Slashdot Mirror


User: dgatwood

dgatwood's activity in the archive.

Stories: 0
Comments: 14,277

Comments · 14,277

  1. Re:HUGE number of vulnerabilities in Flash on What Killed Adobe Flash? (daringfireball.net) · · Score: 1

    This. At the time that the decision to not support Flash was made, one of the major driving factors behind that decision was its terrible reliability. Flash was responsible for... IIRC, the #1, #2, and #3 most common crashes on Safari on the Mac. Now bear in mind that for all intents and purposes, every single crash of the Flash plugin was a security hole. The terrible quality of Flash led to stricter and stricter sandboxing of the plugins, shifting it into its own process so it couldn't gain root, etc.

    On iOS, at the time, Safari ran in a completely unrestricted user account with the equivalent of superuser privileges. The sandbox model was basically either "full access" or "access to the app's data", with nothing in between. It would have required a herculean effort to make Flash behave in a usable manner without it turning the entire operating system into a giant data leak.

    And it seems very clear to me, at least from an outside perspective, that the problem is Adobe's management. Adobe has never taken security, stability, reliability, etc. seriously. If they did, their products would be much better than they are. Just take a look at the average Adobe app on OS X, which starts having serious reliability problems within one OS release after the last supported OS version, i.e. Adobe's code is so skanky that as soon as they stop patching it, it breaks. Now I'll grant that their code is considerably more complex than your average app, but the parts that break aren't typically the complex parts. They're menial things like file open dialogs—the sorts of things that should be written once and never touched again.

    IMO, the problems with Flash can be readily explained by taking a look at a single bug I filed about Adobe's high-end apps not working on case-sensitive volumes because they linked to frameworks with incorrectly cased pathnames. They hemmed and hawed for years, repeatedly blaming Apple's tools for something that very obviously was caused by a typo in their Xcode project (or whatever build script they used instead of an Xcode project). They looked for every possible excuse to avoid fixing a problem that should have taken no more than a minute to fix (I've fixed the same mistake in my own projects, so I know it really is that simple). And you just know that every single one of those crashes was an equally silly bug that could have been fixed in a minute by an intern. But instead of spending the time to fix them, they kicked the can down the road and focused on adding features and bloat, all of which added even more security holes, ad infinitum. And they continued to do so for a decade until the situation got so bad that they were publicly shamed for it. I'm not entirely convinced they've learned their lesson even now.

  2. Oops. Slashdot's website broke badly. Submissions weren't showing up for minutes. And now I got three identical posts because the duplicate post detection also wasn't working. *sigh*. Sorry for the noise.

  3. If by succeeding, you mean completely failing to have any significant role in online commerce, and not being a significant source of information beyond currently trending events, then sure. Call me when there's something equivalent to Wikipedia that's built into Facebook without linking out into the Internet as a whole, or something equivalent to Amazon, or something equivalent to airline and hotel reservation websites, or....

    So no, Facebook is not succeeding as a replacement for the Internet—only for the very narrow slice of the Internet that was previously dominated by MySpace.

  6. It's not always a home ISP that's doing subtle MITM modification. It might be someone malicious in the same coffee shop as you.

    Assuming DNSSec gets deployed as it should, someone in the same coffee shop will be able to passively snoop, but won't realistically be able to be in the middle of the communication unless the infrastructure is badly broken. After all, two hops over Wi-Fi should always realistically have higher latency than one hop plus a DHCP response. The biggest weakness is UDP-based DNS. For that matter, you could disable UDP-based DNS today, and you'd pretty much kill any hope of MiTM attacks by anybody other than your ISP. Arguably, you probably should.

    Or it might be a government agency using the Fullscreen API to spoof the chrome of the entire desktop environment.

    At that point, your endpoint is untrusted, so the communication is untrusted, period. There is no security mechanism that can have any real benefit if you cannot trust the browser itself or the operating system under it.

  7. Re:Yes, but Parkinson's law on New AI Algorithm Beats Even the World's Worst Traffic (vice.com) · · Score: 1

    There exists a point at which everyone is already driving their individual vehicles and no additional capacity is needed. Once reached, no further worsening is realistically possible without attracting more people to the area....

