Comment Re:How are those kind of things patentable? (Score 4, Informative) 406

If you find one that is not sufficiently descriptive, it is not valid. You have to teach someone proficient how to implement your patent in exchange for protection.

Valid or not, if the patenter can threaten you with it until you have to spend millions or billions in patent lawyer fees to get it _declared_ invalid by a court then that's pretty good protection in its own right.

Comment Re:How are those kind of things patentable? (Score 4, Informative) 406

Well, they do get credit for being at least one of the first to actually shove the components together like this.

For example, after SJ went on stage and demo'd the original iPhone [which by all accounts so far, was on a real device, running real apps], BB was convinced it was all a lie, that Apple couldn't physically get all that stuff together, working that well, that powerful [compared to other phones at the time]. And never mind the right turn Android took, from a RIM/Windows CE style interface to an Apple interface.

The original iPhone wasn't exactly running "real apps" - it ran a fixed set of software that Apple shipped with it. There was no iTunes store, no third party software. Official support for third party software only came around after people started rooting the devices in order to write software for them. Conversely, the likes of Symbian, PalmOS, etc. were doing third party apps *years* before the iPhone appeared - I certainly wouldn't have called the original iPhone a "smartphone" since it lacked most of the features that made Smartphones Smartphones. Also, at the time the iPhone was being developed, a number of other vendors were developing similar devices - Apple just happened to get to market slightly before everyone else and did their usual job at marketing (Apple are *really* good at marketing).

So really, the current line of phones is pretty much a natural progression. Patenting a natural progression of technology just because you happened to sell first what everyone else already had in the works seems pretty bogus.

Comment Re:In their defence. (Score 1) 417

But installing a root CA on people's own hardware, don't you think that is a step too far?

If you participate in a BYOD scheme then you can expect the network owner to take steps to keep their network secure (whether you're at a school or an employer). This may well include installing certificates so that they can filter web content for malware, etc. If you don't like it, then don't agree to the BYOD scheme and use your own internet connection.

I also struggle to believe that the school didn't have an internet usage policy that would have been signed by either the student or their parents (if they were a minor), which would have said that the school reserves the right to monitor the internet traffic.

It is not as if it is really easy to circumvent anyway. I have ssh running on port 80 and just tunnel everything through that to beat the school's surveillance.

You won't get a simple ssh session out through an intercepting proxy. However, you're missing the point here - this isn't about implementing a system that can't be circumvented (this is impossible) - it is about implementing a system that automatically filters _normal_ traffic without breaking too much stuff (whether that filtering be for malware or porn or whatever). Circumventing these systems is always possible, and when staff find a student has gone to lengths to circumvent these systems then they will discipline the student for breaking the internet usage policy.

Comment Re:In their defence. (Score 1) 417

Oh come now. There has been a sea change, and if you are old enough, you know it. It really was harder to get, harder to get away with, and the curve was skewed toward a 1. quick look at some breasts rather than 2. a jaded wondering what could be harder than hardcore.

Honestly, there will be plenty of time for that when you are an adult ... you aren't missing anything.

Also, when Little Johnny came into school with a Playboy, that was clearly not the school's fault. If the school is providing internet access without any kind of filtering then that is seen as the school's fault when the kids start downloading porn over it. (Kids downloading porn over their personal 3G connections in school time is another matter).

In the submitter's case, he's talking about BYOD where the kids are going to be using their own devices (phones, tablets, etc) rather than classroom computers and are therefore going to be doing it in situations where there is no teacher supervision, so the whole "pay attention to what the kids are doing when they're using the Internet" thing isn't going to work unless you employ a *lot* of teachers and ensure they keep all the kids in sight at all times, or you cut off Internet access for the kids most of the day (which I would argue is counterproductive).

And that's ignoring stuff like virus scanning, work to prevent e-bullying, etc.

It used to be that *most* web sites were unencrypted and you could get away with just blocking all but a few encrypted websites. The tide has turned and now there are a huge number of encrypted sites that need to be allowed. It's unfeasible to whitelist all those sites and provide no further filtering on them, so intercepting SSL streams is the future, I'm afraid.

Besides, why in the world do kids need access to computers in the classroom? When kids are working in a computer lab or something, have someone watching them. If you can't trust them to not look at porn, then they're not mature or old enough to be left alone with a computer.

Now this, I heartily agree with.

Sounds counterproductive to me. The world we live in today requires people to know how to use the internet in their day to day lives, both for work and pleasure. If you refuse to let people use this valuable resource except for the 1-2 hours a week where they have an IT lesson then you're really screwing with their education. It's pretty much the equivalent of banning people from reading books outside of English lessons for fear that they might read something a bit too "explicit" - the answer, of course, is to ensure there are no explicit books in the school library, not ban reading altogether.

Comment Re:Evil? (Score 1) 572

Blanket SSL blocking won't work -- employees often *need* to use SSL to do their job (e.g. Finance needs to connect to the bank websites, employees need to use SSL protected logins at other sites - most any site that allows logins will require SSL).

(Disclaimer: I run a business that provides web filtering systems for schools)

In fact, SSL is becoming quite commonplace on a lot of sites where you'd traditionally not consider security to be a big deal. For example, Google does searches over https(*). For a long time we resisted intercepting HTTPS streams, instead choosing to only whitelist certain sites. However, over the last few years, the number of sites using HTTPS has massively increased, and it's simply not feasible to allow them all through without any kind of automated content inspection. So these days, our filtering systems do perform a MITM attack on all HTTPS sites that aren't whitelisted - as far as we're concerned, there's no other way to reliably filter web traffic now.

I should take this opportunity to point out that I'm specifically talking about schools, where there is a need for some amount of filtering. I'm of the opinion that performing any kind of web filtering in a normal workplace is counter productive: you'll end up blocking stuff your employees need to access in order to do their jobs, you'll end up pissing your employees off and at the end of the day, if your employees aren't responsible adults, why the hell are you employing them?

(* Google HTTPS searches can be disabled on a network-wide basis; although it could be argued that MITMing these connections at the proxy is better than disabling encryption entirely since the MITM method only introduces one weak point instead of weakening the entire path).
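The two comments above (the ssh-on-port-80 tunnel, and whitelisting versus terminating HTTPS at the proxy) both come down to one decision the filter makes from the first bytes a client sends. This is an added example, not code from the thread or from any filtering product: it classifies the opening bytes of a connection (TLS ClientHello, SSH banner, plaintext HTTP), pulls the SNI hostname out of a ClientHello, and applies a pass-through / intercept / inspect / block policy. It uses Node.js built-ins only; the whitelist hostnames and the sample ClientHello are constructed for the example, and the "block hellos without SNI" rule is this example's policy choice, not a universal one.

```javascript
'use strict';
// Added example (not code from the thread or from any filtering product):
// the first decision an intercepting filter proxy has to make when a
// client connection arrives. Node.js built-ins only; all inputs are
// constructed below. The whitelist hostnames are made up.

// Classify the first bytes the client sends. A TLS ClientHello starts with
// record type 0x16, a 3.x record version and handshake type 0x01; an SSH
// client announces itself with its version banner; HTTP starts with a
// method token. SSH tunnelled over port 80 is therefore trivial to tell
// apart from web traffic.
function classifyFirstBytes(buf) {
  const head = buf.subarray(0, 8).toString('latin1');
  if (buf.length >= 6 && buf[0] === 0x16 && buf[1] === 0x03 && buf[5] === 0x01) return 'tls-clienthello';
  if (head.startsWith('SSH-2.0-')) return 'ssh';
  if (/^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) /.test(head)) return 'http';
  return 'unknown';
}

// Walk a ClientHello and return the server_name (SNI) the client asked for,
// or null if there is none. Every length is bounds-checked so a truncated
// or malformed hello cannot make the proxy throw.
function extractSni(buf) {
  if (buf.length < 5 || buf[0] !== 0x16) return null;
  const rec = buf.subarray(5, 5 + buf.readUInt16BE(3));      // TLS record body
  if (rec.length < 4 || rec[0] !== 0x01) return null;         // handshake type must be ClientHello
  const body = rec.subarray(4, 4 + rec.readUIntBE(1, 3));     // ClientHello body
  let p = 2 + 32;                                             // client_version + random
  if (body.length < p + 1) return null;
  p += 1 + body[p];                                           // session_id
  if (body.length < p + 2) return null;
  p += 2 + body.readUInt16BE(p);                              // cipher_suites
  if (body.length < p + 1) return null;
  p += 1 + body[p];                                           // compression_methods
  if (body.length < p + 2) return null;                       // no extensions block at all
  const extEnd = Math.min(body.length, p + 2 + body.readUInt16BE(p));
  p += 2;
  while (p + 4 <= extEnd) {
    const type = body.readUInt16BE(p);
    const len = body.readUInt16BE(p + 2);
    const data = body.subarray(p + 4, Math.min(extEnd, p + 4 + len));
    if (type === 0x0000) {                                    // server_name extension
      let q = 2;                                              // skip server_name_list length
      while (q + 3 <= data.length) {
        const nameLen = data.readUInt16BE(q + 1);
        if (data[q] === 0) return data.subarray(q + 3, q + 3 + nameLen).toString('ascii');
        q += 3 + nameLen;
      }
      return null;
    }
    p += 4 + len;
  }
  return null;
}

// Policy: whitelisted names are relayed untouched (the real certificate
// reaches the browser); everything else over TLS is terminated with the
// proxy's CA and inspected; plaintext HTTP is inspected as-is; anything
// that is not web traffic on a web port is dropped. Blocking hellos that
// carry no SNI is this example's choice, not a universal rule.
function decide(firstBytes, whitelist) {
  const kind = classifyFirstBytes(firstBytes);
  if (kind === 'tls-clienthello') {
    const sni = extractSni(firstBytes);
    if (sni === null) return { kind, sni, action: 'block' };
    return { kind, sni, action: whitelist.has(sni) ? 'passthrough' : 'intercept' };
  }
  if (kind === 'http') return { kind, sni: null, action: 'inspect-plaintext' };
  return { kind, sni: null, action: 'block' };
}

// Constructed sample traffic. buildClientHello() emits a minimal but
// well-formed TLS 1.2 ClientHello with one cipher suite, one dummy
// extension and (optionally) an SNI extension, so the extension walk in
// extractSni() is actually exercised.
const u16 = (n) => { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; };
const u24 = (n) => { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; };
function buildClientHello(serverName) {
  const fixed = Buffer.concat([
    Buffer.from([0x03, 0x03]),             // client_version TLS 1.2
    Buffer.alloc(32, 0xab),                // random (fixed, constructed)
    Buffer.from([0x00]),                   // empty session_id
    Buffer.from([0x00, 0x02, 0xc0, 0x2f]), // one cipher suite
    Buffer.from([0x01, 0x00]),             // null compression only
  ]);
  let exts = Buffer.concat([u16(0x000a), u16(4), Buffer.from([0x00, 0x02, 0x00, 0x1d])]); // supported_groups
  if (serverName !== null) {
    const name = Buffer.from(serverName, 'ascii');
    const entry = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]); // host_name type 0
    const list = Buffer.concat([u16(entry.length), entry]);
    exts = Buffer.concat([exts, u16(0x0000), u16(list.length), list]);
  }
  const body = Buffer.concat([fixed, u16(exts.length), exts]);
  const hs = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(hs.length), hs]);
}

const WHITELIST = new Set(['bank.example', 'exam-board.example']);   // constructed

for (const sample of [buildClientHello('www.example.org'), buildClientHello('bank.example'),
                      buildClientHello(null), Buffer.from('SSH-2.0-OpenSSH_9.6\r\n'),
                      Buffer.from('GET / HTTP/1.1\r\n')]) {
  console.log(decide(sample, WHITELIST));
}
```

The point the example makes explicit is that SNI is the only thing the proxy can whitelist on before it has to choose between relaying the real certificate and substituting its own; a client that sends no SNI, or a protocol that is not TLS or HTTP at all, gives the filter nothing to classify and gets policy-blocked rather than inspected.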

Comment Re:From the FAQ (Score 1) 704

All the TOS in the world won't prevent them from being sued. Similarly, Caveat Emptor doesn't protect them from gross negligence.

Who you gonna sue if the company has been wound up? Hell, even if they had said "we insure these funds", you still can't do much if the company has gone. The only sensible thing to trust is if they said "we have a *third party* insure these funds for you", so their bankruptcy doesn't absolve the third party of paying out your insurance money.

Comment Re:How much can be stolen until it's all gone? (Score 5, Insightful) 704

That is really the point here - if you destroy a currency the currency is worthless, so why steal it unless you don't care about the value?

1. Steal currency
2. Convert into another currency
3. Time passes
4. People realise that a theft has occurred
5. Currency devalues
6. Thieves don't care because they already cashed out in (2).

Comment Re:A serious question (Score 1) 704

But then rethinking that, maybe it is better to trust a professional 3rd party (i.e. but not perhaps Magic: The Gathering wizards) to manage your security? There are big businesses in managing computer fleets simply because doing it right, rolling your own, is non-trivial.

It's reasonable to trust a security company to manage security since they theoretically know more about it than you and can therefore do a better job. What is unreasonable is to trust someone with security with no kind of insurance against them screwing up - while a company can massively screw up and then simply say "sorry" and declare bankruptcy, leaving you out of pocket, they aren't really to be trusted.

I'm also not a big believer in accreditations - over the years I've had to deal with a lot of people who were supposedly qualified to do their job, but in the end I have frequently ended up picking up the pieces after it becomes clear that they don't know the first thing about what they're doing.

Comment Re:So sad and pathetic (Score 1) 116

It depends on the position and situation. Having a million friends on Facebook at least shows that the applicant has connections to the mainstream, the people associated with it, and is likely the type who can handle their own in a social environment. Whether you believe any of that or not is up to you, but in any event, it is just 1 metric--nobody said that it's *THE* metric.

Or it shows that the applicant is the sort who will blindly accept a friend request from people they don't know. If you've got over 1000 "friends" on facebook, you aren't an extrovert, you're a security risk...

Comment Re: Bank account hijacking is impossible (Score 2) 105

The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the form's action sends data via https.

A non-HTTPS login page could be modified to submit the data to a different server instead of the bank's - by the time you realise, it's too late. Or some JS could be embedded in the page to send the data to a third party *as well* as the bank, and you'd never spot that unless you had Firebug open. The latter attack can also be carried out by embedding HTTP objects in an HTTPS page, which isn't especially visible to the end user.

Comment Re:Bank account hijacking is impossible (Score 1) 105

My bank is secure!!1!!!!

Between generous application of padlock GIFs designed to make me feel safe and an account-specific image letting me know I'm logging into my bank and not some imposter bank... it would be impossible to get hacked. They even say so on their web site.

Remember years ago feeling bored and actually getting ahold of one of their "IT" guys informing him of the dangers of requesting credentials directly from a home page loaded via HTTP... His response was ... drumroll... it is posted to a secure site so the credentials are encrypted and can't be compromised.

There is no arguing with stupid or those who willfully subvert browser security features for marketing and or checking off security boxes on the compliance chart even if you (should) know better.

Meanwhile I was reasonably impressed by HSBC, who fixed their website in about a day when I told them they were including HTTP objects in the HTTPS login page. That said, they still include some objects from third party servers, over HTTPS (notably, Google advertising). IMHO the browser should warn you if there are any objects on an HTTPS page that aren't covered by the certificate displayed in the address bar.
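The two comments above describe three distinct problems with a bank login page: a password form on a page that was itself fetched over HTTP (whatever its action says), an HTTPS page pulling in HTTP objects, and HTTPS objects from hosts the address-bar certificate says nothing about. This is an added example, not code from the thread or from any bank: a static audit that reads a page's markup and reports each of those. It uses Node.js built-ins only (a regex tag scan, not a full HTML parser, so it will not see resources added later by script); the two sample pages and every hostname in them are constructed for the example.

```javascript
'use strict';
// Added example (not code from the thread or from any bank): a static
// audit of a login page's markup for the problems discussed above.
// Node.js built-ins only; the sample pages and all hostnames are constructed.

// Pull the URL-bearing attribute out of each tag we care about. A regex is
// enough for this static check; it is not a general HTML parser and does
// not see resources loaded later by script.
function extractRefs(html) {
  const refs = [];
  const tagRe = /<(form|script|img|iframe|link|object|embed)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attr = { form: 'action', link: 'href', object: 'data' }[tag] || 'src';
    const a = new RegExp(`\\b${attr}\\s*=\\s*["']?([^"'\\s>]+)`, 'i').exec(m[2]);
    if (a) refs.push({ tag, value: a[1] });
    else if (tag === 'form') refs.push({ tag, value: '' }); // no action: posts back to the page URL
  }
  return refs;
}

// Findings, for a page served at pageUrl:
//  - login-form-on-http-page: a password field on a page that itself came
//    over HTTP. The action may be https, but the page can be altered in
//    transit (action swapped, script injected) before the browser submits.
//  - form-posts-over-http: an action that is not https.
//  - mixed-content: an https page pulling an http: object.
//  - third-party-https-object: an https object from another host, i.e. one
//    the certificate shown in the address bar says nothing about.
function auditPage(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  const hasPassword = /<input\b[^>]*\btype\s*=\s*["']?password/i.test(html);
  if (page.protocol !== 'https:' && hasPassword) {
    findings.push({ kind: 'login-form-on-http-page', detail: page.href });
  }
  for (const ref of extractRefs(html)) {
    let target;
    try { target = new URL(ref.value, page); } catch (e) { continue; } // skip unparsable values
    if (ref.tag === 'form') {
      if (target.protocol !== 'https:') findings.push({ kind: 'form-posts-over-http', detail: target.href });
    } else if (page.protocol === 'https:' && target.protocol === 'http:') {
      findings.push({ kind: 'mixed-content', detail: `${ref.tag} ${target.href}` });
    } else if (page.protocol === 'https:' && target.protocol === 'https:' && target.host !== page.host) {
      findings.push({ kind: 'third-party-https-object', detail: `${ref.tag} ${target.href}` });
    }
  }
  return findings;
}

// Constructed sample 1: the "it is posted to a secure site" design. The
// action is https, but the page carrying the form came over plain HTTP.
const HTTP_LOGIN_PAGE = `
<html><body>
<form action="https://login.bank.example/auth" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<script src="http://cdn.example/track.js"></script>
</body></html>`;

// Constructed sample 2: an https login page with a padlock gif fetched over
// http and an advertising script from a third-party host.
const HTTPS_LOGIN_PAGE = `
<html><body>
<form method="post">
  <input name="user"><input name="pass" type="password">
</form>
<img src="http://www.bank.example/padlock.gif">
<script src="https://ads.example/ad.js"></script>
<link rel="stylesheet" href="/style.css">
</body></html>`;

console.log(auditPage('http://www.bank.example/', HTTP_LOGIN_PAGE));
console.log(auditPage('https://www.bank.example/login', HTTPS_LOGIN_PAGE));
```

Sample 1 yields only `login-form-on-http-page`: the https action does nothing to protect a page the attacker can rewrite before it is submitted. Sample 2 yields `mixed-content` for the gif and `third-party-https-object` for the ad script; the latter is exactly the case the comment above wants the browser to flag, since a compromise of the third-party host puts script into the bank's origin with no certificate warning at all.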

Comment Re:Brass balls on this guy! (Score 1) 144

"'I know that if the water does overwhelm me I can always open the helmet,' wrote Parmitano about making it to the airlock. 'I'll probably lose consciousness, but in any case that would be better than drowning inside the helmet.'"

Wow, that's one cold mofo here.

I believe he was already in the (repressurising) airlock by that point, so whilst taking the helmet off would have been bad, it's not quite the same as doing it in space.

On the other hand, the helmets do have a depressurisation valve which can be opened while in space (Chris Hadfield had to use it to remove contamination from inside his suit while on EVA). ISTR that NASA had considered using that, but had concluded that the surface tension would prevent the water from migrating towards the valve so it wouldn't have worked.

Comment Re:I don't think so (Score 1) 124

When I went off to college, many of my most IT-savvy freshman colleagues were versed in networks and system administration because they had run the computer labs of their high schools. Some of them had been caught cracking or otherwise mucking about in ways that the school staff lacked the ability to revert and been forced to clean up after themselves, others saw messes and volunteered to help out.

Times have changed - when I did my computer science degree, most of the students were at the geeky end of the spectrum and were there because that's what they were really into. Compare to the present-day cross section of computer science students: most of them are there because computers are seen as a good career. The extra-curricular interest is giving way to people who just want a job.

Comment Re:Just XMPP, use decent messenger (Score 1) 53

FB chat is just XMPP and easy to setup in pretty much any messenger anyway.

Empathy on both my workstations has suddenly refused to log into facebook with auth failures over the past few weeks (no, I haven't changed my password). I must get around to looking into it, but it would imply that facebook have changed _something_ WRT XMPP...

Comment Re:Keyword; simulated (Score 2) 68

Sure it's easy to model the spread of a virus. It's another thing entirely to write one that can run on every commodity access point, with sufficient CPU power to crack all nearby passwords / keys.

Doesn't need to do that: crack the wifi key and you now have access to the whole network. From there you can install on *any* insecure device on the network - be it the AP itself, a Windows workstation, a NAS, smart TV, printer, whatever. If the device in question has its own wireless NIC (which is frequently the case if you've infected something like a laptop or smartphone) then you can find another wifi network, crack that, install on any device you find therein, rinse and repeat. Especially good for devices like laptops and phones which physically move around so can probably infect geographically separated networks (think: home user bringing their infected phone into work - the phone doesn't need to already be authorised to log into the office wifi network for it to sit there all day, every day, cracking the damned thing!).
