When the purpose is to allow schools without adequate supplies of teachers to save face, choosing those subjects probably isn't going to help much. If a school is so hard up for CS teachers that they can't even find a math teacher to lean on, odds are that their supply of more esoteric specialists isn't so hot. Plus, at the K-12 level, if you have philosophy on the curriculum at all, it is likely that it is covered as a 'history of philosophy' survey course, largely without going too far into the hairy depths of any specific philosopher or philosophy on the list; and usually starting with the Greeks so that you'll have safely graduated before we get to anything more logical than a few toy syllogisms.
Nothing wrong with basic philosophy survey courses, if honestly billed as such; but the ability to teach one doesn't necessarily imply much background in logic beyond the ability to follow an argument.
It doesn't help that picking up 'machine learning' isn't exactly on the same scale as picking up the trendy framework or language of the day. It's not clear that the rate we churn through those is actually a good idea; but at least there are huge areas of conceptual similarity that allow somebody versed in yesterday's hot language and environment to pick up today's and tomorrow's with some acclimatization to new vocabulary.
This is pretty much an entirely different branch of mathematics, similar only in that the problems are large enough that you need programming skills to implement useful solutions.
Or save everyone a lot of time and trouble and just decide how much data, how fast, is "Free Basics" and let those little users decide for themselves what counts as the best use of what they have available.
In practice, I suspect that 'the web' as designed for people with terrible phones and very, very, limited bandwidth is going to be a specialized subset; you just can't get away with streaming-video-ads and multiple megabytes of random 3rd party embeds under those conditions; but it can be a specialized subset that is worked out between people who want to serve those users and those users and their priorities, no fancy central planning needed. After all, the only technology you need to serve people with access to tiny amounts of bandwidth is 'just design like you did when American early-adopter geeks considered a V.32 dialup link to be pretty hot stuff'. All those old tricks still work (even better, since judicious use of XMLHttpRequest can avoid the obnoxious old 'generate and load an entirely new page every time you click a single button because we can do almost nothing on the client side' behavior), most of them are still a proper subset of the current 'correct' way, or reasonably close.
If this were actually some mercy mission, you could just decide how much data it is economic to hand out, hand it out, and sit back. I'm guessing that that won't be the plan.
We kinda-sorta do; but in the most half-assed way possible. If you show up in the ER in sufficiently dreadful condition, they are obligated to at least pretend that they've provided the necessary acute care (there are various ways to...expedite...the less desirable customers; but you have to weasel around and keep up appearances); you can't just move them to the designated dying section of the parking lot. Anything less serious than that, though, go wait for it to get worse, then come back when it's an emergency.
Do you suspect that he believes that this is what schools and hospitals do; or do you suspect that he is using the ever-popular "present what you want to be the case as though it already is, whenever possible, as part of working to bring reality into conformity with your desires" strategy?
There certainly are people who enjoy an utterly sincere fundamental misunderstanding; but there are also people who know exactly what the current objective is; and simply want to radically alter it.
If he wanted the 'library' comparison, he'd need better evidence that there is a "librarian" involved.
Libraries are, ultimately, beholden to the desires of their funding organizations; but 'librarian' is one of those funny jobs, like 'teacher', 'doctor', and 'flight crew', where they are supposed to serve "the customer"; but sometimes serving the customer means telling them to GTFO and let us do our job.
A given library can't drift too far from the objectives it was set up to fill(a K-12 collection is going to be expected to have some research materials aligned with the district's curriculum; plus a selection of child and young-adult literature deemed to fall within the intersection of 'likely to be popular' and 'worth having kids read'; a university library had better have the relevant journals and materials to support the work of the students and faculty, a public library needs to cater to a mixture of popular taste and availability of material deemed particularly worthwhile); but within the scope of the mission, the librarians are generally accorded broad leeway to exercise their professional judgement; and challenges to their decisions are supposed to be made in terms of accusations that they aren't upholding the library's objectives properly; not simple demands that the library cater to somebody's whim. "Circulation records indicate that this 'popular fiction' was last checked out in 1992; is it really the best use of limited shelf space?" is a perfectly valid question. Sounds like the librarian hasn't been keeping up with the collection properly. "Concerned Citizens For Decency want this obscenity away from the children!" not so much.
I don't think that there is much doubt that Facebook is doing this because it is good for Facebook, or they suspect that it is; but if they want to latch on to the highflown ideals of 'library' there are some concrete things they can do, even if the project remains their pet. Who are the 'librarians' of this library? What criteria do they use when deciding what does and doesn't go on the shelves? If I want to argue that X should be included, according to the criteria they claim to uphold, who do I talk to?
Then there is the more fundamental question: a library is, necessarily, a 'curated' sort of operation because it has finite resources, finite space, and staff expertise concerning the collection is considered a valuable feature. You can 'curate' down a selection of the internet if you want, just as you can the universe of books that are published; but why are you doing so? Obviously data transmission costs money, and more/faster transmission costs more money, so you can't expect people with approximately zero money to get screaming 4GLTE-and-special-sauce unlimited connections at prices they can afford; but if this "Free Basics" stuff is economically tenable; why is it access to a limited subset of the internet; rather than the entire internet, at whatever speed is low enough to be affordable?
Sure, Facebook isn't about to subsidize some random peasant's youtube habit; but if their "Free Basics" were 'whatever you want, at a crawl', rather than 'stuff we pick for you', that would both provide an incentive for users of "Free Basics" to stick to the basics, since sites not designed to cater to their network and hardware limitations are just going to suck; but also dodge a whole lot of unpleasant questions about the motives, selection process, etc. of the "basics" provided.
If they are willing to be honest about this being a straightforward grab for the developing world's eyeballs, in cooperation with local telco monopolies that would prefer that the cost of commodity bandwidth stay nice and high, then they can do whatever they can get past the local regulatory entities. If they want to pretend that this is some kind of humanitarian project, though, there are some pretty obvious steps they could take, but haven't, to clear things up.
Even within the US, whether through malice or apathy, transferring money between accounts with different banks can take an absurd amount of time (in my case, this wasn't even some commercial-scale operation with validation and trust problems, it was my accounts, and those of my parents, at one bank that had very few branches or ATMs in the city I was going to college in, and my account with a bank that had better local coverage). It turned out to be the least hassle to just withdraw up to the limit on the occasions when I did pass Bank A's ATM and physically courier the money to Bank B's ATM for deposit. It worked out; but it seems as though banking is one of those things that gets more customer-hostile the lower you go.
You've really got two distinct points of contention at play: some people say 'altcoin' when they mean anything that isn't bitcoin-with-the-anointed-blockchain. Others say 'altcoin' when they mean something based on an algorithm with substantially different characteristics (e.g. the scrypt vs. SHA-256 divide between bitcoin and litecoin) or markedly different rules aimed at achieving some very different outcome as a currency/meme/ponzi scheme (e.g. dogecoin).
Then, you have the better informed but far less disinterested people who have a stake, sometimes a considerable one, in 'coins' tied to some particular blockchain, specialized hardware tied to some particular algorithm, or both; and are much less likely to be confused, or speaking in broad strokes; but much more likely to have a personal financial stake in rubbishing whatever they don't have a position in as a filthy, illegitimate, 'altcoin' that is heading nowhere fast, unlike the Real Thing.
I don't know how the numbers break down between mere internet pedants and people with nontrivial money on the line; but(especially with all the cryptocurrencies in a rather larval and volatile state), competitive hyping and dismissal of assorted different flavors is by no means a disinterested activity. Some people will argue about it forever, for free, because that's how people on the internet are(says the slashdot poster); but some of the people hyping or attempting to discredit almost certainly have a horse in the race(and, unlike the same game with speculative stocks, it's probably all legal).
It is, arguably, closer to trying to ensure that such seigniorage as exists has a cut kicked back to the developers; but more broadly it sounds like a "yeah, welcome to convergent evolution" situation.
So long as there is nonzero, usually nontrivial, work involved in keeping a currency (or an exchange service layered on top of a currency, like credit/debit/paypal/etc.) up and running, the people doing that work (as well as any opportunists available) will try to get their cut, whether in seigniorage, taxes, interest charges, transaction fees, or some other term.
Bitcoin itself is supposed to incorporate this as well: most of the attention is on largely speculative mining operations; but the point of 'mining' having a payoff is that it is the computing needed to incorporate additional transactions into the blockchain verifiably; and being paid to facilitate transactions is the theoretical end-state as mining's ROI gets lousier. Whether that will happen remains to be seen; but it was the plan.
In its defense, CS has some brutally elegant math. Unfortunately, that fact is arguably reason for pessimism in this case. Despite the availability of the elegant math, much of what we actually use has undergone only the shoddiest of empirical testing, whether for want of interest, want of time, want of talent, or whatever it happened to be. CS is hardly easy; but its mathematical underpinnings are much closer to the surface than in most other areas. If what we do today shows how little advantage we take of that, I'm very, very, skeptical that attempting more complexity and tighter interconnection is going to go well.
On the 'plus side', I suppose, what we are incapable of formally verifying tomorrow will be what we can't be bothered to formally verify today, so maybe the change won't be so drastic in practice.
Aren't 'marginalizes old people and refugees' and 'makes racking up consumer debt ever easier' typically considered features, rather than bugs, in payment systems?
Meh, that's old silicon valley logic. Here in the future; ideas only matter if VCs or annoying startup founders who use the word 'disruptive' a lot talk about them.
They used to have a bit of a niche in ultraportables, back when particularly light weight was hard to come by in laptops; but that just isn't a terribly special feature anymore.
There is already a domain where ubiquitous integration of high complexity capabilities into virtually all materials with room for them is a reality.
We call it "Biology". And, in my professional capacity as a fungus, let me remind you that you'd be fucking insane to want your computers to go down that path.
It's impressive that machines made of meat work at all; but that doesn't change the fact that they are tottering heaps of uncontrolled complexity, riddled with pathogens and parasites, kept alive only because they are (sometimes) more fault-tolerant than they are faulty; and because the various microorganism militias are too busy fighting assorted cryptic metabolic battles and it is possible to enter alliances of convenience with some of them, if you get lucky.
People have done a terrible enough job keeping a bunch of loosely-linked deterministic finite state machines from descending into a putrid jungle of malware that inspires comparison to unpleasant biological outcomes. You want to add more; and link them more tightly? Have fun with that.
Some of the talk about SHA-1 cutoff has been in terms of "Should we break the intertubes for the poor people who can't upgrade?"
Remember; we really don't have that choice. SHA-1 is doing the mathematical equivalent of creaking, groaning, and starting to splinter under load. Our choice is not whether to break SHA-1 or not; it is whether or not to pretend that SHA-1 isn't dangerously precarious.
It's like telling a structural engineer "We can't close that bridge! People need it to cross the river!". That's exactly why we must close the bridge; because if we don't there will be people on it when it falls into the river.
(That said, in environments where security is provided by other means, say a suitably isolated management-only network, there will continue to be a need for browsers that can interact with pitifully outdated SSL implementations for some time to come, probably a disgustingly long time; just as various ancient JVMs are currently kept around to interact with assorted horrible management interfaces, network KVMs, and the like. In practice, since virtualization is so cheap and such legacy systems should be kept the hell away from the internet, we'll probably just end up using an old browser version on a VM that is firewalled from everything except the legacy devices it is used to manage; but there will be places where compatibility will require accepting a known-pitiful authentication mechanism; but such environments should treat that mechanism purely as an archaic quirk, not as any sort of substitute for security.)
I think that we, as reasonable people, can agree that any video found guilty of massacring civilians, bombing things, poisoning the water supply, or similar atrocities can be considered a 'terrorist video' and duly punished with a life sentence to a neglected LTO tape in an offsite vault somewhere.
For videos that just consist of an encoded series of frames and maybe a soundtrack; perhaps we should stop hyperventilating.
Their reputation with the general public is largely irrelevant, nor do I think that it will be affected(if the general public could even identify 'CERT/CC' at all).
The problem is their reputation with people who don't directly work for them; but have historically worked with them: if they are respected as a group that coordinates security improvements, that is one thing. If they are seen as feeding exploits to the feds rather than fixing things; why work with them when you could sell to one of the outfits that already makes a business of selling exploits to the feds?
Unfortunately, what they were doing before was arguably much more useful: CERT/CC, a program heavily intertwined with CMU's software engineering side, has a relatively noble history of doing security research with the intent to make software more secure; rather than weaponize exploits for somebody's petty temporary advantage at the expense of every other user.
There is absolutely no way that catching a few druggies could possibly be worth tainting the reputation of a respected security research institution with the suspicion of being just another malware vendor for the feds. Are there scary bad people who use software? Sure. Do all the rest of us use mostly the same software, almost all of it terrifyingly full of holes and in dire need of any and all assistance available? Also yes.
An Irish narcotics trafficking site will presumably involve some jail time for those involved; but at least the tax burden will be among the lightest in the EU!
The one cause for real concern with the PCI SSC is that whatever mistakes they make now will be with us when we are feebly waving our canes at the kids on our lawns.
EMV dates back to 1994(with smartcards more generally being a late-80's thing); and we've just started to pretend at actually being serious about using it. Merchants hate upgrading POS hardware(which damn well earns its name; but at least it's surprisingly expensive), every change means a knife-fight over processing fees and an attempt to shove liability onto somebody else, so progress is glacial.
While many of the risks are, indeed, not worth the trouble given the much easier methods available; we might well still be fighting about them in 15 years, and they are unlikely to have aged well in that time.
Arguably, the correct code for 1984-style censorship is either a 404 or a 200 that returns a page full of historically corrected and party approved content.
The honest censor is the one who says "yup, this exists and you can't see it." The effective censor is the one who successfully conceals the existence of whatever they are trying to keep you away from.
The phrase "Unauthorized code" smells of weasel wording. If the malware was injected afterwards (either through a network attack or a physical intercept-and-tamper), then the manufacturer could reasonably call it "unauthorized" or "malware" or similar; but if they shipped it, how much more 'authorized' do you get?
Perhaps "mistakenly authorized after slipping past scrutiny" or "authorized by one or more of our employees who is also a spook", or "we fucked up"; but not really "unauthorized". Were I a customer, I'd want a much, much, better account of how exactly this 'unauthorized code' came to be present, when, and who knew about it, who didn't, and why or why not.
I can understand why people want the feature (it's a decent middle ground between "haha, no, you can't fix even the tiniest misconfiguration without booting from an entirely different medium!" and giving anyone who can reboot the machine the ability to use Grub to load a near-arbitrary payload (they need to know what they are doing; but if all boot devices except the one with grub on them are locked out in the device firmware, you can then use grub to boot a payload from any storage it knows how to interact with, or boot the contents of the disk with different parameters)); but it is necessarily a bit of a hacky place for security.
Since the OS isn't available yet, because it's the bootloader, you don't get any handy integration with OS-level authentication (e.g. being able to use LDAP/Kerberos to define access and restrictions to bootloader functions); but since it is designed to run on almost all hardware; including hardware that lacks hardware/firmware level security features or for which OSS support for them is unavailable, it can't fully replicate what full-disk encryption can do (you can use software encryption and get most of the benefit; but an unencrypted initrd is obviously needed to decrypt and mount the encrypted partitions).
For situations where you might need to monkey with grub parameters from time to time, it's a useful option; but if you are confident that they won't be changing(and/or are willing to boot an alternate medium if necessary); it would probably be better to have the option of a bootloader that simply lacks support for any input devices at all, keyboard, serial, network, whatever, and just goes from BIOS handoff to OS load as quickly as possible.
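Added example, not part of the original comment or of GRUB itself: assuming "the feature" discussed above is GRUB 2's superuser/password authentication, this Python audit reads a `grub.cfg` and reports which menu entries boot without authentication and whether entry editing and the GRUB shell are gated at all. The function name `audit_grub_cfg` and the sample configuration are constructed for illustration.

```python
import re
import shlex

# Constructed sample grub.cfg fragment; the hash is a placeholder, not a real value.
SAMPLE_CFG = r"""
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
password operator example-plaintext
menuentry "Linux" --class gnu-linux --unrestricted {
    linux /vmlinuz root=/dev/mapper/vg-root ro
}
menuentry 'Rescue' --users operator {
    linux /vmlinuz root=/dev/mapper/vg-root ro single
}
menuentry "Firmware tools" {
    chainloader /tools.efi
}
"""

# GRUB accepts any of these characters as separators in user lists.
_USER_SEP = re.compile(r"[ ,;&|]+")


def _split_users(value):
    return {name for name in _USER_SEP.split(value) if name}


def _classify(args):
    """Return (title, who may boot it) for one menuentry line."""
    title = args[0]
    if "--unrestricted" in args:
        return (title, "anyone")
    if "--users" in args and args.index("--users") + 1 < len(args):
        names = _split_users(args[args.index("--users") + 1])
        if names:
            return (title, "superusers+" + ",".join(sorted(names)))
    # With superusers set, an entry with no option is superuser-only.
    return (title, "superusers")


def audit_grub_cfg(text):
    """Summarise who may boot or edit what under GRUB 2's authentication rules."""
    superusers, hashed, plaintext, entries = set(), set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line.rstrip("{").strip())
        except ValueError:
            continue  # unbalanced quoting inside an entry body; not relevant here
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "set" and args and args[0].startswith("superusers="):
            superusers = _split_users(args[0].split("=", 1)[1])
        elif cmd == "password_pbkdf2" and len(args) >= 2:
            hashed.add(args[0])
        elif cmd == "password" and len(args) >= 2:
            plaintext.add(args[0])
        elif cmd == "menuentry" and args:
            entries.append(_classify(args))

    findings = []
    if not superusers:
        # Authentication is only enforced once superusers is set.
        entries = [(title, "anyone") for title, _ in entries]
        findings.append("no superusers: entry editing and the GRUB shell "
                        "are open to anyone at the console")
    for user in sorted(plaintext):
        findings.append(f"user {user!r}: plaintext password readable from grub.cfg")
    for user in sorted(superusers - hashed - plaintext):
        findings.append(f"superuser {user!r} has no password line")
    return {"superusers": sorted(superusers), "entries": entries,
            "findings": findings}


if __name__ == "__main__":
    report = audit_grub_cfg(SAMPLE_CFG)
    for title, who in report["entries"]:
        print(f"{title}: bootable by {who}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Even with every finding cleared, the unencrypted kernel and initrd remain readable and replaceable by anyone with access to the disk, which is the limit the comment describes.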
Its install base?
It doesn't help that picking up 'machine learning' isn't exactly on the same scale as picking up the trendy framework or language of the day. It's not clear that the rate we churn through those is actually a good idea; but at least there are huge areas of conceptual similarity that allow somebody versed in yesterday's hot language and environment to pick up today's and tomorrow's with some acclimatization to new vocabulary.
This is pretty much an entire different branch of mathematics, similar only in that the problems are large enough that you need programming skills to implement useful solutions.
Or save everyone a lot of time and trouble and just decide how much data, how fast, is "Free Basics" and let those little users decide for themselves what counts as the best use of what they have available.
In practice, I suspect that 'the web' as designed for people with terrible phones and very, very, limited bandwidth is going to be a specialized subset; you just can't get away with streaming-video-ads and multiple megabytes of random 3rd party embeds under those conditions; but it can be a specialized subset that is worked out between people who want to serve those users and those users and their priorities, no fancy central planning needed. After all, the only technology you need to serve people with access to tiny amounts of bandwidth is 'just design like you did when American early-adopter geeks considered a V.32 dialup link to be pretty hot stuff". All those old tricks still work(even better, since judicious use of xhmlhttprequest can avoid the obnoxious old 'generate and load an entirely new page every time you click a single button because we can do almost nothing on the client side' behavior), most of them are still a proper subset of the current 'correct' way, or reasonably close.
If this were actually some mercy mission, you could just decide how much data it is economic to hand out, hand it out, and sit back. I'm guessing that that won't be the plan.
We kinda-sorta do; but in the most half-assed way possible. If you show up in the ER in sufficiently dreadful condition, they are obligated to at least pretend that they've provided the necessary acute care(there are various ways to...expedite...the less desireable customers; but you have to weasel around and keep up appearances) you can't just move them to the designated dying section of the parking lot. Anything less serious than that, though, go wait for it to get worse, then come back when it's an emergency.
Do you suspect that he believes that this is what schools and hospitals do; or do you suspect that he is using the ever-popular "present what you want to be the case as though it already is, whenever possible, as part of working to bring reality into conformity with your desires" strategy?
There certainly are people who enjoy an utterly sincere fundamental misunderstanding; but there are also people who know exactly what the current objective is; and simply want to radically alter it.
If he wanted the 'library' comparison, he'd need better evidence that there is a "librarian" involved.
Libraries are, ultimately, beholden to the desires of their funding organizations; but 'librarian' is one of those funny jobs, like 'teacher', 'doctor', and 'flight crew where they are supposed to serve "the customer"; but sometimes serving the customer means telling them to GTFO and let us do our job.
A given library can't drift too far from the objectives it was set up to fill(a K-12 collection is going to be expected to have some research materials aligned with the district's curriculum; plus a selection of child and young-adult literature deemed to fall within the intersection of 'likely to be popular' and 'worth having kids read'; a university library had better have the relevant journals and materials to support the work of the students and faculty, a public library needs to cater to a mixture of popular taste and availability of material deemed particularly worthwhile); but within the scope of the mission, the librarians are generally accorded broad leeway to exercise their professional judgement; and challenges to their decisions are supposed to be made in terms of accusations that they aren't upholding the library's objectives properly; not simple demands that the library cater to somebody's whim. "Circulation records indicate that this 'popular fiction' was last checked out in 1992; is it really the best use of limited shelf space?" is a perfectly valid question. Sounds like the librarian hasn't been keeping up with the collection properly. "Concerned Citizens For Decency want this obscenity away from the children!" not so much.
I don't think that there is much doubt that Facebook is doing this because it is good for Facebook, or they suspect that it is; but if they want to latch on to the highflown ideals of 'library' there are some concrete things they can do, even if the project remains their pet. Who are the 'librarians' of this library? What criteria do they use when deciding what does and doesn't go on the shelves? If I want to argue that X should be included, according to the criteria they claim to uphold, who do I talk to?
Then there is the more fundamental question: a library is, necessarily, a 'curated' sort of operation because it has finite resources, finite space, and staff expertise concerning the collection is considered a valuable feature. You can 'curate' down a selection of the internet if you want, just as you can the universe of books that are published; but why are you doing so? Obviously data transmission costs money, and more/faster transmission costs more money, so you can't expect people with approximately zero money to get screaming 4GLTE-and-special-sauce unlimited connections at prices they can afford; but if this "Free Basics" stuff is economically tenable; why is it access to a limited subset of the internet; rather than the entire internet, at whatever speed is low enough to be affordable?
Sure, Facebook isn't about to subsidize some random peasant's youtube habit; but if their "Free Basics" were 'whatever you want, at a crawl', rather than 'stuff we pick for you', that would both provide an incentive for users of "Free Basics" to stick to the basics, since sites not designed to cater to their network and hardware limitations are just going to suck; but also dodge a whole lot of unpleasant questions about the motives, selection process, etc. of the "basics" provided.
If they are willing to be honest about this being a straightforward grab for the developing world's eyeballs, in cooperation with local telco monopolies that would prefer that the cost of commodity bandwidth stay nice and high, then they can do whatever they can get past the local regulatory entities. If they want to pretend that this is some kind of humanitarian project, though, there are some pretty obvious steps they could take, but haven't, to clear things up.
Even with in the US, whether through malice or apathy, transferring money between accounts with different banks can take an absurd amount of time(in my case, this wasn't even some commercial-scale operation with validation and trust problems, it was my accounts, and those of my parents, at one bank that had very few branches or ATMs in the city I was going to college in, and my account with a bank that had better local coverage). It turned out to be the least hassle to just withdraw up to the limit on the occasions when I did pass Bank A's ATM and physically courier the money to Bank B's ATM for deposit. It worked out; but it seems as though banking is one of those things that gets more customer-hostile the lower you go.
You've really got two distinct points of contention at play: some people say 'altcoin' when they mean anything that isn't bitcoin-with-the-annointed-blockchain. Others say 'altcoin' when they mean something based on an algorithm with substantially different characteristics(eg. the scrypt vs. SHA-256 divide between bitcoin and litecoin) or markedly different rules aimed at achieving some very different outcome as a currency/meme/ponzi scheme(eg. dogecoin).
Then, you have the better informed but far less disinterested people who have a stake, sometimes a considerable one, in 'coins' tied to some particular blockchain, specialized hardware tied to some particular algorithm, or both; and are much less likely to be confused, or speaking in broad strokes; but much more likely to have a personal financial stake in rubbishing whatever they don't have a position in as a filthy, illegitimate, 'altcoin' that is heading nowhere fast, unlike the Real Thing.
I don't know how the numbers break down between mere internet pedants and people with nontrivial money on the line; but(especially with all the cryptocurrencies in a rather larval and volatile state), competitive hyping and dismissal of assorted different flavors is by no means a disinterested activity. Some people will argue about it forever, for free, because that's how people on the internet are(says the slashdot poster); but some of the people hyping or attempting to discredit almost certainly have a horse in the race(and, unlike the same game with speculative stocks, it's probably all legal).
It is, arguably, closer to trying to ensure that such seigniorage as exists has a cut kicked back to the developers; but more broadly it sounds like a "yeah, welcome to convergent evolution" situation.
So long as their is nonzero, usually nontrivial, work involved in keeping a currency(or an exchange service layered on top of a currency, like credit/debit/paypal/etc.) up and running, the people doing that work(as well as any opportunists available) will try to get their cut, whether in seigniorage, taxes, interest charges, transaction fees, or some other term.
Bitcoin itself is supposed to incorporate this as well: most of the attention is on largely speculative mining operations; but the point of 'mining' having a payoff is that it is the computing needed to incorporate additional transactions into the blockchain verifiably; and being paid to facilitate transactions is the theoretical end-state as mining's ROI gets lousier. Whether that will happen remains to be seen; but it was the plan.
In its defense, CS has some brutally elegant math. Unfortunately, that fact is arguably reason for pessimism in this case. Despite the availability of the elegant math, much of what we actually use has undergone only the shoddiest of empirical testing, whether for want of interest, want of time, want of talent, or whatever it happened to be. CS is hardly easy; but its mathematical underpinnings are much closer to the surface than in most other areas. If what we do today shows how little advantage we take of that, I'm very, very, skeptical that attempting more complexity and tighter interconnection is going to go well.
On the 'plus side', I suppose, what we are incapable of formally verifying tomorrow will be what we can't be bothered to formally verify today, so maybe the change won't be so drastic in practice.
Aren't 'marginalizes old people and refugees' and 'makes racking up consumer debt ever easier' typically considered features, rather than bugs, in payment systems?
Meh, that's old silicon valley logic. Here in the future; ideas only matter if VCs or annoying startup founders who use the word 'disruptive' a lot talk about them.
They used to have a bit of a niche in ultraportables, back when particularly light weight was hard to come by in laptops; but that just isn't a terribly special feature anymore.
There is already a domain where ubiquitous integration of high complexity capabilities into virtually all materials with room for them is a reality.
We call it "Biology". And, in my professional capacity as a fungus, let me remind you that you'd be fucking insane to want your computers to go down that path.
It's impressive that machines made of meat work at all; but that doesn't change the fact that they are tottering heaps of uncontrolled complexity, riddled with pathogens and parasites, kept alive only because they are (sometimes) more fault-tolerant than they are faulty; and because the various microorganism militias are too busy fighting assorted cryptic metabolic battles and it is possible to enter alliances of convenience with some of them, if you get lucky.
People have done a terrible enough job keeping a bunch of loosely-linked deterministic finite state machines from descending into a putrid jungle of malware that inspires comparison to unpleasant biological outcomes. You want to add more; and link them more tightly? Have fun with that.
Any chance that the gloriously titled "World Targets in Megadeaths" folder from Dr. Strangelove has a real-world counterpart?
Some of the talk about SHA-1 cutoff has been in terms of "Should we break the intertubes for the poor people who can't upgrade?"
Remember; we really don't have that choice. SHA-1 is doing the mathematical equivalent of creaking, groaning, and starting to splinter under load. Our choice is not whether to break SHA-1 or not; it is whether or not to pretend that SHA-1 isn't dangerously precarious.
It's like telling a structural engineer "We can't close that bridge! People need it to cross the river!". That's exactly why we must close the bridge; because if we don't there will be people on it when it falls into the river.
(That said, in environments where security is provided by other means, say a suitably isolated management-only network, there will continue to be a need for browsers that can interact with pitifully outdated SSL implementations for some time to come, probably a disgustingly long time; just as various ancient JVMs are currently kept around to interact with assorted horrible management interfaces, network KVMs, and the like. In practice, since virtualization is so cheap and such legacy systems should be kept the hell away from the internet, we'll probably just end up using an old browser version on a VM that is firewalled from everything except the legacy devices it is used to manage; but there will be places where compatibility will require accepting a known-pitiful authentication mechanism; but such environments should treat that mechanism purely as an archaic quirk, not as any sort of substitute for security.)
I think that we, as reasonable people, can agree that any video found guilty of massacring civilians, bombing things, poisoning the water supply, or similar atrocities can be considered a 'terrorist video' and duly punished with a life sentence to a neglected LTO tape in an offsite vault somewhere.
For videos that just consist of an encoded series of frames and maybe a soundtrack; perhaps we should stop hyperventilating.
Their reputation with the general public is largely irrelevant, nor do I think that it will be affected(if the general public could even identify 'CERT/CC' at all).
The problem is their reputation with people who don't directly work for them; but have historically worked with them: if they are respected as a group that coordinates security improvements, that is one thing. If they are seen as feeding exploits to the feds rather than fixing things; why work with them when you could sell to one of the outfits that already makes a business of selling exploits to the feds?
Unfortunately, what they were doing before was arguably much more useful: CERT/CC, a program heavily intertwined with CMU's software engineering side, has a relatively noble history of doing security research with the intent to make software more secure; rather than weaponize exploits for somebody's petty temporary advantage at the expense of every other user.
There is absolutely no way that catching a few druggies could possibly be worth tainting the reputation of a respected security research institution with the suspicion of being just another malware vendor for the feds. Are there scary bad people who use software? Sure. Do all the rest of us use mostly the same software, almost all of it terrifyingly full of holes and in dire need of any and all assistance available? Also yes.
An Irish narcotics trafficking site will presumably involve some jail time for those involved; but at least the tax burden will be among the lightest in the EU!
The one cause for real concern with the PCI SSC is that whatever mistakes they make now will be with us when we are feebly waving our canes at the kids on our lawns.
EMV dates back to 1994(with smartcards more generally being a late-80's thing); and we've just started to pretend at actually being serious about using it. Merchants hate upgrading POS hardware(which damn well earns its name; but at least it's surprisingly expensive), every change means a knife-fight over processing fees and an attempt to shove liability onto somebody else, so progress is glacial.
While many of the risks are, indeed, not worth the trouble given the much easier methods available; we might well still be fighting about them in 15 years, and they are unlikely to have aged well in that time.
Arguably, the correct code for 1984-style censorship is either a 404 or a 200 that returns a page full of historically corrected and party approved content.
The honest censor is the one who says "yup, this exists and you can't see it." The effective censor is the one who successfully conceals the existence of whatever they are trying to keep you away from.
The phrase "Unauthorized code" smells of weasel wording. If the malware was injected afterwards(either through a network attack or a physical intercept-and-tamper), then the manufacturer could reasonably call it "unauthorized" or "malware" or similar; but if they shipped it, how much more 'authorized' do you get?
Perhaps "mistakenly authorized after slipping past scrutiny" or "authorized by one or more of our employees who is also a spook", or "we fucked up"; but not really "unauthorized". Were I a customer, I'd want a much, much, better account of how exactly this 'unauthorized code' came to be present, when, and who knew about it, who didn't, and why or why not.
I can understand why people want the feature(it's a decent middle ground between "haha, no, you can't fix even the tiniest misconfiguration without booting from an entirely different medium!" and giving anyone who can reboot the machine the ability to use Grub to load a near-arbitrary payload(they need to know what they are doing; but if all boot devices except the one with grub on them are locked out in the device firmware, you can then use grub to boot a payload from any storage it knows how to interact with, or boot the contents of the disk with different parameters)); but it is necessarily a bit of a hacky place for security.
Since the OS isn't available yet, because it's the bootloader, you don't get any handy integration with OS-level authentication(e.g. being able to use LDAP/Kerberos to define access and restrictions to bootloader functions); but since it is designed to run on almost all hardware; including hardware that lacks hardware/firmware level security features or where OSS support for them is unavailable, it can't fully replicate what full-disk encryption can do(you can use software encryption and get most of the benefit; but an unencrypted initrd is obviously needed to decrypt and mount the encrypted partitions).
For situations where you might need to monkey with grub parameters from time to time, it's a useful option; but if you are confident that they won't be changing(and/or are willing to boot an alternate medium if necessary); it would probably be better to have the option of a bootloader that simply lacks support for any input devices at all, keyboard, serial, network, whatever, and just goes from BIOS handoff to OS load as quickly as possible.
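The middle ground discussed in the comment above, sketched as a GRUB 2 configuration fragment. This is an added example, not part of the original post; the user name, menu entry titles, kernel paths and device names are constructed, and the password hash is a placeholder to be generated locally with `grub-mkpasswd-pbkdf2`.

```cfg
# Added example: fragment for a GRUB 2 custom config file (e.g. /etc/grub.d/40_custom).
# All names, paths and devices below are constructed for illustration.

# Once a superuser is defined, editing entries ('e') and the GRUB
# command line ('c') require authentication.
set superusers="bootadmin"

# Placeholder hash: generate a real one with grub-mkpasswd-pbkdf2.
password_pbkdf2 bootadmin grub.pbkdf2.sha512.10000.<HASH-PLACEHOLDER>

# Normal boot stays password-free so unattended reboots still work,
# but its parameters cannot be edited without the superuser password.
menuentry 'Normal boot' --unrestricted {
    linux  /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}

# Recovery entry: an empty --users list means only superusers may boot it.
menuentry 'Recovery shell' --users "" {
    linux  /vmlinuz root=/dev/sda1 ro single
    initrd /initrd.img
}

# Boot the default entry immediately, shrinking the window for console input.
set timeout=0
```

As the comment notes, this only gates the bootloader's own interface: the password hash and the initrd still sit unencrypted on the boot medium, so it is no substitute for firmware boot-device lockdown or disk encryption.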