  8. Re:i cant believe what im seeing. on New AI Algorithm Beats Even the World's Worst Traffic (vice.com) · · Score: 1

    My one wish before I die --assuming I can merge-- is to see the second sign for the exit to Interstate 10. Could this app be the miracle I've prayed for between prayers for the sweet release of death? I sure hope so.

    Fear not, my friend, for I have heard tales of a land beyond the jam—a mythical place called the O.C.—where giant mice and princesses roam the streets and the terrors of Hollyweird are but a distant memory. But to get there, you must turn left now, for your current path leads only to drowning after you drive off into the ocean at Huntingdon Beach. Beware the Tides of March.

  9. Well, he does have a point. When leaving bodies in sealed drums, you really shouldn't chat about it in the workplace.

    This whole thread is starting to sound like a BOFH episode.

  10. Google.com also involves authentication credentials. You can't usefully do a phishing attack against a website that involves no credentials, because there's nothing to phish.

  11. Without TLS, how do you ensure that a man in the middle isn't altering the information that you retrieve from said "Informational websites with no credentials"?

    You don't, but it almost never matters. MiTM attacks tend to be harder than passive sniffing, and there are very few reasons why any ISP in its right mind would do so. They're far more likely to do blocking, or redirect a streaming site to their own streaming site, or other absurdity that's easy to spot.

  12. Re:but you arent a traditional CA on Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites (bleepingcomputer.com) · · Score: 1

    The few times I've used Let's Encrypt was during testing phases, as a place-holder until I had the time to get a "real" cert. My company has an inane procedure to get purchase orders to pay for anything, so often it takes a couple of weeks to get to the point of being able to purchase anything via a "new vendor". If you can't afford $5 or so to get a year-long cert, then you're either not serious about your site or doing something wrong.

    Or you have more than the one subdomain that most CAs allow for $5 certs. Even with a limit of five for Let's Encrypt, it takes two certs for my main domain. Bare domain, www, images, git, homeserver, kinji, and I feel like I'm still forgetting one. A wildcard domain cert starts at two hundred bucks.

  13. The registrars are *supposed* to do visual aliasing checks when issuing internationalized domain names. If that isn't happening, the failing party is clear. It isn't as though this hasn't been a known problem for years....

  14. Does anyone remember what the point of SSL was? It's just so our users don't see the non SSL warning right?

    You say that jokingly, but there's some truth to that. The need for TLS is proportional to the damage done by compromising the connection. Informational websites with no credentials do NOT need TLS, typically, and the push to add TLS more broadly has played a major role in lowering the bar for getting a cert (out of necessity), thus weakening an already weak system further.

  15. Re:Foundamental flaw of the CA infrastructure on Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites (bleepingcomputer.com) · · Score: 1

    More generally stated, if you can't trust the endpoint, you can't trust the communication, period. No protection scheme can protect against a compromised endpoint.

  16. Normal people may want to visit paypal for the first time ever which means no AutoFill data or any indication they've arrived at the website they can really trust.

    Normal people trust their search engine to return the real PayPal site when they search for it. The worst realistic scenario from a non-user getting otherwise redirected to a fake version of the site is having to contest false charges on a credit card and report the card stolen. No big deal. It becomes dangerous when you associate a bank account with it, which no mentally competent person should do when visiting a site referred from some random new website. But once you have done that, accidentally giving out your password to a phishing site becomes a really big deal, because you probably won't get that money back.

    Idiots who say you should trust a website based on its name think too much of people.

    What the h*** else can you possibly use as a basis for trust? Do you expect us to create a little walled garden that prevents the free flow of information just in case some bad person decides to do something bad with that ability? We had that. It was called AOL, and it failed because it was too limited compared with the real web.

    The only way to be sure that my connection attempt is not spoofed is what? VPN? No, you cannot trust it either. DNSSEC hasn't really taken off and then you cannot really trust CAs nowadays.

