I think you have the right of it. I would like to point out however that the CYA approach only seems reasonable because this legal tort domain in These Modern United States is batshit crazy. It's purely a defensive move on FedEx's part.
Just like PayPal cancelling a business person's account because someone made a payment to them with a joke of a memo "for cocaine".
Yes, it's the same stupid that gives rise to "zero tolerance" policies, and yes, FedEx would undoubtedly be on the receiving end of a lawsuit for exercising common sense.
Well, computers can't hold copyrights, so that won't be a big deal. Computers can probably infringe on copyrights, though, and in causing untold trillions of dollars of global economic damage because copyright infringement will probably lead the computer to be summarily executed on the spot.
This is it exactly. If the people in power were in any way intellectually honest or even consistent, it would be a different story.
But in These Modern United States: citizens are people who have rights (insofar as they are granted them anyway) and responsibilities (that are imposed on them); corporations (that in many senses "own" citizens) are people that have rights but no responsibilities; and property (that citizens own and are empowered by) has responsibilities but no rights.
Yes, absolutely; the property should be restored to the owner, unless the owner is found guilty of the crime under which the property was seized. None of this "seize for drugs, bust for prostitution, keep the car" bullshit. In fact, this should be exactly what the 4th Amendment covers. Anything else is (IMHO) an unreasonable seizure. (It should go without saying that seizure of the property should be a reasonable punishment for the crime to begin with.)
And we thought technologically clueless lawmakers were the only bad thing we had to worry about.
Yes, it's Komodia (which Superfish doesn't name) who appears to have done this, but it's Superfish who decided to use Komodia's braindead stupid method of breaking HTTPS. Yes, you tested it, but your tests suck if you didn't spot this kind of security mess.
This goes beyond calling out that their tests suck. Maybe their tests do not. How many laptop provisioners have a line item in their test suite "does not expose user to massive MitM"? Probably none (arguments can be made that they should...).
This is purely and simply "technology and security cluelessness" in spades.
Because any halfway decent laptop provisioner should know the end result of what they are purchasing from their subcontractors. Even hearing a high-level, 30,000-foot description of the process ("we inject ads into shopping sites for you by decrypting web sites and re-encrypting them so the user doesn't notice") would have had any halfway competent neuron exposed to the security disasters in recent years lighting up like a distress flare. This conversation absolutely should have happened between Superfish and Komodia, or Lenovo and Superfish.
Being this ignorant of technology and security, for lawmakers and provisioners alike, is flat out unacceptable.
> I find it fascinating that China chooses to reply to requests for blocked domains by returning falsified results. That alone should be grounds to get their DNS servers banned from the system until they fix the problem.
Wouldn't that mean that anyone from the outside would not be able to resolve hostnames that are theirs to point to? It also wouldn't help the fact that everyone on the inside is likely using those DNS servers by default.
> I wonder why they don't reply to those requests in the correct way: by saying that they can't resolve the domain name? Or why they don't do it like the US does it: reply with the address to a server that displays a big ol' "you're breaking the law!" message?
That would be too straightforward; by sending requesters to a wrong page, they sow confusion among the enemy. "Hey, did you check out that site?" "Yeah, they were selling cute kitten doilies!" It might be a while before they communicate that something is wrong.
I've come to the conclusion after Heartbleed (and this confirms it) that companies that choose a FLOSS project instead of a costly proprietary one should take some of the money that would have gone to licensing and donate it to the FLOSS project.
OpenSSL is a particular sore spot for me as I know that a lot of companies devoted huge amounts of developer resources to their own proprietary fork, and spent another ton of money to get their own fork FIPS certified so they could use it in their products. Over and over and over again these companies redo the same damn work (as a group and individually when they went through the same process for a newer version of OpenSSL) and very little of it (if any) made it back to the project or developers in terms of code or money.
This seems to stem from the entitlement culture - the granddaddy of the permission culture - that tries to claim "ownership" of every scrap of "intellectual property".
I am glad this has a happy continuation, but I can't help but wonder what we are overlooking. What other FLOSS projects out there are critical to the internet ecosystem, and what are their needs?
That's only half the solution though. Everyone seems to conveniently forget the gaping security hole introduced by arguably the most popular FOSS encryption library, OpenSSL.
The other half is to take at least some of that money your company would have spent on the proprietary software and donate it to the FOSS tools you are using.
It doesn't have to be a cash donation (in case the project doesn't really have a project manager in charge of financials, like, say, OpenSSL); offer to pay a developer's salary. Offer to pay for infrastructure and set it up.
For some projects, a year of salary or infrastructure might still be cheaper than licenses. For others you could band together with a few other companies and form a joint subsidiary (or whatever) and pool your money.