Josh in CharlotteNC (profile), 17 Feb 2012 @ 7:58am
Re: Reparations?
but Jotform won't be able to bring a civil action against either the Gov or GoDaddy correct?
GoDaddy is most likely covered from being liable in any way by the fine print in whatever agreement you have to click to register a domain with them.
But I see no reason why they don't have a case against the government. The Secret Service sent some kind of request or order to GoDaddy without due process. The problem is that they're not saying what happened, and litigating a case like this can be expensive, so there's a lot of work for Jotform to do before they can get a ruling.
Josh in CharlotteNC (profile), 17 Feb 2012 @ 12:34am
Re: Re: Re: Re: Re:
This is a case where taking the domain is the most expedient way to assure that nobody is phished.
Wrong! Completely and utterly wrong in every possible way imaginable.
That comment shows your lack of technical knowledge as well as lack of common sense.
Let's compare what you would need to do to either remove a single form or redirect the entire domain.
Single form:
1) Send abuse report to Jotform.
2) Jotform removes form. Form no longer accessible pretty much immediately.
Redirect domain:
1) Identify domain registrar.
2) Send abuse report to domain registrar.
3) Registrar redirects domain.
4) Wait anywhere from a few hours to days for DNS records to propagate throughout the internet. After 2 days, most likely no one can access the site.
Josh in CharlotteNC (profile), 17 Feb 2012 @ 12:04am
Re: Re: Re: Re: Re: Re: Re: Time to go
as long as it's specifically and surgically done (in this case it looks like it is because the .net was left alone) until at such time that some type of recourse can be taken.
Wrong on all counts.
Surgical? No, the entire jotform.com DNS entry was redirected by GoDaddy at request of the government.
The .net DNS entry was not active until after the seizure. As far as the entire internet was concerned it did not exist.
Considering that Jotform regularly deals with abuse of its service, and has well established methods for dealing with it, you cannot even make the argument that it is faster to shut the entire domain down! It's faster to contact Jotform and tell them one of their 2 million forms is being used for illegal purposes so they can investigate and turn it off.
I don't believe this is a Speech issue, nor censorship issue since criminal speech is NOT protected and the rights of society at large
So the 1,999,999 perfectly legal forms that were taken down on account of the 1 that was criminal are not protected speech?
This is akin to shutting down the entire telephone network in this country on account of 1 person who is alleged to have used it for criminal purposes.
Josh in CharlotteNC (profile), 15 Feb 2012 @ 11:08am
Re: True, but...
Two responses:
1) So what? We have a huge abundance of content of every type imaginable. There's more music/video/books/video games/etc being created than any person could hope to consume in a lifetime. Likability of the creator is just one factor among many that help us filter through all the content. So just add "artist/distributor likability" to quality, relevance, taste, ease of use, price, etc. Unsurprisingly, many of those mostly line up with not being an asshole already.
2) Is it so bad that society/the public/consumers wish to support those who work with the community and ostracize those who are only in it for themselves? In other words, choosing benevolence over selfishness if there is any alternative? It's simple competition.
Josh in CharlotteNC (profile), 13 Feb 2012 @ 11:17am
Re:
Even if the jury agrees that that fine is crazy, the minimum statutory damages of $750 are still so far beyond reasonable that it wouldn't really help. Even if reduced to the statutory minimum, she'd still owe $18,000 for 24 songs.
At that rate, the paying $2.50 vs. jumping the subway turnstile is a fine of $1875, instead of real world reasonable fine of $100.
Josh in CharlotteNC (profile), 11 Feb 2012 @ 3:01am
Re: Re: Re:
Tunecore isn't a replacement for record labels, any more than Amazon.com is a replacement for publishing companies.
You really do have your eyes squeezed shut, your fingers in your ears, and you're shouting "Lalalala the internet isn't real!"
Amazon's Kindle (and other e-readers) are making self publishing a reality for thousands of authors.
Do those authors using it, and the musicians using Tunecore, have to invest time and money? Sure they do. But they do not have to invest millions of dollars to be successful, or to reach the public, like they would have been required to do a decade ago.
Yes, Amazon and Tunecore are in it for the money. But they're helping thousands of artists every year become profitable at the same time. That's a win-win model, not the parasitic leech model of RIAA. Really, how many artists can the RIAA claim to have made profitable every year?
Josh in CharlotteNC (profile), 10 Feb 2012 @ 9:20am
Re: Re: Re:
It certainly should be possible to make a competitive CAD system without having to charge autodesk prices
It certainly would be without the insane level of patents and copyrights. The big name CAD software companies are playing the same game that Microsoft does with file formats for Office - and they'll try to sue into oblivion any free or low cost CAD software that's a threat. And much of the manufacturing equipment will only accept formats from the big name companies. So there is a tremendous amount of legacy inertia to overcome.