    You should really be encouraging broader adoption of DNSSec so that we'll eventually be able to make DNSSec validation mandatory instead of whining on Slashdot that we aren't taking the problem seriously. Or propose a better solution. Either way.

    Sorry, I've never seen so many idiots at /. simultaneously.

    With all due respect, has it ever occurred to you that if you think a large number of really smart people are idiots, it probably means that you don't understand the problem as much as you think you do? Just saying.

  17. Re:but you arent a traditional CA on Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites (bleepingcomputer.com) · · Score: 1

    ... phishing sites needed to pay money to play in the https realm or hire someone smart enough to exploit an https protected site.

    Nope. StartSSL had been issuing free low-validation certs since at least 2009, some six years before Let's Encrypt issued its first cert. The only substantive differences between Let's Encrypt and StartSSL, as far as I can tell, are:

    • Let's Encrypt didn't get bought out by a Chinese registrar who abused their signing certs in ways that caused them to become untrusted by most browser vendors.
    • Let's Encrypt forces you to use automated certificate updating by limiting the certificate duration to a ridiculously short period for no actual security benefit (and worse, in its default configuration, generates a new RSA key every time it renews the cert, which significantly weakens the security model by making key pinning impossible).
    • Let's Encrypt merely requires you to prove that you have control over the web server, rather than that you have control over the domain, which also weakens security somewhat if your server gets compromised.

    But in terms of being able to get free certs for a domain that you control, there's no real difference.

  18. Or AutoFill. You enable AutoFill for PayPal.com, and then when your password doesn't automatically show up, you look at the URL more carefully and immediately see why.

    The real threats to security are not the CAs that issue certs for sites containing PayPal in the name. The real threats are clueless sysadmins at (mostly banking) websites that insist on not allowing AutoFill and/or break their websites in ways that make AutoFill stop working when it worked before. Besides playing right into the hands of keyloggers, such actions force people to remain willing to type passwords when in reality, users should never, ever, ever type a password into a website. Ever. Seriously.

    ... that and browser makers, who haven't bothered to come up with a global standard for changing passwords so that users whose computers become compromised can easily reset all their passwords automatically with a single click, and also haven't bothered to come up with completely automatic plug-in update systems, thus making it easy to trick people into believing that their Flash Player or Silverlight plug-in is out of date, thus causing them to download and run a trojan horse installer that steals their password database, etc.

  19. Re:If I had my way... on Why You Should Care About the Supreme Court Case On Toner Cartridges (consumerist.com) · · Score: 1

    All of the printer companies have a history of abusing the legal system. Lexmark just happens to be the worst offender.

    Really? I'm aware of Lexmark's abuse. HP abuses users in more subtle ways, but not through the legal system. I'm not aware of anything even remotely similar from Brother, Konica Minolta, or Canon, all of which IMO make much better printers than Lexmark and HP.

    Frankly, I don't even understand how Lexmark is still in business.

  20. It hasn't been squelched because it isn't consumer-friendly. It actually causes even bigger problems, because the obnoxious scammers have already changed their tactics, and now are using actual phone numbers that belong to other people.

    About two weeks ago, I got a text message from somebody asking why I called them. I had not made any phone calls in nearly a day at the time, as verified on my phone. And I keep getting telemarketing calls from random assigned phone numbers in the area that belong to random individuals, all of whom are innocent victims.

    It is not sufficient to ban calls from unassigned numbers. Our phone network is hopelessly insecure, dating back to the days when only trusted carriers could add calls into the system. The only way to fix this is to ensure that at every injection point, the system verifies that the call is really coming from where it claims to be coming from—one wire, one or more fixed number blocks. And because there are probably major carriers complicit with this abuse, doing this right would require some sort of authenticated source check further down the line as well. This would probably require a major rearchitecting, which is why it probably won't happen any time soon. Basically, we need the equivalent of TLS and CAs for the phone network....

    If you enter on yellow it should be because you were going too fast and were too close to stop safely, so leaving before it turns red shouldn't be a problem.

