But I really miss waiting 5 minutes for new levels to load up after I changed the disk. Ahh, Pool of Radiance:
You have left The Sewers, please insert disk4
wait..wait...wait..wait..
You have entered the Outdoors.
You have met a party of kobolds the size of a modern infantry battalion... you have died.
Reload save game
wait..wait..wait..wait
Insert disk 3
wait..wait..wait..wait
You have left The Sewers, please insert disk 4
Scream expletives and hurl disk 4 across the room...
Or maybe I'll thank him for replying and admit the correction. Nice troll though. I'm neither an Apple lover nor a hater (I used their products, but mainly work with Linux and have Windows on my desktop system), but I really find that the anti-Apple zealots are far more trollish than the Apple zealots.
Excellent of you to comment. I did in fact find and read your slides before commenting, but I did not see where you pointed out that clients could force a downgrade of the auth protocols. That is indeed far more concerning. Typically when I've used any significant number of Macs on a network I just link them into the infrastructure I use for my Linux clients (usually OpenLDAP over TLS) so I've not really ever tried to use the Apple services. I still stand by my assertion that a well configured Mac network should never have allowed a normal user to install the exploit software in the first place though.
Admittedly there is one semi-serious problem. DHX is apparently vulnerable to false credential attacks, and I believe that it is the default way that Mac servers handle AD type user management. It *shouldn't* be a problem: default user accounts shouldn't be able to escalate privileges to allow the attack, and admins should set up the more secure Kerberos ticketing scheme anyway. That said, Apple should fix it. Even offering an option this vulnerable, even if other, better, alternatives exist is a bad idea. Let alone making it the default. It's nowhere near as serious as the article indicates though, because a good admin shouldn't be allowing the things they exploit.
That kinda is my point. If you do a bad job of building your network, it's going to be vulnerable, regardless of OS. If you do a good job (and MacOS has the tools to do a good job, the presentation points them out indirectly), you will be less vulnerable, regardless of OS. These guys are focusing on: "Don't use Macs in the enterprise" rather than the more obvious lesson: "Treat Macs in the enterprise with the same degree of care as any other machine with any other OS."
It's also worth pointing out that the "exploits" for Macs these guys found require an amazing amount of stupidity on the part of the system/network admins. We're supposed to be worried about using Macs in "Enterprise" level exploits, but the configuration required for exploiting is distinctly amateur.
They claim DHX is vulnerable, Kerberos is not; but it's "trivial" to change the scheme. This is true if you have root on the server box, but getting there should not be "trivial" in the first place. Even with DHX, you need to get admin privileges on a workstation box to start sniffing passwords. Again, that shouldn't be trivial in the first place. Admin accounts should only belong to trained administrative users, whether your OS is Windows, MacOS, or Linux. Sure, if you make every Tom, Dick, and Sue an admin you're highly vulnerable to social engineering attacks. On any OS. OSX permits and encourages privilege separation like any other OS; if you choose not to use it, you're an idiot, not "Enterprise IT".
A competently administered Mac network, with proper encryption, privilege separation, threat training, etc. should be no more vulnerable than any other if I'm reading this right (I read the slides from the presentation in addition to the almost useless article). The take home point shouldn't be "Don't use Macs", it should be "Treat Macs like every other client and server." They're not more vulnerable, they're just not full of magic hacker repelling pixie dust.
No, they blew it up in a controlled detonation. Most of the time that's the safest way to handle small bombs (or suspected bombs). If you disarm it you run the risk of it blowing unexpectedly and hurting the tech. They probably never even opened it. If they really thought it could be a bomb, that would be dangerous.
Honestly? As someone who has seen real improvised explosive devices? It kinda looks like one. It also looks like any of about a million other possible home electronics kits stuck into a mint tin, but a bomb is definitely one possibility. Important point to remember here is that many of the people that make this sort of thing aren't terribly good at it. Especially if they just plan to make and use the one. Small devices like this are a lot less common than they used to be in the major theaters (Iraq and Afghanistan) these days from what I understand, but we were trained to look for stuff just like this (common household goods with suspicious wiring/electronics) and found a few that would have taken off a hand or leg, or disabled a wheeled vehicle.
Thankfully most of the cheap homemade jobs don't actually explode, but a few do. I can see caution at least. Seems like they could just get him to turn it on in an isolated spot though. Couldn't be enough explosives in that to hurt anyone more than a few feet away.
