(security, that is.) As the FSF astutely observes, "If you need to provide evidence to someone else to illustrate why using such software is a bad idea, feel free to use us as an example. If your workplace uses the software currently, please point to this post and ask them to drop it. Proprietary security software is an oxymoron -- if the user is not fundamentally in control of the software, the user has no security."
Given that we are now presented with an obvious and egregious false positive error, there is no reason to think that equally obvious and egregious false negative errors also exist. Since the source code isn't available for public inspection, there's no way to know how many or how persistent they are.
...how mere ignorant newbies like this actually have the audacity to believe that their brief and severely limited experience with the Internet has somehow given them the wisdom and insight necessary to make decisions about its future. Even those of us who've been here for more than a little while don't have all the answers: but at least we have the requisite background to ask the right questions.
Your point is excellent, but let me suggest that it makes the error of presuming that the Internet can or should be regulated. I think that we should debate at length the answers to those two questions prior to concerning ourselves with who might be best equipped to actually do so.
It's hardly "elitist" to expect people to be able to read and comprehend basic concepts before allowing them the privilege of utilizing an incredibly powerful tool -- in particular, one that allows them to do amazing amounts of damage to their own computing environment as well as any that they happen to be part of, in a very short time. I don't expect casual users to understand TCP/IP or sockets or buffer overflows or Python or any of that, but I do expect them to use their brains before they click on every shiny thing they see.
You'll want the AdBlock and NoScript extensions, for starters. These tend to eliminate many of the profoundly annoying "features" of numerous web sites. Also worth a look, while you're perusing extensions: Beef Taco, Better Privacy, Disconnect, ShareMeNot, and BlockSite.
Of course, if the Firefox people were actually paying attention instead of trying to dumb the browser down to the point where any imbecile can use it, these wouldn't be extensions: they'd be part of the core browser.
ITAR is taken VERY SERIOUSLY.
Only by appallingly ignorant morons.
For example: let's suppose that the evil wicked mean nasty terrorist bogeymen (I mean the real ones, not the ones created by the FBI as a substitute for doing sound police work) want to get their hands on a case of iPhones and iPads because they too want to be locked into Apple's increasingly-proprietary and unmaintainable and overpriced products.
Does anyone really think that they can't make that happen? REALLY? Do you REALLY think that people who are putatively smart enough to construct elaborate conspiracies and execute complex plots can't figure out how to shop Walmart or Craigslist or eBay and come up with as many as they want?
Pretending that widespread technology will somehow magically be confined to a limited space via regulatory fiat is stupid on a grand scale.
things that are not, or should be not, connected to the internet.
traffic lights, medical equipment, airplanes, navigation, power grids, trains, nuclear launch systems, drones.
I believe that we've just received another in a long line of object lessons which indicate that lack of connectivity is not equivalent to lack of vulnerability.
1. Setting up a truly private email address is difficult -- and largely pointless. (After all, if it's truly private, then nobody but the owner knows it and this rather limits its usefulness. I have a few of these that are used by my own software agents, simply because it's convenient.) Creating a truly private address requires running your own mailserver on your own hardware (shared hosts and clouds need not apply) and configuring the MTA (Mail Transport Agent) on that system so that it won't reveal the address when queried (e.g., via SMTP VRFY). None of this is within the reach of most people.
2. Of course once you share any email address with ANYONE -- a registrar, a document processor, ANYONE -- it's no longer private in any sense. These entities may publish it (deliberately) or leak it (accidentally) or store it or share it or any number of other things.
3. Even addresses which aren't shared but which are insufficiently obscure can be deduced via brute-force enumeration -- something that spammers discovered a long time ago. John Smith at example.com might be jsmith, john.smith, jack.smith, smith.john, smithj, or any number of other similar variants...and it takes only a small percentage of a botnet to run their exercise on millions of users.
4. Even addresses which are carefully set up as in (1) above may not remain private: security compromises in desktops, laptops, phones, pads, etc., can yield them up quite readily. Again, spammers have become quite adept at "harvesting" addresses by targeting these.
Bottom line: setting up and maintaining a "private" email address is a technically challenging task that requires specialized knowledge and dedicated hardware.
I'm well aware of the Morris worm, as I was in the trenches that day; my colleague Kevin Braunsdorf and I were the ones who came up with what we called "the condom" fix, a one-liner that prevented it from spreading. But the problem there is not C, or Unix or sendmail, or finger, but bad programming practice -- which is possible in any language, with only the details of how bad varying.
That said, yes, it was a wakeup call, and it's worth noting that in the decades since, there has been no security incident of similar magnitude involving Unix/Linux systems. However...there's one of that size going on right now, and there has been for years. Well over a hundred million Windows systems are fully compromised and part of botnets. (100M was a 2006-2007 estimate. I think 200M is probably a better one today.) Of course those systems aren't down -- which would bring the problem into sharp focus -- because their new owners have better things to do with them than merely shutting them down.