    Only if the yellow is long enough. I've seen many lights where if there's only one car at the intersection and you're turning left, you can enter on green and you'll still exit two or three seconds after the light turns red. A car approaching from behind at any speed even remotely approaching the speed limit would then enter on yellow without time to stop, but would have to slow down for you and would be unable to get out of the light until long after it turned red.

  22. Depends on the state. For example, prior to 2014, Tennessee law didn't say that, and we were taught that unless you entered on green, you had to be clear of the light before it turned red, IIRC.

  23. Re:I don't have any you insensitive clod! on US Ordered 'Mandatory Social Media Check' For Visa Applicants Who Visited ISIS Territory (theverge.com) · · Score: 1

    Seriously. When I was in high school/college, I had something like thirty FreeNet accounts on different servers around the U.S., just for the heck of it. Do those count? Because if so, I don't have any idea what any of them were.... :-D

  24. Re:Stealth Layoff on IBM, Remote-Work Pioneer, is Calling Thousands Of Employees Back To the Office (qz.com) · · Score: 3, Insightful

    That seems backwards to me. People who are near retirement would probably be better off holding on to their home and retiring earlier than planned rather than taking what is potentially the loss of one or more years' income in a single hit.

  25. Re:The social effects are much worse. on In 18 Years, A College Degree Could Cost About $500,000 (buzzfeed.com) · · Score: 1

    In the past, before these subsidies that distorted the pricing so horrendously, most students had to study something that brought real value. While a few dicked around in an abstract, rather useless subject like philosophy, most students studied science, engineering, mathematics, law, and medicine. These are the sorts of subjects that allow the students to, in the future, provide real value to society.

    That's arguable. In our "anything that can be outsourced should be" culture, science, technology, engineering, and mathematics degrees are no longer guarantees of adding economic value, either. And not everybody is good at those subjects. In my experience as a college educator, forcing students to dedicate four years of their lives to a subject that they hate just because it theoretically pays better after graduation is self-defeating. You end up with students that don't really want to learn the material, struggle to pick it up, and drag down the rest of the class as you try to help them keep up.

    Eventually, even medicine will be mostly automated. We'll still need nurses for a while, because robotic nursing is a genuinely hard problem, but doctors could basically be replaced by IBM's Watson and a glorified secretary today. Besides being an extremely expensive career to go into, the long-term prospects are bleak. So the question you have to ask yourself is this: Do we really want to live in a society of lawyers?

    Also, as others have mentioned, education used to be much more highly subsidized than it is now, even taking into account the availability of college loans (which are largely a more-expensive-to-the-student replacement for the government subsidies that used to exist). Yet people continue to choose those degree programs. Could it be that you're wrong about the value to society? Folks with degrees in the performing arts are guaranteed a menial income for the rest of their lives, but they're also doing something that they enjoy. When faced with a society of people who are getting more and more unhappy, given that happiness is a strong predictor of longevity, arguably those degree programs benefit society a great deal even before you consider that their creative output improves society directly. And many art history majors learn (either as part of their degree or on the job) how to do fundraising, which contributes greatly to the arts, and thus to society as well. AFAIK, there aren't degree programs specific to arts development in most places, so art history and music degrees are often as close as you can get.

    Now I'm not going to argue that I know the value of those other degrees you mentioned. I suspect that at least for now, they mainly qualify you to be a high school guidance counselor or maybe a politician, but that's just a guess. But in my experience, the job market creates interesting opportunities based on the availability of people with specific skills. If there are enough people with those currently low-value majors, somebody (maybe even somebody who majored in one of those fields) will come up with some interesting task that those students can uniquely perform after they graduate, and society benefits from the creation of those new areas of work and study.

    Finally, I would add that the purpose of college is to educate students for the sake of learning—to open their eyes to the world's possibilities. Its purpose is not to be a trade school. We don't need more cookie-cutter STEM majors who got their degrees because they pay better out of school. We need a society of people who appreciate the world in which we live, who find ways to do what they love and love what they do, who understand how to learn, who understand how to think for themselves, who understand that they live in a diverse world of people with different backgrounds, different interests, different cultures, and different perspectives. And that is far more valuable to society than being able to check "yes" in the box that says "I have a degree in science