I've been a sysadmin for about 15 years now. I used to host all my own e-mail, my own website, all that stuff. I had a webmail interface (Squirrelmail), spam filtering, IMAP, blah, blah blah. Then about 6 years ago I got deployed to Iraq. I couldn't use SSH from the DoD network, so updates became a big issue, spam became an issue as I couldn't maintain my filters easily. After a couple of months I went hosted on my domain. Web based admin tools meant I could maintain stuff without SSH, they had a much less "hands on" backup procedure (at the time mine involved CDs), the service was down less often than my DSL used to be... Honestly at this point I can't see the value in maintaining all this stuff for myself. I pay less for hosting than I would have to pay for a "business class" DSL or cable line for the static IP, they handle most of the hard work, and what they don't handle, I manage from a web based dashboard.
There are tradeoffs and disadvantages, but for 80-90% of personal use cases I can't see why you'd want to personally maintain a server these days. If you simply enjoy doing it, that's one thing. If you have a business of any size, again, there's a good argument for self hosting. For most people though, just pay someone to take care of the grunt work for you. You'll have less downtime, and spend a lot less of your free time fiddling with it.
I think both you and your wife are missing the most likely threat vector here. Black Hat hackers may not be, in general, the most empathic of people; but I doubt there are many that would simply kill a random diabetic for the Hell of trying a new hack. A much more plausible situation is someone using a mature form of this to kill a specific person that they hate or who has something they want, who also happens to be a diabetic, in a nearly untraceable way.
Motiveless murders, while they grab headlines because of their horror and senselessness, are pretty rare. Murders with motives and murderers who'd like to stay out of prison are much more common. The number of people who would "want to kill diabetics" in an abstract sense, is vanishingly small. The number of people who might want to kill a specific diabetic, for a specific reason (probably having to do with money or sex) is doubtless much higher.
It doesn't look like it's a credit course for anyone who isn't a registered Stanford student. They give you a certificate of completion (which, when combined with $1.50 will get you a cup of coffee), but not actual course credit. On the other hand, this is a course taught by two of the top researchers in the field. It's probably worth it just to learn something. I'm seriously considering this. I don't know a lot about coding AI, beyond some really high level theory; and while I'm sure that a ten week course with 10,000 of my closest friends won't make me an expert... It could be fun.
Well of course. Nothing is a magic bullet, but this is buttoning down one of the more seriously vulnerable parts of the chain. It's possible but unlikely that a router or other device in my path could be compromised or run by bad actors. It's much more likely that the guy with a laptop open on the other side of the cafe is using Firesheep.
But if you're at IBM's headquarters, and they have a big sign saying "Our public wifi network is "IBM.com" and is digitally signed" then you can be reasonably sure that you're OK. Not perfectly sure, but much more so than with current implementations. So Starbucks hangs a little sign that says "Join SSID Starbucks.com for free wifi!" Is it still possible that someone sets up a "storbucks.com" SSID and catches a few fish? Sure, but it's a Hell of a lot better than nothing. If you pay a little attention you should be much more secure than you would be otherwise.
If only we had a massive infrastructure of public entities that existed almost entirely to provide a chain of trust on digital certificates. We could call them Certificate Authorities or something.
The idea here is that you can have an open, public, wireless system that is not vulnerable to sniffers or MITM attacks. It's not for keeping your private wireless secure. As it stands right now, when I use the wireless in Starbucks I need to be careful. I need to make sure that all connections are HTTPS, or otherwise encrypted lest I inadvertently give username or password information to anyone sniffing packets on the air; or setting up a rogue access point claiming to be Starbucks, but really on someone's laptop. With this technology you have a signed digital certificate and an encrypted connection. The one protects against rogue access points or MITM attacks, the latter against sniffers.
It's a clever use of a known paradigm (chain of trust) to protect something that hasn't previously been very safe. The trick will be adoption, and setting up a chain of trust. I imagine the existing CAs could issue the certificates to handle the chain of trust issues, but adoption will require some cooperation from industry. Hardware and software vendors will have to create WAPs and clients to use this tech; and companies like Starbucks and even mom and pop cafes will have to invest in the new WAPs and deploy them.
To be more clear, the server version of Lion can still have MySQL installed, but the server package doesn't include it by default.
