* Posts by system

168 publicly visible posts • joined 1 Oct 2007


Is Google's culture grab unstoppable?

system

Business opportunity

1) Have a mate set up a new musicians association and sign up some local bands.

2) Share some of their tracks and have them sue you.

3) Settle in a similar manner to this.

4) Start a site offering "out of print" (with your own definition of "out of print" of course) songs from all artists at 10p per track.

5) Profit!

system

RE: Sooo....

Nope. Google is negotiating with 2 bodies, a collection of somewhere around 8000 authors/literary agents/attorneys, and a trade association for publishers. Both of these groups are primarily for American authors and publishers.

If you read the proposed notice from google (awaiting court approval), you will see that this affects all authors and publishers in all countries covered by the Berne Convention. http://books.google.com/booksrightsholders/notice.html

Under the settlement, google is authorised to: 1) sell to institutions subscriptions to an electronic Books database, 2) sell online access to individual Books, 3) sell advertising on pages from Books, and 4) make other uses. In exchange, google will pay 63% of all revenues through the registry that google itself is setting up. The registry itself is expected to take 10-20% of the income for "administrative fees".

For having already made digital copies of works, google will pay $60 per infringement for each complete book. Rather low when compared with the sort of payments expected by the RIAA/MPAA for each non-commercial infringement of the same type. To receive this $60, authors will need to register a valid claim before 2010.

Authors of out of print books will lose all their rights to exclusive distribution unless they opt-out. Google is given the right to not only sell copies of these out of print books, but to place adverts on every page. This right is granted for the full copyright term of the book.

Authors of in print books "may" be able to negotiate different terms with google, but no such point is made with regards to out of print books. So in addition to losing the right to keep a book out of print, those authors will also be paid a fee set by google regardless of their own wishes about pricing.

Rightsholders are specifically not allowed to remove their books from all uses unless they do so before 2011. If books are not removed before then, google has a right to use that work for any purposes they deem fit as long as the work is not displayed (providing of course that the author opted out their out of print works).

Future possibilities listed in the notice include on demand printing. If your book is out of print and you have not yet told google that they cannot use it, tough titty to you. They'll print your book and charge whatever they see fit for it. You may then get your fair share of the money, or you may not. Depends on whether the registry has your details, or whether your old publisher is claiming ownership. There will also be a cut going to all the authors of books that don't sell just for being included in the registry.

On the subject of inclusion fees, "Once Rightsholders have received their Inclusion Fees, they will no longer be permitted to exclude their Books or Inserts from subscriptions unless the Inclusion Fees are returned to the Registry". So, it's all or nothing. If you allow google subscribers to browse your work for 2 years, you'd better be in it for the long haul or you'll get nothing at all.

To cap all this off, if you aren't registered with the registry, you won't see a penny. Unclaimed funds will not be reserved while the registry tries to find the rights holder, they will instead be paid to the registry and to authors who are registered.

So, no, this is not fair competition. Google is effectively getting to stomp all over copyright, snatch up huge volumes of out of print books, print and publish without permission from the copyright holders and generally crap all over authors from all nations who will be given no options in the U.S. court system. Unless copyright laws are changed to allow other companies to wade in and snatch what they want on an opt-out basis, this is nothing like competition.

Google disguises capitalism as civil rights

system

RE: Everyone knows

To turn your argument around, you don't need those VOIP packets more than I need to listen to net radio. You can make do with a real phone like everyone else. You do not need to see EastEnders online more than I need to see youtube content, if you don't like it you can go watch the TV or buy a VCR/PVR. Nobody's usage is more important than anyone else's, pretending that your usage is somehow special and more important just smacks of a massive ego.

Two people paying the same price on the same ISP should get the same service regardless of what they are using packets for. If you think you deserve better service than everyone else, then you should pay extra for it.

Google Analytics — Yes, it is a security risk

system

Andrew

"The representation of the content may be modified on the client side but the real data is cannot be modified unless the attacked browser is adding / modifying content"

To use a word you seem familiar with, that's a fail.

The attacked browser need not be doing anything for javascript within the page to launch any links the user has access to behind the scenes. If all you have access to is your own profile, the attacker can automatically change your password and email address for you and send a ping to their server to give them your new password (unless of course the coder had some brains and included a requirement for the original password to be entered before making those changes).

If the user has access to any admin functions (highly likely inside an admin panel), the javascript can do anything that admin panel can do. Add new users, delete users, edit content, run sql commands if the coder was dumb enough to include that "feature".

To others asking why someone would bother using a DNS attack against google-analytics rather than the site itself, a quick question for you. In everyday browsing of the net, how many sites do you come across running GA? More than 32% of Alexa's top 500 sites run it. The percentage is probably higher for other sites. Poison the DNS for change.gov, you've managed to attack one site. Poison the DNS for GA, you've managed to attack thousands.

http://royal.pingdom.com/2008/05/28/google-analytics-dominate-the-top-500-websites/

system

RE: Javascript by Andrew

Yes, javascript runs on the client, but it has access to everything on the page that the client does.

Cookies that are not set to httponly for instance. Or the ability to change where a form will be submitted to. Either of those can be used to steal login credentials.

If the client happens to be logged in as an admin, you can use the JS to do pretty much anything they could, like adding yourself as a user, deleting records, changing details etc.

system

no title

"What reason do we have to think anyone inside the company would do something as nefarious as this?"

You mentioned that exploits of the urchin.js file could prove especially effective when combined with network or browser attacks, yet come back to the attack relying on someone inside google. It doesn't.

Network attacks could include attacks on the DNS system, pointing google-analytics.com to the attackers machine from which they serve up their own urchin.js file. From what I can see at google-analytics.com, google like to redirect pretty much everything on that domain to a google.com/analytics/xxxxxx address. If they do the same thing for those viewing their own stats (I don't use it), chances are such an attack would go unnoticed for days or weeks as the only thing being pulled from that domain would be javascript files which nobody looks at.

Browser attacks could include attacks against the host machine as well as the browser, altering the DNS server settings or the hosts file to point to the attacker's address for google-analytics. The result would be the same, in that the attacker has control over what your browser thinks is google code.

Such attacks are made much easier when there is no ssl in use to pull the js code, as there are no warnings about invalid certificates.

Even el Reg has a flaw where SSL is concerned with analytics. http://www.theregister.co.uk/Design/javascript/_.js contains this line:

var s='<script type="text/javascript"'; return s+' src="'+ (document.location.protocol == "https:"?"https://ssl" :"http://www") + '.google-analytics.com/ga.js"></script>'

What this line translates to is: if the visitor is at http://www.theregister.co.uk then pull ga.js from google over plain http. Only pull it over https if they are visiting https://www.theregister.co.uk. As long as thereg doesn't actually have a https version, then this line is useless. All visitors will receive the script from google over plain http.

"Where the four disagree was how easy it would be for Obama insiders or others to identify a plot as sinister as a rogue urchin.js"

As AC already pointed out, it's possible to hide a rogue file with referer header checks, and other tricks. When I've done security demonstrations using XSS in the past, a favourite was to return the rogue file to an IP address only once. It's likely that anyone attempting to view the rogue file will have already visited the page at least once, so the only thing they see upon accessing it again is a perfectly innocent file.

Such tricks may cut down on the return you get from the exploit (blocked referer headers, machines behind a NAT IP etc), but they keep the thing hidden for longer. If you get every password on the site but it's noticed instantly and passwords are changed, it's done you no good. If you get 75% of the passwords over 3 weeks and those passwords are not changed, you can work on getting the other 25% at your leisure from the inside.

New address spoofing flaw smudges Google's Chrome

system

RE: Erm...

Try this address: http://liudieyu.com/kissofthedragon.32168816196486005/

Click the button to "verify" with the bbb and you should see the exploit in a pop up window.

Right: Which one of you lot invented 'tw*tdangle', eh?

system

@James

Didn't realise he was supposed to have made the comments that far back. The article seems to imply the word is new, with lines like "within hours of its coining", and I didn't read the comments from the other article.

I think we can rule out any possibility of it being created in the comments recently though.

system

Earlier find

"twat-dangler" also appears on this page, from September 2006.

http://zeanu.deviantart.com/?offset=1550

system

Not entirely new

http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=56121949

20 May 2007 04:25 - you twat dangle! dude if i can russle upm some spare cash...

The page is for the profile of an aussie, and it sounds like an aussie phrase.

Google restores Chrome's shine

system

re: Hands up...

"everyone who dosen't shop at a supermarket? Ever? Well if you do, then they are taking as much data as Google."

Not likely when I don't use any loyalty cards and only pay with cash.

Social networking site bans oldies over sex offender fears

system

RE: *faps*

"Karl Molloy (35) met the girl on dating site Faceparty, where she initially claimed to be 16, and persuaded her to text him indecent pictures of herself."

Then according to faceparty, the girl is a sexual predator and will be prosecuted for lying about her age online, following which she will be placed on the sex offenders register. Karl Molloy clearly could not have been a paedophile because he was not yet 36.

Of course, faceparty seem to have a massive lack of understanding where the law is concerned.

system

ageism

"Despite malicious rumours spread by a few people on the website, it is not true that we have deleted members due to 'ageism'," its notice said.

From the OED: noun prejudice or discrimination on the grounds of age.

Deleting all accounts where the owner is over 36 sounds like a clear cut case of ageism to me.

Apart from the lack of a basic understanding of English, by ensuring that their site is full of kids they make it the preferred choice of paedophiles, thus demonstrating a complete lack of understanding about anything at all. Such a shame retardparty.com is already taken.

Lifelock's fraud-prevention service takes more legal flak

system

Protection from fraud?

Courtesy of thedailywtf, free lifelock accounts for all.

Simply go to https://secure.lifelock.com/enrollmentform.aspx and enter ' OR 1 = 1 OR ' (with the quotes) to get an account costing $0.00
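The input quoted above only works because the form's value is pasted straight into the SQL text. As an added example (not the site's code, and not from the original comment) here is a constructed promo-code lookup written both ways: the string-built query that an input like `' OR 1 = 1 OR '` turns into "match every row", and the parameterised query that treats the same string as nothing but data. Table, codes and prices are constructed for the demo.

```python
import sqlite3

PAYLOAD = "' OR 1 = 1 OR '"  # the input quoted in the comment above


def make_db() -> sqlite3.Connection:
    """Constructed promo table: one code that makes an account free."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE promo (code TEXT PRIMARY KEY, price_cents INTEGER)")
    conn.executemany("INSERT INTO promo VALUES (?, ?)",
                     [("FREE2008", 0), ("HALF", 500)])
    conn.commit()
    return conn


def price_vulnerable(conn: sqlite3.Connection, promo_code: str):
    """String-built SQL. The leading quote in the input closes the literal,
    OR 1 = 1 makes the WHERE clause true for every row, and the trailing
    quote swallows the original closing one, so the first row comes back."""
    sql = f"SELECT price_cents FROM promo WHERE code = '{promo_code}'"
    row = conn.execute(sql).fetchone()
    return None if row is None else row[0]


def price_safe(conn: sqlite3.Connection, promo_code: str):
    """Bound parameter: the driver passes the input as a value, never as SQL
    text, so the same string simply matches no promo code."""
    row = conn.execute("SELECT price_cents FROM promo WHERE code = ?",
                       (promo_code,)).fetchone()
    return None if row is None else row[0]
```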

Google kills Anonymous AdSense account

system

Re: Scientology is a religion

Not in the U.K it isn't. You see that .co.uk in the address bar?

While we're on the subject of criminals, I wonder if your world view enables you to see the number of criminal trials brought against the COS in various countries. To quote your own words, "They've chosen to use methods of criminals and that says all about them."

Google questions Verizon 'open network'

system

Fast and loose?

Like google's lack of acceptance for affero licensed open source?

Anti-Scientology crusader vaporized from YouTube

system

RE: Re: Free Speech (by Mark)

"However, since the need to remove material was via DMCA, enforced BY THE GOVERNMENT, that is, it has the force of government power behind it, the government ARE most definitely involved and so this IS a free speech issue."

No it isn't, unless free speech allows you to use copyright material without permission. The DMCA takedown was for copyrighted material, subsequent takedowns of non-copyrighted videos were at youtube's discretion and not covered by the DMCA request.

Warning sounded on Microsoft and Google's health records landgrab

system

RE: MyMedicalRecords.com

I refer you to http://www.theregister.co.uk/2008/04/15/google_spreadsheet_bug/

Google have a long history of allowing access to everything from a single cookie which is quite often insecure. Their patient records service will most likely be the same. What makes you think anyone who knows about google's insecurities will want any part of your site if you are linking into their service?

"When you enroll, you receive a special sticker that you can put on the back of your driver's license or other identification. We recommend that you write down your User ID and Emergency Password on this sticker."

So, your medical records can be accessed by anyone who happens to steal your wallet? What a great idea.

You also claim that having data in two datacenters is a security feature, when in reality it allows hackers or others two points of attack.

Finally, you point out on your site that the site is not covered by HIPAA. In case you have trouble reading, this article is about two doctors calling for sites like yours to be covered by HIPAA and other relevant laws.

Security experts warn against Web 2.0 charlatans and 'premature AJAXulation'

system

RE: @system

I wouldn't say that it's always those new to web scripting. Some very big projects supposedly written by those with experience have suffered from seriously bad coding practice. phpBB and others storing serialized data in cookies for instance.

OTOH, there are also some new web scripters who never trust anything coming into their scripts and would never trust external storage in that way.

I'd say it's more good vs bad coders. A good coder will have at least some knowledge of the entire environment their code runs in. On the net, that means everything is "tainted". Everything from POST/GET right down to the remote IP address can be altered.

If you build from the ground up never trusting any input, you eliminate a lot of attack vectors just by escaping everything. SQL and XSS injections become extremely difficult to pull off. If you take it a step further and never trust the user to handle their own security, you build in requirements for certain password strength and brute force protections which make it a lot harder to brute force an account.

The only way to safely approach web coding is with a paranoid outlook, and anyone writing web code who fails to notice the amount of hacks being done against big (supposedly well coded) sites is either ignorant or dumb. Neither of those qualities are what I'd say make a good coder.

Not to say that mistakes won't be made in any code, but there is a difference between forgetting to escape one input and deliberately choosing to trust it.

system

Common sense

Surely it's common sense to never trust input from users regardless of whether it's ajax or not?

In the same way, you should never blindly trust programming tips or examples from strangers, in books or blogs. Unless you understand exactly what the code is doing (another form of "input" validation), it should not be implemented.

Anyone who needs the above pointing out should never have been hired to code in the first place. Actually, they need a good slapping if they go anywhere near code.

BBC technology chief bounces on to Project Kangaroo

system

RE: Bandwidth is not the problem

Funny that, I seem to recall that Tiscali are screaming the loudest about this.

They provide an LLU service, where they place all their own kit into the exchanges, and provide their own pipes into the greater internet, paying not a single penny to BT.

On the other hand, my ISP rents BT centrals at £1.5m a year each, provides their own network out to Europe and the U.S (with great ping times, so hardly low budget), and has no trouble whatsoever with iPlayer. That would be because they charge me in excess of the 61p per GB that BT Central bandwidth costs. Because they are making profit, they also feel no need to sell their customers to phorm.

Bandwidth over BT centrals is expensive, yes, but it's a business cost which should be included in the pricing. The ISPs complaining about iPlayer are the ones who fail to grasp the very basics of business and massively underpriced their products. Those kinds of businesses are not limited to those renting BT bandwidth.

Horror bestseller condemns videogame sales limit law

system

Responsibility

So, parents are supposed to take responsibility for their children while retailers are supposed to take no responsibility for themselves?

The only reason to rage against a legally enforceable age restriction is because you want the right to sell 18 rated games to 5 year olds and then pass off all responsibility for that action to the parents.

If you really believe that retailers would never do that just for a profit (yeah right) then they have no need of a legal right to do whatever they want with age rated games.

If this is a pointless law, why not just drop all age restrictions on alcohol, cigarettes and sex while you're at it? If you have trouble selling the idea that paedophilia is caused by a lack of parental responsibility, you can always just change the subject to gun control as above.

BBC vs ISPs: Bandwidth row escalates as Tiscali wades in

system

RE: Why should i pay?

"I for one have absolutely zero desire to watch tv, either streamed or transmitted. Why should I pay extra to finance the extra bandwidth?"

I for one have no desire to subsidise the habits of idiots who actually believe they can buy an unlimited service for £6.50. I pay for a T.V license and for the bandwidth I use (for tiscali customers, a decent service costs at least 3 times what you pay). Why should I face ever increasing license fees to subsidise crappy ISPs I will never use?

The only way to avoid subsidising large bandwidth users is to do away with all business models similar to tiscali's. When I pay for 30GB peak traffic, I get 30GB peak traffic without subsidising those who use 200GB, and without being subsidised by those who only use 2GB.

'Bullying' Aussie high school stops fingerprinting kids

system

RE: I go to this school

Maybe I'm missing something here, but if you fancy a day off can you not just hit the scanner then walk away?

Ticking a box for every pupil may be "hard", but the teacher gets verification that the pupil is at least in school during the whole registration period. It's also more likely they will be grassed up by another pupil if they are there at registration and not at lessons. When nobody knows that they are supposedly in school when they clearly aren't, nobody can report it.

With regards to removing the scans after the fact though, that's just the wrong way to run the thing. If they really are willing to allow people to not have their dabs on record, then they have no need to take the things in the first place. Phorm also uses this forced opt in style, where their data will be erased after it has been collected, and look where it got them. Never assume that because you see no problem with giving up a piece of your privacy that all others should follow you.

system

RE: Parents overreacting?

"I'm generally supportive of this kind of use of fingerprints.

Other schools use it instead of a library card and its just plain convenient."

Guess you haven't been keeping up then.

http://www.theregister.co.uk/2008/04/02/biometric_keylogger_unveiled/

http://www.theregister.co.uk/2008/03/30/german_interior_minister_fingerprint_appropriated/

Fingerprints are absolutely useless as a form of ID unless you can verify that the print and the finger belong to the person using them. They offer nothing over regular swipe cards. So why should we have our kids subjected to fingerprinting for no benefit?

If scanning your finger is so much more convenient than swiping a card that it justifies all the extra costs and the mass fingerprinting of children (with all the potential misuses), you need to get more exercise.

BT: 'We did not let anyone down over Phorm... it was not illegal'

system

Completely anonymous?

I wonder how BT can square their "completely anonymous" line with the fact that more than a few of those targeted by the trials were identifiable by the mess of javascript left on various forums and message boards.

Those affected by the trials are identifiable by the whole world.

Delise from http://www.microsoftdynamicsforums.com/forums/forum_posts.asp?TID=925

PokerJR123 from https://www.bluffmagazine.com/forum/forum_posts.asp?TID=4108&PN=1&get=last

dayglo jim from http://www.bikegirl.co.uk/forum/forum_posts.asp?TID=2418&PN=1

That the javascript was even making it on to message boards in the first place speaks volumes about phorm's security.

BT and Phorm secretly tracked 18,000 customers in 2006

system

RE: Did I read this right

There's still plenty of evidence of what they did lying around the net. Search for "sysip.net 2006"

They also carried out a trial in 2007 using the same domain name.

http://www.ispreview.co.uk/talk/showthread.php?threadid=26640

For some reason I find it hard to imagine that they will be held legally accountable for either trial though. Maybe I'm just cynical.

Dump IE 6 campaign runs afoul of dump IE 6 campaign

system

RE: @Joe

Might be better to do:

<!--[if lt IE 7]>
<script src="http://www.end6.org/js/eng_end6.js" type="text/javascript"></script>
<![endif]-->

or <!--[if IE 6]>

Firefox has its own standards problems. Try the acid2 test in FF2. Forcing only firefox use is as bad as the old "this page is for IExx" pages.

For me though, until most browsers can support standards correctly, and the w3c gives us back the target property in links, I shall continue to write html in transitional and support old IE versions as well as new browsers. Hell, I'll even support users on lynx.

BT 'security upgrade' causes email headaches

system

Not just BT

AOL used to (and quite likely still do) hijack all port 25 traffic, sending it all through their own servers after filtering, provided their servers are working that day.

Orange simply makes it impossible to contact a server on port 25 (time outs).

There are probably others pulling similar crap with email traffic.

If you have a machine you can set up an SSH tunnel to, you can set up a local port 25 routing through the tunnel to the remote server and tell your email client to use 127.0.0.1:25 as the email server. Alternatively, set up your email server on a different port (works on both orange and AOL). If you have no control over the server, dyndns offer an SMTP service with a choice of ports.

Top security firm: Phorm is adware

system

User agent

Not sure how it'll work when the service goes live, but they are supposedly ignoring certain browsers that will break with redirection.

So, grab this: https://addons.mozilla.org/en-US/firefox/addon/967

tools -> modify headers -> Add -> 1st box: "User-Agent" 2nd box: "Kent Ertugrul of phorm is a spunk bubble" (without the quotes in both boxes).

Also check configuration -> always on

Now go to http://whatsmyuseragent.com/ and you should see a nice message: "Your User Agent is: Kent Ertugrul of phorm is a spunk bubble"

Hopefully, you should also never see a redirect in your traffic when they switch this service on. Eagerly waiting with a packet sniffer to test it though.

CPW builds wall between customers and Phorm

system

RE: Ertugrul(Phorm) gets savaged

When asked how they get around the fact that cookies are only sent to the originating domain, he spouts complete BS about proprietary technology.

Either they are using bog standard 302 redirection headers, or they are putting cookies into every connection which means they must be tying cookies into an ID assigned by the ISP per machine (rather like an IP address). Neither 302 headers or cookies are proprietary.

He keeps trying to imply it's a case of putting cookies into other domains, which is total bollocks if their opt out can work by denying cookies from oix. A block on cookies from oix would not block cookies that were inserted into other domains.

system

Watch out for the language

"so it doesn't hit a Webwise server at all for those that opt out,"

could well mean that you still get your stuff passed to the profiler, which of course is ISP owned and not a webwise server.

Notice how they are still talking of "opt out" while saying it'll be opt in only. Maybe they will genuinely count everyone not specifically opted in as being opted out, and maybe when they say opt in they mean anyone who simply clicks the O.K button.

Every company signed up to this obviously thought it was a great idea at one point, and saw no problem with it. Just because they are facing bad press does not mean they are suddenly trustworthy.

Dear ISP, I am not a target market

system

RE: @ All and Privacy is at its heart

Sam: When you start an SSH connection with the -D switch it creates a socks5 proxy on the port you provide. In putty, this can be achieved by going to SSH -> tunnels and adding the port number and choosing dynamic. You then set firefox to use the socks proxy in tools -> options -> advanced -> network -> connection settings. All web traffic is then sent over the SSH connection to your remote shell before being sent from there to the site server. Unless your ISP can break SSH encryption, they cannot read any of it.

Another trick is to go to about:config in firefox, and set network.proxy.socks_remote_dns to true. This will cause FF to do all DNS lookups on the remote side, so your ISP can not interfere, or even look at what sites you are visiting.

For yet more privacy, you can add two more ssh tunnels with local port 25 and 110, and a destination of your email server's IP on port 25 and 110 (give the dest as xx.xx.xx.xx:25) and then set your email client to use 127.0.0.1 as the email server. This not only makes your emails unreadable, but stops the ISP even seeing that you are sending or receiving emails, or which server you use to do so.
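The socks_remote_dns point above comes down to one byte in the SOCKS5 CONNECT request the browser hands the ssh -D listener. This added example (not from the original comment, not OpenSSH or Firefox code) encodes and decodes that request per RFC 1928: with remote DNS the browser sends the hostname itself (ATYP 0x03) and the far end of the tunnel resolves it; without it the browser resolves the name first, which is the DNS query the ISP gets to see, and sends only the IPv4 address (ATYP 0x01). The hostname, address, port and the stand-in resolver are constructed for the demo.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928 section 4): VER CMD RSV ATYP
    DST.ADDR DST.PORT. A hostname is sent as ATYP 0x03 so the proxy resolves
    it; an IP literal is sent packed as ATYP 0x01 or 0x04."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (one length byte)")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> tuple:
    """Decode a CONNECT request into (atyp, host, port). Length is checked
    before any field is read, so truncated or padded input is rejected
    rather than misread."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        start, end = 4, 4 + 4
    elif atyp == ATYP_IPV6:
        start, end = 4, 4 + 16
    elif atyp == ATYP_DOMAIN:
        start, end = 5, 5 + data[4]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(data) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(data[start:end]))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(data[start:end]))
    else:
        host = data[start:end].decode("idna")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return atyp, host, port


def browser_request(host: str, port: int, remote_dns: bool, resolver) -> bytes:
    """Model of the browser side. With remote_dns the name goes to the proxy
    untouched; without it a local lookup happens first. `resolver` is the
    constructed stand-in for that ISP-visible DNS query."""
    if remote_dns:
        return connect_request(host, port)
    return connect_request(resolver(host), port)
```

Whatever the ISP can see of the tunnel is the encrypted SSH stream; the only plaintext difference between the two settings is whether a DNS query for the site name left the machine first.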

Phorm "tech team": Please just drop the whole pretence that you actually understand what you are talking about. You're a P.R droid, not a tech wizard.

Regarding privacy and not using IPs, perhaps the real tech guys at phorm can explain to you what happens when you pull the ads from the oix server out on the internet with your "anonymous" cookie. The oix server has a record of the cookie and the I.P address. The only way phorm can never see an IP matched to a cookie is by having the ads injected into the page at the ISP end, which has been denied repeatedly.

Drowning the issue in contradictory claims might work on the average punter who doesn't know or care about things like HTTP, TCP/IP etc, but El Reg is not exactly overflowing with average punters.

Sun dreams the impossible Java on Jesus Phone dream

system

When...

will apple get the microsoft treatment in the EU? If this isn't begging for an antitrust ruling then I don't know what is.

Phorm launches data pimping fight back

system

RE: OMG can this be true?

Man Outraged: See the email I sent you. I mentioned exactly that sort of method.

The big problem with doing it that way is that anyone who blocks traffic to or from the oix domain is instantly cut off from all web browsing as they will never see a second redirect to point them back at the original page.

Another whacking great problem with this, and the claim that they can never tie your IP to an anonymous cookie:

Browser requests a page from a site with oix ads on it.

ISP intercepts with a 302 header and points to oix.net/whatever, subdomain.oix.net or similar.

ISP removes all IP info and sends the request to the profiler along with the oix cookie

Profiler checks opt out or not, and sets some cookie data.

Browser redirected to the original page, where it encounters the oix domain in the ad space.

Browser goes to oix to fetch the ads, supplying the cookie that was set in the ISP stage. This time however, the connection is not intercepted by the ISP and cannot have its IP data removed or it will break the connection on a TCP level.

oix now has your unique ID and your IP on its Chinese servers, where, by happy coincidence, they can completely ignore the DPA, RIPA and any other UK law.

If they are not serving ads from a remote machine outside of the ISP, then they must be injecting code into the pages. If they are injecting the code at the ISP level, then phorm has open access to come in and change the ads on the machine in the ISPs building, or their machine which is networked to the profiler has a connection to the internet which is a security issue.

@phorm's supposed "tech team", let's see if you can break out of your PR role for a moment. Out of all the "experts" you have consulted, how many have a background in I.T, and specifically the internet and networking? I don't give a damn if you consulted accountants, privacy activists looking for a payout or government departments, I want to know who you consulted on the technical side other than your hired gang of Russian physicists.

system

Just to put paid to another phorm lie

"But what happened was it became very clear to us that there was no distinction in people's minds between adware - which is legitimate - and spyware."

Start at the f-secure site, with their description of Apropos. http://www.f-secure.com/sw-desc/apropos.shtml

"Apropos uses highly sophisticated stealth techniques to avoid detection. The spyware collects users browsing habits and system information and sends it back to the ContextPlus servers. Targeted pop-up advertisements are displayed while browsing the web." "PeopleOnPage makes the Apropos family of spyware."

Norton also lists Apropos as being published by peopleonpage, and calls it Spyware.Apropos. http://www.symantec.com/security_response/writeup.jsp?docid=2004-113018-3823-99

The best quote has to come from McAfee on this though.

"This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted."

http://vil.nai.com/vil/content/v_137345.htm

I find that description very fitting of the way phorm are selling this. It is a trojan, only this time it's being rolled out to 10 million people in one go.

system

@various

mark: http://asshat.org.uk/phorm.jpg is a diagram of how it *may* work, cobbled together from the various info phorm have released. They say the profiler is offline, so it's a separate branch to your browsing stream. In this diagram, data *must* wait at the profiler for a cookie that may or may not arrive with the next request after the ISP has injected an iframe/image/whatever. If it does not, then they are profiling all traffic regardless of opt out, and the only time they know about the opt out is in the ad serving stage. If it is waiting, then that is storage (which they deny) of the entire page you are looking at, and that is bad for security.

To tie the ad server to the result storage in the ISP's building, they either need the result storage linked to the outside or the ad server on the inside. Either they have a security hole in the storage servers' connections, or they must regularly enter the ISP and update the ad server.

If the profiler is instead moved to the left and placed inline using redirection headers to detect opt outs before the page request, any block placed by you on the address the profiler is responding to will break all your web browsing.

Man Outraged: Mr Anonymous is talking about the networking possibilities when they place something in the network operating at level 7, rather than how the thing might operate as a whole. The ISP is basically giving phorm the ability to inject or remove anything they want from the page and headers. At level 7, they have the ability to alter your El Reg cookies, or any other cookies, to store anything they want in them. If they were to inject a special OIX cookie into every single page requested, then remove it before it travelled upstream, they could work a solution to opt outs whereby the traffic never touches the profiler if no cookie is set, or the opt out cookie is set. This however would need either 100% cookie acceptance for all domains, blocking of all cookies, or blocking of cookies for all sites by cookie name.

Infighting only distracts from the real enemy here :-P

Anyway, I'll send you an email from the domain above (asshat). That should verify me :-P

system

Cookies

@Secretgeek: http://www.webwise.com/how-it-works/faq.html

"If you regularly delete your cookies and want to ensure that Webwise is permanently switched off, simply add "www.webwise.net" to the Blocked Cookies settings in your browser."

@AC: "You can easily inject a cookie in to the web page when the data passes through a layer 7 device"

Yes, but you cannot read cookies that were not set for the domain being visited. When I visit El Reg, they have no way of knowing if I blocked cookies for webwise or not, they can only read any fake cookie they set for theregister.co.uk.

@Phorm tech team: "No URLs, browsing histories or IP addresses are retained and the raw data used to make the match is deleted in real time -- by the time the page loads."

You fail!

To check if I have a cookie set for webwise or not, the page must be returned to my browser with an injected iframe, image or some other resource that would cause my browser to request a webwise page, and thus either send the cookie or not. You cannot know that I am opted out by blocking webwise cookies until my browser makes that request. If my browser does not make that request, either through firewall rules, host file blocking or some other method, you cannot know at all. While waiting on that second request, the page *must be held in storage* (RAM still counts as storage) until you receive the request or allow it to time out. If you don't wait to find out if they are opted out then you just created the digest for an opted out user, which in page 3 of this very article you say will not happen.

There are no global cookies, there are no methods for telling a server that you reject its cookies.

Of course, you could use faked redirect headers to send the browser to webwise or oix first (the addresses being handled internally of course) before checking for the cookie and redirecting again to the originally requested site, but if someone has taken the step of blocking all traffic to webwise or oix, you just broke their entire web browsing ability. If you redirect to oix.net/someinternalreference and they have oix.net set to go to 127.0.0.1, they will never receive the second redirection header and thus never get to the site they wanted.

If you want to know what we're viewing, go back to browser toolbars and actually pay us for our personal data. If you're not willing to pay the people you are exploiting, then get stuffed.

system

Just thought....

Something definitely is not right here. Either they are storing the copies of the pages, or they are analysing every single page regardless of opt-outs.

The opt out is based on cookies set by phorm/oix/webwise. Cookies are only sent by the browser when you are visiting the site that set them. Your reg cookie is not sent when you visit the BBC for example.

They can only detect a cookie set for their domain if they inject code into the returned pages. This shows their claim that the phorm side is "offline" is BS, as they cannot inject code without it being in the transmission chain.

Now, with injection, they must wait for the browser to process the page and then initiate a link to their domain so it can send the cookie. This means they MUST store the pages until the browser initiates the connection.

Due to the fact that you can block the connection to phorm from ever happening, they must allow for storage of the pages for a fixed length of time before it's decided that the cookie is not going to arrive and thus the user is opted out. Whether this is 10 seconds, or 5 minutes, the data is stored.

Of course, the other way to do it is to process all pages regardless of opt out status.

Either way, phorm ARE lying about what they are doing. They either do not allow users to opt out, or they reinvented the way the entire internet works last night.

I hope this bunch of slimy bastards find themselves on the wrong side of a prosecution under the DPA, RIPA or any other applicable legislation.
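The two comments above ("Cookies" and "Just thought....") rest on one fact about browsers: a cookie is only sent back to the host that set it, so a cookie set by www.webwise.net never travels with a request to theregister.co.uk, and blocking cookies for www.webwise.net means nothing is stored at all. The following is an added example, not the commenter's code or anything from phorm/webwise, that demonstrates both points offline with Python's http.cookiejar. The cookie name `webwise_optout` and the Set-Cookie response are constructed placeholders; the real cookie is not described on this page.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed stand-in for the opt-out cookie; the real cookie name is not on the page.
OPTOUT_COOKIE = "webwise_optout=1"


class FakeResponse:
    """Minimal offline stand-in for an HTTP response: CookieJar only calls info()."""

    def __init__(self, headers):
        self._msg = email.message.Message()
        for name, value in headers:
            self._msg.add_header(name, value)

    def info(self):
        return self._msg


def store_cookie(jar, url, set_cookie_value):
    """Feed a constructed Set-Cookie response for `url` into the jar, subject to its policy."""
    request = urllib.request.Request(url)
    response = FakeResponse([("Set-Cookie", set_cookie_value)])
    jar.extract_cookies(response, request)


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request for `url`, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def scoping_demo():
    """A cookie set by www.webwise.net is sent back only to www.webwise.net.

    A third party sitting in the ISP's path can therefore not see the opt-out cookie
    while the browser is fetching theregister.co.uk; it has to make the browser
    talk to www.webwise.net first.
    """
    jar = http.cookiejar.CookieJar()
    store_cookie(jar, "http://www.webwise.net/", OPTOUT_COOKIE)
    return {
        "www.webwise.net": cookie_header_for(jar, "http://www.webwise.net/"),
        "www.theregister.co.uk": cookie_header_for(jar, "http://www.theregister.co.uk/"),
    }


def blocked_demo():
    """Blocking cookies for www.webwise.net (the FAQ's advice) means nothing is ever stored,
    so there is no cookie to send, opt-out or otherwise."""
    policy = http.cookiejar.DefaultCookiePolicy(blocked_domains=["www.webwise.net"])
    jar = http.cookiejar.CookieJar(policy)
    store_cookie(jar, "http://www.webwise.net/", OPTOUT_COOKIE)
    return len(jar)


if __name__ == "__main__":
    print(scoping_demo())
    print("cookies stored with www.webwise.net blocked:", blocked_demo())
```

`scoping_demo()` returns the cookie string for the www.webwise.net request and `None` for the El Reg request; `blocked_demo()` returns 0. The jar is applying the same host-scoping rule a browser applies, which is why the comments conclude that an opt-out keyed on a webwise cookie can only be checked by first getting the browser to make a request to webwise.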

system

Nothing to hide

So why 3 different names? Changing the name of your company with every new project is not the general behaviour of an above-board business.

To pick just one thing from the entire article:

"Because of a peculiarity of the tokenisation, numbers three digits or shorter aren't collected anyway, they're too short so there's no numbers at all."

So, their tokeniser has a "peculiarity" which stops them tokenizing any string of digits less than 4 digits in length? And we are supposed to place faith in their code? If they cannot even tokenise strings properly, how are we supposed to take their word that this is secure?

They then want us all to believe that because their tokeniser cannot handle the number 123 that there are no numbers collected. If their tokeniser can handle the number 123456, then it is collected. In a badly designed e-commerce system, a site owner using BT/virgin as their ISP will be putting 16-20 digit numbers into the phorm systems while reviewing orders. Either the ISP or phorm just processed the personal credit card data of a 3rd party who has no contract with either. Whether they discard the information or not, they processed it.

Another thing that may be worth considering is where copyright law stands on this. Although infosoc specifically exempts transmission in a network, what they are doing is creating a second copy outside of the transmission and then processing it for commercial purposes. I don't know whether that is legal or not, but it'd be interesting to find out.

Google mistakes search for teleportation

system

RE: So ther(e)

"So how did they know, unless clicking on a link actually opened the new site in a frame with Google monitoring the traffic?"

Have you not visited a lot of websites recently? Seems half the world is using google analytics, and the other half is using google syndication, both of which require javascript (and blocked here by noscript). There's no need for frame trickery when your spying tools are installed on any site the user might choose to visit.

Nine Inch Nails cracks net distribution (maybe)

system

RE: @Andrew O

He probably locked it because he forgot to do that when publishing. I tend to skip over his articles now because there is never a chance of rebuttal except by sending him an email. He may post whatever he wants in public, but feels he should never be corrected in public.

So, to completely refute most of his claims, we have to come here to do it.

1) As someone managed to slip into the comments there, the entire album is released under a CC license. It says so right on the FAQ page for ghosts.nin.com. This means you are entirely free to share the work, provided it's non-commercial and you include attribution. Nobody has done anything wrong in uploading the work.

2) Andrew O seems confused in his headline. The headline asks why we would prefer to leech if the music costs nothing, while the article asks if $5 is too much for the "freetards" to pay. Either it costs nothing, in which case torrents are a much more efficient method of distribution than a hammered website, or it costs $5, in which case the "freetards" are not leeching free content.

Given that the music is free, the answer lies in efficiency.

3) Andrew assumes that NIN are burning through $2M a week to do this. He really must have attended the RIAA school of accountancy. Potential earnings not received are not the same as losses. You cannot lose what you do not have. As a web coder, I have the potential to create the next myspace. Does that mean I have lost $580M? Only if you live in la la land. Andrew has the theoretical potential to earn Dan Brown size royalties on everything he writes, but he hasn't lost a penny.

4) Andrew associates the entire "anti-copyright crowd" with plague infested zombies who will not pay to support an artist. Maybe he missed the part where the NIN site failed due to so many "zombies" trying to get content they paid for.

Picking just one of the full I-IV torrents on a private site, at least 50% of the comments were about the site being down so the users could not pay their $5 at the moment. The "at the moment" is important in this sentence, as it shows there is a will to pay if not the means.

The idea of supporting the artist directly through donations is not a new one, and has been used in open source for quite a while. It can and often does work.

5) He goes on to call the economics of digital distribution a "busted flush" without any financial data to back it up. As he barely comprehends even the basics of this story, I think he should reserve judgement.

This is not Trent Reznor's first ride on the digital distribution merry-go-round; if it wasn't working, would he not simply climb off?

Data pimping: surveillance expert raises illegal wiretap worries

system

Copyright law?

Anyone know what copyright law would have to say about them making a copy of the pages to pass on to phorm?

From a quick read on the IPO site, it does not meet any of the copyright exceptions. If it can be classed as the distribution of an unauthorized copy to a 3rd party, webmasters could possibly put a stop to it.

Would the fact that they are making money from our content (by building profiles from it) make it easier to prosecute? Would those profiles become derivative works?

I know if BT were to host our content right on their servers without permission or sufficient acknowledgement, they would be guilty of copyright infringement whether it was seen by 1 or 20,000 people.

Broadband big boys waiting on data pimping

system

Plusnet pleasing customers?

I was with plusnet at the time they started opting everybody in to tiscali unbundling without any form of notice or consent. The customers had to fight them tooth and nail to get an opt out added to profiles.

On top of that, they brought in new caps on bandwidth usage by application as well as overall, pulling a Comcast on not just p2p traffic but also anything that was encrypted, denying all claims of "throttling" and then using the term "management" instead. They preferred instead to ensure that all VOIP calls on their VOIP service got through (killing skype, teamspeak and others).

Before signing up I had phoned them twice and spoken to two different operators to ensure that their "unlimited" service could cope with 100GB/month. Later, when they knocked us all down to 10GB/month, they continually denied ever selling an unlimited package even when people pointed to their own archives.

If you enjoy dealing with a sack of snakes, go to plusnet. If not, there are actually some reputable companies out there offering broadband services. Sure, you won't get it at £10 a month, but it's nice to not be constantly bent over.

7000 Leap Year Babies attack Steve Ballmer

system

Code confusion

It is easy.

In PHP: $leap=(is_int($year/4) && (!is_int($year/100) || is_int($year/400)))?true:false;

The code above in "surely this is easy" does not work.

"if(remainder($year/4)==0)" only takes account of the divide by 4 part, not the divide by 100 or 400 part.

"$febDays = ($year\4==0) ? 29 : 28;" is missing an essential component and will only have feb 29th in the year 4AD :-P
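As an added example (not the commenter's PHP nor either of the snippets quoted above), the same three-rule test in Python, cross-checked against the standard library's `calendar.isleap`, together with a helper that lists the years in a range where the "% 4 only" rule criticised above gives the wrong answer:

```python
import calendar


def is_leap(year: int) -> bool:
    """Gregorian rule: divisible by 4, except century years, except every 400th year."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def february_days(year: int) -> int:
    """Length of February for the given year."""
    return 29 if is_leap(year) else 28


def naive_is_leap(year: int) -> bool:
    """The '% 4 only' rule quoted in the thread; wrong for three century years out of four."""
    return year % 4 == 0


def naive_disagreements(start: int, end: int) -> list[int]:
    """Years in [start, end] where the naive rule and the Gregorian rule differ."""
    return [y for y in range(start, end + 1) if naive_is_leap(y) != is_leap(y)]


def matches_stdlib(start: int, end: int) -> bool:
    """Cross-check is_leap against calendar.isleap over a whole range of years."""
    return all(is_leap(y) == calendar.isleap(y) for y in range(start, end + 1))


if __name__ == "__main__":
    for y in (1900, 2000, 2004, 2008, 2100):
        print(y, is_leap(y), february_days(y))
    print("naive rule wrong in:", naive_disagreements(1800, 2200))
```

Running it shows 1900 and 2100 as non-leap years despite being divisible by 4, 2000 as a leap year because it is divisible by 400, and `naive_disagreements(1800, 2200)` returning 1800, 1900, 2100 and 2200, which are exactly the years a "% 4 only" check gets wrong.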

Cool Rules for the FCC: In the Lions's Den

system

Unconventional?

Not really.

Initiating multiple piece requests over bittorrent is not actually that different from initiating multiple HTTP RANGE requests to a single or multiple web servers. The only real difference is that in bittorrent, every user becomes a "mirror".

>> "it does so in an unconventional way that essentially exploits a loophole"

What loophole is that? It uses multiple TCP connections in the same way as many other protocols. If TCP was only ever designed to support a single open connection at one time, then the net would break. An open connection to your mail server would mean all incoming mail was dropped. An open connection to your webserver would drop all other visitors.

>> "It gets its performance boost from the ability of BitTorrent to access a deeper pool of bandwidth than a centralized program can; there's no way to transfer a (compressed) file faster than to take more bandwidth."

So your complaint is that it's not efficient to have only a single connection open? Meet the rest of the world who worked that out years ago.

HTTP 1.1 range requests can access a deeper pool of bandwidth by using mirrors and multiple connections than a dumb browser can without them, does that make HTTP 1.1 a bad spec?

>> "The loss of a single packet slows this application down, and hence the entire PC that runs it. The loss of a single packet by an application with dozens of active connections hardly registers on the host PC's bandwidth consumption scale"

So, a single packet lost from an application with one socket open will slow down all applications on that machine, also with single sockets open, but the loss of a packet in an application with many sockets open won't? Feel free to explain that one.

Either packet loss will slow down all connections, or it won't, regardless of which apps own the connections.

I think your complaint is more that a user will visibly notice when their single connection to an email server is suffering heavy packet loss, whereas they won't when a bittorrent connection is affected. If that's the case, it's not hard to see why you love Comcast so much if you dislike network resilience.

From the look of things, the shills weren't just in the audience.

Steve Ballmer lies to my mother

system

RE: Let me get this straight....

"I received word from my mother via this web site"

http://forms.theregister.co.uk/mail_author/?story_url=/2008/02/28/hotmail_woes_continue/

No need for working email when the site has an email sending form. Even if that form was not there, there are other ways of emailing outside of hotmail :-P

If this causes people to leave hotmail though, we may actually stand a chance of getting automated confirmation messages to people, without them disappearing into the ether because hotmail decided they are not valid messages and are not spam either.

Can Microsoft teach tots digital-age virtue?

system

Gray aspects

If you accept that there can be intellectual property, you are accepting that an idea can be owned. An idea being defined by the OED as a thought/mental impression/belief. Given that so much is covered by IP, chances are that any thought you have will not be original, and so will belong to somebody else.

Aside from teaching kids to accept that others are allowed to own the contents of their heads, they are also teaching them the art of accounting the mafiaa way. Take your expected earnings, subtract what you actually earnt, treat the remainder as a loss. I lost over 10 squillion pounds last year under this method.

Nobody loses money if I decide to not pay for a film, as that money was never theirs to begin with. Whether I decided not to pay by not buying the DVD or by downloading the DVD is irrelevant.

Welcome to the future kids. All your thoughts (and cash) are belong to us!

Google mounts Chewbacca defense in EU privacy debate

system

Bad move.

IPs have long been stored in all kinds of places. HTTPd log files, email headers, databases, firewalls, DNSBLs etc. If they are suddenly classed as personal information, we'll have to consider data protection laws anytime we want to firewall some asshat who likes attacking our servers. If you want to share your banlist with others, you'd better make sure you have permission from those who are on it first.

Yes, it's a bad thing if google are combining IP lists with data from every single website using analytics code (including certain torrent sites of all places), but they will be targeting more than just google if they class IPs as PID.

If IPs can reliably identify a person, then I expect to see someone locked up for "hacking" every time my servers pick up an SSH brute force attempt. Those looking for compensation because of slander on the net should be able to sue the owner of the IP. Anyone caught participating in a botnet (because IPs apparently identify people and not code) should be banned from ever owning a computer.

Obviously, the above examples are ridiculous, because an IP is not enough to identify a person. I use an 8 IP block for my home connection, and you still couldn't identify which of my family was using a certain IP, despite the IPs being fixed and every person having their own.

Sergey Brin: 'Microhoo! makes me nervous'

system

Don't forget

their "badware" blocking that appears to target completely random sites. Sites that are perhaps using advertising from their competitors.

Google is in no position to talk about evil, monolithic corporations. Their "do no evil" BS is completely incompatible with having shareholders.