Josh in CharlotteNC (profile), 9 Feb 2012 @ 8:10am
Re: Re: Re:
Does a normal Windows computer trusts those certificates by default? This is a bit scary if it is.
I wish I could give you a simple answer, but there isn't one. Some root certificate authorities are trusted by default, yes, and they are generally the big names like Verisign, Thawte, Equifax, GoDaddy and such. But just because you trust a root CA doesn't mean you trust all certs they have issued. There are also intermediate certificates. And then also resellers and affiliates who also issue certs.
They're a small Dutch company that issued certs. They got hacked by suspected Iranian (state sponsored) hackers as a way to monitor secure communications over Google services.
Once the full extent of the breach became known, a lot of their certs were blacklisted, including an intermediate certificate used by the Dutch government for their Tax and Customs Administration. It then became difficult to impossible for Dutch citizens to login to the site and pay their taxes.
That's just a small CA - ramifications were felt by Dutch citizens and whoever in Iran had their Gmail intercepted. What happens if Verisign's CA business (owned by Symantec now) has a massive breach? What if it appears that they were knowingly issuing false certs to a government for the purpose of monitoring their citizens? They control >40% market share. They get blacklisted and that's millions of people unable to login to the bank accounts and investments. Thousands of businesses like Amazon who can't process payments.
Josh in CharlotteNC (profile), 9 Feb 2012 @ 4:47am
Re: Re: Likely has happened before without becoming public
Unfortunately it's not that simple.
Chrome's solution is a step forward. It solves two problems - websites' reluctance to use SSL due to speed concerns, and DoS attacks that would prevent a browser from checking the status of a cert.
There are many other problems that need to be dealt with.
Josh in CharlotteNC (profile), 8 Feb 2012 @ 10:37pm
Re:
You're joking, right? People designed the certificate system. Any good security system needs to take into account that people are fallible.
Paraphrasing Churchill:
Many forms of security have been tried, and will be tried in this world of sin and woe. No one pretends that the certificate system is perfect or all-wise. Indeed, it has been said that the certificate system is the worst form of security except all those other forms that have been tried from time to time.
Seriously, though, there are some fundamental problems with the certificate system that are not directly human-based. One big issue is that once you trust a CA, you're stuck trusting them forever (in practical terms). Just because I trust Trustwave, or Comodo, or Verisign, now doesn't mean they'll still be trustworthy in 5 years - yet the system really doesn't deal well with revocation of an entire CA. And there are over 600 organizations which can sign certificates, including the government of China. This story isn't over yet. Just wait until a major application wipes out a notable CA's "trustbits" - all sorts of hell will break loose.
Josh in CharlotteNC (profile), 8 Feb 2012 @ 8:23pm
Likely has happened before without becoming public
On top of that, there's no telling if other certificate authorities are doing the same thing elsewhere, significantly compromising SSL security.
I'm not sure if it could be called common, but it is highly suspected by many security professionals that this is not an isolated instance. Why would Trustwave have a specially designed hardware solution that could handle this? Sure, the hardware and software has legitimate uses, but someone from Trustwave really had to configure or program this to function well - and either that means they already had this capability, or spent a lot of effort for this single (yet unnamed) client. Hopefully it will shine a light on other CAs doing the same thing.
While Trustwave's original actions are very distasteful, I do have to give them credit for coming clean. Unfortunately, revoking the bogus cert doesn't really deal with the issue. Certificate revocation is basically the "least bad" option right now. Google has recently said that Chrome may stop checking revocation lists from CAs:
Josh in CharlotteNC (profile), 8 Feb 2012 @ 12:21am
Re: Re:
Where do these guys get their numbers?
One guy pulls a random number out of the air and spreads it around for a few months. Other people quote that number repeatedly without mentioning the first guy made it up. Some other people adjust the number upwards for no rational reason. Others start quoting the new higher number. Repeat ad infinitum.
On the post: US Returns JotForm.com Domain; Still Refuses To Say What Happened
Re: Reparations?
GoDaddy is most likely covered from being liable in any way by the fine print in whatever agreement you have to click to register a domain with them.
But I see no reason why they don't have a case against the government. The Secret Service sent some kind of request or order to GoDaddy without due process. The problem is that they're not saying what happened, and litigating a case like this can be expensive, so there's a lot of work for Jotform to do before they can get a ruling.
