On the post: FBI Flexes Rule 41 Powers, Uses Remote Access Technique To Neutralize Compromised Software All Over The US
Re:
The people running those servers were notified, repeatedly. They took no action to apply the permanent fixes that were available. Their compromised machines pose a security risk not just to the owners but to everybody else on the Internet. If nothing else they permit the criminals behind the infections to download any and all personal information that may be accessible from those machines and use those machines to attack others.
If the FBI's going to abuse its authority, this is the way I'd prefer them to abuse it.
On the post: Game Publishers: If Your DRM, Anti-Cheat Software Does Creepy Installs, Warn Your Customers First
Re: Re:
Objection. Rusty nails are at least theoretically usable for something, making them more welcome than DRM.
On the post: Activision Forces Online Check DRM Into New Game, Which Gets Cracked In One Day
FTFY
On the post: Journalism Forces Wireless Industry To Belatedly Fix Text Message Flaw That Let Hackers Access Your Data For $16
What I don't get is why Aerialink ever had the ability to redirect SMS/MMS traffic through their gateway in the first place? There's no way for consumers to request that sort of redirect, so it couldn't have been at the number owner's request. The carriers are already the SMS/MMS gateway for their own networks, so they wouldn't need to request such a redirect. The only time I can see them needing that is if they were subcontracting operation of their own gateway out, and it doesn't sound like that was the case here. So why would there even need to be the ability for a third party to request control of SMS/MMS routing? It sounds to me like this is something that should never have even been implemented.
On the post: Even Murkier: Microsoft Says Some Bethesda Games Will Indeed Be Xbox, PC Exclusives
This is Microsoft we're talking about here. Anyone who thought that they wouldn't be making as many games exclusive to their platforms as possible hasn't been paying attention for the last 3 decades.
And no, that isn't exclusive to Microsoft, just they're one of the biggest and most visible in the games field.
On the post: SEC Sues AT&T For Leaking Info To Analysts To Cover Up Drooping Smartphone Sales
Re:
The SEC may just have noticed that certain analysts changed their projections shortly before the financial call for no obviously-apparent reason, and wondered what those analysts knew that others didn't. And I'm sure in that case the analysts showed the SEC the disclosures they got, because that gets them right off the hook for any impropriety. But you're right, even in that case it should've been easy for AT&T to show that it sent the same thing out to all analysts and some of them just must've ignored it (which isn't on AT&T).
On the post: EA College Sports Is Back, But Some Schools Are Opting Out Until Name, Image, Likeness Rules Are Created To Compensate Athletes
Re: NIL
Only one thing: the EA game doesn't fall under any of the cases where you can use someone's trademark (which is what NIL would be considered) without permission. EA isn't reporting on what that player actually did, or reporting factual information about them, nor are they leaving the representation of the player unidentifiable. They're creating something new that the player never participated in featuring that player and distributing that, for which they need a license to use that player's NIL. Note that whether the player can be paid for the use of their NIL is irrelevant to the need for a license.
The question would be, rather, does that waiver grant the NCAA the right to re-license players' NIL to other companies, and whether it did so for EA. I don't know the exact wording of the waiver, so I can't speak to that.
On the post: Not OK, Zoomer: Here's Why You Hate Videoconference Meetings -- And What To Do About It
In a lot of cases the simplest solution is to ask whether you need a meeting or not. I don't know how many meetings I've been in that are mostly or only data dumps. If you want to give a presentation or deliver data, write it up in an email or make a slideshow and send it out to everyone. Once everyone has the information and has gotten any follow-up they want directly from the originator, then you can see if there's still a need to have everyone on a call at the same time to debate or ask questions of the group. 9 times out of 10 I find that everyone's satisfied with what they have and there's no need for a meeting at all. The whole process is asynchronous so it doesn't interrupt schedules any more than absolutely necessary, and it creates its own audit trail which is really useful for reference.
And it frees up more time for the meetings that really benefit from real-time interaction, which often don't require the people most likely to schedule meetings.
On the post: Fifth Circuit Says Tasing A Person Soaked In Gasoline And Setting Them On Fire Isn't An Unreasonable Use Of Force
Re: Re: This is how you get not just protests but riots
This is one of the reasons why, here in Seattle, they took 911 away from the police and gave it to an outside agency with an explicit mandate to decide which emergency services to call for any given call. The police obviously aren't happy about this, but not many people can manage to feel any sympathy for them since they keep demonstrating why decisions like this are necessary.
On the post: Hacked Florida Water Plant Found To Have Been Using Unsupported Windows 7 Machines And Shared Passwords
Re: That shouldn't even be an option
The department pointed out that the system did have maximum limits in place in hardware, and alarms that would've alerted the operators to the change if they hadn't noticed it themselves. It was just that in this case the operators acted so quickly that the additional layers of safety measures never had a chance to activate.
On the post: Texas Dept. Of Public Safety Issues Amber Alert For Victim Of Horror Doll Chucky
Re: Re:
Every system I've ever dealt with. Nobody sane trusts that the deployment of a new version went flawlessly; there's always at least some smoke tests done after deployment to make sure the system's really working before it's opened back up for use. And nobody sane does those tests using real users' accounts because nobody wants to mess up real data with test transactions.