Minis can be densely packed in a rack, making them pretty popular for some types of HPC applications and such. A few years ago, when I still had my hands a bit deeper into the HPC and simulation areas of computation I was also starting to see people use them for video clusters. I've been out of that game for a few years though (2008 was my last Supercomputing), so I dunno how any of that worked out or if it's still common.
You can get pre-built binaries of virtually every OSS server software for MacOS, and certainly for every remotely popular OSS server software. Fink is good, and I like it because I've used it a lot over the years. MacPorts seems to be more popular these days though. Since OSX is essentially just a POSIX compliant Unix variant with a fancy GUI, ports are extremely trivial to make. I will warn you that X-windows based software from these sources is a bit flaky sometimes, mostly because Apple's X overlay for Cocoa is a piece of crap; but the command line and server tools are dead solid.
Ignoring the other issues with your theory people are bringing up, it's not illegal to format shift in the US. It's illegal to crack CSS in order to rip DVDs to your hard drive (thanks to the DMCA), but that's still illegal in the UK under something called EUCD apparently. At least according to comments above yours. So this is actually an instance where UK law is simply catching up to US law, not going beyond it.
I don't have a reference, but based on the fact that it's a long tradition to tape records and rip MP3s from CDs I'm fairly certain it's legal. What is currently illegal is format shifting from DVD or Blu-ray disks to other video medium. This is because you are bypassing an encryption scheme to do it, which is illegal under the DMCA. As silly as it is, it's legal for me to record my music to computer for personal use (because CDs aren't encrypted), but not legal for me to do the same with my movies (unless I'm recording from VHS or Laser Disk or something).
The linked Planet Money story is well worth a listen, though it's a bit long. The This American Life that the Planet Money story is based on is even longer, but again fairly entertaining. I actually drove around for an extra 15 minutes Saturday afternoon to continue listening to the whole thing.
From a licensing perspective RHEL is much cheaper than Windows. Not in the base cost, which is close to the same for Windows Server and RHEL, but Red Hat doesn't ask for seat licenses. That's where Microsoft gets you. If you set up an AD server you need a seat license for every single account (you can go with concurrent use licenses, but you risk someone not being able to get in if you have more users than licenses). That's no biggie with 10 users, but steadily increases, while the cost of RHEL stays the same. Most of Microsoft's server OS pieces use seat licenses. You get a deal if, say, you bundle your AD licenses with your Exchange licenses, but you're still paying by the user.
This is not to say that using Linux is cheaper than using Windows. There's tons of factors involved in figuring out TCO on one system vs. another. As a rule Unix admins are more expensive than Windows admins. There's often user training costs involved in switching OSs for any but the most trivial use cases. If you're already a Windows shop (likely unless you're either in a few specific industries or a new company), there's going to be lots of one time costs in transition. Sometimes software has to be rewritten, replaced with another version, or simply doesn't exist for other platforms.
Speaking very generally I think that some, perhaps many, companies could save money by switching to Linux or other free alternatives, but I don't see them doing it during a recession. Like I said, there's lots of one time costs involved in such a switch, and even if you think you can save money in the long run by switching, you're not going to want to absorb those one time costs in an already lean period.
It was more that kids and old people are particularly vulnerable to this particular threat... Radiation is worse for those with lower resistance and in those in development. I wouldn't want to be irradiated either though.
So what you're saying is that it should be perfectly permissible for someone to tinker with chemically dangerous and radioactive chemicals in an apartment building where he will be surrounded by other people? Some of those other people being the particularly vulnerable kids and the elderly? The danger here isn't that he could be building a bomb, the danger is that large concentrations of radioactive material are inherently unhealthy. There was no one to make sure he stored it properly, didn't have too much of it, or generally making sure he wasn't giving X-ray levels of exposure to everyone in his building 24/7. Not to mention that the chemicals themselves are often toxic in concentration even ignoring the radiation.
Are you always this pedantic? I randomly banged on the keyboard to get that number, it was supposed to be ridiculous. Yes, the running joke in college was that the first lottery ticket was the greatest odds increase for winning (infinite to a finite value), the second ticket is the next best odds increaser (roughly doubling your chance to win) and it's all downhill from there. That said, it is still ridiculous to spend $50 a week on lottery tickets. You're increasing your odds from incredibly unlikely to... still incredibly unlikely. It's even more foolish for someone already on a tight budget. That's the point, and it still stands despite your pedantry.