On the post: US Government 'Suspends' JotForm.com Over User Generated Forms; Censorship Regime Expands
Re: Re: Re: Re: Re:
Wrong! Completely and utterly wrong in every possible way imaginable.
That comment shows your lack of technical knowledge as well as lack of common sense.
Let's compare what you would need to do to either remove a single form or redirect the entire domain.
Single form:
1) Send abuse report to Jotform.
2) Jotform removes form. Form no longer accessible pretty much immediately.
Redirect domain:
1) Identify domain registrar.
2) Send abuse report to domain registrar.
3) Registrar redirects domain.
4) Wait anywhere from a few hours to days for DNS records to propagate throughout the internet. After 2 days, most likely no one can access the site.
Here, read it straight from GoDaddy: http://help.godaddy.com/article/1746?locale=en
On the post: US Government 'Suspends' JotForm.com Over User Generated Forms; Censorship Regime Expands
Re: Re: Re: Re: Re: Re: Re: Time to go
Wrong on all counts.
Surgical? No, the entire jotform.com DNS entry was redirected by GoDaddy at request of the government.
The .net DNS entry was not active until after the seizure. As far as the entire internet was concerned it did not exist.
Considering that Jotform regularly deals with abuse of its service, and has well established methods for dealing with it, you cannot even make the argument that it is faster to shut the entire domain down! It's faster to contact Jotform and tell them one of their 2 million forms is being used for illegal purposes so they can investigate and turn it off.
I don't believe this is a Speech issue, nor censorship issue since criminal speech is NOT protected and the rights of society at large
So the 1,999,999 perfectly legal forms that were taken down on account of the 1 that was criminal are not protected speech?
This is akin to shutting down the entire telephone network in this country on account of 1 person who is alleged to have used it for criminal purposes.
On the post: How Do We Know That Piracy Isn't Really A Big Issue? Because Media Companies Still Haven't Needed To Change As A Result Of It
Re: Re:
"Go away or I will replace you with a very small shell script."
http://www.thinkgeek.com/tshirts-apparel/unisex/frustrations/374d/?srp=1
On the post: If People Like You And Your Work They'll Pay; If They Like Your Work, But Don't Like You, They'll Infringe
Re: True, but...
1) So what? We have a huge abundance of content of every type imaginable. There's more music/video/books/video games/etc being created than any person could hope to consume in a lifetime. Likability of the creator is just one factor among many that help us filter through all the content. So just add "artist/distributor likability" to quality, relevance, taste, ease of use, price, etc. Unsurprisingly, many of those mostly line up with not being an asshole already.
2) Is it so bad that society/the public/consumers wish to support those who work with the community and ostracize those who are only in it for themselves? In other words, choosing benevolence over selfishness if there is any alternative? It's simple competition.
On the post: UK Now Seizing Music Blogs (With American Domains) Over Copyright Claims
Re:
On the post: How Does The Penalty For 'Content Theft' Match Up With Similar 'Crimes'?
Re:
At that rate, the paying $2.50 vs. jumping the subway turnstile is a fine of $1875, instead of real world reasonable fine of $100.
On the post: TuneCore: RIAA Has Become A Part Of The Problem For Artists
Re: Re: Re:
You really do have your eyes squeezed shut, your fingers in your ears, and you're shouting "Lalalala the internet isn't real!"
Amazon's Kindle (and other e-readers) are making self publishing a reality for thousands of authors.
Do those authors using it, and the musicians using Tunecore, have to invest time and money? Sure they do. But they do not have to invest millions of dollars to be successful, or to reach the public, like they would have been required to do a decade ago.
Yes, Amazon and Tunecore are in it for the money. But they're helping thousands of artists every year become profitable at the same time. That's a win-win model, not the parasitic leech model of RIAA. Really, how many artists can the RIAA claim to have made profitable every year?
On the post: SOPA Strikedown Aftermath: Old Media Cannot Tell The Narrative Of One Million People
Re: Re: If you are going to ask or assume
Just like no one will be buying your spinning CDs.
On the post: Do The Differences Between Software Piracy And Media Piracy Matter?
Re: Re: Re:
It certainly would be without the insane level of patents and copyrights. The big name CAD software companies are playing the same game that Microsoft does with file formats for Office - and they'll try to sue into oblivion any free or low cost CAD software that's a threat. And much of the manufacturing equipment will only accept formats from the big name companies. So there is a tremendous amount of legacy inertia to overcome.
