TKnarr’s Techdirt Profile


About TKnarr

TKnarr’s Comments

  • Aug 3rd, 2015 @ 12:21pm

    (untitled comment)

    This is why I don't consider Github a primary repository for anything important. I don't trust any other party further than the explicit wording of my contract with them. Things like this just reinforce my reasons for that.

  • Jul 31st, 2015 @ 1:03pm

    New vs. used

    I do see a difference here. Brooks was talking about used CDs, where the royalty had already been paid when it was first sold. Swift is talking about new sales/streams, where a royalty hasn't already been paid. Suppose I sign a contract with a publisher giving me an X% royalty per book on a fixed cover price, no exceptions and no terms allowing for any sort of distribution at a discounted price. Then one day I walk into a bookstore and find copies of my book being given away for free in a publisher-sponsored giveaway program, I haven't been asked to agree to this and I'm not being paid any royalty on the theory that X% of zero is zero. These aren't used copies, they're brand-new books. Am I not entitled to take the position that my publisher owes me royalties on those copies based on the agreed-on cover price and they'll just have to chalk those royalties up as a cost of running the promotion?

  • Jul 27th, 2015 @ 1:26pm

    Re: Perfectly Secure

    The software's probably DD-WRT like seemingly every consumer-grade router uses these days, and the ISP's just using the guest-network capability already built in. The VLAN separation's built into the switch hardware, so I wouldn't be so worried about that (any bugs there would also show up in the switch maker's managed switches and they couldn't let it go very long without sales tanking).

  • Jul 27th, 2015 @ 11:50am

    Re: Re:

    As secure as your regular router is. Bear in mind that if you dig into the technical internals your router does not have a WAN port and 4 LAN ports. What it has is a 5-port switch. The firmware just configures 2 VLANs on the switch, usually assigning the 4 LAN ports and the WiFi interfaces to VLAN 1 and the single WAN port to VLAN 2. If there's a way to breach the VLAN separation then your router's already vulnerable to someone outside doing that and gaining access to the local VLAN through the WAN port. Which VLAN they start from won't change the vulnerability.

    Getting full control of this easily requires flashing DD-WRT, but since most router firmware's a modified version of DD-WRT anyway someone with enough knowledge and patience (or someone using a packaged exploit kit) can pull an NVRAM backup from the router, edit the VLAN setup and other configuration items and load in the new settings without having to flash new firmware. And if the router's running stock firmware it's probably outdated and has unpatched vulnerabilities in it.
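The comment above describes the consumer router as a 5-port switch whose firmware places the LAN ports in one VLAN and the WAN port in another, and notes that the VLAN layout lives in the NVRAM settings. As an added example (not the commenter's code, and not tied to any particular router), the Go program below parses an NVRAM-style backup and reports any physical switch port that both the LAN VLAN and the WAN VLAN carry, which is the check an owner would run to confirm the separation is still what the firmware intended. The variable names `vlan1ports`, `vlan2ports`, `lan_ifnames` and `wan_ifname` and the `5*` marking of the CPU port follow the convention of Broadcom-based DD-WRT builds, but both sample dumps are constructed for this example and are assumptions rather than captures from a real device.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Two constructed NVRAM-style dumps. The variable names (vlan1ports, vlan2ports,
// lan_ifnames, wan_ifname) follow the convention of Broadcom-based DD-WRT builds, but
// both samples are assumptions made for this example, not captures from a real router.
const goodNvram = `vlan1ports=1 2 3 4 5*
vlan2ports=0 5
lan_ifnames=vlan1 eth1
wan_ifname=vlan2
`

// Same layout, except that switch port 1 has also been placed in the WAN VLAN.
const leakyNvram = `vlan1ports=1 2 3 4 5*
vlan2ports=0 1 5
lan_ifnames=vlan1 eth1
wan_ifname=vlan2
`

// ParseNvram turns "key=value" lines into a map; malformed lines are skipped.
func ParseNvram(dump string) map[string]string {
	vars := map[string]string{}
	for _, line := range strings.Split(dump, "\n") {
		if k, v, ok := strings.Cut(strings.TrimSpace(line), "="); ok {
			vars[k] = v
		}
	}
	return vars
}

// CPUPort returns the switch port flagged with '*' in any vlanNports variable: the
// port wired to the router's SoC, which every VLAN legitimately shares. -1 if none.
func CPUPort(vars map[string]string) int {
	for k, v := range vars {
		if !strings.HasPrefix(k, "vlan") || !strings.HasSuffix(k, "ports") {
			continue
		}
		for _, f := range strings.Fields(v) {
			if strings.HasSuffix(f, "*") {
				if n, err := strconv.Atoi(strings.TrimSuffix(f, "*")); err == nil {
					return n
				}
			}
		}
	}
	return -1
}

// VlanPorts parses a list such as "1 2 3 4 5*" into sorted physical port numbers,
// leaving out the CPU port.
func VlanPorts(spec string, cpu int) []int {
	var ports []int
	for _, f := range strings.Fields(spec) {
		if n, err := strconv.Atoi(strings.TrimSuffix(f, "*")); err == nil && n != cpu {
			ports = append(ports, n)
		}
	}
	sort.Ints(ports)
	return ports
}

// CheckSeparation returns one finding per physical switch port that the LAN VLAN and
// the WAN VLAN both carry. An empty result means the switch keeps them apart.
func CheckSeparation(dump string) []string {
	vars := ParseNvram(dump)
	cpu := CPUPort(vars)
	lanVlan := ""
	for _, ifn := range strings.Fields(vars["lan_ifnames"]) {
		if strings.HasPrefix(ifn, "vlan") {
			lanVlan = ifn
			break
		}
	}
	wanVlan := vars["wan_ifname"]
	lan := VlanPorts(vars[lanVlan+"ports"], cpu)
	wan := VlanPorts(vars[wanVlan+"ports"], cpu)
	var findings []string
	for _, p := range lan {
		for _, q := range wan {
			if p == q {
				findings = append(findings, fmt.Sprintf("switch port %d is in both %s (LAN) and %s (WAN)", p, lanVlan, wanVlan))
			}
		}
	}
	return findings
}

func main() {
	fmt.Println("good:", CheckSeparation(goodNvram))
	fmt.Println("leaky:", CheckSeparation(leakyNvram))
}
```

The CPU port is deliberately excluded from the comparison: it appears in every VLAN by design (tagged toward the SoC), so flagging it would only produce noise. Anything else shared between the two VLANs means a physical port is bridged across the WAN/LAN boundary.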

  • Jul 1st, 2015 @ 12:09pm

    (untitled comment)

    So, basically another reason that I should travel by car if possible, with any important baggage traveling by FedEx or UPS.

  • Jun 25th, 2015 @ 10:52am

    (untitled comment)

    I think the theory is that it worked to get the French aristocracy out of power so it's good enough for anything else. What's annoying is that often I find myself agreeing with the protesters' points, but that agreement's overwhelmed by the desire to smack them up the side of the head for their idiotic antics.

  • Jun 24th, 2015 @ 11:40am

    Re: Re:

    All the service providers I use have an RSS feed of their blogs where they post information like this policy change. I subscribe to them and put them in a Providers feed so I can keep up with things I may need to know about. If someone owns a domain and isn't keeping up with what's required of a domain owner in some fashion... tough, that's what happens when you don't pay attention to your stuff.

    As for scary emails, most of them are obvious fakes (I don't have an account there, wrong email address, obviously bogus source and so on). When I get one that isn't an obvious fake, yes I do check my account to make sure there isn't anything I need to take care of. It doesn't happen that often, maybe once every couple of months, so it's not a big deal.

  • Jun 24th, 2015 @ 10:46am

    (untitled comment)

    I'd suggested one solution to EasyDNS: have a way to verify the information from the domain's information page in addition to the e-mail, so when you got one of those e-mails you could simply log in to EasyDNS as usual and check the domain information to see if verification was really required. That'd comply with ICANN's spec and allow those that care about it to avoid phishing attempts at the same time.

  • Jun 9th, 2015 @ 12:41pm

    (untitled comment)

    I'd've gotten a lawyer and seen about having him write a letter back including a copy of their letter plus screen and source captures of my Web site and what they presented showing that theirs is a modified version of mine, and asking essentially "Are you really admitting, publicly and in writing, to modifying and distributing a copyrighted work (my web site) for commercial gain without the permission of the copyright holder (me)?". I'd also send a counternotice to Github citing that I am the copyright holder of the Web page in question and that the code posted was a copy of the code for my page served to me from my server through the complainant's network, to which I had not granted permission to modify my work and distribute the modified version.

  • Jun 8th, 2015 @ 11:27am

    (untitled comment)

    Maybe a simple adjustment: set a statutory royalty rate, and say that anyone can use any work without a registered copyright owner merely by agreeing to pay the statutory rate per copy made up to the point where an owner registers the work, proves ownership and informs the user of the change or the user is informed through an annual check of the registration each user is required to make. No creator can sue for any relief other than the statutory rate for any use prior to registration. Give copyright owners 1 year to file registrations before this change goes into effect. That would seem to give at least clarity on how to go about using an orphan work without violating the Berne Convention (as far as I know) and without allowing copyright owners to ambush users nor users of a work to abuse claims that the work was orphaned.

  • Jun 4th, 2015 @ 6:36am

    Re: Re: Forced to lie

    But can you imagine a situation where it's useful to the government for the government to force a person to lie? That's the relevant question.

  • Jun 4th, 2015 @ 2:04am

    Forced to lie

    One thing I have problems with is the common assumption that the gag order can't legally require the subject to lie about the gag order. I'm of the opinion that courts would have no problem with an order requiring the subject in the general case to not do anything that would either by commission or omission disclose the existence of the order, i.e. if failing to say X would mean you'd received an order then the subject must say X even if that means lying.

    The only way around that I can see is to involve one of the special cases where not even the government can require someone to lie. The lowest-risk case would be to have the person making the statement be an attorney in an attorney-client relationship with the subject, have that attorney be the only proper and official person authorized to receive all legal demands, and have the canary state under penalty of perjury that the above is to the best of the attorney's knowledge true and correct and be cryptographically signed by that attorney. That might be the only case where even the most pro-law-and-order judge might balk at requiring a lie. Especially if the canary was still being posted but the lack of either the signature or the "true and correct" language was the tip-off that something was wrong.
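The comment above sketches a canary with three properties a reader would check: it is cryptographically signed by the attorney, it carries the "true and correct" attestation, and it keeps being posted. As an added example (not the commenter's code, and not any real canary's format), the Go program below implements both sides of that scheme with Ed25519 from the standard library: the attorney composes and signs the text, and a reader's `Check` reports the first thing missing. The attestation sentence, the `Dated:` line format, the 30-day freshness window and the canary body are all this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Attestation is the wording a canary must carry verbatim, the attorney's statement
// under penalty of perjury. The exact sentence is this example's assumption.
const Attestation = "I declare under penalty of perjury that the above is, to the best of my knowledge, true and correct."

// Canary is one published statement plus a detached Ed25519 signature over its text.
type Canary struct {
	Text      string // statement body, a "Dated:" line and (if present) the attestation
	Signature string // hex-encoded signature, or empty when none was published
}

// Compose builds the canary text; withAttestation=false models the case where the
// attorney keeps posting but drops the "true and correct" language.
func Compose(body string, dated time.Time, withAttestation bool) string {
	lines := []string{body, "Dated: " + dated.Format("2006-01-02")}
	if withAttestation {
		lines = append(lines, Attestation)
	}
	return strings.Join(lines, "\n")
}

// Sign is the attorney's side: sign exactly the text that will be published.
func Sign(priv ed25519.PrivateKey, text string) Canary {
	return Canary{Text: text, Signature: hex.EncodeToString(ed25519.Sign(priv, []byte(text)))}
}

// Check is the reader's side. It returns "" when the canary is intact (signed by the
// expected key, carrying the attestation, dated within maxAge of now), otherwise the
// first problem found. Any non-empty answer is the tip-off the comment describes.
func Check(pub ed25519.PublicKey, c Canary, now time.Time, maxAge time.Duration) string {
	sig, err := hex.DecodeString(c.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "signature missing or malformed"
	}
	if !ed25519.Verify(pub, []byte(c.Text), sig) {
		return "signature does not verify"
	}
	if !strings.Contains(c.Text, Attestation) {
		return "attestation wording missing"
	}
	dated, ok := datedLine(c.Text)
	if !ok {
		return "no Dated: line"
	}
	if now.Sub(dated) > maxAge {
		return "canary is stale"
	}
	return ""
}

// datedLine extracts the "Dated: YYYY-MM-DD" line from the canary text.
func datedLine(text string) (time.Time, bool) {
	for _, line := range strings.Split(text, "\n") {
		if strings.HasPrefix(line, "Dated: ") {
			t, err := time.Parse("2006-01-02", strings.TrimPrefix(line, "Dated: "))
			return t, err == nil
		}
	}
	return time.Time{}, false
}

// Scenarios signs a constructed canary five ways and returns what Check says about each.
func Scenarios() map[string]string {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2015, 6, 4, 0, 0, 0, 0, time.UTC)
	maxAge := 30 * 24 * time.Hour
	body := "As of the date below, this office has received no legal demand for its client's data." // constructed
	fresh := now.AddDate(0, 0, -7)

	out := map[string]string{}
	out["intact"] = Check(pub, Sign(priv, Compose(body, fresh, true)), now, maxAge)
	unsigned := Canary{Text: Compose(body, fresh, true)} // posted without any signature
	out["unsigned"] = Check(pub, unsigned, now, maxAge)
	out["no attestation"] = Check(pub, Sign(priv, Compose(body, fresh, false)), now, maxAge)
	tampered := Sign(priv, Compose(body, fresh, true))
	tampered.Text = strings.Replace(tampered.Text, "no legal demand", "one legal demand", 1)
	out["tampered"] = Check(pub, tampered, now, maxAge)
	out["stale"] = Check(pub, Sign(priv, Compose(body, now.AddDate(0, 0, -60), true)), now, maxAge)
	return out
}

func main() {
	for name, verdict := range Scenarios() {
		if verdict == "" {
			verdict = "ok"
		}
		fmt.Printf("%-15s %s\n", name+":", verdict)
	}
}
```

The checks run in the order a reader cares about: a missing or failed signature is reported before anything else, since without it the text's wording proves nothing; the missing-attestation case is the one the comment singles out, where a correctly signed canary is still a warning because the perjury language was quietly dropped.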

  • Jun 2nd, 2015 @ 12:54am


    Yes, independent contractors do. However, their clients aren't obligated to let the contractor set the rate the client's willing to pay. If I say I need a carpenter for a job and I'm willing to pay $35 per hour the job takes (with the carpenters submitting estimates of how long it'll take them, but I'm still going to pay based on actual hours taken and not the dollar value of the estimate), a carpenter who wants $45/hour isn't going to get $45/hour. He'll either accept the $35/hour I'm offering or I'll decline his services. Same for Uber, they're willing to offer a fixed rate and if you want more they simply won't contract with you.

  • Jun 1st, 2015 @ 11:49am

    Intent not commonly found?

    Hello? Manslaughter? It and several other charges exist for the sole purpose of being an appropriate criminal charge for someone who did something without intent. Ditto sexual assault and related crimes, the defendant can be charged and convicted even if they honestly believed they had consent and so couldn't have intended sexual assault (e.g. the victim was under-age and concealed that fact by lying to the defendant).

  • May 30th, 2015 @ 12:27am

    Not just diet and health

    Here's a list of papers appearing in chemistry journals:

    To give you an idea, here are titles for some of the papers:
    JACS: "Science Rejected It, and Angewandte Couldn't Think Up a Bad Enough Joke, So Here We Are"
    Ang. Chem.: "A Metal-Organic Framework With Nanostructured BODIPY Ligands, Published Without Review on the Basis of the Title Alone"
    J. Med. Chem.: "This Project Looks Good, But It Did Not Work. And 18 Out of the 23 Authors have Typographical Symbols Behind Their Names, Because The Work Took Place During Bush's First Term"

  • May 26th, 2015 @ 12:33pm


    Cox's IP assignments are relatively static. I've had the same IP address for several years now. As far as I can tell they associate a DHCP lease with the cable modem's serial number and check whether an address is in use before handing it out, so the only times it'll assign a new address is if you replace your modem, your router's off-line long enough for the lease to expire and then for someone else to request a new lease while your router's unable to respond to the head-end's in-use test, or your router's off-line when they reset the head-end (clearing the lease database) and stays off-line long enough for the head-end to hand out your address to someone else.

    And even if IP addresses changed regularly, the DHCP servers log the assignments so given an address and a timestamp you can determine from the logs which subscriber had that address at that time. At least as long as the logs haven't aged out, anyway.
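The second paragraph above states the lookup an ISP performs: given an address and a timestamp, the DHCP lease logs say which subscriber held it, as long as the record hasn't aged out. As an added example (not the commenter's code and not any real head-end's log format), the Go program below parses a constructed lease log, answers that query, and shows the two ways it comes back empty: the instant falls in a gap between two leases, or the record has already been dropped by the retention window. The log layout, the `MODEM-*` subscriber identifiers and the 90-day retention are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed lease-log lines, "start end ip subscriber" with RFC 3339 timestamps.
// The format and the subscriber identifiers are this example's assumptions, not any
// real head-end's log format or data. 203.0.113.0/24 is a documentation range.
const leaseLog = `2015-01-10T08:00:00Z 2015-05-01T08:00:00Z 203.0.113.45 MODEM-A1
2015-05-01T09:30:00Z 2015-12-31T00:00:00Z 203.0.113.45 MODEM-B7
2015-01-10T08:05:00Z 2015-12-31T00:00:00Z 203.0.113.46 MODEM-C3
`

// Lease is one assignment of IP to Subscriber, valid over [Start, End).
type Lease struct {
	Start, End     time.Time
	IP, Subscriber string
}

// ParseLeases reads the log format above; a malformed line is an error, not a skip,
// because a silently dropped record would make a later lookup return "nobody".
func ParseLeases(log string) ([]Lease, error) {
	var leases []Lease
	for n, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		start, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		end, err := time.Parse(time.RFC3339, f[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		leases = append(leases, Lease{Start: start, End: end, IP: f[2], Subscriber: f[3]})
	}
	return leases, nil
}

// Holder answers "which subscriber had ip at instant t?". ok is false when no lease
// covers that instant: the address was unassigned then, or the record is gone.
func Holder(leases []Lease, ip string, t time.Time) (subscriber string, ok bool) {
	for _, l := range leases {
		if l.IP == ip && !t.Before(l.Start) && t.Before(l.End) {
			return l.Subscriber, true
		}
	}
	return "", false
}

// Retain models log aging: leases that ended before now-retention are dropped.
func Retain(leases []Lease, now time.Time, retention time.Duration) []Lease {
	cutoff := now.Add(-retention)
	var kept []Lease
	for _, l := range leases {
		if !l.End.Before(cutoff) {
			kept = append(kept, l)
		}
	}
	return kept
}

// MustLeases parses the constructed log or panics.
func MustLeases() []Lease {
	leases, err := ParseLeases(leaseLog)
	if err != nil {
		panic(err)
	}
	return leases
}

func main() {
	leases := MustLeases()
	for _, q := range []string{"2015-03-01T12:00:00Z", "2015-05-01T09:00:00Z", "2015-06-01T12:00:00Z"} {
		t, _ := time.Parse(time.RFC3339, q)
		who, ok := Holder(leases, "203.0.113.45", t)
		fmt.Printf("%s 203.0.113.45 -> %q found=%v\n", q, who, ok)
	}
	// With 90 days of retention measured from 2015-12-01 the first lease has aged out.
	now := time.Date(2015, 12, 1, 0, 0, 0, 0, time.UTC)
	kept := Retain(leases, now, 90*24*time.Hour)
	t, _ := time.Parse(time.RFC3339, "2015-03-01T12:00:00Z")
	who, ok := Holder(kept, "203.0.113.45", t)
	fmt.Printf("after retention: %q found=%v\n", who, ok)
}
```

The half-open interval matters: the instant exactly at a lease's expiry belongs to nobody until the next lease starts, which is the window in which the comment's "someone else requests a new lease" case puts a different subscriber on the same address.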

  • Apr 24th, 2015 @ 10:53pm

    On WiFi at all?

    My reaction was "Why is anything related to aircraft safety or control on WiFi at all?". That sort of stuff should be running on a hardwired network where getting access wouldn't be a trivial job or, if it absolutely must be broadcast, on a securely-encrypted network on a band not usable by common consumer electronics. This isn't just a vulnerability in the system, it's a fatal flaw in the very foundation of the system itself: as long as it exists the system can't be adequately secured.

  • Apr 22nd, 2015 @ 5:46pm

    (untitled comment)

    Full-disk encryption won't protect you from most attacks. They most often occur when your system's operating normally and decrypting the disk for the attacker. It only protects you against physical theft of the drive or, in hosted data centers, access to the physical drives your volumes reside on. I'd only use it on a mobile device that was at a relatively high risk of being stolen.

    Why not in a hosted data center? Because there's the issue of how your host gets the decryption key during startup so it can mount the volume. All practical methods allow the attacker to get the plaintext key if he could access the encrypted volume, so it might as well not be encrypted. If it's not encrypted, nobody gets fooled into thinking it's secured against things it isn't.

  • Apr 15th, 2015 @ 10:21pm

    Re: Re: Development

    Notice that I said "yet". I definitely want to add it, but not when it's just running on my local workstation or on the developer network and I'm trying to get the code itself working. One thing at a time.

    And what are they going to do with IPv6 and built-in IPSec, where the authentication and encryption are handled at the IP level rendering SSL/TLS redundant? IPSec is an RFC-level standard, after all.

  • Apr 15th, 2015 @ 9:28pm


    I can see an issue here: development environments and internal operations where by design it's not necessary to verify the endpoint's identity or secure the content from eavesdropping, either because the client and endpoint are on the same machine via, because everything's running over a VPN that handles the encryption or because they're on a secured network where if an intruder's in a position to spoof an endpoint or eavesdrop on traffic you've got far, far bigger problems than HTTP traffic to worry about.

    Especially when I'm developing software I don't want to add SSL and its complications to the mix yet. I have enough bugs without adding SSL certificate issues (including such fun as "I can't get real SSL certificates for the domain, security policies on the systems prevent me from adding a local root CA certificate and bits of software don't have the ability to handle self-signed certificates without errors.") and having to correctly configure SSL on both ends before I can even start seeing output.

    I'm strongly of the opinion that protocol layers should be independent. HTML shouldn't depend on features of HTTP nor require that it only be served over HTTP. HTTP likewise shouldn't care whether it's running over TCP or SSL or SNA for that matter (yes, even in this decade good old LU6.2 and SNA over bisync is alive and well despite all attempts to correct the situation).
