Yeah, smells like "embrace, extend, ..." of Oracle's bullshit VM policies...
... but I do not expect the usually following "extinguish" in this case, though ...
111 posts • joined 2 Sep 2016
Once the UK agreed to create mass snooping capabilities for use against terrorists, these capabilities created demand in all other departments of government.
You _can_ better assess, direct and punish a population in a number of ways without any privacy laws in the way plus full surveillance. Most citizens of former Eastern Germany know that well from experience...
After all, only a citizen that is observed 24/7 is a) a secure citizen and b) a citizen _constantly confirmed_ to be abiding by the law.
While China was doing it openly to suppress, in the UK it happened under the guise (and maybe even intent) of fighting terrorism. However, the result, as you will experience, is mostly identical.
Hopefully your example will at least spare some other countries the same fate as they have the opportunity to learn by example.
I wish you good luck since reversing this situation and prying surveillance powers back from government agencies all over the place will be much more difficult than preventing it from happening in the first place...
Sure you do that - you block all known attack vectors to access the data.
Until someone comes up with a new idea or - as is likely in this case - someone turns an authorized user's computer into a trojan horse that effectively steals the documents.
For encryption at rest:
Many people think that's a silver bullet; however, if continuous accessibility of the information is part of the requirement (which is true in most cases) you need to distribute the password/private key in some form to the point of access, otherwise even the authorized end user cannot read and work with the data. That's why I tend to view most implementations of encryption at rest somewhat as snake oil. They just make it somewhat harder to extract cleartext data.
Same problem with air-gapping systems.
In this case you need to bring every user of the data behind the air gap. Which excludes such a solution from most real-world scenarios.
Especially in complex distributed development, where optimized sharing of documentation/information is regarded as key to mission success...
> That is part of what I'm talking about - is it a fundamental truth that invisible doors and papier maché walls will exist? If so, why?
Necessarily. Whatever you need to do in computer security, securing websites, web apps or simply securing documents inside a company, you need to work with existing (and continually changing) hardware, firmware, drivers, operating systems, network protocol implementations, firewalls, management solutions, etc.
Every component you work with is updated regularly (if you do it right). This means a) known bugs are closed, b) new features are added and c) new bugs are introduced, every single one a potential new door.
On all architecture levels mentioned above - simultaneously.
> too much reliance on "somebody else".
Yes, every application you create/run/maintain today sits on a ton of other software you cannot control.
OK, you _could_ try to create, for example, a document management solution based on your own hardware, firmware, drivers, OS, own network stack, own firewall code and finally own application.
But you'd need to invest thousands (millions?) of man-years to create and test tons of new code.
And with an overwhelming probability your own code will have many more bugs than the stuff already on the market that has been tested in thousands of installations.
So, yeah, relying on somebody else is a problem, but having to code everything up from bare metal yourself would pose a worse problem in terms of security, let alone feasibility.
> Now imagine the liability if you used that place to store hugely valuable stuff. You would have done your due diligence on the building before using it, and not taken someone else's word for its security. To do otherwise would find you liable for civil and possibly criminal action.
Accept criminal liability for security in a world where invisible doors exist and you cannot tell concrete and cardboard apart?
I'd get a new job immediately, since no amount of due diligence will make sure I have not overlooked one of the invisible doors. Or that no new door will pop up due to changes made by somebody else tomorrow.
As a virtual real-world example:
Try to secure a building. You use perimeter controls, fences, secure doors, alarms, etc. Not hard, right?
Now try to imagine securing a building where fences have holes you cannot see. Where walls have doors you cannot see. Some walls that used to exist forever are gone the next day. Some walls only look like walls when in reality they are just props from a film set. Where people that you cannot control are working on structural changes and who routinely refuse to tell you what they did. Where alarms notice some trespassers while ignoring others. Where you learn one day that while you thought you had the only keys to the building, the company who made the doors was handing out every key to every door they ever made to anyone who asked...
Good luck with that...
On an emotional level I'd like to see the pitchfork-based responses above implemented, but that's a bit too much 18th century style ...
But what about some 100 hrs of community service to make up for the crap they cause?
Stopping E2E encryption of WhatsApp and Apple - then what? Criminals/child predators moving to other services, of course. So what will be the next steps?
Will telcos be forced to provide crackable in-transit encryption (like a backdoored HTTPS) in order to "earn" or keep their exemptions?
Will hosting providers be forced to only provide crackable at-rest encryption in order to earn or keep their exemptions?
As the "law" would just authorize basically *anything* a commission comes up with, this could become a very slippery slope...
Math laws cannot be selectively enforced for citizens and waived for police. Every encryption that becomes crackable/backdoored for police will also become crackable for criminals.
So software and services of US origin will become insecure in a very basic sense of the word.
As a consequence, once this really becomes law, we will probably see the downfall of the great US software empire, as only the EU and Asia will be able to construct secure products.
"'Who expects honesty and decency from Google' I would also have agreed."
Agree, and I must say I'm not into this topic for Google, or for honesty and decency for that matter.
But if Oracle wins this case, the whole software industry which, since its inception, always was based on the fact that APIs are not copyrightable, will suffer heavily under lawsuit after lawsuit.
"They go after many respected think tanks and call them 'Google shills' while themselves getting money directly from Oracle"
Well, after all, accusing the other side of what you are guilty of doing is, in fact, as widely used a strategy as buying support from groups that are portrayed as being neutral and interested in "public wellbeing".
A classic comms strategy, albeit dishonest and opportunistic ...
10/10 on the Oracle scale, I'd say.
Let's hope the judges see through this ...
And based on the fact that humanity came up with crap ideas on how to use flintstone, fire, the wheel and basically every invention since then, this was quite to be expected ...
_Every_ invention that works will also be used for negative goals.
And his invention works perfectly :-)
Actually Oracle bought Sun's server biz.
Java was an addition they never knew how to use - until they came up with using it as a tactical weapon in court to unfairly attack competitors.
"creative choices" in API naming... can't make that shit up.
The only thing "creative" I see here is the Oracle legal argument....
This is more like a traditional car maker breaking into the car you just bought from a dealership and removing a feature (say, the nav system or the seat heating) because "*you* did not pay [the manufacturer] for it" ...
Sounds weird, in case this story really happened that way ...
Just because a "feature" of a car is a configurable software item and not a physically installed item, it still belongs to the car's features that are sold to the first customer who for all I know should be allowed to sell it to a new owner via dealership or directly.
I assume you are aware that hacking attacks can be - and in fact are - also executed from the soil of the US, UK, Germany, France, etc.
If so, how much of a nail are these countries?
How appropriate would be military action in these cases?
And why should other countries be more of a nail, just because we do not live there?
Nope, thinking about responding to a virus/malware with military force is simply stupid.
"If the only tool you have is a hammer, every problem looks like a nail" comes to mind ...
Applying military "thinking" to civil problems like computer security is a danger to public security.
Is this just a general trying to appear relevant or NATO trying to do the same?...
That's how Oracle tries to muddy the water ...
Oracle basically claims that the hard-thought-out and innovative names of functions and parameters, aka "the API", were copied/stolen by Google.
They never claimed the implementation itself was copied/stolen - but they sure as hell make it sound like that to the judges.
SCO claimed copyright on the kernel API. So despite a clean-room implementation Linux would have violated copyright.
Oracle claims copyright on the API description of Java functions, so even clean-room re-implementations of the API would violate copyright.
You are right. No idea who owns the SCO copyrights these days, but they will rise in value massively, should Oracle win.
Improbable, as RedHat, just like any other Linux Distro, is pretty replaceable.
Re-training support staff from RHEL to another distro should be completed quickly if need be.
There's just not enough lock-in potential for IBM to get away with big price hikes or changes in the licensing fine print the way Oracle does it.
That said, I like RHEL, the way RedHat behaved as a company and how they were easy to work with.
I hope that will not change under IBM.
But, if it does, we are ready to move...
Even at a rate of 2 million in 2 years there would not be a good chance of any direct hit with any solar system body, let alone tiny Earth ...
However, the night sky view would become spectacular: imagine 10,000 active comets when you look up in the dark at night :)
It's easy to control a population if you completely control the news and all Internet activity - and the Chinese government seems to have become dependent on that level of control.
You can manipulate their perception, can blatantly lie to them whenever it suits you and can make them love the heroes of their government and the KP - even though these organizations roughly have the same percentage of corrupt bastards as in every other government.
Together with the social scoring system that enforces citizens' compliance and curbs any criticism to zero - even by people you just happen to know - Mainland China has become a full-fledged police and surveillance state that basically knows what people think and punishes them for thinking the "wrong" things or holding "wrong" opinions.
It must feel really alien to the Chinese KP to not have that level of manipulation and control over Hong Kong's population.
Must be like driving a bicycle hands-free.
Judging just by the video linked in this article, I think it's perfectly open and fair to call bullshit on this "solution".
In fact, if the presentation maintained only about half the fantasy level of the video, I'm surprised they were even able to finish the presentation ...
Both hackers and engineers are not known to tolerate fantasy marketing very well.
Probably the fact that all VC money is currently spent on "doing XXX with blockchain/AI/deep learning" and more generally on startups that promise to gather, use and sell sensitive customer data as recklessly as the current market leaders?
And that is also the reason why existing or announced tariffs will not lead to significant relocations of production capacity.
These relocations need several months to several years to be planned & executed. Several more years in stable economic situations to pay for themselves.
And that stability cannot be expected from the US government.
Either Trump tries raising taxes permanently, tanks the US economy and loses the next election, or he will soon drop the new taxes in response to a probably meaningless "fantastic deal" he will pretend to have reached with the Chinese.
In neither case will these tariffs last anywhere near long enough to justify any long-term relocation of production capacity back to the US.
OK, the Ringworld reference was quite obvious from the Rat's "optimization" of behavior.
However, maybe Tad Williams' novel "Otherland" might offer a not quite so frightening scenario on how to use/abuse such tech, if it should become available and really reach that level of tactile and visual sensory input.
To be fair to your DBAs: the licensing traps like D&T, AWS, hot/cold standbys, SAN replication, etc. are carefully avoided in technical DBA trainings, and even experienced DBAs I work with are often fully ignorant of the licensing status of their installations if they work in a purely technical capacity.
Even Oracle sales staff will not always produce correct answers when calculating the number of licenses for a given, even slightly complex, setup...
Especially if it involves Cloud components other than Oracle's legacy stuff ...
This, let's call it 'situation', opens up a nice huge attack surface for the other Oracle sales staff (auditors) to ram new products and services into existing victims/customers.
So this licensing complexity problem with Oracle products does not seem to have happened purely by accident.
It seems to be a carefully designed strategic sales tool of the worst kind.
Is such law based on the assumption that terrorist propaganda, in a way, _creates_ more terrorists? So that a normal, law-abiding citizen just reads through some BS posted online and thinks: "Hey, killing people and using $DEITY or $IDEOLOGY as a pretense might be a great idea after all"?
Is it instant brainwash that should be prevented by this law?
Looks like someone watched too much Sci-Fi...
This is an interesting interpretation of "free will" and free speech that seems to form the rationale of this law.
Also note that the definition of what might be regarded as terror OR propaganda is rather foggy ...
After all, SCO also claimed copyright violations that centered around the header files of kernel functions.
So Google using the API definitions of Java to cleanly re-implement the bodies of internal Java functions is to me (programmer, not lawyer) exactly the same.
The culture you need to maintain to retain staff in a company that is actively developing on the bleeding edge of IT and the culture of IBM (or any one of the remaining IT dinosaurs) are two very different things.
Let's see what happens to RedHat's innovative drive - and revenue - once the standard IBM management techniques regarding (or better: disregarding) their human resources kick in.
The one sensible idea in this whole mess is having a third-party do the actual identity validation completely independently from anything else. They are then able to provide some sort of verification token to any site that asks for it, presumably based on some sort of username/password you provide,
Yep, but providing uid/pw to a second or third party also reveals your identity to that party.
The possible promise of said third party to immediately forget your identity after the question does not count.
Oracle still thinks it is becoming a cloud vendor, while in reality they are a tool vendor with a hardware compartment and identity problems ...
Cloud is the reason they are losing territory, due to deteriorating tool quality and byzantine licensing terms & conditions in non-cloud and foreign-cloud environments.
It's a good thing Mr Buffett admits to himself he does not really understand the market and draws the correct consequences.
That is exactly the way Oracle is not acting.
UK government takes back control, but - based on what I see in the live stream from the British parliament - doesn't know how or where to drive the country any longer.
Without a deal EU companies are no longer automatically allowed to host data and services in the UK starting April 2019.
Likewise, UK IT staff is no longer automatically allowed to work remotely on EU data.
Hosting data/apps in the UK will be comparable to hosting them in the US or in northern Africa - regulation-wise. The potential legal problems will be enough for most companies to re-locate data and services inside the EU and staff it purely with EU citizens.
I guess there's not much individual businesses can do to prepare for that scenario. They will simply be excluded from what is currently a sizeable portion of their market.
Biting the hand that feeds IT © 1998–2020