On the post: Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks
Re: Re: Re:
I wish I could give you a simple answer, but there isn't one. Some root certificate authorities are trusted by default, yes, and they are generally the big names like Verisign, Thawte, Equifax, GoDaddy and such. But just because you trust a root CA doesn't mean you trust all certs they have issued. There are also intermediate certificates. And then also resellers and affiliates who also issue certs.
Confused yet? It's about to get worse.
Can you elaborate on that?
This is what happened to DigiNotar.
http://www.techdirt.com/articles/20110830/13243615741/evidence-suggests-diginotar-who-issued-fraudulent-google-certificate-was-hacked-years-ago.shtml
They're a small Dutch company that issued certs. They got hacked by suspected Iranian (state sponsored) hackers as a way to monitor secure communications over Google services.
Once the full extent of the breach became known, a lot of their certs were blacklisted, including an intermediate certificate used by the Dutch government for their Tax and Customs Administration. It then became difficult to impossible for Dutch citizens to login to the site and pay their taxes.
That's just a small CA - ramifications were felt by Dutch citizens and whoever in Iran had their Gmail intercepted. What happens if Verisign's CA business (owned by Symantec now) has a massive breach? What if it appears that they were knowingly issuing false certs to a government for the purpose of monitoring their citizens? They control >40% market share. They get blacklisted and that's millions of people unable to login to the bank accounts and investments. Thousands of businesses like Amazon who can't process payments.
On the post: Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks
Re: Re: Likely has happened before without becoming public
Chrome's solution is a step forward. It solves two problems - websites' reluctance to use SSL due to speed concerns, and DoS attacks that would prevent a browser from checking the status of a cert.
There are many other problems that need to be dealt with.
On the post: Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks
Re:
Paraphrasing Churchill:
Many forms of security have been tried, and will be tried in this world of sin and woe. No one pretends that the certificate system is perfect or all-wise. Indeed, it has been said that the certificate system is the worst form of security except all those other forms that have been tried from time to time.
Seriously, though, there are some fundamental problems with the certificate system that are not directly human-based. One big issue is that once you trust a CA, you're stuck trusting them forever (in practical terms). Just because I trust Trustwave, or Comodo, or Verisign, now doesn't mean they'll still be trustworthy in 5 years - yet the system really doesn't deal well with revocation of an entire CA. And there are over 600 organizations which can sign certificates, including the government of China. This story isn't over yet. Just wait until a major application wipes out a notable CA's "trustbits" - all sorts of hell will break loose.
On the post: Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks
Re: Likely has happened before without becoming public
https://bugzilla.mozilla.org/show_bug.cgi?id=724929
Brian Trzupek appears to be from Trustwave.
On the post: Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks
Likely has happened before without becoming public
I'm not sure if it could be called common, but it is highly suspected by many security professionals that this is not an isolated instance. Why would Trustwave have a specially designed hardware solution that could handle this? Sure, the hardware and software has legitimate uses, but someone from Trustwave really had to configure or program this to function well - and either that means they already had this capability, or spent a lot of effort for this single (yet unnamed) client. Hopefully it will shine a light on other CAs doing the same thing.
While Trustwave's original actions are very distasteful, I do have to give them credit for coming clean. Unfortunately, revoking the bogus cert doesn't really deal with the issue. Certificate revocation is basically the "least bad" option right now. Google has recently said that Chrome may stop checking revocation lists from CAs:
http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars
More details:
http://arstechnica.com/business/news/2012/02/critics-slam-ssl-authority-for-minting-cert-used-to-impersonate-sites.ars
Background info on CAs and certificates if you don't understand all this stuff:
http://en.wikipedia.org/wiki/Certificate_authority
On the post: RIAA Totally Out Of Touch: Lashes Out At Google, Wikipedia And Everyone Who Protested SOPA/PIPA
Re: _sigh_
Hope Mike covers the Kickstarter campaign currently underway. It is truly impressive.
On the post: Who's Still Backing SOPA/PIPA... And Why?
Re: Re:
One guy pulls a random number out of the air and spreads it around for a few months. Other people quote that number repeatedly without mentioning the first guy made it up. Some other people adjust the number upwards for no rational reason. Others start quoting the new higher number. Repeat ad infinitum.
On the post: CreativeAmerica Literally Resorts To Buying Signatures
Re: Re: Re: Re: Sign Me Up
Wrong word. "Taking" implies the creator no longer has it. Copying it, or using it without permission is perfectly fine, yes.
On the post: Hollywood Still Doesn't Realize That The Internet Drives Popular Culture Now
Re: Hollywood's New Business Model
On the post: Hollywood Still Doesn't Realize That The Internet Drives Popular Culture Now
Re: