In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said.
Experts? Experts who think you need real-world authentication to log into hotmail?
"The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.
I'll just leave my door unlocked because it's not a problem unless I'm specifically targeted.
Anyway, if you're going to write a web page that cites other web pages, please put in a link. The anonymous authors of this page ("Tech Live staff") neglected to link to Root-Core, which seems to be the focus of the story, although they linked to Sophos, which was tangential.
...which they proceed to use to spam mercilessly until it's yanked (if it ever is) and they just stroll into a different library or fire station and claim to be "Dave Smith" and ask for their free account...
Ah, but these "fire stations" are actually an elaborate sting operation set up by disgruntled sysadmins. Those guys sitting around sharpening their axes to a razor edge are the same ones that got paged at 3:00 am when the mail server buckled beneath a torrent of spam. They've put out a lot of fires, but not the thermal kind.
When "Dave Smith" asks for his free account, they take his thumbprint and the computer links him up with "Carlos Moreno" whose account was TOS'd last night. Yes, spammers are stupid.
"OK, Dave, we just need you to lay your head on the desk for a minute. Yeah, right on that deep groove."
Unless they make them go through a long and extended glass first.
I'm having a hard time picturing the process you describe. Should I imagine these newbies viewing a CRT through the bottom of a beer glass? Or using a display two miles away with a telescope (which is certainly an extended (spy)glass.)
Maybe the key insight is that nobody can control the naming of a GPL'd project. I can fork Emacs and call it HappyEdit. I can fork it 1000 times and apply 1000 randomly generated names. But these actions are only significant if I can interest others in these forks.
Since the code itself can be forked, there's no logic in trying to maintain control of the name. We all would like to receive credit for the work we've done, but the GPL does not make any provision for this.
And yet in the linked article, the maintainer of Glibc says that he contributes the majority of the code and he does not consider it part of the GNU system. So GNU may be like the former Soviet Union - a theoretical umbrella entity embracing numerous rebellious provinces.
Why don't they promise to eradicate NSYNC and Britney Spears instead?
Why don't they seek substantial copyright reform? Maybe movies and music recordings should be exempt from copyright. This would not stop the next Britney Spears, but it would take away the profit motive from the men who packaged and marketed her. Would Britney be shaking her ass for free in front of a webcam? Probably not. I notice the Christian Right doesn't complain about webcams or 'blasphemous' posts on Usenet. What really hits their hot buttons is when 'immoral' content is legitimized by the government or huge media corporations.
Huge media corporations shouldn't exist, and if they didn't then these Christians would not be upset by the abuse of a 'privileged pulpit.'
You could be right, but I also think that games put you into a heightened state of alertness, which is inevitably followed by a crash and feeling of depression.
It only exercises the whole mind because the mental exercise is novel.
Why do you think that? There was nothing in the study to support that idea.
If doing simple arithmetic exercises made us better people mentally, then every cashier, who does tons of arithmetic exercises on the brain every day...
I don't think today's cashiers do much mental arithmetic. The register does it. On the rare occasion when a cashier miskeys something and is forced to manually compensate, it's a very slow process.
Re:Explain this one to me... on Taming the Web · Score: 2
I've been thinking about your question. An information exchange network is not strictly speaking a circumvention device. However, when the DMCA speaks of a "work" effectively protected by a technological measure, I don't think it requires that the technological measure be applied by the "owner" of the "work".
In other words, if a cable TV company buys programs without any protection, and yet their box outputs them with Macrovision, the work is now protected by a technological measure. Therefore a box that strips Macrovision is a circumvention device.
ISPs blocking inbound connections to consumers could therefore be considered a technological measure. A program that bypasses this blocking would then be a circumvention device.
I think a judge would be willing to apply this logic. If you followed the 2600 case, it's clear that once a judge identifies a party as 'bad guys' - that is, in opposition to major corporations, and the law under which they are charged is aimed in their general direction, he is not going to allow some computer technical issue to stop him.
Re:Freenet - dodging the issue on Taming the Web · Score: 2
All you need is 2 nodes for a network.
But the network only becomes viable or interesting when there are lots of nodes. Was it Metcalfe who said the value of the network increases with the square of the number of hosts? Anyhow, your claim sounds like Winston Smith claiming that the contents of his head, at least, were still his property. We all know what happened then.
I would comply, but probably be looking at real estate in Canada or some country that actually lets people run their own lives.
Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures...
And in a grammatically tortured sentence, the treaty demands punishment for anyone who dares:
i) to remove or alter any electronic rights management information without authority;
ii) to distribute, import for distribution, broadcast or communicate to the public, without authority, works or copies of works knowing that electronic rights management information has been removed or altered without authority.
So if Canada hasn't passed a DMCA-like law yet, they are bound to do so by treaty. Maybe you can move to Iraq or Libya. These rogue states might need sysadmins for their homebrew networks of playstations computing nuclear bomb yields.
I think law enforcement is pretty good at infiltrating these 'webs of trust'. I was reading in the local newspaper about a DEA informant who created some headaches for the DEA. Apparently the DEA frequently persuades people who pled guilty to drug charges to act as informants for something like a year before their sentencing. If they are successful in busting a lot of their friends, they get a substantially reduced sentence.
I think the FBI has infiltrated Nazi groups, Communist groups, militias and other tight-knit face-to-face communities of trust. I think it would be child's play for them to infiltrate an internet-based community linked by crypto. All they have to do is bust one member, whether for trafficking in circumvention devices or some unrelated offense, and convince him to be an informant for a lighter sentence. Tell him that he must finger 20 users in the next year. Then bust those twenty, and apply the same technique.
It wouldn't necessarily kill the community, but it would drive out a lot of people. Me, for instance.
And I don't understand how you can demand 100 ultimately trusted signatures. I'm assuming that ultimately trusted == known personally. Do you know and trust 100 people? If so, what are the chances of a new person knowing and being trusted by all 100?
It seems that in practice you'd have to allow 1 ultimately trusted signature, enabling the infiltration/informant attack.
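An added example (not from the thread) that models the trade-off this comment describes: a key is admitted when it carries at least a threshold number of signatures from "ultimately trusted" members, and one of those members has been turned. The member names, the genuine newcomer "alice" and the turned member "m7" are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class WebOfTrust:
    """Minimal web-of-trust: which keys are ultimately trusted, and who signed whom."""
    ultimately_trusted: set[str]
    signatures: dict[str, set[str]] = field(default_factory=dict)  # signer -> signed keys

    def sign(self, signer: str, key: str) -> None:
        self.signatures.setdefault(signer, set()).add(key)

    def trusted_signers_of(self, key: str) -> set[str]:
        """Ultimately trusted members who have certified `key`."""
        return {signer for signer, keys in self.signatures.items()
                if key in keys and signer in self.ultimately_trusted}

    def admitted(self, key: str, threshold: int) -> bool:
        """The admission rule under discussion: at least `threshold`
        ultimately trusted signatures on the key."""
        return len(self.trusted_signers_of(key)) >= threshold


def demo_web() -> WebOfTrust:
    """Constructed sample community (not real data): ten ultimately trusted
    members m0..m9. 'alice' is a genuine newcomer personally known to three
    of them. 'm7' has been turned into an informant and certifies three keys
    ('plant1'..'plant3') that nobody else in the community knows."""
    wot = WebOfTrust(ultimately_trusted={f"m{i}" for i in range(10)})
    for member in ("m0", "m1", "m2"):
        wot.sign(member, "alice")
    for plant in ("plant1", "plant2", "plant3"):
        wot.sign("m7", plant)
    return wot


def admitted_only_via(wot: WebOfTrust, compromised: set[str],
                      candidates: set[str], threshold: int) -> set[str]:
    """Keys admitted under `threshold` whose every ultimately trusted
    signature comes from a compromised member: the keys a turned member
    (or a set of them) can bring in without any genuine vouching."""
    return {k for k in candidates
            if wot.admitted(k, threshold)
            and wot.trusted_signers_of(k) <= compromised}


def threshold_table(wot: WebOfTrust, genuine: set[str], plants: set[str],
                    compromised: set[str], max_threshold: int) -> dict[int, tuple[int, int]]:
    """For each threshold 1..max_threshold, return
    (genuine keys admitted, keys admitted solely on compromised signatures).
    Raising the threshold shuts out the informant's keys, but it also shuts
    out a real newcomer once it exceeds the number of members who know her."""
    table = {}
    for t in range(1, max_threshold + 1):
        n_genuine = sum(1 for k in genuine if wot.admitted(k, t))
        n_planted = len(admitted_only_via(wot, compromised, plants, t))
        table[t] = (n_genuine, n_planted)
    return table


if __name__ == "__main__":
    web = demo_web()
    plants = {"plant1", "plant2", "plant3"}
    for t, (g, p) in threshold_table(web, {"alice"}, plants, {"m7"}, 5).items():
        print(f"threshold {t}: genuine admitted={g}, brought in by the informant alone={p}")
```

With this sample, threshold 1 lets the single turned member admit all three of his keys, threshold 2 admits none of them, and from threshold 4 upward the genuine newcomer is shut out as well.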
I didn't know that. But I guess the dividing line is the use of methods to get/set members of a structure. This trades off speed for encapsulation. Linux isn't doing that, is it?
What's sad is that everyone is marketing to this 'passive consumer' who is a clueless victim of his software. Everyone is buying and selling 'desktop real estate' and 'eyeballs'. The assumption is that the consumer can be led around by the nose to any destination we see fit.
I think that in real life very few consumers fit this mold. The majority are angry and scared at the way their computers and the web seem to be fighting them. I think that the ideal of the 'passive consumer' does not come from experience, but from sick fantasy.
This is acted out constantly in meetings. We have a piece of Windows software that is installed with "InstallShield Wizard". The marketing guy was complaining that it's too intimidating - we should just quietly install the software with hardly any notification to the user. Of course the programmers say "If that happened to me, I'd be mad." And the marketing guy says, "You're not normal. Normal people don't want to see a blue screen and a bunch of steps of installation."
The kernel should be small and be completely separate to most drivers...
This is called a microkernel and is apparently popular with OS researchers. Linus Torvalds explicitly rejected this view, much to the disgust of OS expert Andrew Tanenbaum. Read more here.
Where's our object orientation?
Most good software, including Linux, is not object oriented. The idea that software must be either object oriented or chaotic spaghetti code is wrong. To put it simply, Linux had to be fast in order to win. OO code tends to be slower.
You seem to want a microkernel, object oriented operating system. This is the opposite of Linux.
Yup. And the interesting thing is that Taco does not seem to see the contradiction, even to the extent of saying, "I know the MPAA are bad guys, but...". It's like each 'category' of slashdot is a water-tight compartment. I'm really curious to know what it would take to pierce the barrier. If MPAA 'enforcement agents' were running around killing people like the 'death squads' in El Salvador, would Taco still be happily promoting their wares?
Of course it's easy (and cheap) for me to take this stance, because:
- I have neither a TV nor a DVD player nor a computer running Windows.
- I no longer have the attention span for 90 minutes+ of passive "entertainment". And my big goal in life is to get outside more, not to spend more hours in front of a CRT.
- The whole "Star Trek" thing strikes me as egregiously awful rubbish, summing up the worst and most embarrassing stereotypes of the 'geek'. Not to mention the deeply authoritarian, imperialistic ideology underpinning the shows. Did you notice that the riot control expert (a Marine Colonel, I think) quoted in a recent non-lethal-weapon thread cited the phaser as the dream weapon they're working towards? Oh, and feel free to 'rebut' this by pointing out the episode where Captain Picard orders the Deltachrons not to impose their culture on the Anabonkas. You will be missing something.
- For some reason I associate Star Trek with Microsoft. Every MCSE I've worked with seems like he wants to prance around in a spandex uniform saluting and saying "Thrusters full ahead, Captain!" (Or whatever they say). The whole tone of Microsoft's communication to developers/sysadmins seems to say, "Aren't you lucky to be on board our great big high-tech ship? You are hereby promoted to assistant technical system support engineer! Click OK to continue." Of course the abuse of the word "Enterprise" underscores the link.
So how am I doing in the real world? Well, I bought a book recently. Although book publishers haven't taken the spotlight yet, they all seem to support the DMCA. Some association of publishers was quoted as celebrating Sklyarov's arrest. My hands are not altogether clean.
By the way, if you mod this down for mocking Star Trek, I hope you are magically transported to the Enterprise and get to find out how an outspoken intelligent person would fare in such an environment.
By contrast, those who are security conscious would take protective measures even without full disclosure...
I disagree. I'm pretty security conscious, but there have been times when vulnerabilities are announced in software that I used, and yet I don't upgrade. Why? Because the detailed description of the exploit shows that it won't work with the software as configured or as used. Full disclosure lets me see if the vulnerability really applies to my installations.
They can share the details among themselves discreetly if they choose to...
Ah, the old boys' network approach. Those inside the club are trusted; those outside the club are not. But who defines the perimeter of the club, and who established his trust level? Anyhow, if you think the establishment of exclusive clubs is a good thing, rejoice - they're being established. There was a story here recently about large vendors banding together to form such a club. It was greeted with much outrage, unnecessary outrage of course, since such a small group is unlikely to come up with anything interesting.
If all the security experts on BugTraq retreated into the old boys' network and denied me the benefit of their knowledge, I think that new experts would spring up to fill their place. The old experts would have ceased to be important.
If nobody has a patch or stopgap, the only people who benefit from full disclosure are the bad guys.
Actually, the main benefit I get from BugTraq is a feel for security in the software I'm writing. Frequently some tiny technical detail from a BugTraq message will come back to me when we're designing a piece of code, and I'll realize we're creating a subtle hole. Anyhow, your desire to squelch the actual exploit seems to swim against the current of the internet. If the guy who finds the bug stops short of a full exploit, someone else will naturally oblige by filling the gap.
Microsoft doesn't seem to do that anymore, because they've adapted to the reality of full disclosure. However, many software vendors still do sweep problems under the rug - in fact this seems to be the 'default setting' for a software vendor.
If you read BugTraq, it seems like half the vulnerability postings say "I notified $VENDOR four weeks ago, and they failed to respond/said it's a feature/said it's not worth fixing."
One vendor revved their firmware three times while ignoring a huge vulnerability that had been reported to them. Finally the researcher posted it to BugTraq. And this is not exceptional - I remember it only because I read it recently.
If you look at Microsoft's vulnerability announcements, you can see the evolution. They used to put a little PR spin on the vulnerability, claiming it would take 'special software' to exploit it, or otherwise implying that an exploit was unlikely. They seem to be reducing these attempts at damage control, since they realize that everyone realizes that if it can be done, it can be automated.
I mention these little PR driblets because they demonstrate that the advisories are issued under duress - Microsoft feels that it would be better not to issue an advisory. And they acknowledge the duress honestly - part of adapting to the full disclosure world - by giving credit to the researcher who reported the vulnerability. That's how they reward people for telling them first.
That's just silly. I've worked for a corporation bigger than you describe, and much of the internal web is run on Apache. And pushing information to 'several hundred people' is not a big deal. We supported 56,000 people when I was there. Did they use EJB's? Sure, in a few areas. They used just about every technology.
You're right that web sites (note plural - there are *many* independent web sites in a large organization) are only the pretty end. The 'nuts and bolts' is mostly Oracle. Applications invoke stored procedures to store and retrieve data. This is the quiet, unhyped reality of intra-business data interchange.
Why it's good: if Developer Dave can't insert rows in a table, the problem is between him and the DBA's. Ed, who wants to read those rows, is clearly not involved yet. When we switch to Dave's app messaging Ed's app directly, we get into finger pointing and usually a semi-documented API. And Ed will end up having to store the data somehow, which tends towards reinventing the database.
And long after Ed and Dave have left the company, a DBA can DESCRIBE the relevant tables and help the next wave of developers understand how it works.
Ah, but mix in one more factor. All this tunnelling will require software. Software like that needs to be revved pretty frequently - the version from three weeks ago will be blocked by some change in MSN protocols. And distributing this software is 'trafficking in a circumvention device' according to the DMCA, and punishable by 10 years imprisonment. Where will people download this software? How will development be coordinated? Remember, we take for granted the use of open mailing lists in software development. How will programmers live with the fear that the helpful person who offered programming advice on MSN chat may be an FBI agent collecting evidence for a bust? And finally, if some super-secret channel evolves for the development and distribution of the tunneling software, how does Joe User get connected? Remember, Napster was cool because of all those Windows users. Gnutella became useful when Limewire and Bearshare connected hordes of Windows users.
Are we a police state now for enforcing laws against illegal drugs? It looks like the info-war will soon resemble the drug war.
Re:Not only the net. The article mentions CPRM als on Taming the Web · Score: 2
Of course, the data is vulnerable when it leaves the initial reading device, wherever it is supposed to go.
In the scenario I'm describing, the data on the disk is encrypted. When it leaves the initial reading device, it's still encrypted. So it's not vulnerable.
...assuming that the recording industry doesn't "get it" and hide behind good encryption...
I don't think we can count on their ongoing refusal to understand modern cryptography. We have strong, free, widely available crypto algorithms and a good body of knowledge on building cryptosystems from them. I'm afraid they will finally 'get it'.
Hell, you could "tunnel" through automated geocities account creation.
That's a really beautiful interesting idea. I'm going to really think about that.
That would require some serious legislation. Legislation which would probably be unconstitutional, but more importantly, would hurt big business.
How would it hurt big business? It would benefit ISP's - make their lives simpler and more profitable. As for ordinary big business, this would have little effect - they're not using consumer connections for their servers! As for the Content Owners, this would be an absolute godsend. So how would it hurt Big Business?
Your point about tunneling over mail/MSN is a good one, but here's a possible flipside. You can tunnel your traffic to your best friend, and I'll tentatively grant that in the 'tunneling arms race' you stay one step ahead of 'tunneling detectors'. But what if you want to share information with people you don't know? How can you publish your willingness to share information without exposing yourself to a sting operation?
our childlike naivete and arrogance on Taming the Web · Score: 2
I've read the article and all the comments, and I think the comments simply reinforce the point of the article - we are arrogant and naive and continue to cling to our 'three myths'. Every time the adversary strikes a blow, we react with utter astonishment: "I can't believe they're really imprisoning us!" "How could they shut down that site - isn't it a First Amendment violation?"
And then we're back to our regularly scheduled hubris. The author warned us that "haha - you can't stop me" is not a viable message for winning over voters and politicians. The 'rebuttals' mostly say, "as long as we have host-host connectivity, we'll find a way around everything."
That rebuttal is begging the Powers That Be to shut off inbound TCP connections to consumers. It would be easy; it would save bandwidth and administrative headaches; it would prevent Code Red and similar things; it would remove ISPs' liability for user-hosted infringing content; and it would go unnoticed by 99% of the internet-using population. And when it happens, I expect the usual expressions of shock and astonishment on slashdot. The words of people who underestimated their adversaries.
There's another myth the author didn't address: "They can't arrest everybody!" Although this may be a variation of myth 3 - infinite supply of hackers. What this myth overlooks is that it will only take a few high-profile arrests and convictions to quell everyone. As Sun Tzu put it, 'Kill one to terrify ten thousand.' What this myth also overlooks is that the enforcement end of the system can be made profitable. The simplest procedure would be to seize the computers of p2p participants under Civil Asset Forfeiture. There would be no need to charge the violators with a crime, unless they obstruct police activity. Two cops driving around in a van, guided by a printout of addresses, could probably seize two computers an hour. That would more than pay for their time. And they might luck into some busts or other stuff - cops are by no means reluctant to have a pretext for entering homes.
Entering a battle with overconfidence is like bringing a knife to a gun fight. Our puny weapon is just enough threat to justify pulling the trigger. And our overbearing and unjustified arrogance makes all the neutral bystanders eager to see that trigger pulled.
Re:The Internet will never be completely controlle on Taming the Web · Score: 2
I'm glad you see it. It seems that very few posting here do. The end of the computer and the end of the internet will mean nothing to the average user. Actually, life will probably be easier and cheaper for him. The fact that our computers are full-fledged internet hosts is a historical accident. The upcoming times could be the dark ages of computing. It doesn't bother me that we face a powerful adversary; it bothers me greatly that most of us foolishly underestimate that adversary.
Re:A counter-example on Taming the Web · Score: 4, Interesting
Well that's great as long as Bobby already knows and trusts Sally. Suppose Sally's an FBI agent? Then Bobby has just done the equivalent of selling drugs to a cop. Per the DMCA, trafficking in a circumvention device is punishable by ten years imprisonment.
Will Bobby take this chance to benefit some random stranger?
I think the real threat to the entertainment industry is not Bobby's ability to send data to trusted friend Sally, but Bobby's ability to publish information so it's accessible to a huge audience.
So you have just proved that in the absence of government intervention, our technology beats their technology. Which is exactly the smug hubris condemned by the article - we don't have absence of government intervention. We have the DMCA precisely because the government thinks Bobby is 'out of control' and blowing past every technical restraint.
Re:two general assumptions are faulty on Taming the Web · Score: 2
The first assumption is that people will buy the devices, LOL.
Right, I mean who would buy a VCR with Macrovision?
Experts? Experts who think you need real-world authentication to log into hotmail?
I'll just leave my door unlocked because it's not a problem unless I'm specifically targeted.
Anyway, if you're going to write a web page that cites other web pages, please put in a link. The anonymous authors of this page ("Tech Live staff") neglected
to link to Root-Core, which seems to be the focus of the story, although they linked to Sophos, which was tangential.
And this was on Bugtraq on Saturday.
Ah, but these "fire stations" are actually an elaborate sting operation set up by disgrunted sysadmins. Those guys sitting around sharpening their axes to a razor edge are the same ones that got paged at 3:00 am when the mail server buckled beneath a torrent of spam. They've put out a lot of fires, but not the thermal kind.
When "Dave Smith" asks for his free account, they take his thumbprint and the computer links him up with "Carlos Moreno" whose account was TOS'd last night. Yes, spammers are stupid.
"OK, Dave, we just need you to lay your head on the desk for a minute. Yeah, right on that deep groove."
I'm having a hard time picturing the process you describe. Should I imagine these newbies viewing a CRT through the bottom of a beer glass? Or using a display two miles away with a telescope (which is certainly an extended (spy)glass.)
I get it! A looking glass.
Maybe the key insight is that nobody can control the naming of a GPL'd project. I can fork Emacs and call it HappyEdit. I can fork it 1000 times and apply 1000 randomly generated names. But these actions are only significant if I can interest others in these forks.
Since the code itself can be forked, there's not logic in trying to maintain control of the name. We all would like to receive credit for the work we've done, but the GPL does not make any provision for this.
And yet in the linked article, the maintainer of Glibc says that he contributes the majority of the code and he does not consider it part of the GNU system. So GNU may be like the former Soviet Union - a theoretical umbrella entity embracing numberous rebellious provinces.
Why don't they seek substantial copyright reform? Maybe movies and music recordings should be exempt from copyright. This would not stop the next Britney Spears, but it would take away the profit motive from the men who packaged and marketed her. Would Britney be shaking her ass for free in front of a webcam? Probably not. I notice the Christian Right doesn't complain about webcams or 'blasphemous' posts on Usenet. What really hits their hot buttons is when 'immoral' content is legitimized by the government or huge media corporations.
Huge media corporations shouldn't exist, and if they didn't then these Christians would not be upset by the abuse of a 'privileged pulpit.'
You could be right, but I also think that games put you into a heightened state of alertness, which is inevitably followed by a crash and feeling of depression.
Why do you think that? There was nothing in the study to support that idea.
I don't think today's cashiers do much mental arithmetic. The register does it. On the rare occasion when a cashier miskeys something and is forced to manually compensate, it's a very slow process.
I've been thinking about your question. An information exchange network is not strictly speaking a circumvention device. However, when the DMCA speaks of a "work" effectively protected by a technological measure, I don't think it requires that the technological measure be applied by the "owner" of the "work".
In other words, if a cable TV company buys programs without any protection, and yet their box outputs them with Macrovision, the work is now protected by a technological measure. Therefore a box that strips Macrovision is a circumvention device.
ISPs blocking inbound connections to consumers could therefore be considered a technological measure. A program that bypasses this blocking would then be a circumvention device.
I think a judge would be willing to apply this logic. If you followed the 2600 case, it's clear that once a judge identifies a party as 'bad guys' - that is, in opposition to major corporations, and the law under which they are charged is aimed in their general direction, he is not going to allow some computer technical issue to stop him.
But the network only becomes viable or interesting when there are lots of nodes. Was it Metcalfe who said the value of the network increases with the square of the number of hosts? Anyhow, your claim sounds like Winston Smith claiming that the contents of his head, at least, were still his property. We all know what happened then.
Canada has signed the WIPO treaty. That treaty says:
And in a grammatically tortured sentence, the treaty demands punishment for anyone who dares:
So if Canada hasn't passed a DMCA-like law yet, they are bound to do so by treaty. Maybe you can move to Iraq or Libya. These rogue states might need sysadmins for their homebrew networks of playstations computing nuclear bomb yields.
I think law enforcement is pretty good at infiltrating these 'webs of trust'. I was reading in the local newspaper about a DEA informant who created some headaches for the DEA. Apparently the DEA frequently persuades people who pled guilty to drug charges to act as informants for something like a year before their sentencing. If they are successful in busting a lot of their friends, they get a substantially reduced sentence.
I think the FBI has infiltrated Nazi groups, Communist groups, militias and other tight-knit face to face communities of trust. I think it would be child's play for them to infiltrate an internet-based community linked by crypto. All they have to do is bust one member, whether for traficking in circumvention devices or some unrelated offense, and convince him to be an informant for a lighter sentence. Tell him that he must finger 20 users in the next year. Then bust those twenty, and apply the same technique.
It wouldn't necessarily kill the community, but it would drive out a lot of people. Me, for instance.
And I don't understand how you can demand 100 ultimately trusted signatures. I'm assuming that ultimately trusted == known personally. Do you know and trust 100 people? If so, what are the chances of a new person knowing and being trusted by all 100?
It seems that in practice you'd have to allow 1 ultimately trusted signature, enabling the infiltration/informant attack.
I didn't know that. But I guess the dividing line is the use of methods to get/set members of a structure. This trades off speed for encapsulation. Linux isn't doing that, is it?
What's sad is that everyone is marketing to this 'passive consumer' who is a clueless victim of his software. Everyone is buying and selling 'desktop real estate' and 'eyeballs'. The assumption is that the consumer can be led around by the nose to any destination we see fit.
I think that in real life very few consumers fit this mold. The majority are angry and scared at the way their computers and the web seem to be fighting them. I think that the ideal of the 'passive consumer' does not come from experience, but from sick fantasy.
This is acted out constantly in meetings. We have a piece of Windows software that is installed with "InstallSheild Wizard". The marketing guy was complaining that it's too intimidating - we should just quietly install the software with hardly any notification to the user. Of course the programmers say "If that happened to me, I'd be mad." And the marketing guy says, "You're not normal. Normal people don't want to see a blue screen and bunch of steps of installation."
This is called a microkernel and is apparently popular with OS researchers. Linus Torvalds explicitly rejected this view, much to the disgust of OS expert Andrew Tannenbaum. Read more here.
Most good software, including Linux, is not object oriented. The idea that software must be either object oriented or chaotic spaghetti code is wrong. To put it simply, Linux had to be fast in order to win. OO code tends to be slower.
You seem to want a microkernel, object oriented operating system. This is the opposite of Linux.
Of course it's easy (and cheap) for me to take this stance, because:
- I have neither a TV nor a DVD player nor a computer running Windows.
- I no longer have the attention span for 90 minutes+ of passive "entertainment". And my big goal in life is to get outside more, not to spend more hours in front of a CRT.
- The whole "Star Trek" thing strikes me as egregiously awful rubbish, summing up the worst and most embarrassing stereotypes of the 'geek'. Not to mention the deeply authoritarian, imperialistic ideology underpinning the shows. Did you notice that the riot control expert (a Marine Colonel, I think) quoted in a recent non-lethal-weapon thread cited the phaser as the dream weapon they're working towards? Oh, and feel free to 'rebut' this by pointing out the episode where Captain Picard orders the Deltachrons not to impose their culture on the Anabonkas. You will be missing something.
- For some reason I associate Star Trek with Microsoft. Every MCSE I've worked with seems like he wants to prance around in a spandex uniform saluting and saying "Thrusters full ahead, Captain!" (Or whatever they say). The whole tone of Microsoft's communication to developers/sysadmins seems to say, "Aren't you lucky to be on board our great big high-tech ship? You are hereby promoted to assistant technical system support engineer! Click OK to continue." Of course the abuse of the word "Enterprise" underscores the link.
So how am I doing in the real world? Well, I bought a book recently. Although book publishers haven't taken the spotlight yet, they all seem to support the DMCA. Some association of publishers was quoted as celebrating Sklyarov's arrest. My hands are not altogether clean.

By the way, if you mod this down for mocking Star Trek, I hope you are magically transported to the Enterprise and get to find out how an outspoken intelligent person would fare in such an environment.
If all the security experts on BugTraq retreated into the old boys' network and denied me the benefit of their knowledge, I think that new experts would spring up to fill their place. The old experts would have ceased to be important. Actually, the main benefit I get from BugTraq is a feel for security in the software I'm writing. Frequently some tiny technical detail from a BugTraq message will come back to me when we're designing a piece of code, and I'll realize we're creating a subtle hole. Anyhow, your desire to squelch the actual exploit seems to swim against the current of the internet. If the guy who finds the bug stops short of a full exploit, someone else will naturally oblige by filling the gap.
Microsoft doesn't seem to do that anymore, because they've adapted to the reality of full disclosure. However, many software vendors still do sweep problems under the rug - in fact this seems to be the 'default setting' for a software vendor.
If you read BugTraq, it seems like half the vulnerability postings say "I notified $VENDOR four weeks ago, and they failed to respond/said it's a feature/said it's not worth fixing."
One vendor revved their firmware three times while ignoring a huge vulnerability that had been reported to them. Finally the researcher posted it to BugTraq. And this is not exceptional - I remember it only because I read it recently.
If you look at Microsoft's vulnerability announcements, you can see the evolution. They used to put a little PR spin on the vulnerability, claiming it would take 'special software' to exploit it, or otherwise implying that an exploit was unlikely. They seem to be reducing these attempts at damage control, since they realize that everyone realizes that if it can be done, it can be automated.
I mention these little PR driblets because they demonstrate that the advisories are issued under duress - Microsoft feels that it would be better not to issue an advisory. And they acknowledge the duress honestly - part of adapting to the full disclosure world - by giving credit to the researcher who reported the vulnerability. That's how they reward people for telling them first.
That's just silly. I've worked for a corporation bigger than you describe, and much of the internal web is run on Apache. And pushing information to 'several hundred people' is not a big deal. We supported 56,000 people when I was there. Did they use EJB's? Sure, in a few areas. They used just about every technology.
You're right that web sites (note plural - there are *many* independent web sites in a large organization) are only the pretty end. The 'nuts and bolts' is mostly Oracle. Applications invoke stored procedures to store and retrieve data. This is the quiet, unhyped reality of intra-business data interchange.
Why it's good: if Developer Dave can't insert rows in a table, the problem is between him and the DBA's. Ed, who wants to read those rows, is clearly not involved yet. When we switch to Dave's app messaging Ed's app directly, we get into finger pointing and usually a semi-documented API. And Ed will end up having to store the data somehow, which tends towards reinventing the database.
And long after Ed and Dave have left the company, a DBA can DESCRIBE the relevant tables and help the next wave of developers understand how it works.
Ah, but mix in one more factor. All this tunnelling will require software. Software like that needs to be revved pretty frequently - the version from three weeks ago will be blocked by some change in MSN protocols. And distributing this software is 'trafficking in a circumvention device' according to the DMCA, and punishable by 10 years imprisonment. Where will people download this software? How will development be coordinated? Remember, we take for granted the use of open mailing lists in software development. How will programmers live with the fear that the helpful person who offered programming advice on MSN chat may be an FBI agent collecting evidence for a bust? And finally, if some super-secret channel evolves for the development and distribution of the tunneling software, how does Joe User get connected? Remember, Napster was cool because of all those Windows users. Gnutella became useful when Limewire and Bearshare connected hordes of Windows users.
Are we a police state now for enforcing laws against illegal drugs? It looks like the info-war will soon resemble the drug war.
How would it hurt big business? It would benefit ISP's - make their lives simpler and more profitable. As for ordinary big business, this would have little effect - they're not using consumer connections for their servers! As for the Content Owners, this would be an absolute godsend. So how would it hurt Big Business?
Your point about tunneling over mail/MSN is a good one, but here's a possible flipside. You can tunnel your traffic to your best friend, and I'll tentatively grant that in the 'tunneling arms race' you stay one step ahead of 'tunneling detectors'. But what if you want to share information with people you don't know? How can you publish your willingness to share information without exposing yourself to a sting operation?
I've read the article and all the comments, and I think the comments simply reinforce the point of the article - we are arrogant and naive and continue to cling to our 'three myths'. Every time the adversary strikes a blow, we react with utter astonishment: "I can't believe they're really imprisoning us!" "How could they shut down that site - isn't it a First Amendment violation?"
And then we're back to our regularly scheduled hubris. The author warned us that "haha - you can't stop me" is not a viable message for winning over voters and politicians. The 'rebuttals' mostly say, "as long as we have host-host connectivity, we'll find a way around everything."
That rebuttal is begging the Powers That Be to shut off inbound TCP connections to consumers. It would be easy; it would save bandwidth and administrative headaches; it would prevent Code Red and similar things; it would remove ISPs' liability for user-hosted infringing content; and it would go unnoticed by 99% of the internet-using population. And when it happens, I expect the usual expressions of shock and astonishment on slashdot. The words of people who underestimated their adversaries.
There's another myth the author didn't address: "They can't arrest everybody!" Although this may be a variation of myth 3 - infinite supply of hackers. What this myth overlooks is that it will only take a few high-profile arrests and convictions to quell everyone. As Sun Tzu put it, 'Kill one to terrify ten thousand.' What this myth also overlooks is that the enforcement end of the system can be made profitable. The simplest procedure would be to seize the computers of p2p participants under Civil Asset Forfeiture. There would be no need to charge the violators with a crime, unless they obstruct police activity. Two cops driving around in a van, guided by a printout of addresses, could probably seize two computers an hour. That would more than pay for their time. And they might luck into some busts or other stuff - cops are by no means reluctant to have a pretext for entering homes.
Entering a battle with overconfidence is like bringing a knife to a gun fight. Our puny weapon is just enough threat to justify pulling the trigger. And our overbearing and unjustified arrogance makes all the neutral bystanders eager to see that trigger pulled.
I'm glad you see it. It seems that very few posting here do. The end of the computer and the end of the internet will mean nothing to the average user. Actually, life will probably be easier and cheaper for him. The fact that our computers are full-fledged internet hosts is a historical accident. The upcoming times could be the dark ages of computing. It doesn't bother me that we face a powerful adversary; it bothers me greatly that most of us foolishly underestimate that adversary.
Well that's great as long as Bobby already knows and trusts Sally. Suppose Sally's an FBI agent? Then Bobby has just done the equivalent of selling drugs to a cop. Per the DMCA, trafficking in a circumvention device is punishable by ten years imprisonment.
Will Bobby take this chance to benefit some random stranger?
I think the real threat to the entertainment industry is not Bobby's ability to send data to trusted friend Sally, but Bobby's ability to publish information so it's accessible to a huge audience.
So you have just proved that in the absence of government intervention, our technology beats their technology. Which is exactly the smug hubris condemned by the article - we don't have absence of government intervention. We have the DMCA precisely because the government thinks Bobby is 'out of control' and blowing past every technical restraint.