it and claim that you wrote it. Beside being morally wrong it is also illegal.
I believe that the current term of a copyright in the USA is excessive and is being abused. The original length was appropriate, and I have several works that, under the old system, have fallen into the "public domain". I am OK with that, since that was "part of the deal" with the copyright office.
Again, you may not agree with all of these points, but I was the one asked to teach the class. I respect your right to disagree, and since I am not an attorney this is only my opinion. I tried to keep it balanced between fair use and protecting "intellectual property" (without using that term). Again, I feel that artists and other creative efforts should be rewarded in a manner that a free market would support. You are free to give away your works, and I mentioned some bands that place some of their songs on their web sites for free to encourage purchase of albums and attendance at concerts.
Background: I am a Unit Commissioner with the local Boy Scouts and I have a Ph.D. in Computer Information Systems (Security and AI), so I am teaching the Computers Merit Badge classes at our local "Merit Badge College".
In Boy Scouts, you have to do all of the numbered requirements. (Some are "Do three of these" and list, for example, A-H sub-requirements).
Requirement 9 (the January 2006 revision) has three mandatory sub-sections.
(paraphrased - I don't have the exact text)
A. If a friend offers you a copy of a game or a software package, is it legal to accept it?
B. When is it legal to download music from the Internet and when is it illegal?
C. Why do Copyright laws exist?
I know this has been discussed many months ago, but I felt that it was appropriate to mention it again since it shows Microsoft's reach and influence.
It was a typo or a lack of understanding by the reporter. I strongly suspect that it was a hyperbaric chamber, which means a high-pressure chamber. Those can be quite dangerous if not built correctly -- just imagine the thing blowing apart like a balloon, but with metal instead of rubber.
Actually, just because they make software for Taiwan does not mean the same software will work in the PRC. The two entities (the US does not recognize Taiwan as a separate country) use different character sets. Taiwan and most Chinese-language nations use the traditional character set which has developed over thousands of years. The PRC and Singapore use what is called the "Simplified" character set which was developed in the PRC to help improve literacy rates by simplifying many of the more complex characters by reducing the number of strokes (lines/marks) needed to write them. I've seen characters that have been reduced from over 20 strokes to fewer than ten.
Most younger Chinese in the mainland and Singapore cannot read the traditional characters, so the software would be difficult to understand at best, and useless at worst.
I do not know if Singapore is a significant enough market for Micro$oft to continue producing a Simplified Character set version of their software.
This is why the language codes zh-CN and zh-TW exist. The official language used in both is essentially the same other than some regional variations, such as different words for "taxi" and different interpretations of "ai4ren2" (Literally "love person". On the mainland it means "spouse", in Taiwan it means "lover" and implies an extra-marital affair.) (Sorry -- no Chinese characters -- I can't be sure everyone will be able to see them.)
I know that this may sound a little too "tinfoil hat", but the thing that scares me the most about this is the potential for backdoors, spyware, and other nefarious modifications in this grey market hardware. Where would you detect the spying? This is potentially A Bad Thing(tm).
Yes, I know that so far no-one has found anything like that, but the potential creeps me out. One of the reasons people buy Cisco gear is because they trust the company. Counterfeit goods weaken the brand value and in and of themselves generate FUD.
Let's take a slightly easier (and fanciful) example: fake Rolex watches. OK, everyone knows that there are fake Rolex watches out there. But let us pretend for a moment that you did not know about the fakes, and you bought a "Rolex" (in quotes to indicate a fake) watch. The thing keeps lousy time, losing 5 minutes a day, and the wind stem breaks off in a month. You walk away from that experience thinking that Rolex (note: no quotes) watches are trash.
People are far more likely to complain than to praise, and when they're ripped off they are far more likely to tell people about it than when something works as expected, therefore the damage is done not only in your mind but in the minds of people who trust you. Suddenly, many people think that Rolex watches are junk.
Again, a fanciful example because Rolex's reputation is well established to the point that if a "Rolex" were to fail most people would suspect a fake. But the point is that the damage can occur to the brand as well. I can see Cisco trying to fight this one quite vigorously to protect their reputation.
The damage has been done. The only thing now is to minimize the results.
I have friends in many other countries, and every time the US does this I am ashamed to be an American. While these countries have their own faults, and some have been ridiculed here on Slashdot many times, I still feel very strongly that they are much more concerned about true peace than the current US administration.
At least my friends in Asia can see why I want to move there before it is too late. The big question for me is only which country... the one that cooperates with the US on most things but has a very high cost of living, or the one that is powerful enough not to be afraid of the US but has a much lower standard of living. Decisions, decisions...
p.s. I also find it hard to believe that the "Emperor Zurg" headline is real. In true Slashdot fashion, I'll comment first on it and _then_ check.:-)
I have (just completed) a Ph.D. in Information Security (*), and I have to call "snake oil" on this one. Unless they've managed to re-write TCP and IP or have somehow managed to coordinate a one-time pad encryption key exchange (which, itself, would be loaded with security issues) I cannot see how this will work.
I suspect that this is intended to give a false sense of security while providing Big Brother a way to watch people who _think_ that their communications are secure. Digital cell phones, anyone? Yes, it is illegal to listen in on the cell phone frequencies in the USA unless you are in law enforcement, but since when are criminals interested in obeying the law except to prevent drawing attention to themselves (e.g. -- don't speed on your way _to_ commit a crime, and don't speed on the way out unless you are already fleeing from someone who spotted you).
I also suspect that the hype about the government not being pleased with this is intended to further the false image that this is secure.
There are ways to communicate securely in the digital age, depending on how you define "securely". The longevity of the data is critical. Being able to decrypt today's troop movement orders for tomorrow morning after six months' time is not very useful because the data will be useless after tomorrow morning. Being able to decrypt, for example, today's communication about a terror plot to take place on January 20, 2009 (the day the next new President will be sworn into office in the USA for our non-US readers) in six months would be very valuable.
You cannot make a blanket statement that a system is "secure". A system is only secure for a given use in a given context.
Again, I have to call "Snake oil" on this one.
(*) This note was added in response to a comment in the Capacitor thread yesterday about people wanting information from "qualified" individuals, therefore I felt it appropriate to state my qualifications in this area.
I still do not see how this works.
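The post's aside that coordinating a one-time pad would itself be "loaded with security issues" is worth making concrete. The following is an added example, not code from the original post: the cipher itself is a one-line XOR, and the two problems that actually bite are that the pad must be at least as long as every message it will ever protect, and that reusing any pad bytes lets an eavesdropper cancel the pad out of two ciphertexts and, with a guessed plaintext, read the other one. The pad contents, messages and `Pad` bookkeeping class are assumptions made for this example.

```python
"""Why a one-time pad is easy to implement and hard to deploy.

Added example, not code from the original post. Shows (1) the pad-length
constraint, (2) pad bookkeeping that refuses to reuse material, and
(3) what an eavesdropper gets when two messages share pad bytes. Pad
material and messages are constructed; a real pad would come from a
true random source, never bytes(range(...)).
"""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, message: bytes) -> bytes:
    """Encrypt with pad material that must be at least as long as the message."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message; a one-time pad cannot be stretched")
    return xor_bytes(pad[:len(message)], message)


def otp_decrypt(pad: bytes, ciphertext: bytes) -> bytes:
    """Decryption is the same XOR with the same pad bytes."""
    return otp_encrypt(pad, ciphertext)


class Pad:
    """Bookkeeping for pad material: every byte is handed out at most once."""

    def __init__(self, material: bytes) -> None:
        self._material = material
        self._offset = 0

    def remaining(self) -> int:
        return len(self._material) - self._offset

    def take(self, n: int) -> bytes:
        """Consume n bytes of pad; refuses rather than reusing or wrapping around."""
        if n > self.remaining():
            raise ValueError(f"pad exhausted: {self.remaining()} bytes left, {n} requested")
        chunk = self._material[self._offset:self._offset + n]
        self._offset += n
        return chunk


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If both ciphertexts used the same pad bytes, XORing them cancels the
    pad and yields m1 XOR m2 with no key knowledge at all."""
    return xor_bytes(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Given one plaintext (a guessed header, a known phrase), the other
    plaintext falls straight out of the two-time-pad leak."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_m1)


if __name__ == "__main__":
    pad = Pad(bytes(range(16)))  # constructed, deterministic pad for illustration only
    m1 = b"ATTACK AT DAWN"
    c1 = otp_encrypt(pad.take(len(m1)), m1)
    print(otp_decrypt(bytes(range(14)), c1))   # b'ATTACK AT DAWN'
    # Reusing the first 14 pad bytes for a second message is the mistake:
    m2 = b"RETREAT NOW!!!"
    c2 = otp_encrypt(bytes(range(14)), m2)
    print(recover_with_crib(c1, c2, m1))       # b'RETREAT NOW!!!'
    print(pad.remaining())                     # 2: the honest Pad has no room for m2
```

The point for the product in question is the one the post makes: a system that really used a one-time pad would have to ship and synchronise as much random pad as all the traffic it will ever carry, and one slip in that coordination reduces it to the crib-dragging exercise above.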
Do these laws state that
(a) The US is claiming jurisdiction over foreign nationals' acts within foreign sovereign states?
or
(b) The US is claiming jurisdiction over the actions of US citizens and US corporations even if those actions were conducted in a foreign sovereign state?
I have seen evidence that (b) is the case such as when US citizens are tried for sexual exploitation of a minor after taking trips to certain parts of Cambodia or Thailand where child prostitution is common. US citizens have been tried and convicted for those acts.
I have not seen evidence for (a). If (a) is the case, then the US is even more arrogant than I thought, and the US is asking for trouble on many fronts.
As far as I can see, (a) would be the only thing that applies here since Yahoo Holdings (HK), Ltd. is a foreign corporation and its acts were performed in a foreign sovereign state. Unless I am missing something, the US should not have jurisdiction.
If the US claims jurisdiction under (a), then it is setting a very dangerous precident. I would be interested to see how the US would react if some other country claimed jurisdiction in a similar manner. Can you see some fundamentalist religious state attempting to sue various magazines for their swimsuit issues? How about suing clothing catalogues for showing models in bikinis? I cannot see how (a) can be the case.
Can someone offer a qualified legal opinion with regard to the US law in this case?
I do not understand how a company incorporated in Hong Kong (Yahoo! Holdings HK, Ltd.), which is part of the PRC, can be sued IN THE US for conforming with legal requirements in China for doing business in China.
To me this would be similar to France suing eBay (US) for selling Nazi items in the US to US customers. The French government have the right to say that such things cannot be sold in France and cannot be sold to French citizens (at least according to what I've read about French law - but French law is not the point here), but can someone file suit in a French court against an American company's American office for conducting business with American customers in accorance with American law just because that business being conducted happens to violate French law?
Without regard to the human rights issues here for a moment, I cannot believe that any US court would even accept this suit against Yahoo Holdings (HK) Ltd. It's a _Chinese_ corporation, conducting business in China and subject to Chinese law.
This is not an attempt at a troll. I am genuinely confused as to why this is a legal issue. The American court should (if my understanding is correct) simply claim no jurisdiction and dismiss the case, and perhaps slap a fine on the plaintiff for attempting to use the legal system to harass others without any valid legal cause.
I must be missing something here. Again, unless there is a LEGAL issue with the alleged human rights violations here, please don't mention them. My question is with regard to the legal issues here. How can a US court have jurisdiction over a Chinese company's actions entirely within China?
I usually avoid cabs for most of the reasons already stated by other posters.
Also, I am only "qualified" to comment on points (d) and (e) as they touch on information security (full-time job and my Ph.D. both are in InfoSec).
On both (d) and (e) the increased "security" will be temporary, and if the systems are properly designed they will certainly raise the bar to make criminal activity more difficult. It will require much more technical ability or social engineering to copy the card information with the new method than with the old one.
Note that I included "social engineering" in this discussion. A cabbie could easily claim that the reader was malfunctioning (and perhaps put a piece of tape over the reader head to make it malfunction) and request the card to record the charge the "old fashioned way".
Point (e) has multiple possibilities. It certainly can be useful to reduce creditcard fraud, but it could also be used to track cab movement. If a cab company has a policy that the closest cab picks up the fare, it could be used to track people lying about their locations in order to pick up an extra fare and cheat another driver. It could also be used, with proper additional technology, to allow dispatchers to assign cabs based on this information. Then the control moves and those with the most to gain/lose (dispatchers and cabbies) experience a shift in the balance of power. People don't like that.
I think that this technology will spread, and it will become the norm. I suspect that this will not happen without a fight.
If my memory serves (and this is not my area of expertise), eye protection is standard operating procedure for anything that could be considered a high-power laser. This is sort of like when they use tethers for testing things that go above the ground. It is a "safety" precaution required more by insurance companies than reality. (Such as when testing a new elevator design, a "home-built" helicopter that has already passed the FAA inspections for the current phase, etc.)
I suspect that these people are smart enough not to look directly into the lasers. The eye protection is as much a reminder to others that you need to wear eye protection when working with lasers and a requirement from the insurance company as it is realistic protection.
Again, the eye protection works, but I sincerely doubt that these people are dumb enough to look into the lasers.
This is like the guy on "New Yankee Workshop" who always gives his 30+ spiel on wearing safety glasses and following all instructions in the manual. Anyone who does that much woodworking with those kinds of power tools (huge bench-based units) should already know that stuff, but for reasons that I suspect include liability concerns Mr. Abram reminds us every week to wear our safety glasses.
-Q
Actually, posting ad hominem attacks as an Anonymous Coward is a tell-tale sign that you are a poser or pathetic loser.
People with legitimate qualifications (such as doctorates, lawyers, etc.) in their respective fields should indicate such to help people filter out the noise.
I will be happy to communicate with the editors to have them verify my credentials. They know how to contact me. I do not post the url to my university web site because I do not feel like having people like you spam me.
>the problem with being focused .... you tend to forget real world details.
I work full-time in industry in InfoSec. Please try to avoid such baseless attacks in an attempt to support your flawed reasoning. Also, I worked full-time WHILE pursuing my Ph.D., so I have been fully immersed in real-world InfoSec during and after my doctoral studies.
I am not spreading FUD. If you read the entire post, you would have seen the reasoning. Current rootkit detection and other malware detection relies on the operating system. A hypervisor is between the OS and the hardware, making it undetectable by the operating system.
THAT was the point. This gives malware authors a new place to hide that will make detection nearly impossible, otherwise it is not a true hypervisor.
And to answer your question about other virtualization solutions: things like Xen, VMware, and Parallels (I do not do much with mainframes) run inside of an operating system, and it is possible to observe their activities from outside the virtual environment.
Perhaps an illustration is in order:
I have a Mac and run XP Pro in Parallels. If a rootkit is installed on my XP Pro VM, XP Pro may not be able to see it. However, the network activity that it generates is still visible to Wireshark running on my Mac OUTSIDE of Parallels (the virtualization software).
In the proposed Dell scenario, you are running XP Pro inside of a virtualized environment that is being virtualized by the motherboard. Your XP Pro has a rootkit. How will you discover it unless you are monitoring it from a different machine?
Given that I own both Parallels and VMware Fusion for my main system it should be clear that I feel that virtualization is useful, especially for security (the main reason I have them). If you read my post you would have realized that this is not about virtualization itself being bad. It is the details of the proposed Dell implementation, with the virtualization being in the hardware, so to speak, and thus between the OS and the "real" hardware, that are the issue.
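The cross-view check the comment describes (what the guest reports about itself versus what an observer outside the VM sees on the wire) is easy to make mechanical. The example below is added here and is not code from the original comments; its two inputs are constructed samples standing in for `netstat`-style output taken inside the guest and a host-side capture summary of the same interval, and the function names are my own.

```python
"""Cross-view check: compare the guest OS's own view of its network
connections with the flows an observer outside the VM sees on the wire.
A flow present on the wire but absent from the guest's view is a candidate
for activity the guest OS is being prevented from reporting.
Added example, not code from the original comments."""
from collections import namedtuple

Flow = namedtuple("Flow", "proto local_port remote_ip remote_port")

# Constructed sample: what the guest OS reports about its own sockets
# (netstat-style columns: proto recv-q send-q local remote [state]).
GUEST_VIEW = """\
tcp 0 0 10.0.2.15:49152 93.184.216.34:443 ESTABLISHED
tcp 0 0 10.0.2.15:49153 93.184.216.34:80 ESTABLISHED
udp 0 0 10.0.2.15:68 10.0.2.2:67
"""

# Constructed sample: one line per flow in a host-side capture of the same
# interval, as "proto src dst".  The guest's address is 10.0.2.15.
HOST_CAPTURE = """\
tcp 10.0.2.15:49152 93.184.216.34:443
tcp 10.0.2.15:49153 93.184.216.34:80
udp 10.0.2.15:68 10.0.2.2:67
tcp 10.0.2.15:51337 198.51.100.7:8443
"""


def parse_guest_view(text: str) -> set:
    """Normalise the guest's socket table into Flow tuples."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local, remote = parts[0], parts[3], parts[4]
        lport = int(local.rsplit(":", 1)[1])
        rip, rport = remote.rsplit(":", 1)
        flows.add(Flow(proto, lport, rip, int(rport)))
    return flows


def parse_host_capture(text: str, guest_ip: str) -> set:
    """Normalise the outside view so both directions map to the same Flow."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        proto, src, dst = parts
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        if sip == guest_ip:
            flows.add(Flow(proto, int(sport), dip, int(dport)))
        elif dip == guest_ip:
            flows.add(Flow(proto, int(dport), sip, int(sport)))
    return flows


def hidden_flows(guest_text: str, capture_text: str, guest_ip: str = "10.0.2.15") -> set:
    """Flows seen from outside the VM that the guest does not admit to."""
    return parse_host_capture(capture_text, guest_ip) - parse_guest_view(guest_text)


if __name__ == "__main__":
    for flow in sorted(hidden_flows(GUEST_VIEW, HOST_CAPTURE)):
        print("not reported by guest:", flow)
```

The check only works when the outside view is genuinely outside: in the Parallels case the host OS provides it, while in the scenario the comment worries about, where the hypervisor sits below the only OS on the box, the equivalent vantage point has to be a separate machine or a network tap.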
This frightens me on so many levels that it is difficult to know where to start. Unless that hypervisor is burned into a non-rewritable form of storage (e.g. ROM), it will be subverted.
As has been demonstrated at Black Hat by the illustrious Ms. Rutkowska (as well as being fairly obvious to anyone familiar with hypervisors), a hypervisor is below the OS and can be impervious to the OS's probing, but it still lies between the OS and the hardware.
Properly implemented, this could be a very good thing. With no disrespect intended toward Dell, I suspect that the first several implementations (at least) will leave the resulting systems vulnerable to subversion, and this subversion would be difficult, at best, to detect.
This is an interesting concept, and it could be used for "good", but as the saying goes "the devil is in the details". The idea is good, it is the potential implementation that worries me.
Full Disclosure: I have a Ph.D. (2006) in InfoSec.
The MPAA, in association with the TSA, have developed the "No Popcorn" list. This will be combined with the requirement that individuals will be required to present personal identification (driver's license, etc) in the same manner used at airports today. Any individuals who are considered to be a threat to national security, the MPAA, RIAA, or Jiffy Pop(tm) will have their name placed on the "No Popcorn" list and will be denied entry to the nation's movie theaters.
The MPAA's "ushers and ticket takers union" will be absorbed into the Department of Homeland Security and become the new PSA = Popcorn Safety Administration. Initial screening stations will be set up by December 1, 2007, in theaters in major cities, with the full roll-out expected to be completed by December 31, 2009.
The MPAA commented that this move was "necessary due to [the likelihood of] terrorists stealing American intellectual property and then using the profits to fund acts of terror."
With regard to the potential for persons being incorrectly banned from theaters, the MPAA responded "They can wait for the DVD. We can't take chances with National Security(tm)".
(Yes, this is only a joke)
-Q
Discretion is the better part of valor.
One of the differences between the virus that your bog-standard AV will detect and this critter from the FBI is the number of instances out there in the wild. Keep in mind that this FBI thing is intentionally sent to specific targets, and I suspect that it is used sparingly in order to prevent it from being found easily.
Nearly all AV programs rely on signatures. The way they obtain the signatures is first to obtain samples, and then determine how they can identify the program accurately (Hashes, etc). I've discovered new malware and forwarded it to the proper channels, as have others that I know.
Therefore, the following (simplified) steps must occur:
1. become infected with the malware
2. suspect that the machine is infected
3. correctly isolate the malware (find its parts, etc)
Then, once those happen one must also do the following in order to hope that protection will be offered to others:
4. send the sample to one or more anti-malware application support teams for inclusion
5. wait until the AV/AM team can create a signature
6. wait until the AV/AM team distributes the signature
7. wait until people update their AV/AM signature databases.
As you can see, there are several places where this process can fail. Think of it like phishing, but sort of in reverse. Phishers send out a large number of messages in hope that even if only a very small percentage of recipients (1/100th of one percent, for example) fall for it, they will be able to profit.
That works just fine if you send out a few hundred thousand messages.
If you send out only one message, or ten, or twenty, your odds are very close to zero that even one person will "bite".
This is the critical difference. I doubt that this program is out there on thousands of machines, or hundreds of thousands of machines all over the place. It is "placed" (I know - some victim effort is required) on specific machines.
Therefore you have a very small victim base. The odds of this being discovered are quite small, even without collusion from the AV vendors.
This is more like "spearphishing" (who dreams up these phrases?), being specially targeted for one individual. This increases the odds of that one individual falling for the ruse, and since only one person was the target, this works well.
Things like this make the lives of those of us who work in security full time much more complicated.
-Q
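The signature pipeline in the comment above (obtain a sample, derive a hash or pattern, distribute it) can be shown in miniature. The example below is added here and is not code from the original comments; the "binaries", the fixed routine bytes and the signature names are constructed toy data, not real malware, and the point is what happens when a vendor has seen one sample but the copy sent to a particular target differs.

```python
"""Two kinds of AV signature over constructed toy samples: a whole-file hash
and a byte pattern.  A sample the vendor never received, or one rebuilt per
target, is missed by the hash; the pattern still fires if the characteristic
code is unchanged.  Added example, not code from the original comments."""
import hashlib
import re

# Constructed: a short byte sequence standing in for the sample's
# characteristic routine (not taken from any real program).
ROUTINE = b"\x55\x89\xe5\x83\xec\x10"


def build_sample(config: bytes) -> bytes:
    """Constructed toy 'binary': header, per-target config, fixed routine."""
    return b"MZ" + config + ROUTINE + b"\x00" * 4


SUBMITTED = build_sample(b"cfg=alpha")         # the one sample a vendor received
TARGETED_VARIANT = build_sample(b"cfg=bravo")  # same code, built for a different target


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database derived from the submitted sample only.
HASH_SIGS = {sha256(SUBMITTED): "toy.trojan.hash"}
PATTERN_SIGS = {re.compile(re.escape(ROUTINE)): "toy.trojan.pattern"}


def scan(data: bytes) -> list:
    """Return the names of every signature that matches `data`."""
    hits = []
    name = HASH_SIGS.get(sha256(data))
    if name:
        hits.append(name)
    for pattern, name in PATTERN_SIGS.items():
        if pattern.search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("submitted sample :", scan(SUBMITTED))
    print("targeted variant :", scan(TARGETED_VARIANT))
    print("unrelated file   :", scan(b"MZ plain old program"))
```

The hash signature is exact and cheap but covers only the file the vendor saw; a pattern signature generalises across variants, but deriving it requires step 3 of the list above (isolating the sample well enough to know which bytes are characteristic), which is exactly the step a low-volume, targeted sample is least likely to reach.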
While another poster gave a mostly correct description of the usage of "who" and "whom", I would like to offer a simpler way to remember which one to use when for those who are not as comfortable with grammatical terms.
Try replacing the word with "he" or "him". If you would use "him", then you need to use "whom". Both end with "m". If you would use "he", then use "who". (Also, if you would use "his", then use "whose", both ending with an "s" sound).
Technically, the predicate is just about everything other than the subject in a sentence.
"Who" is a subject (nominative) pronoun, while "whom" is an object (either direct object = accusative, or indirect object = dative).
If you remember the "he/him" trick, you should be fine.
-Q
(Yes, IWAET = I Was An English Tutor back in my university days.)
I am not so sure that it is Vista, per se, that is causing the problems. I noticed several applications broke once IE7 was installed. Several of my older son's games broke with IE7. Once we rolled it back to IE6 everything was fine again.
Granted, Vista may have other issues, and it may indeed break applications on its own, but it has been observed that IE7 breaks programs without Vista.
-Q
I hate to be pedantic, but please consider either reading your posts more carefully or taking a refresher in logic.
(a) and (d) can be true at the same time provided that the woman in question was not the plaintiff's wife. It is entirely consistent. The woman in question was not the plaintiff's wife, and the defendant did not _think_ that the woman in question was not the plaintiff's wife.
None of the arguments presented are contradictory to each other. (a), (c), and (d) can support each other. (c) and (d) can be considered the same thing, only to differing degrees. (c) is making an assertion about the identity of the woman while (d) is stating the defendant's beliefs regarding the woman's identity at the time of the incident in question.
(b) is all on its own. The utility of (b) lies in (1) defusing the suit through comity (that is, the plaintiff knew about it and agreed to it, therefore cannot sue later) and (2) the fact that (b) does not accept guilt - it is simply a statement that the defendant was given permission by the plaintiff. It does not state that the action occurred.
An analysis of (e) and its interconnections with the other four arguments is left as an exercise for the reader.
IANAL, but this is simple logic.
That said, I suspect that there are people (including juries) who would agree with the original post due to their lack of understanding of formal logic. Unfortunately, until we have a system of trained, professional jurors we will not be able to avoid this issue. I believe that this is why it is possible to appeal decisions.
But is that the legal definition of rape in Belgium?
I know that is the definition in Massachusetts (or, at least it was 25+ years ago when my uncle graduated law school), but what is the definition that applies in this case?
And, assuming for the moment that a crime occurred, which court would have jurisdiction? The court that would have jurisdiction over the place where the plaintiff was at the time of the incident? The court that would have jurisdiction over the location of the servers? If this crossed state and/or national boundaries, how is this handled?
There are significant chunks of "good" spectrum available for research: you need to have an Amateur radio license of at least "General" class to do it. ("General", the still existing but no longer issued "Advanced", and "Extra" class license holders are allowed to do these things.)
The rules are freely available at the FCC's web site as well as the ARRL's site.
("Disclaimer" I hold an Extra class US amateur radio license)
I do not know in which state you live, but here in South Carolina a Notary Public is technically an officer of the court. The whole purpose behind the concept of Notaries Public is that they are appointed to serve as the verification point for such things.
In theory, at least here in SC, all notary signatures are equivalent. In other words, they could not require that you use any particular notary for anything. Again, the whole purpose behind a notary is that the notary is the trusted neutral party. (that is why in many states - but not SC - you cannot notarize family member signatures)
("disclaimer" I have been a South Carolina Notary since 1994, my mother has been one in Mass. for over 40 years, my sister is a notary in Mass, etc. Having notaries in the family and as friends is really handy at times.)
Notary Trivia: In South Carolina, a Notary is allowed to sign marriage certificates along with a judge, a justice of the peace, and an ordained minister.
I hate to split hairs, but this is _not_ steganography. There is a subtle difference.
This is not hiding the existence of the message. It is simply obfuscating it with the decoy photons. It is still obvious that a message is being sent.
Steganography is hiding the very existence of the message, such as the ancient example of shaving a slave's head, tattooing the message on his bald scalp, waiting for the hair to regrow, and then sending the slave to the recipient of the message. To any outsider the slave was just (most likely) one of several slaves moving with some other people from one place to another.
At the destination the slave's head would be shaved again and the message revealed. Unfortunately, this usually would also result in the slave being killed to prevent the secret method from ever being revealed.
Thus, this "quantum encryption" is not steganography, but two things: a method to prevent reading of a message by way of quantum mechanics and a method of obfuscating (e.g. chaffing) a message.
(background - I have a Ph.D. in infosec and AI)
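Chaffing, which the comment above names as the right description, can be made concrete with Rivest's chaffing-and-winnowing construction: real packets ("wheat") carry a valid MAC, decoys ("chaff") carry random tags, and only the holder of the MAC key can tell them apart. The example below is added here and is not code from the original comment; the key, message and packet layout are constructed, and the function names are my own. It also makes the comment's distinction visible: an observer counting packets still sees that a message is in transit.

```python
"""Chaffing and winnowing as obfuscation that is not steganography.
The sender interleaves each real one-byte packet with decoys; the receiver
keeps only packets whose HMAC verifies.  Anyone watching the channel still
sees the traffic, and can count it; they just cannot tell wheat from chaff
without the key.  Added example, not code from the original comment."""
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key-not-for-real-use!!"  # constructed
MESSAGE = b"meet at noon"                           # constructed


def mac(key: bytes, seq: int, payload: bytes) -> bytes:
    """Tag binds the payload to its sequence number so chaff cannot be reordered in."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def chaff(key: bytes, message: bytes, decoys_per_byte: int = 2) -> list:
    """Emit (seq, payload, tag) packets: one wheat packet per message byte,
    shuffled together with `decoys_per_byte` chaff packets for the same seq."""
    packets = []
    for seq, b in enumerate(message):
        group = [(seq, bytes([b]), mac(key, seq, bytes([b])))]
        for _ in range(decoys_per_byte):
            decoy = bytes([secrets.randbelow(256)])
            group.append((seq, decoy, secrets.token_bytes(32)))  # random tag: chaff
        group.sort(key=lambda _p: secrets.randbelow(1 << 30))    # hide wheat position
        packets.extend(group)
    return packets


def winnow(key: bytes, packets: list) -> bytes:
    """Keep packets whose tag verifies and reassemble by sequence number."""
    wheat = {}
    for seq, payload, tag in packets:
        if hmac.compare_digest(tag, mac(key, seq, payload)):
            wheat[seq] = payload
    return b"".join(wheat[s] for s in sorted(wheat))


def observable_packet_count(packets: list) -> int:
    """What an eavesdropper without the key can still measure."""
    return len(packets)


if __name__ == "__main__":
    stream = chaff(KEY, MESSAGE)
    print("packets on the wire:", observable_packet_count(stream))
    print("winnowed by receiver:", winnow(KEY, stream))
    print("winnowed with wrong key:", winnow(b"other key", stream))
```

Nothing here is ever encrypted; confidentiality comes from the eavesdropper's inability to authenticate, which is the same reason the decoy photons in the article obfuscate rather than hide the message.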
Well, I did not look for the "official" answer :-)
My answer, and I am not trying to start a flame-war here, is sort of a combination of both of yours.
I believe that artists, authors, etc. should be compensated for their work if they so choose. To that end, copyright allows those creative efforts to be rewarded in a free market environment (e.g. if you ask for $2000 for a piece of junk, no-one will buy it) and provides legal protection to help protect the creators of those works. This exists to encourage more creative work and also to provide legal protection for proper attribution of the work. In other words, you cannot simply take a hit song (for example), re-record it and claim that you wrote it. Besides being morally wrong it is also illegal.
I believe that the current term of a copyright in the USA is excessive and is being abused. The original length was appropriate, and I have several works that, under the old system, have fallen into the "public domain". I am OK with that, since that was "part of the deal" with the copyright office.
Again, you may not agree with all of these points, but I was the one asked to teach the class. I respect your right to disagree, and since I am not an attorney this is only my opinion. I tried to keep it balanced between fair use and protecting "intellectual property" (without using that term). Again, I feel that artists and other creative efforts should be rewarded in a manner that a free market would support. You are free to give away your works, and I mentioned some bands that place some of their songs on their web sites for free to encourage purchase of albums and attendance at concerts.
Background: I am a Unit Commissioner with the local Boy Scouts and I have a Ph.D. in Computer Information Systems (Security and AI), so I am teaching the Computers Merit Badge classes at our local "Merit Badge College".
In Boy Scouts, you have to do all of the numbered requirements. (Some are "Do three of these" and list, for example, A-H sub-requirements).
Requirement 9 (the January 2006 revision) has three mandatory sub-sections.
(paraphrased - I don't have the exact text)
A. If a friend offers you a copy of a game or a software package, is it legal to accept it?
B. When is it legal to download music from the Internet and when is it illegal?
C. Why do Copyright laws exist?
I know this has been discussed many months ago, but I felt that it was appropriate to mention it again since it shows Microsoft's reach and influence.
It was a typo or a lack of understanding by the reporter. I strongly suspect that it was a hyperbaric chamber, which means a high-pressure chamber. Those can be quite dangerous if not built correctly -- just imagine the thing blowing apart like a balloon, but with metal instead of rubber.
I think that was a typo in the article. I suspect that it was supposed to be "hyperbaric", which means at high pressure.
Actually, just because they make software for Taiwan does not mean the same software will work in the PRC. The two entities (the US does not recognize Taiwan as a separate country) use different character sets. Taiwan and most Chinese-language nations use the traditional character set which has developed over thousands of years. The PRC and Singapore use what is called the "Simplified" character set which was developed in the PRC to help improve literacy rates by simplifying many of the more complex characters by reducing the number of strokes (lines/marks) needed to write them. I've seen characters that have been reduced from over 20 strokes to fewer than ten.
Most younger Chinese in the mainland and Singapore cannot read the traditional characters, so the software would be difficult to understand at best, and useless at worst.
I do not know if Singapore is a significant enough market for Micro$oft to continue producing a Simplified Character set version of their software.
This is why the language codes zh-CN and zh-TW exist. The official language used in both is essentially the same other than some regional variations, such as different words for "taxi" and different interpretations of "ai4ren2" (Literally "love person". On the mainland it means "spouse", in Taiwan it means "lover" and implies an extra-marital affair.) (Sorry -- no Chinese characters -- I can't be sure everyone will be able to see them.)
I know that this may sound a little too "tinfoil hat", but the thing that scares me the most about this is the potential for backdoors, spyware, and other nefarious modifications in this grey market hardware. Where would you detect the spying? This is potentially A Bad Thing(tm).
Yes, I know that so far no-one has found anything like that, but the potential creeps me out. One of the reasons people buy Cisco gear is because they trust the company. Counterfeit goods weaken the brand value and in and of themselves generate FUD.
Let's take a slightly easier (and fanciful) example: fake Rolex watches. OK, everyone knows that there are fake Rolex watches out there. But let us pretend for a moment that you did not know about the fakes, and you bought a "Rolex" (in quotes to indicate a fake) watch. The thing keeps lousy time, losing 5 minutes a day, and the wind stem breaks off in a month. You walk away from that experience thinking that Rolex (note: no quotes) watches are trash.
People are far more likely to complain than to praise, and when they're ripped off they are far more likely to tell people about it than when something works as expected, therefore the damage is done not only in your mind but in the minds of people who trust you. Suddenly, many people think that Rolex watches are junk.
Again, a fanciful example because Rolex's reputation is well established to the point that if a "Rolex" were to fail most people would suspect a fake. But the point is that the damage can occur to the brand as well. I can see Cisco trying to fight this one quite vigorously to protect their reputation.
The damage has been done. The only thing now is to minimize the results.
Please, not again.
:-)
I have friends in many other countries, and every time the US does this I am ashamed to be an American. While these countries have their own faults, and some have been ridiculed here on Slashdot many times, I still feel very strongly that they are much more concerned about true peace than the current US administration.
At least my friends in Asia can see why I want to move there before it is too late. The big question for me is only which country... the one that cooperates with the US on most things but has a very high cost of living, or the one that is powerful enough not to be afraid of the US but has a much lower standard of living. Decisions, decisions...
p.s. I also find it hard to believe that the "Emperor Zurg" headline is real. In true Slashdot fashion, I'll comment first on it and _then_ check.
I thought throwing chairs was the rule, not the exception.
I have (just completed) a Ph.D. in Information Security (*), and I have to call "snake oil" on this one. Unless they've managed to re-write TCP and IP or have somehow managed to coordinate a one-time pad encryption key exchange (which, itself, would be loaded with security issues) I cannot see how this will work.
I suspect that this is intended to give a false sense of security while providing Big Brother a way to watch people who _think_ that their communications are secure. Digital cell phones, anyone? Yes, it is illegal to listen in on the cell phone frequencies in the USA unless you are in law enforcement, but since when are criminals interested in obeying the law except to prevent drawing attention to themselves (e.g. -- don't speed on your way _to_ commit a crime, and don't speed on the way out unless you are already fleeing from someone who spotted you).
I also suspect that the hype about the government not being pleased with this is intended to further the false image that this is secure.
There are ways to communicate securely in the digital age, depending on how you define "securely". The longevity of the data is critical. Being able to decrypt today's troop movement orders for tomorrow morning after six months' time is not very useful because the data will be useless after tomorrow morning. Being able to decrypt, for example, today's communication about a terror plot to take place on January 20, 2009 (the day the next new President will be sworn into office in the USA for our non-US readers) in six months would be very valuable.
You cannot make a blanket statement that a system is "secure". A system is only secure for a given use in a given context.
Again, I have to call "Snake oil" on this one.
(*) This note was added in response to a comment in the Capacitor thread yesterday about people wanting information from "qualified" individuals, therefore I felt it appropriate to state my qualifications in this area.
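The one-time pad the comment above mentions is the one cipher whose security does not depend on the data's longevity, but only on the conditions the comment calls hard to coordinate: a truly random pad, as long as the message, delivered to both ends, and never used twice. The example below is added here and is not code from the original comment; the messages and pad are constructed values, and `reuse_leak` shows in a few lines what an eavesdropper is left with when the key-exchange problem is "solved" by reusing a pad.

```python
"""One-time pad: correct use, and what pad reuse leaks.
Added example, not code from the original comment."""
import secrets


def new_pad(length: int) -> bytes:
    """A fresh pad from the OS CSPRNG; this is the part that must reach both ends."""
    return secrets.token_bytes(length)


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR with the pad; the same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(a ^ b for a, b in zip(data, pad))


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were made with the same pad, c1 XOR c2 == m1 XOR m2:
    the pad cancels and the eavesdropper holds a relation between the two
    plaintexts, with no key material needed."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_other(leak: bytes, known_plaintext: bytes) -> bytes:
    """Given m1 XOR m2 and one plaintext, the other falls out directly."""
    return otp(leak, known_plaintext)


# Constructed sample messages of equal length.
M1 = b"orders for 0600"
M2 = b"orders for 1800"

if __name__ == "__main__":
    pad = new_pad(len(M1))
    c1, c2 = otp(M1, pad), otp(M2, pad)
    print("round trip ok:", otp(c1, pad) == M1)
    print("pad reused, eavesdropper derives:", recover_other(reuse_leak(c1, c2), M1))
```

With a fresh pad per message the ciphertexts reveal nothing regardless of how long they are stored; the cost is moved entirely into distributing and protecting the pads, which is why "secure" has to be judged for a given use in a given context, as the comment says.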