On the post: Texas Dept. Of Public Safety Issues Amber Alert For Victim Of Horror Doll Chucky
Re: Re:
Usually it's lack of outside systems. A vendor or outside agency that doesn't have a dedicated staging environment running the same software as production, for instance. Sometimes it's lack of hardware, for instance when I worked at Flying J our QA department had to buy real gas pumps and modify them for use in the lab for testing (and even then it wasn't really adequate, we couldn't replicate the variety of pump and controller firmware present at the actual stores).
On the post: Texas Dept. Of Public Safety Issues Amber Alert For Victim Of Horror Doll Chucky
Sometimes, though, the only place you can really run the final tests is in production. Nobody in software likes it, but sometimes that's the only place the networks and services you need to test with exist. You've got mock versions in the QA and staging environments, but they're not the real thing and may themselves have bugs in them so they don't behave the way the real thing would. Most often that would cause the system to fail null, and for something like the Amber Alert system you probably don't want to send out an alert and have it... fail to go out because the system sending out the alerts expected an all upper-case code (like the mocks all used) while the system raising the alert used lower-case.
That's why every system has a few test accounts in production for the express purpose of running tests and verifying things are working after deploying a new version of the system. They're usually set up the way this alert was, with blatantly obvious bogus data so if they accidentally get where they shouldn't've they're easily recognized and discarded.
On the post: No, Getting Rid Of Anonymity Will Not Fix Social Media; It Will Cause More Problems
We discovered on BBS networks way back in the '90s that there were two kinds of non-anonymity: verified identity and continuity of identity. Verified identity connected your real-life identity with your online identity, requiring providing valid ID to create an account and associating your real name with your account (tying your account to your real-life identity). It worked, but it was overkill. The other, continuity of identity, turned out to do everything needed and several useful things verified identity didn't do. It was basically the assurance that anything posted under a given name came from the same actual person. You didn't know who that person was, but you could trust that the same name was always the same person. There was also assurance that it wasn't trivial for one person to acquire a different online name. Not hard, mind you, but not something someone would do unless they truly intended to do it. Unlike verified identity, it allowed people's words and record to speak for themselves. Since all you knew about the person was what they said, things like what position they held, what education they had, what their economic status was, all became less important than what they were actually saying. That kept the focus on what was being said since people couldn't hide behind titles and degrees and claim authority based on who they were; they had to back it up (which the truly knowledgeable could do easily and the BS-ers couldn't). The whole system worked fairly well for... well, a couple of decades at least. I first encountered it on CompuServe and GEnie, and it was still going strong into the early 2000s.
Maybe what we need is something like what CompuServe had, where your account identifier was just a large number that, while not hard to get, was non-trivial to get several of since you had to provide payment information for each one and the account system would balk at creating multiple accounts with the same payment information attached through the regular individual-user interface. You could set any name you wanted on your account, you could change your name any time you wanted, but everyone could see that it was always the same account identifier behind it. At the same time, that account identifier didn't reveal anything about your actual identity unless you deliberately linked the two by attributing the identifier to your name elsewhere.
On the post: House Republicans Have A Big Tech Plan... That Is Both Unconstitutional And Ridiculous
Re: Very Simple
Unfortunately the Supreme Court disagrees with you.
On the post: Congressman Asks House Education Committee To Look At Pre-Crime Program Targeting Florida Schoolkids
When they titled the film "Minority Report", it was accurate in far more ways than they intended.
On the post: Inauguration Has Happened, Google And Facebook Should End The Ban On Political Advertisements
Re: Re: Re: How about no?
Problem is that all the problematic political advertising the last election cycle wasn't paid placement; it was political groups setting up accounts to post their articles on, which, if you can't see inside the mind of the poster, is indistinguishable from organic discussion. To ban that sort of political advertising you'd have to ban posting anything political by anybody, which I agree with you would be a bad thing.
I say allow politics, but allow any post to be fact-checked if it contains false or misleading information. And if a high percentage of an account's posts are false or misleading, say 80% or more, restrict or ban that account.
On the post: Illinois Legislature Sends Massive Police Reform Bill To The Governor's Desk
Like no other profession has ongoing continuing-education requirements where members of that profession are expected to pay for their own education. Ha ha bloody hah!
On the post: Broadband Market Failure Keeps Forcing Americans To Build Their Own ISPs
Re: Re: Re: Re: Re: Re: Re:
The local cable company and telcos pay those same providers too. That's why you hear big ISPs screaming about how Google and other content providers are "free-riding" on the ISP's bandwidth and should have to pay the ISPs to reach the ISP's customers: those ISPs are consumer-heavy so their traffic's highly asymmetric (high download, low upload) and they're having to pay the backbone providers to carry traffic to their networks. Everyone has to pay the backbone providers eventually, but this guy's paying them directly and doesn't have to pay any of the local ISPs as well as the backbone.
Oh, and if you're running fiber long distances, you won't be talking to any of the local ISPs to get access to fiber either. You'll likely start by talking to the railroad line that owns the rights-of-way in your area (in my case, Union Pacific). They either own the fiber along the right-of-way or lease it out to a reseller. Most of the big backbone providers and local ISPs don't run their own cross-country fiber, they lease capacity in the fiber runs the railroads laid down.
On the post: Trump's Facts-Optional Assault On Chinese Tech Continues With Blocking Of Xiaomi
Given the Trump administration's track record, I'd say their accusations against Xiaomi are probably a good indication Xiaomi isn't in fact working with the Chinese military and their biggest offenses are offering better kit at lower prices than American manufacturers and/or failing to cooperate with US intelligence agencies.