Slashback: Blaster, Sabers, Canada

Slashback tonight brings you more on the recent cracking of GSM encryption, the odds of file sharers escaping industry scrutiny in Canada, the recently found (and stomped) OpenSSH bug, installation-time ads in Mandrake, and more. Read on below for the details.

Art of the Saber Jagaast writes "As a counterpoint to all the hype about the Star Wars kid, here's a Star Wars fan film that's actually very well done. Art of the Saber is 'a light saber fight sequence with the flavor of a Hong Kong martial arts action movie.' Well worth watching." Update by J : I've made torrents available.

Vote early, often, and reversibly. An anonymous reader writes "As a follow up to a previous story here on Slashdot on electronic voting, Excite has a story on the same subject with a bit more information including this amazing quote from Deborah Seiler, Diebold's West Coast sales representative: '"These activists don't understand what they're looking at," Seiler said.'"

GSM-crack paper online morcheeba writes "Copies of the GSM-crack paper described in last week's Slashdot article are now available online (PDF) thanks to John Young's Cryptome"

Mandrake ads...take 2 *no comment* writes "Apparently there has been some controversy over the ads in the upcoming Mandrake 9.2. I thought it was pretty cut & dried, but apparently Mandrake thought it was enough of a controversy to release a written statement about it. I wonder how many flames were posted in the slashdot forum using the download version of Opera."

Blaster Worm still alive and well on MIT campus fwc writes "MIT still has 900 network drops disabled due to the Blaster worm infection. Of particular interest is that MIT network security requires users to reformat their hard drive and re-install their operating system before they get back on the network. Sounds like a good excuse to reinstall something other than a Microsoft operating system."

A big AWOOOGAH for Canadian file sharers. Rumor writes in response to a recent story suggesting that Canadian users could swap files scot-free: "Listen, Canadians, don't go using your p2p apps and thinking you are immune from lawsuit, you are liable for copyright infringement if you share files on p2p apps.

To wit: a fellow law student and I have written an analysis of s. 80 of the Copyright Act and we've concluded that one can download music safely under the Private Copying provision, but no one can share or upload files without infringing on copyright.

In a nutshell, Private Copying allows anyone to make a copy of a song purely for their own use. As you probably know, when you share files and someone downloads from you, what actually happens is that their computer makes a request and your computer actually sends the file to them. Thus, you're copying for someone else's use and infringing. It doesn't matter if you didn't realize that's what happens, either... intent is not required for infringement.

The upside is that you can accept copies from other people (ie. download) all you want. Although there might be an issue of contributory infringement to worry about... I won't go into analyzing that, since so far the record companies are only suing uploaders.

The article can be found on greplaw.

I've recently confirmed this analysis with an IP law professor at my university, so I'm pretty damn sure of it. So, please, be aware of this danger. Downloading cool, uploading/sharing not. I guess the situation is still better than nothing."

Why not ask for your money back? zaaj writes "There are several articles out about a newly found/fixed (openssh.org) buffer management bug in OpenSSH and some derivatives. Cisco's Advisory only mentions DoS attacks against certain of their SSH-enabled devices, but ZDNet's article hints at rumors of long-existing root exploits. Regardless, RedHat's got their typical list of updated packages with the patch back-ported. A few other distros have info in the vendor section of Cert's advisory CA-2003-24."

  • by WIAKywbfatw ( 307557 ) on Wednesday September 17, 2003 @07:01PM (#6990322) Journal
    Canada's in Star Wars?
  • Apache section? (Score:4, Interesting)

    by piranha(jpl) ( 229201 ) on Wednesday September 17, 2003 @07:02PM (#6990334) Homepage
    Any reason this is in the Apache section?
  • by WIAKywbfatw ( 307557 ) on Wednesday September 17, 2003 @07:04PM (#6990342) Journal
    GSM-crack paper online morcheeba writes "Copies of the GSM-crack paper described in last week's Slashdot article are now available online (PDF) thanks to John Young's Cryptome"

    I dunno what's the world coming to?

    You can buy crack rock on the street and get crack paper online so what's next, crack scissors from your local hardware store?
  • P2P (Score:5, Funny)

    by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Wednesday September 17, 2003 @07:04PM (#6990343) Homepage Journal
    I think I have a way of sharing music while avoiding legal action. The client should work like this:

    1) Request a file
    2) Ask "Is bit #0 a 1"
    3) Get a response, write the appropriate bit to a disk (or buffer).
    4) Repeat for the other 9238472093847 bits.

    Now, here we're not copying anything. We're just asking about it in a way that lets us make an educated guess about the contents of the file. How can that be illegal!?
    • Re:P2P (Score:4, Interesting)

      by robi2106 ( 464558 ) on Wednesday September 17, 2003 @07:11PM (#6990387) Journal
      Wow! A whole TCPIP packet to carry the question, one for the ack of the question, a 3rd for the response, and a 4th for the ack of the response.

      Assume about .1 seconds for each packet to get from end to end (could be more over dial up).

      While a neat idea (and sarcastic at that!) the usability people may raise questions.

      jason
      • Re:P2P (Score:5, Interesting)

        by Gherald ( 682277 ) on Wednesday September 17, 2003 @07:18PM (#6990430) Journal
        Well you could ask for everything at once. All you'd have to do is generate a text file 9238472093847 lines long saying:

        Is bit 0 a 1?
        Is bit 1 a 1?
        Is bit 2 a 1?
        Is bit 3 a 1? ...

        Then gzip it and send it via some standard TCPIP protocol.

        The server would then just generate a similar file saying:

        Yes, bit 0 is a 1
        Yes, bit 1 is a 1
        No, bit 2 is not a 1
        Yes, bit 3 is a 1 ...
        • Re:P2P (Score:4, Funny)

          by netsharc ( 195805 ) on Wednesday September 17, 2003 @08:58PM (#6991030)
          And considering it's only yes and no, you can encode the yeses as 1s and the nos as 0s!

          Sheesh, either some people are missing the joke or the grandparent post is joking, or you (parent post) are joking.
        • Re:P2P (Score:3, Interesting)

          by identity0 ( 77976 )
          So basically, you're sending the other peer a file, and asking for a diff between it and the song file. Since you have the random file and the diff output, you would be able to piece together the original song file.

          That's an interesting idea, but I don't think it'll hold water in court. Remember, MP3s are also machine-made derivatives of the original music tracks, and quite different data-wise from raw music - but courts have no problems holding that as copyright infringement. In the end, all that matte
        • Re:P2P (Score:5, Interesting)

          by PetiePooo ( 606423 ) on Wednesday September 17, 2003 @11:44PM (#6991705)
          I realize that this thread is mostly in jest, but you're all missing the bigger point. The problem isn't the actual transfer of the file.. it's indexing the files that are available. How can you legally say to the room-temp-IQ crowd that "I have a song here, but it's not available.. sorta.." and still get away with it?

          Remember those college students that just ran an indexing web page listing all of the songs on their fellow students' shared folders? They didn't share the files themselves, but they're now working their way out of debt thanks to the RIAA.

          There are hundreds of ways of actually transferring the file without attracting undue attention (Waste would be my favorite at the moment). But how do I find the person who has that file that I want when he's not telling the world that he has it because the world includes that suit-happy association whose business model it obliterates?

          How do I find that person?

          Seriously, I want to know. I'd like to borrow some of his/her CDs for personal use. Of course, I have some to lend as well...
          • Re:P2P (Score:3, Interesting)

            by cbiltcliffe ( 186293 )
            But how do I find the person who has that file that I want when he's not telling the world that he has it because the world includes that suit-happy association whose business model it obliterates?

            How do I find that person?


            Simple. A P2P client with a licence that specifically disallows use by the RIAA/MPAA, its employees, agents, etc. If they use it, they infringe the author's copyright, which is what they say they're trying to uphold.
            Then, an encrypted protocol that's illegal for them to hack und
    • Re:P2P (Score:5, Funny)

      by Cutriss ( 262920 ) on Wednesday September 17, 2003 @07:18PM (#6990434) Homepage
      I think I have a way of sharing music while avoiding legal action. The client should work like this:

      1) Request a file
      2) Ask "Is bit #0 a 1"
      3) Get a response, write the appropriate bit to a disk (or buffer).
      4) Repeat for the other 9238472093847 bits.


      Client: "Is bit #2A389D1 a 1?"
      Host: "Go fish!"
    • Re:P2P (Score:5, Interesting)

      by the_real_tigga ( 568488 ) <(ten.egrofecruos.sresu) (ta) (sorhpen)> on Wednesday September 17, 2003 @07:19PM (#6990438) Journal
      How about protocols like BitTorrent?
      Although I might "share" a file, I never give away the whole thing. I only offer very tiny bits of a file to anyone who asks.

      AFAIK, copyright law permits giving away small "excerpts" of copyrighted materials.

      So provided I never permit upload of the whole file to a single downloader, would I be in the clear?
      • Re:P2P (Score:4, Insightful)

        by Anonymous Coward on Wednesday September 17, 2003 @07:36PM (#6990520)
        "Yes officer, but what if I crossed the street against the light, but I was walking on my hands, then it wouldn't be jaywalking, now would it? No? Well, what if I was skipping?"

        Give it up, the law does not look kindly upon those looking for a loophole (unless you've made a large campaign contribution).

      • Re:P2P (Score:2, Insightful)

        by conteXXt ( 249905 )
        ting ting The Real Tigga just won an award for most lines read between. That's exactly why I have been downloading whatever I want (and leaving the windows open). I am not sharing the whole file.

        Now how you deal with the pissed off librarians (who fought for the right to those excerpts) is a whole other question/issue.

        P.S IANALibrarian :-)

      • Re:P2P (Score:3, Funny)

        by suss ( 158993 )
        So provided I never permit upload of the whole file to a single downloader, would I be in the clear?

        Didn't seem to have worked for napster...

        "99% and you disconnect me?! No! You fucker! Die! Die! Die! Nooooooooooo!"
    • I get the joke... but it's a great idea!

      Not the asking bit by bit, as the overhead would kill throughput, but what if we broke pieces of the data into mathematical equations, and sent the equations instead? If I can send something like (bear with me here, I suck at math... ;) ) "2x/log(3x)" to represent a chunk of a song, then we are not actually sending a copy of the data, we are sending a formula which has many other uses.

      It's simply passing formulas, and if I happen to know what "x" is, then I might h
      • Actually I was planning at some point to do research on audio compression with Iterated Function Systems. That's what "Fractal Image Compression" is. Maybe someone has already done this?

        And I wasn't _really_ joking about the above protocol. Maybe we should do it more than a bit at a time :)
        • Actually I was planning at some point to do research on audio compression with Iterated Function Systems. That's what "Fractal Image Compression" is. Maybe someone has already done this?

          The key problem isn't how you send the data, but rather when someone sniffs your data, can they beyond a reasonable doubt prove that you are stealing music/movies, etc... if you use formulas (with variables that you don't transmit) there is no way for them to prove you stole anything... even if plunking in a certain value
    • Re:P2P (Score:5, Insightful)

      by Chris_Jefferson ( 581445 ) on Wednesday September 17, 2003 @07:59PM (#6990626) Homepage
      Computer geek types who want to be clever need to understand one thing. Much of the law is based on intent and result. It doesn't matter if you print a file out, fax it, then send it via pigeon droppings. If at the end of the day you've made a copy, you've made a copy and all the consequences involved.

      Similarly (in the UK at least), you can't get around paying for a TV licence by doing something stupid like sending it over ethernet and routing it via your printer or something :)
      • That sounds right. But wasn't that whole PGP source code being OCR'ed from hard copy a end-run around for a set of laws? Or did those laws specifically exempt printed ("published") material?

        Just playing devil's advocate here. Loopholes are ways to get around the "intent and result" you mention. And ideas like the grandparent post may be valid loopholes.

      • Re:P2P (Score:3, Informative)

        by arcade ( 16638 )
        Computer geek types who want to be clever need to understand one thing. Much of the law is based on intent and result. It doesn't matter if you print a file out, fax it, then send it via pigeon droppings.

        Actually, I've got a funny little story about exactly that. The US have (had?) this funny law about exporting strong crypto.

        Now, this law only covered the electronic implementation of the crypto systems. If you remember Phil Zimmerman of PGP fame .. well .. he got into a lot of trouble for releasing PG
      "Now, here we're not copying anything. We're just asking about it in a way that lets us make an educated guess about the contents of the file. How can that be illegal!? "

      Wouldn't that mean that if you're downloading a 20 meg file, you'd be sending out 20 megs worth of data?
    • At first glance, this appears to be a very unique and clever way of transferring information about a copyrighted work.

      However, this would be very similar to using analog methods to record music from the radio or the soundcard.

      Someone correct me if I'm wrong, please.

      *still chuckling*... A very clever idea indeed. Would this mean that once the original material has been verified elsewhere, that the subsequent information can be shared wholesale? ie: shared normally through p2p.
  • by Anonymous Coward on Wednesday September 17, 2003 @07:05PM (#6990345)
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0682

    may I suggest a nice bottle of '01 -fstack-protector?
  • draconian, defined. (Score:5, Interesting)

    by lingqi ( 577227 ) on Wednesday September 17, 2003 @07:06PM (#6990356) Journal
    Of particular interest is that MIT network security requires users to reformat their hard drive and re-install their operating system before they get back on the network.

    That's a draconian policy if I've ever heard of one!

    To reformat you need to backup - and if you have more data to backup than some puny CDRs? and you can't get on the network to backup onto your friend's gigantic file server that he has kindly carved out a nice chunk for you for a week? and I have a laptop so it's not exactly a good idea to be pulling drives out?

    all practical concerns I'd face if I was part of the MIT network - but glad that I am not on the MIT network, and that blaster didn't come my way. heh...

    poor suckers who'd have similar problems with me, though - maybe that kind of explains why there are still so many people un-connected... they are all looking for used tape drives...

    • ...if you have more data to backup than some puny CDRs? and you can't get on the network to backup onto your friend's gigantic file server...

      You get a hub and some cables and some private IP addresses and you get to work. That doesn't make the policy any less draconian, though.

    • To reformat you need to backup - and if you have more data to backup than some puny CDRs? and you can't get on the network to backup onto your friend's gigantic file server that he has kindly carved out a nice chunk for you for a week? and I have a laptop so it's not exactly a good idea to be pulling drives out?

      Grab a knoppix (or similar) disk and upload that way.
      Reboot. Install. Retrieve.

    • by Anonymous Coward
      Kinda a cute draconian policy....

      1) reformat harddrive
      2) reinstall windows from the CD, (back to the version without Service Packs, security updates, etc.)
      3) Get network access reenabled
      4) Pray MSUpdate is faster downloading and installing all the updates than MSBlaster et al. is at finding the vulnerabilities that used to be patched.
      • More likely:

        1) Reformat hard drive
        2) Reinstall Windows from CD
        3) Install the patch from CD
        4) Get network access reenabled
        5) Ignore recommendations and never touch Windows Update, never install a firewall, and never install antivirus software.
        6) Get hit by the next Windows worm.
        7) Go to step 1. Do not ???, do not Profit!
        • by E-Rock ( 84950 )
          Even more likely:

          1. Call your buddy to clean the computer, or do it yourself since it's simple
          2. Call IT support
          3. Lie to the overworked underpaid slave/student who doesn't actually care
          4. Laugh at all the dumbasses who formatted their computers.
    • I'm curious, do you *HAVE* to reinstall OSes, even if you're, erm, running NetBSD or some such? My first guess would be no, but it's unsafe to assume such things sometimes.
  • by Anonymous Coward
    Cause I don't have any money.
  • by dspeyer ( 531333 ) <dspeyer.wam@umd@edu> on Wednesday September 17, 2003 @07:09PM (#6990372) Homepage Journal
    The file has a .mov extension, but neither file nor xine seems able to recognize it. Does anyone know what format it is, and how to play it?
  • by Zocalo ( 252965 ) on Wednesday September 17, 2003 @07:10PM (#6990381) Homepage
    And since the Slashback didn't mention it; if you patched your SSH yesterday to version 3.7p1, then patch again to v3.7.1p1. It would appear the bug wasn't quite squashed the first time around.

    PS. Don't feed the trolls! Given the recent DCOM fiasco, it's fairly obvious where this thread goes...

  • MIT say it isn't so (Score:5, Informative)

    by segment ( 695309 ) <`gro.xirtilop' `ta' `lis'> on Wednesday September 17, 2003 @07:10PM (#6990382) Homepage Journal

    "MIT still has 900 network drops disabled due to the Blaster worm infection. Of particular interest is that MIT network security requires users to reformat their hard drive and re-install their operating system before they get back on the network. Sounds like a good excuse to reinstall something other than a Microsoft operating system."

    Reformat? That's pretty dumb

    B. Clear your computer of the Blaster worm

    1. On the taskbar at the bottom of your screen, click Start, and then click Run. Type in services.msc and click on OK.

    2. The Services window will appear. Enlarge it, if small, so you can see things. Click on the Name heading so the list is in alphabetical order. Look down the list for Remote Procedure Call (RPC) which Provides the endpoint mapper, etc. Do not choose Remote Procedure Call (RPC) Locator, which Manages things. Right click on Remote Procedure Call (RPC) and left click on Properties.

    3. Click on the Recovery tab, and change first, second and subsequent failures to Restart the service, not Restart the computer. Click on Apply then OK. Close the Services window.

    4. Hold down Ctrl and Alt keys and press the Delete key. The Windows Task Manager window will appear. Click on Processes. Click on Image Name to put the list into alphabetical order. Look down the list for msblast. There it is. Right click on it and click on End Process. Close all windows.


    Total time to find this info: less than 30 seconds on Google cache [216.239.41.104]... Interested in SoBigF? Check out my psychotic rants [politrix.org] on it.

    As for the so called security team of whatever, I don't know why they would tell their users to format their machines... Seems a bit irresponsible, and makes me think they're too lazy to read something like the DOC I just linked (Google cache link)... Hell they don't have to if you think about it... Print it out and throw it on every damn door. Come on if MIT can hang cars off bridges, place cars on roofs for pranks don't tell me they can't ctrl-p a damn doc...
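The cleanup procedure posted above is four manual clicks through services.msc and Task Manager. The script below is an added example, not part of the Slashdot post or of MIT's documentation, that performs the same steps from an elevated PowerShell prompt and reports what it found at each one. It assumes the Windows service name `RpcSs` for "Remote Procedure Call (RPC)" (the Locator service the post says not to touch is `RpcLocator`), the process image name `msblast` that the post names, and a modern host where `Set-NetFirewallProfile` exists (Windows 8 / Server 2012 or later). The last step, turning the host firewall on before the machine goes back on the network, is an addition the posted procedure does not include.

```powershell
# Added example: automates the posted Blaster cleanup steps and verifies each one.
# Assumptions (not from the post): service name RpcSs, process name msblast,
# Set-NetFirewallProfile available. Run from an elevated prompt.
#Requires -RunAsAdministrator

$svc       = 'RpcSs'    # "Remote Procedure Call (RPC)"; deliberately NOT RpcLocator
$wormImage = 'msblast'  # process image name given in the post

# Step 2 of the post: confirm we are looking at the right service by display name.
$rpc = Get-Service -Name $svc
"Service: {0} ({1}) status {2}" -f $rpc.Name, $rpc.DisplayName, $rpc.Status

# Step 3 of the post: show the current failure actions, then set first, second and
# subsequent failures to restart the service (60 s delay) instead of the computer.
sc.exe qfailure $svc
sc.exe failure $svc reset= 86400 actions= restart/60000/restart/60000/restart/60000
if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned exit code $LASTEXITCODE" }
sc.exe qfailure $svc   # re-read so the change is visible in the transcript

# Step 4 of the post: find the worm process and end it if it is running.
$procs = Get-Process -Name $wormImage -ErrorAction SilentlyContinue
if ($procs) {
    foreach ($p in $procs) {
        "Stopping {0} (PID {1}) from {2}" -f $p.ProcessName, $p.Id, $p.Path
        Stop-Process -Id $p.Id -Force
    }
} else {
    "No process named $wormImage is running."
}

# Added step (not in the post): enable the host firewall on every profile before
# reconnecting, so the still-unpatched RPC service is not reachable while updates
# are downloaded and installed.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Get-NetFirewallProfile | Select-Object Name, Enabled
```

Running it with PowerShell transcription on (`Start-Transcript`) gives a record of the before and after state of the RPC recovery settings and of any process that was terminated, which is the evidence a network security team would want before re-enabling a drop.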

    • I have one word for you: copycat. Frankly, network admins were quite lucky that there weren't more Blaster copycat virii introduced. Just because the first and most well-known version of this worm was somewhat benign in impact (and easily removed), doesn't mean others don't have additional nastiness thrown on to em. As a former network abuse desk guy, when a customer called us who had an ongoing infection running on a server, we always recommended:

      - disconnect the box from the network
      - perform reasonable l
    • by carlfish ( 7229 ) <cmiller@pastiche.org> on Wednesday September 17, 2003 @07:56PM (#6990610) Homepage Journal
      Reformat and reinstall is a pretty standard response to a root-level system compromise. It also serves as a rather effective deterrent to users who might want to delay installing patches in the future.

      The command-line exploit for the hole was available several weeks before the Blaster worm came out. I demo'd it in the office by breaking into my Boss's workstation (Yes, while he was watching over my shoulder). Compile the exploit on a Linux box, run it against a remote NT host, up comes a nice command-shell with Administrator access.

      While the Blaster worm itself is pretty easy to get rid of, the RPC/DCOM bug is a remotely-compromisable hole that gives you Administrator privileges. As such, it's quite possible that vulnerable machines could have been backdoored by something other than the worm (or by some rare variant of the worm) in the process.

      A Blaster-infected machine was wide open for long enough for the virus to catch it. At that point, you have no idea what malware could have been installed. You're pretty sure it's "just" the regular worm, and the standard removal instructions are all you need, but how sure is that? Network security want to be completely sure that their network doesn't become a home of a few thousand more DDOS drones.

      In my judgement MIT security may be being a little paranoid, but if you work in network security, you're paranoid by definition anyway.

      Charles Miller
      • by Symbiosis ( 39537 ) on Wednesday September 17, 2003 @08:45PM (#6990957) Homepage
        As someone who works for Network Security, I feel I have to chime in here.

        Basically, what Chris said was right. A format and reinstall is the standard response to a root-level system compromise, which the RPC vulnerability leaves a system open to. It's also enough of a pain in the rear that people don't want to have to do it again.

        Furthermore, Network Security only has two full-time staff members, a handful of student employees (the category I fall under), and a handful of volunteers from here & there. Under normal loads, we don't have the resources to do forensics or any type of individually tailored recovery advice. With the thousands of computers being compromised on campus, it's the quickest (and easiest, believe it or not) solution for everyone.

        Give us a break, this thing has generated way more overtime hours than any one (or two now) security hole(s) should be allowed to do. :-p
    • The average (l)user isn't smart enough to follow clear directions like that and will probably screw it up. Even users from MIT.

      Reformatting will get rid of whatever spyware they have, too, at least for a little while.

      I'm not defending their policy. I'm just bitter from having to deal with lusers. ;-)
  • by phr2 ( 545169 ) on Wednesday September 17, 2003 @07:16PM (#6990420)
    Um, I don't get that, if I let someone else use my cassette deck to record one of my cd's, how is it that I'm the one doing the copying? And if I let them use my computer to do the same thing, what's different? Why does it matter if the computer is remotely operated over the net?
    • You're not. And if you invite me over to your house, leave the door unlocked, your computer unsecured, and I just happen to burn all your mp3's to CD, you haven't done anything wrong either.

      But when you knowingly place copyrighted music into a public forum via the internet, that's the same as you using your own cassette recorder to make copies and giving them away.

      Sorry, but I don't think saying that you didn't realize people were actually downloading the mp3's you shared over Kazaa will hold up as a lega
        Let's say I record Justin Timberlake off the radio. Then I make a copy of it and start handing them out. What's the difference between this, and if those other people recorded it off the radio too. End result is the same, multiple people with copies of the same song.

        Hell FOX [fox.com] even says you can copy broadcasted shows from friends. So why is copying from one broadcast medium ok and another not?

        Now before anyone says, "Oh, but if you copy the CD and share it, you are sharing songs that were not broadcasted", le
      Wouldn't it be more like you're standing on your porch waving your CD at passers by?

      I mean to make your Mp3's (Ogg's) available you have to do it intentionally, at least in my experience.
  • Blaster and variants (Score:4, Interesting)

    by kaan ( 88626 ) on Wednesday September 17, 2003 @07:21PM (#6990449)
    I'm not too surprised to see that Blaster is still running around, even at MIT. I work in an office that's behind a firewall, but it wasn't until yesterday that somebody discovered one of the Blaster variants in our internal network. Most likely it was introduced by somebody taking their laptop home, and then back to the office. So what's the big deal? We're a small software house with reasonably intelligent folks working here, but that didn't stop people from a) avoiding the install of Microsoft patches on their office machines, even though these are internal machines and thus "immune" from external traffic, and b) from taking a laptop computer home and using it on a non-firewall protected environment. That we're seeing stuff like this still happening on MIT campus doesn't surprise me. Sure, a good number of /. readers will scoff at this, but there are plenty of intelligent people out there who still think that a firewall will protect them from everything. And that's just the reasonably intelligent people. What about the average, non-technical folks who don't even know what a firewall is? What the heck has to change (other than Microsoft cleaning up Windows, and shutting down all of its stoopid ports) for this kind of thing to stop?
  • by kcurtis ( 311610 ) on Wednesday September 17, 2003 @07:25PM (#6990475)
    OK, so the student reformats the drive and reinstalls windows. Whee! Network access is turned back on.

    Of course, no patches have been installed, since they are available as downloads unless MIT is distributing service packs and patches to the students via CD.

    So now you have completely unpatched machines on the network, at least for the time it takes to repatch.

    I've had rebuilt machines reinfected during that short time (yes, I should have thought of that first).

    Maybe they have something in place to prevent this from happening, but that isn't indicated one way or another.

    Besides, given the ease of fixing problems like these without reinstalling the OS, why bother forcing a drive wipe?

    Just wondering if they're forcing everyone with the SSH hole to reformat and reinstall? (Yes, not as serious since it isn't a worm, but still)
      because 'format the thing' is the sort of thing (almost) anyone with little knowledge of pc's would do (little knowledge is worse than nothing at all though..) still. they have some spyware -> reformat. they got some driver problems -> reformat, they got some issues with temporary files -> reformat. it's the sort of knee jerk reaction anyone can do and think he's doing something useful, yet annoying.

      they might instruct them to shut down the services(i doubt they would be able to, the users, and if the
    • Of course, no patches have been installed, since they are available as downloads unless MIT is distributing service packs and patches to the students via CD.

      Actually, we are, but aside from that, we also tell them how to (temporarily) use the built in firewalling of winxp and win2k to prevent a compromise while installing the patches. Yes, there were cases of people getting recompromised before patching was finished. As a test, an unpatched laptop was placed on the network. Time to compromise: ~1 minut
    • "Of course, no patches have been installed, since they are available as downloads unless MIT is distributing service packs and patches to the students via CD."

      This is not unlikely, especially given this policy. PSU had a massive PR campaign called "disinfect before you connect" where they printed what must be a couple thousand CDs with the patches and stuff, and handed out flyers to everyone, and had RAs try to get people to patch, and stuff like that.
  • by hankaholic ( 32239 ) on Wednesday September 17, 2003 @07:27PM (#6990481)
    I don't use Mandrake, but I have to respect any company that knows enough to number points in a press release starting with zero.
  • Canadian Loophole (Score:3, Interesting)

    by Goldberg's Pants ( 139800 ) on Wednesday September 17, 2003 @07:31PM (#6990499) Journal
    I thought when the story was posted the other day it smelled off. Copyright law here as I understand it says you can LEND a CD to someone and they can copy it, that's legal. If you copy it for THEM though, that's illegal.

    The loophole? Okay, on a P2P app, when someone downloads a file from you it is REMOVED from your hard drive. Translation: You've lent it to them. Then you get sent the file back. They've made their copy by "borrowing" yours, and then given it back.

    Probably not viable since there'd be wankers who'd download and then kill the software so you don't get your song back (the RIAA would love to abuse that I bet!) but still, there has to be some loophole as the law doesn't take P2P into account.
    • If you copy it for THEM though, that's illegal.

      I think that the question is - when a file is transferred, who is making the copy?

      I'd say that the receiver is making the copy, because it doesn't exist until it's on his HD. (A 'copy' is something that's "fixed in a tangible form" - by definition, it can't be fixed until it arrives at the destination.)

      The poster says he's run it by his law professor - but does this professor truly understand computers, or does he have the same understanding as the writers
      • Well, U.S. law would say "fixed in tangible form". However, it isn't part of the definition of a "copy".

        Something I found interesting, in a section called "Scope of exclusive rights in sound recordings", was this:

        From Title 17 USC, Chapter 1, Section 114:

        The exclusive rights of the owner of copyright in a sound recording under clauses (1) and (2) of section 106 do not extend to the making or duplication of another sound recording that consists entirely of an independent fixation of other sounds, even

  • by lplatypus ( 50962 ) on Wednesday September 17, 2003 @07:33PM (#6990507)
    Why are the MIT sysadmins being so draconian as to require infected computers to be reformatted, without solving the cause of the problem by *requiring* the windows bug to be patched? The article says "Reinfection rates are very high". Unbelievable!
  • Isn't that just a bit extreme?

    Proper patching and de-infecting should be enough.. until the next round.
    • Proper patching and de-infecting should be enough.. until the next round.

      I disagree. Who is to say that machine was infected by a new strain of the worm that would plant spyware or a trojan? You just can't fully trust a compromised machine.
    • by Sloppy ( 14984 ) * on Wednesday September 17, 2003 @08:51PM (#6990997) Homepage Journal
      Isn't that just a bit extreme?

      Isn't still running MS Windows, after all these years, also a bit extreme?

      Which is more extreme? One of these acts has been increasing in extremity, for a very long time. The other act started out as extreme, but at least it's stable and doesn't get any more insane as the years drag on.

      It's just a question of when one of them passed, or will pass, the other. Pretty subjective, I guess. But when you see it keep happening year after year, with complete oblivion to experience and a total lack of capacity for learning, it's hard to keep a straight face when anyone throws around the word "extreme."

      You always keep thinking, "Is that finally the last lemming that will jump off the cliff?" and they just keep surprising you with their determination.

  • I predict Bush/Cheney, and other republicans by a landslide.

    Seriously though, from what I saw in an election on September 9 here, we have an even bigger problem that doesn't involve connectivity. Anybody could just go in and punch their votes as many times as they want, as long as the total number of votes doesn't exceed the number of registered voters in that district. This would have to be done by a voting official though, which could easily be arranged. This could also be done by anybody who just wants

    • Anybody could just go in and punch their votes as many times as they want, as long as the total number of votes doesn't exceed the number of registered voters in that district.

      In other news, voter turnout in ZZZZZ county was 90% compared to the 15% it normally has. I doubt that would happen without anyone noticing.

      Here [slashdot.org] is a possibility for a decent voting system. (Don't forget to read the replies to this prior post as well.)

  • by msimm ( 580077 ) on Wednesday September 17, 2003 @07:41PM (#6990541) Homepage
    Good intentions by themselves are not a sound business model. Income is. Mandrake has been a progressive and remarkably loyal supporter of the open source movement. Ads? Good, because I want to see Mandrake survive for another couple of years.

    I didn't see too much complaining myself (maybe I ignored some of it) but I'm sure some got hysterical about it (it wouldn't be an internet-age community without someone getting hysterical).

    Anyhow, I wish them the best of luck. Good idea, whoever decided on this. Programmers need to get paid and I *want* my Mandrake. ;-)
  • by Compact Dick ( 518888 ) on Wednesday September 17, 2003 @07:42PM (#6990548) Homepage
    The furore about Mandrake placing one commercial ad tarnishes the Open Source users' image. Here is a financially struggling firm trying to make some money through ethical means, and we feel violated having to view it? As mentioned in the press article, they have had ads before, and none of the intrusive, irrelevant shit found on the web. Why shouldn't they try every ethical, non-invasive means to stay afloat?

    I've always held Mandrake in high esteem as they are the [possibly only] commercial entity that adheres closest to the principles of Free Software, listens to community feedback, and, if you read the press release about the ad, are very polite in their communication - even when lesser people would've ignored us or told us to fuck off. Do you imagine slagging them off for being French makes you look intelligent? Hell, if they are typical of France, I would hold them with deep respect.

    Remember - we all have our favourite distros, preferences, and so on. But until the day we realise that a loss for our [Mandrake-loving] peers is a loss for the entire community, we are not living by, and upholding, the principles of freedom, choice and tolerance.
    • Frankly I don't really care about it, and if I used Mandrake this wouldn't stop me.

      But I think the irritating factor for some people is having ads in something you've paid for, and from what I've heard there will be (easily removable Linux-related) ads even in the commercial version. Now in many cases we accept ads on things we pay for, such as cable television and magazines, because we recognize our subscription fees alone are not enough to keep some things afloat.

      I don't know enough about Mandrake to

  • Uberhacking (Score:3, Funny)

    by Rosco P. Coltrane ( 209368 ) on Wednesday September 17, 2003 @07:43PM (#6990551)
    With all the neat technical things I learn on Slashdot about hacking, viruses and Canadia, I have to ask the question: is there a chance I can get an SSH shell on Tom Green's cellphone to plant the Blaster worm on it? Then I'll chop his head off with a Mandrake-enabled light saber.

    I really can't stand Tom Green ...
  • by stretch0611 ( 603238 ) on Wednesday September 17, 2003 @07:44PM (#6990560) Journal
    I use Mandrake and this probably won't stop me from using it. According to the release, "There will be one paid-ad in the installation procedure, and a few paid-links in bookmarks."

    Usually when I am installing an operating system, I leave the room or do something else when I am done with any user interaction. Why should I care if they show an ad while the OS is being copied to my hard drive and I am not looking?

    As for the bookmarks, who cares if I can delete them. Microsoft does this, Netscape did this (and now AOL does this). You have to pay for Microsoft's OS (in more ways than one), and with AOL's version of Netscape they have things like Net2Phone that you can't remove. (I admit when AOL posted its ad links that could not be removed, I switched to Mozilla.)

    As long as Mandrake sticks to their words from their press release, "ads won't be intrusive (no pop-up windows) and can be removed easily;" I will not mind if they make a few bucks to stay afloat financially.

  • Fanfilms (Score:5, Informative)

    by blincoln ( 592401 ) on Wednesday September 17, 2003 @07:45PM (#6990566) Homepage Journal
    Art of the Saber is one of legions of "lightsaber effect" videos made by fans.

    TFN Fanfilms [theforce.net] has a huge library of Star Wars home movies. Many of them have excellent stories, and do much more than display the rotoscoping skills of the creators.

    Duality [crewoftwo.com] is one of the most visually impressive, but because of conflicts between the two guys who made it it's not available on TFN anymore.
  • Whaaaaa???? (Score:2, Interesting)

    by Anonymous Coward

    Cavin said that Network Security requires users to reformat their hard drive and re-install their operating system before the network drop is turned back on.

    You've got to be shitting me. If their IT department is too fucking stupid to cut/paste Blaster removal instructions, they should just turn out the lights and go home. They've got no business accepting money for that kind of "work". It took me about 5 minutes to clean Blaster off my Grandpa's computer (he got hit before the virus defs were updated).

  • According to Canada's laws it's OK to make a copy for your OWN use, so the problem with sharing is you make a copy for someone else's use.

    What if instead we did this:

    Person A MOVES the file to Person B, who then makes a copy. Person B then MOVES the original back to person A. Hmm...
  • The Excite (AP) story [excite.com]:

    March said he found absentee ballot totals from 57 of 164 San Luis Obispo County precincts in an easily accessible File Transfer Protocol site operated by North Canton, Ohio-based Diebold. The votes were time-stamped at 3:31 p.m. on March 5, 2002 - more than four hours before polls closed.

    Is it possible in this case, Jim March (love how it's the March 2002 incident, and his name is March, but I digress) doesn't know what he was looking at?

    What does the time stamp mean? Is it necessa

  • by geekee ( 591277 ) on Wednesday September 17, 2003 @08:13PM (#6990693)
    "In a nutshell, Private Copying allows anyone to make a copy of a song purely for their own use. As you probably know, when you share files and someone downloads from you, what actually happens is that their computer makes a request and your computer actually sends the file to them. Thus, you're copying for someone else's use and infringing. It doesn't matter if you didn't realize that's what happens, either... intent is not required for infringement. "

    I said essentially the same thing yesterday [slashdot.org] when the original article came out and I got modded up 1 for insightful and modded down 1 for overrated. Where's the justice? :-)
  • Very cool saber fight, but:

    Only siths have red sabers.
  • Art of the Saber (Score:3, Insightful)

    by EngMedic ( 604629 ) on Wednesday September 17, 2003 @08:19PM (#6990757) Homepage
    All I can say is, Lucas had better be taking notes -- lightsaber fights never looked this good in any of the movies.
  • Idea for Canadians (Score:4, Interesting)

    by bstadil ( 7110 ) on Wednesday September 17, 2003 @08:19PM (#6990765) Homepage
    If you can download without being in violation of copyright you only need to solve the Make Available problem.

    Here is how:

    Break up any mp3 file into, say, 10 RAR parts and calculate an MD5 for each part plus the total.

    Name the 10 parts equal to their MD5 number.

    Make a small Identity file that contains the above plus all of the normal mp3 IDs like name, artist etc.

    Make a small plug-in that disallows any more than 3 or so of the parts to be made available for upload, and obviously never the total mp3 file.

    Make a small script that takes the Identity file as input and as output automatically tries to find and download all MD5 pieces.

    Once retrieved, combine and play.

    If real fancy you could make the "encryption" / "decryption" function DMCA proof, so the RIAA can not legally tamper with it.

    I am sure we can elaborate but you get the idea.
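The split/hash/identity-file steps above, as an added example that is not bstadil's code: it builds the identity file and verifies reassembly of the retrieved pieces, reporting a corrupted or missing part and a total-MD5 mismatch. The title/artist values and the 10 KB "song" are constructed; the availability-limiting plug-in is not part of the example.

```python
import hashlib
import json


def md5_hex(data: bytes) -> str:
    # The post names MD5; it catches accidental corruption but is not
    # collision-resistant, so SHA-256 would be the choice for real integrity.
    return hashlib.md5(data).hexdigest()


def split_and_hash(payload: bytes, parts: int = 10, title: str = "", artist: str = ""):
    """Split payload into `parts` pieces named by their MD5; return (identity, pieces)."""
    size = len(payload)
    step = -(-size // parts)  # ceiling division so every byte lands in a piece
    pieces = {}  # name -> bytes (identical chunks share a name)
    order = []   # names in file order, duplicates kept
    for i in range(parts):
        chunk = payload[i * step:(i + 1) * step]
        if not chunk:
            break  # tiny payload: fewer pieces than requested
        name = md5_hex(chunk)
        pieces[name] = chunk
        order.append(name)
    identity = {
        "title": title, "artist": artist,  # the "normal mp3 IDs" from the post
        "size": size,
        "total_md5": md5_hex(payload),
        "parts": order,
    }
    return identity, pieces


def identity_to_json(identity: dict) -> str:
    """Serialise the identity file (the small file a downloader is handed)."""
    return json.dumps(identity, sort_keys=True)


def reassemble(identity: dict, available: dict):
    """Rebuild the file from retrieved pieces.

    Returns (data, problems); data is None if any piece is missing or corrupt,
    or if the reassembled whole does not match total_md5."""
    problems = []
    out = bytearray()
    for name in identity["parts"]:
        chunk = available.get(name)
        if chunk is None:
            problems.append(f"missing part {name}")
        elif md5_hex(chunk) != name:
            problems.append(f"corrupt part {name}")  # the name doubles as the check
        else:
            out += chunk
    if not problems:
        if len(out) != identity["size"] or md5_hex(bytes(out)) != identity["total_md5"]:
            problems.append("total MD5 mismatch")
    return (bytes(out) if not problems else None), problems


if __name__ == "__main__":
    # Constructed 10 KB stand-in for an mp3: every 1024-byte piece is distinct.
    sample = b"".join(i.to_bytes(4, "big") for i in range(2560))
    ident, pcs = split_and_hash(sample, 10, title="Example", artist="Nobody")
    data, probs = reassemble(json.loads(identity_to_json(ident)), pcs)
    print(len(ident["parts"]), data == sample, probs)
```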

  • Blaster/SoBig (Score:3, Informative)

    by MNJavaGuy ( 619805 ) <pond0019.umn@edu> on Wednesday September 17, 2003 @08:20PM (#6990779)
    The University of Minnesota has a similar policy for using its network, except for the whole reformat thing. They were actually nice enough to provide each student with a CD that had all the necessary patches and removal tools on it. Your ethernet jack was disabled until you proved to them that you had been patched.

    Seems like a much more reasonable way of dealing with it than MIT's policy.
  • by rtrifts ( 61627 ) on Wednesday September 17, 2003 @08:25PM (#6990814) Homepage
    The problem with law school is that while you learn the theory of law, you don't learn much about the practice of law. That comes only after law school.

    All the potential copyright actions in the world aren't going to matter when you don't know who to name as a party defendant.

    The DMCA has a subpoena provision which has been interpreted to require an ISP to provide the identity of the Kazaa user (say) in the USA.

    No such similar provision exists under Canadian law and the DMCA has no applicability in Canada in a civil suit. The closest you could get to it is a Bill of Discovery for an intended action.

    While you might get such a discovery right against the ISP, this area of the law is wholly unexplored in the context of file sharing in Canada.

    Getting a Bill of Discovery granted for a novel action is also problematic.

    And most of all - it would be extremely expensive. You can't just do all your Bills of Discovery in one motion either. To do them all at once would amount to a Class Proceeding, which in this context, would first require a certification motion and motions to strike before you ever got a single user name. And then it's appeals to the Divisional Court, Court of Appeal, motion for Leave to Appeal to the SCC and maybe even leave granted...

    Four years later...your Kazaa user isn't even with the ISP anymore and Kazaa is yesterday's news. What now Mr. Bronfman?

    Theory is fine - but $$$ and delay are the essence of the practice of litigation.

    Robert Trifts
    Barrister & Solicitor (Ontario)

  • by Spazmania ( 174582 ) on Wednesday September 17, 2003 @08:27PM (#6990827) Homepage
    what actually happens is that their computer makes a request and your computer actually sends the file to them. Thus, you're copying for someone else's use and infringing.

    The Crux of this argument revolves around a simple question: Who is operating the computer?

    Possible Answer #1: The owner of the computer is operating it. Even if he does not explicitly review and authorize each operation that the computer performs, the owner still dictated the parameters under which the computer would make those decisions. As a result, the computer copying and sending the music file is identical in every respect to the owner copying and sending the file... a clear copyright violation.

    The parallel to this notion is that you go to a friend's house, point to a CD on his shelf and say, "I want that one." The friend then burns you a copy of the CD and gives it to you, a clear violation.

    Possible Answer #2: The remote individual is teleoperating the computer. The owner has permitted some limited form of teleoperation, but each action the computer takes is at the behest of that remote individual. Since the non-owner individual is running the remote computer, its actions in making a copy for that individual's personal use are reasonable and completely legal.

    The parallel to this notion is that you go to a friend's house, point to a CD on his shelf and say, "I want that one." You then take it off the shelf and copy it using your friend's computer while he stands by and watches. Legal in Canada.

    Possible Answer #3: The computer is operating itself. Soon it will take over the world. Muahaha. We'll relegate this answer to science fiction where it belongs.

    The current caselaw is varied and confusing. Generally though, the following theme has developed: INTENT. If the owner knew and expected the computer to be used for a specific purpose, then when the computer does it, it's as if the owner did that same action himself, regardless of who actually instigated the action. If the owner did not know and should not reasonably have known that the computer could perform such an action, then whoever actually induced it to perform that action is the guilty party.

    Let's set up extreme hypotheticals to illustrate that theme:

    Example #1: You rig an electric chair to a computer and a modem so that the next time a telemarketer calls, the chair will electrocute its occupant. A telemarketer calls. Who is guilty of murder, you or the telemarketer? Duh. You of course.

    Example #2: Your Windows laptop gets a worm on it. You don't know it. You carry it to work behind the corporate firewall where it runs rampant, deletes everything and ruins the company. Are you guilty of destroying the company or is it entirely the worm author's fault? You're absolved; it's entirely the worm author's fault.

    So, how does all this help with the question of who's running the computer as it makes and sends the copy of the song? Well, it doesn't really. You could make a powerful argument that running a P2P server is no different than inviting the public at large to use your computer. You could strongly counter that by specifically setting up the computer to copy those particular songs, you and not the stranger are the agent of its copying. You could argue that it's no different than radio, deliberately putting specific songs into the ether where any stranger can record them.

    In fact, you can argue the issue back and forth through a lot of permutations. Before the matter is settled, you can expect the courts to argue the issue back and forth through a lot of permutations, ruling both ways while they seek the right balance.

    So basically, the short answer is:

    If you want to try to prove a point, go ahead but beware: Folks who want to live don't jump in front of trucks and expect them to stop, and the courts are behaving like drunk drivers. Your best bet for longevity is not to play in the street.

  • by JoshRoss ( 88988 ) <josssssssssssssh@gmail.com> on Wednesday September 17, 2003 @08:55PM (#6991014) Journal
    How could some people be smart enough to crack GSM and not smart enough to put together a PDF that does not look like ass?

    I don't know shit about dot products but I do know a shitty looking PDF when I see one.

    Somebody give these folks some fonts!
  • Now here's a random thought: In Canada, your friend is allowed to lend you a CD, and once in possession of it you're allowed to make a copy for personal enjoyment. But are you allowed to lend that copy to a different friend? Does that second-hand lending still constitute "private use," or is lending a copied CD infringement?
  • by cdn-programmer ( 468978 ) <terr@terralogic.MENCKENnet minus author> on Wednesday September 17, 2003 @09:57PM (#6991316)
    It would be legal in Saudi Arabia to both download and upload. Since the downloading is legal in Canada there would be no liability under section 80 for a Canadian in Canada to download whatever she wants if she can ascertain the source can legally upload. In fact it would be a real stretch to go after any Canadian who uploads from anyone out of the country.

    However, since the communication actually does involve one machine copying from another it would seem the ISP the downloader is connecting to might well be liable for anything downloaded as well as the telecommunications industry. Yet, there are provisions in place so that the telecommunications industry has a legal right to copy and cache anything that is put on the net so perhaps they are off the hook too.

    It seems the laws with respect to internet content have been designed so that the creators of the work lose the right to control or otherwise profit from the distribution of their content the moment it hits the net. The opportunity to profit transfers to the telecommunications industry.

    This means that there is perhaps a business opportunity. If we set up a company in say Saudi Arabia to serve copyrighted material for say a small subscription and legally buy one copy of each CD then any Canadian should be able to rip off the musicians legally. As for Americans, well perhaps we can legally ship pirated music out of Saudi Arabia... I don't know... it is an open question in my mind but I do think it is legal for any American to purchase a legally created CD even if it arrives from Saudi Arabia.

    Another way out for Americans might be for each to claim they are offering telecommunications services because under the DMCA they would then gain the right to "cache" any music placed on the net. They might not have the right to listen to it mind you - but then they would have to be caught in the act so to speak.

    There is already another business opportunity which is well underway now... this is the resale of used CDs. For about $12 bux I can buy a used CD in the mall near here and then copy it for my personal use and then take it back an hour later for a refund of $6 bux.

    Personally I think the spread is too great, mind you. But I suspect the prices will come down with more competition.

    If I ever bother to buy a cd burner perhaps I will make some copies but only of material I presently own as albums. I personally consider this fair use. I do not think ripping off artists is morally acceptable but then it was a stoopid liberal politician named Sheila Copps who organised the changes to the copyright act. Thus, WHY the present laws are written the way they are is perfectly understandable.

    On the other hand, what this change has accomplished is basically to remove the opportunity to profit from the distribution of copyrighted material away from the recording industry and transfer it without compensation to the retailers who set up little cd exchange shops. In a twist of fate it would seem however that the RIAA effectively managed to do that to the artistic community because as Janis Ian pointed out, she has never received a royalty cheque where they did not claim she owed them money!

    One could argue that this puts recording artists into the same boat as webmasters because webmasters also lose the opportunity to make money from the distribution of their copyrighted materials as soon as they are placed on the net.

    Oh well, artists should expect to be poor and die broke!

  • by dstone ( 191334 ) on Wednesday September 17, 2003 @10:54PM (#6991561) Homepage
    First, I realize that any action's legality can only -truly- be tested in the courts and we're playing theoretical/law-school games here. But how about this protocol...

    1) Server receives HTTP GET for file.
    2) Recognize that (for example) a 3 megabyte file can be described by a 24 million bit long number in base 2, or even shorter numbers in other bases you might prefer.
    3) Recognize that numbers are free and can't be copyrighted. Every number can and is used for a multitude of purposes.
    4) Respond with HTTP code 401 Unauthorized or a 403 Forbidden or whatever is applicable. Heck, create a new code that informs the client that you can't give them the file requested, since copying a digital work -may- infringe on copyright law.
    5) In the body of the response, give an extended error code number as per 2) above. It's up to the client how they interpret or use that number. You're giving them a freely available and multi-purpose number.

    Nothing in my response to the client was a copyrighted work, just a free number that is not and cannot be copyrighted.

    Okay, my tongue is out of my cheek now... :-)