This problem is now ten years old. It affects issues as diverse as spam, phishing, identity theft, DoS attacks, online polls/voting, malware hosting, clickfraud, and others. Yet because (with rare exceptions) nothing is actually "down", there has been very little done to address it beyond the usual "we take the problem seriously". (Yes, I'm aware of announced "botnet takedowns". These are meaningless theater. All the systems that are part of those are likely part of new botnets before the press conference is over.)
In a sane world, dealing with this problem -- which is among the largest and longest-running security issues in the history of computing -- would be front and center. But it's not. It doesn't even get mentioned in most of the OMGOMGCYBERWAR fear-mongering, in favor of hypothetical attacks by the perceived national enemies du jour. (See, by the way, this excellent article: Why the United States Can't Win a Cyberwar -- h/t to Richard Forno and his excellent infowarrior list.)
After thinking about this for ten years, I've realized why: it's an ugly, difficult problem to solve and very unlikely to result in huge profits for contractors. That's because it's real and of course really fixing it is a measurable outcome -- one of the last things that those seeking to land $1.2B contracts want. It's far more profitable for them to deal with imagined problems because then of course claims that they're "solved" are vastly easier to sustain -- and the cash register will keep ringing. Meanwhile, botted systems are everywhere and if there has been any slowdown in the infection rate, it's only because their owners have an embarrassment of riches and thus don't have a practical need for any more.
Two points.
First, we already have cyber-Pearl-Harbors on a regular basis, primarily because people are making the same well-known mistakes over and over and over again. The fix for this is not legislation or technology: it is accountability. But as we see (from watching "dataloss" and similar resources) there's almost no accountability; the magic phrases "we take the problem seriously" and "no one could have foreseen" take care of everything. Until the next time.
Second, the kind of real-world security improvements that are needed are within reach today. Again: no legislation, no technology. "Don't plug critical systems into the Internet" would be a good start. "Don't run Windows" would be another. "Don't use Adobe Acrobat" still another. None of this is difficult or arcane, none of it requires 8-figure contracts with inept corporations, none of it requires spying on citizens, none of it requires anything except recognition that it must be done.
So yes, there are real security problems everywhere, but the fixes are not at all what these demagogues think/say they are. What they have in mind will simply make things much worse.
I wonder if Usenet's net.recipes (circa 1980) would be an adequate example of prior art?
...real old-testament stuff...but where was I?
Ah, yes. We have arrived at the point in time where fear-mongering over cyber-armageddon is being relentlessly flogged 24x7 in an attempt to line the pockets of the pigs at the trough and their pet lobbyists. Yes, yes, of course yes, a bill MUST be passed, it simply must, otherwise the 3Q P&L statements will suffer. So trample the rights of the citizens, ignore the real problems in favor of imagined ones, and let's, by all means, ram through legislation written by clueless fucksticks like Dutch "computers run on X's and O's" Ruppersberger.
This is one area where I could see some benefit in potentially stopping certain phishing scams [...]
On the contrary, this entire process is a goldmine for phishers and every other variety of scammer. (Unsurprising, really, given that Internet users weren't even considered in this process; the entire thing is a moneygrab for corrupt-to-the-bone ICANN and the registrars. Why should they care if it creates security problems?)
Given the massive security issues we have -- several hundred million bots, epidemic spam and phishing, daily security breaches of major sites, rampant malware, etc. -- the opportunities for harm that this would bring are incredible. Imagine what the telco billing system would be like if X could generate billable events for Y at will, for roughly a billion Y's.
"Rampant piracy", aka "the free exchange of ideas", is something that every true educator ardently supports.
You're a real tough cookie...
..with a long history
Of deleting video from my friend and me
So before I put another notch in my cellphone case
You better make sure you put me in my place
Hit me with your best shot
C'mon, hit me with your best shot
Hit me with your best shot
Fire awaaaaaaaaaaay
...had used the rather well-known technique of salting the passwords -- see, for example Password Security: A Case History (1978). I believe early Unix systems used a 12-bit salt, but contemporary ones should be using at least a 64-bit one, preferably 96-128.
This wouldn't have stopped the leak of the encrypted passwords, of course -- that appears to be the result of a security hole that has nothing to do with passwords. But it would raise the bar considerably for attackers attempting to decrypt them.
The solution to this problem -- and many, MANY others like it, including the endless stream we see from the federal government -- isn't legislation. It's competence. And as we see on a continuous basis, there is absolutely no IT competence in the United States Congress.
Convergence is, at minimum, an attempt to address issues similar to this one. I'm as-yet undecided as to whether or not it constitutes a solution or just a shift in the problem space. But it's certainly worth studying for a look at an alternative approach.
I've pointed out the same thing
We, the tech folks, built for the music/movie industries the greatest promotion and distribution mechanism that they've ever had. In fact, it's SO great that if we'd described it to them in, say, 1990, they wouldn't have believed it possible. Not only that, we did all this at zero cost to them. They didn't have to envision it, plan it, execute it; all they had to do was wait and watch.
And yet...they, in their arrogance, ignorance and greed, wish to destroy it.
That's not going to happen.