Slashdot Mirror


User: plover

plover's activity in the archive.

Stories
0
Comments
7,233

Comments · 7,233

  1. Re: Bullshit. on Your Hotel Room Photos Could Help Catch Sex Traffickers (cnn.com) · · Score: 1

    A lot of the hotel paintings (in even some of the modest chains) are repeated original paintings, often local to the hotel, where the artist was commissioned to paint the same piece and over and over. Budget chains are more likely to have generic prints.

  2. Re:What do you expect? on Your Hotel Room Photos Could Help Catch Sex Traffickers (cnn.com) · · Score: 3, Insightful

    Just think about how many movies have come out in the last 20 years, and even RECENT TV shows/Movies whose plots break down immediately if a true Panopticon/Big Brother society exists.

    CallerID would have wrecked 25% of Columbo episodes if it had existed back then. "Won't somebody please think of the screenwriters" is an unusual take on technology changes!

    I recently rewatched the original Day of the Jackal from 1973. The entire movie was the suspense of the police chasing him via a paper trail of hotel registrations and phone calls, and I couldn't help but think that the whole movie would have been over in about three minutes if SQL existed.

  3. Re: pointless on Slashdot Asks: Are Curved TVs Worth It? (cnet.com) · · Score: 4, Funny

    Just because you have a "smart" TV doesn't mean you're stuck using the "smart" bits. Plug in an HDMI cable or three to the video source of your choosing, and you never have to touch the smart OS stuff unless you want to.

    Just because it has a network connection doesn't mean you have to connect it to a network.

  4. Bots creating GoFundMe pages have replaced bums: no need to stand on the street holding a tin cup when you can create a bot to create an online story of distress and have it beg money for you.

    That's what this article is about. There are two bots standing on the street corner holding their tin cups, jostling each other for position, and spilling half their money in the process. The AI is converging on a solution using cooperation, where each bot assesses the traffic, and parcels out the begging duty to the robot more likely to succeed with that particular potential donor.

    In other words, "two bots one cup".

  5. Re:These two may have been least at risk on RSA Conference Attendees Get Hacked (esecurityplanet.com) · · Score: 1

    There are plenty of people I know who would fall for this, because they simply don't know. They were issued a laptop for work and were told it was secured through a VPN, but don't understand how networks or routing actually works. They think they're secure only because an expert told them that VPNs are secure.

    And not all VPNs are secure. Corporate VPN solutions are increasingly looking to split tunnelling to cut costs: internal corporate IP addresses are correctly routed to the VPN tunnel interface, so things like internal email and corporate web sites are all secured, but the external IP addresses (Google, Microsoft, Slashdot, etc.) are left to route through the local gateway, reducing bandwidth through the corporate network. So if your wireless adapter connects to a WiFi Pineapple using one of those corporate laptops (thinking it's connecting to a conference AP or something), the rogue AP will faithfully route the still-secure VPN traffic to the proper corporate headquarters servers, but it will just as happily MiTM the rest of the regular unsecured traffic, scanning for credentials, cookies, API keys, or whatever other external sites the computer may happen to access. They could expose personal email account credentials, various web apps, DNS requests, discovery packets, or other loud network traffic. And this allows scenarios where the browser gets cache poisoned while browsing the unsecured web, then used to connect to an internal corporate web site where the malicious cached javascript echoes all the booty back to the attacker.

    Of course, you expect the tech folks at the RSA conference would know how it all works, but a significant fraction of the attendees are not tech employees. There are no doubt many finance people; executives with expense accounts and instructions to "come back with a security contract"; salespeople; politicians; and the press in attendance.

    I just hope the guys with the rogue access points are no worse than gray hats who are posting them on a Wall of Sheep somewhere at the conference, and not actually hacking the attendees.
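    The split-tunnel exposure described in the comment above, as an added example that is not part of the original post: the routing tables, interface names (tun0 for the VPN, wlan0 for the conference AP) and destination addresses are constructed for the demo. Longest-prefix match is what the host does; the report shows which destinations a rogue AP on wlan0 gets to see and which ride the tunnel.

```python
import ipaddress

# Constructed routing tables for a corporate laptop (assumed names/prefixes).
SPLIT_TUNNEL = [
    ("10.0.0.0/8", "tun0"),        # corporate ranges go through the VPN
    ("172.16.0.0/12", "tun0"),
    ("192.168.50.0/24", "wlan0"),  # the local AP's LAN
    ("0.0.0.0/0", "wlan0"),        # default route: straight out the local gateway
]

FULL_TUNNEL = [
    ("203.0.113.5/32", "wlan0"),   # only the VPN concentrator itself is reached directly
    ("192.168.50.0/24", "wlan0"),
    ("0.0.0.0/0", "tun0"),         # everything else is forced through the VPN
]


def select_interface(dst, routes):
    """Longest-prefix match, the way the host's routing table decides."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_split_tunnel(routes, vpn_iface="tun0"):
    """True when the default route bypasses the VPN interface."""
    defaults = [iface for prefix, iface in routes if prefix == "0.0.0.0/0"]
    return bool(defaults) and defaults[0] != vpn_iface


def exposure_report(destinations, routes, vpn_iface="tun0"):
    """Map each destination to True if a rogue AP on the local link can see it."""
    return {dst: select_interface(dst, routes) != vpn_iface for dst in destinations}


# Constructed sample destinations the laptop talks to during a conference.
DESTINATIONS = {
    "10.1.2.3": "intranet web",
    "172.20.5.6": "corporate mail",
    "198.51.100.25": "personal webmail",
    "203.0.113.77": "public web site",
}

if __name__ == "__main__":
    for name, table in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(f"{name}: split={is_split_tunnel(table)}")
        for dst, exposed in exposure_report(DESTINATIONS, table).items():
            print(f"  {dst:15} {DESTINATIONS[dst]:18} exposed={exposed}")
```

    Run against a real box you would feed it the output of `ip route` or `route print` instead of the constructed tables; the check that matters is the default route's interface.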

  6. Re:How the hell is this still a problem? on Arby's Probes Possible Data Breach Affecting 355,000 Credit Cards (krebsonsecurity.com) · · Score: 2

    No, the whole point of Chip and PIN is the use of symmetric key cryptography to generate a one time transaction with no need to share account details to the terminal. Basically the same thing as Apple Pay/etc. do, but embedded in a passive chip instead of requiring an active device.

    This is not correct. Chip cards use cryptography only to produce a "cryptogram" called the ARQC. This is a Message Authentication Code, a checksum-like number that authenticates the card containing the secret key produced the message. By adding a PIN, the card can also fold the PIN into the cryptogram, authenticating the user, too. However, the card data, including the PAN is still sent in the clear for authorizing. The chip does not encrypt the card data.

    Also, the chip is not passive. The chip contains a CPU and performs lots of cryptography, including validating the certificate presented by the terminal, the selection of various applications, protocol negotiations, etc. (And because that chip runs Java, every card issued gets to tithe Oracle for the privilege.)

    But because of stupid, we use a crippled system that still allows that system to be bypassed with simple swipes and no crypto between the card and the terminal.

    For the most part the data does not need to be encrypted. The payment terminal is responsible for rejecting a swipe that has a Service Code indicating that a chip is present, so you can't just bypass the chip. The skimmer only sees the data flow past, but has no way of computing valid ARQC because the secret key remains embedded securely in the chip. As long as the user doesn't have to also enter the CVV2 from the back of the card, there's not enough information to abuse the card. (Any web page that accepts an account number without requiring the CVV2 is out of compliance with PCI requirements, and is liable for any fraud committed with that card number.)

    However, if the payment terminal doesn't encrypt the data before sending it to the store's payment gateway (let alone from the terminal to the cash register), that's still plenty of stupid.
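    A toy model of the flow the comment above lays out, as an added example that is not part of the original post: card data travels in the clear, the only secret is the card key, and the cryptogram is a MAC over the transaction. Assumptions: HMAC-SHA256 stands in for the 3DES/AES session-key MAC real cards compute (EMV Book 2), and the PAN, key, track-2 strings and transaction values are constructed. It also shows the two things the comment says stop a skimmer: the terminal refusing a swipe whose service code says a chip is present, and the issuer rejecting a forged or replayed cryptogram.

```python
import hashlib
import hmac

# Constructed card key; in reality it never leaves the chip.
CARD_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")


def parse_track2(track2):
    """Split ISO 7813 track-2 data 'PAN=YYMMSSSddd...' into its fields."""
    pan, rest = track2.split("=", 1)
    return {
        "pan": pan,
        "expiry": rest[:4],
        "service_code": rest[4:7],
        "discretionary": rest[7:],
    }


def chip_present(service_code):
    """A service code starting with 2 or 6 marks a card that carries an IC (chip)."""
    return service_code[:1] in ("2", "6")


def terminal_accepts_swipe(track2):
    """The terminal must refuse a magstripe swipe of a chip card."""
    return not chip_present(parse_track2(track2)["service_code"])


def generate_arqc(card_key, pan, amount, atc, unpredictable_number, pin_verified=False):
    """The card's cryptogram: a MAC over cleartext transaction data (stand-in
    for the EMV MAC). The transaction counter (ATC) and the terminal's
    unpredictable number make each value single-use; folding in the PIN
    result authenticates the user as well as the card."""
    data = f"{pan}|{amount}|{atc}|{unpredictable_number}|{int(pin_verified)}".encode()
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer host: recomputes the cryptogram and rejects stale ATCs."""

    def __init__(self, keys):
        self.keys = keys       # PAN -> card key
        self.last_atc = {}     # PAN -> highest ATC accepted so far

    def authorize(self, pan, amount, atc, unpredictable_number, pin_verified, arqc):
        key = self.keys.get(pan)
        if key is None:
            return False
        expected = generate_arqc(key, pan, amount, atc, unpredictable_number, pin_verified)
        if not hmac.compare_digest(expected, arqc):
            return False       # forged cryptogram or tampered data
        if atc <= self.last_atc.get(pan, -1):
            return False       # replay of a transaction already seen
        self.last_atc[pan] = atc
        return True


# Constructed track-2 data: same PAN, chip service code 201 vs stripe-only 101.
CHIP_TRACK2 = "4111111111111111=2512201123456789"
STRIPE_TRACK2 = "4111111111111111=2512101123456789"
PAN = parse_track2(CHIP_TRACK2)["pan"]


def demo():
    """Returns (genuine accepted, replay accepted, forgery accepted)."""
    issuer = Issuer({PAN: CARD_KEY})
    atc, un = 17, 0xDEADBEEF
    arqc = generate_arqc(CARD_KEY, PAN, "12.50", atc, un, pin_verified=True)
    genuine = issuer.authorize(PAN, "12.50", atc, un, True, arqc)
    # Skimmer replays exactly what it saw: MAC verifies, but ATC 17 was already used.
    replay = issuer.authorize(PAN, "12.50", atc, un, True, arqc)
    # Skimmer tries a new transaction without the key: the MAC cannot be computed.
    forged = issuer.authorize(PAN, "99.00", atc + 1, 0x01020304, True, b"\x00" * 8)
    return genuine, replay, forged


if __name__ == "__main__":
    print("chip card swipe accepted:", terminal_accepts_swipe(CHIP_TRACK2))
    print("stripe card swipe accepted:", terminal_accepts_swipe(STRIPE_TRACK2))
    print("genuine/replay/forged:", demo())
```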

  7. A breach that impacted 355,000 member cards is huge, indicating it was deployed to a large percentage of their chain, if not the whole chain. Since their breach "ended" on January 19 and it still took them 3 weeks to produce the list of affected cards, that tells me that Arby's response time is pretty damn poor, and that they may not be very good at tracking what's going on. Some senior VP said that "not all [of their 1000] corporate restaurants [out of 4000] were affected", but with news this bad combined with such a poor response time, it's hard to trust that they have a complete handle on the problem.

    So, IF YOU ATE THE MEATS, it's a pretty good bet that your card got eaten too. Watch your statements.

    Now that Arby's has submitted their list of impacted cards to the card associations, Visa or Mastercard will soon contact your bank. Your bank will then send you a letter saying "haxx0rs! Too bad, here's a new card, and if you want to sign up for a year of free credit monitoring, contact ohshitwewerebreached.com and tell them R.B sent you."

  8. Re: Credit card fraud? I'm thinking Arby's! on Arby's Probes Possible Data Breach Affecting 355,000 Credit Cards (krebsonsecurity.com) · · Score: 1

    How does it only affect cards issued by one bank if it was malware on the PoS machines?

    The thieves likely stole numbers from any and all cards that ran through their infected payment terminals.

    PCSU isn't a single bank, it's an association of about 800 credit unions. Arby's didn't report the number above, that came from PCSU's count of impacted member cards. They said 355,000 cards were impacted, a figure that does not include any other cards issued by any other banks. If those 800 member banks represent 10% of all cardholders (I don't know that for sure, that's just a rough guess to demonstrate the math), it's possible that this breach could impact a total of about 3 million cardholders.

  9. Re:Blowing smoke? on The Most Mentioned Books On StackOverflow (dev-books.com) · · Score: 2

    The value I got from Design Patterns is that these were describing the solutions to actual problems I had already had to solve on my own (often not as well), and they covered the side effects of those solutions, some of which I hadn't thought too much about before reading the book. (The observer pattern creates hidden long-term maintenance dependencies on the semantics of the data published by the subject, for example. That was really useful to me when I hadn't yet recognized the problem.)

    However, once it was published it seemed that every Tom, Dick, and Bjarne published a book like "23 More Design Patterns" "Web 2.0 Design Patterns", "Design Patterns that Won't Clash With Stripes and Pastels", "Summer Design Patterns to Take to the Beach", etc. They were so specialized as to be almost entirely useless. Yes, the GoF book had a few shortcomings, but its real value to me came from the idea that we could name these things, study them, and understand them. When I read it in the 1990s I thought that was pretty darn novel.

  10. Re:Code Complete is 24 years old on The Most Mentioned Books On StackOverflow (dev-books.com) · · Score: 2

    All the big ftp sites, and searches were Archie.

    Gopher, you heathen. Now go jump in a volcano.

  11. Re:A minimal C++ library on The Most Mentioned Books On StackOverflow (dev-books.com) · · Score: 2

    The hell do you need all of them for?

    To broaden your skillset? To be more effective at what you do? To write more maintainable code? To make fewer errors? To interact with your peers? More specific to C++ and those particular books, to prevent race conditions, to have strong error handling, and to make more efficient use of multiple core processors? Perhaps most importantly, so that when the company hires a snot-nosed kid who actually does know and practice these things, that he won't show you up as the fossil you're describing yourself as?

    I've been programming since 1976, and I think it's fair to say that computers have changed since then. If you think that programming now is anything like programming 20 years ago, you haven't been paying nearly enough attention.

  12. Re:What about the actual code? on DRM Company Denuvo Forgets To Secure Its Server, Leaks Two Years Of Emails (torrentfreak.com) · · Score: 4, Interesting

    If DRM is ever successful, it won't be due to companies like Denuvo. Effective DRM requires some critical-path hardware to be complicit in the hiding of a secret from the device's owner. It can't just be pasted-on code that says "check for a valid dongle", because the attackers patch around that. The hardware has to hide something of great importance to the operation of the application, something that can't simply be replicated by software.

    Denuvo makes it hard to crack, but without the hardware's participation, it will never be impossible.

  13. Re:What are the known risks on Report Finds PFAS Chemicals In One-Third of Fast Food Packaging (cnn.com) · · Score: 2

    It sounds like they're describing ScotchGard, a surface treatment whose key ingredient was PFOS.

    As far as your other questions, measuring direct contact of one burger wrapper with one person's blood levels isn't how these studies are typically done. There are too many variables: how long was the food in contact with the wrapper, how much surface area of the wrapper actually came in contact with how much surface area of the food, what kind of food, how many liquids from the food soaked into the paper and were returned to the food, etc. Another problem is the levels in the individual interactions are so low that they're difficult to measure. Instead, they look at the prevalence of the chemical in the environment, and the levels of the chemical in the blood of members of the population over time. But that means the data won't allow them to draw detailed conclusions, such as "Burger Chain's wrappers for their Big Beef Burger deliver 3x more PFAS than Taco Chain's wrappers for their Bottomless Burrito."

    And it turns out the details of individual interactions don't matter much because the solution is almost always a broad spectrum approach: once they determine the link between levels of PFAS in the blood and rates of diseases, they'll simply ban the substance entirely from all products, not just food wrappers. ScotchGard was never used to treat food wrappers - it was used to make furniture, carpeting, and fabrics stain resistant - yet we all ended up with PFOS in our blood as a result of it simply being in the environment.

    The good news is that bans are an effective approach. Once the substance is banned, measured levels of it in the population decline.

  14. Re:skeptical on Apple To Start Making iPhones In India, Says State Government (bbc.co.uk) · · Score: 1

    Maybe Apple has figured out the magical formula to scale "down" production to remain profitable while delivering just enough devices for a single nation. Normally, manufacturers want to scale up to realize the cost benefit of global production, but that doesn't work in India. They never want to import anything they don't have to.

    India has dialed in on the way to make stuff happen locally. They recognize that every job created boosts their middle class, and reduces their overall poverty, so they don't seem to care much if the jobs or the output is similar to the rest of the planet. As long as paychecks are going out to more of her citizens, it's a big win for them.

  15. Re:Roundup backpack=bad ? on US Puts Bumblebee On the Endangered Species List For First Time (npr.org) · · Score: 5, Interesting

    The problem is that neonicotinoids are about as close to an ideal insecticide as we could hope to have. They're effective on a broad spectrum of insects, they don't harm plants, and they're really quite safe around mammals. For example, dinotefuran has an oral and dermal LD50 in rats of > 2000 mg/kg, is not known to be carcinogenic, and is not known to be a neurotoxin. It's also essentially non-toxic to birds, fish, and aquatic invertebrates (important because of chemical run-off.) I'm not saying I'd sprinkle it on my breakfast cereal, but I wouldn't get sick from it.

    They just happen to be 50 times as lethal to bees as to any other insect. So even the lowest doses used to control economically damaging pests are still going to kill huge numbers of bees, because the tainted nectar and pollen that comes back with the bees feeds the colonies.

    I really like the stuff for INDOOR control of greenhouse pests. Outdoors, I won't use it.

  16. It's not their "fault" because they were under no contractual obligation to provide support. Why should they continue to make their expensive resources available for free, when they're not making them any money? Especially when they're running out of money and a sugar daddy like Fitbit shows up with a wad of cash.

    This is textbook capitalism. Nobody sells you stuff in order to make you happy; they sell stuff in order to make money. Never, ever forget that.

  17. I checked the iOS client, and it's asking for nothing like that!

    Yes, if it wants access to all that, get a refund.

  18. Re:Unless it costs more on 'Tooth Repair Drug' May Replace Fillings (bbc.com) · · Score: 1

    To me it looks like the dentist will still have to drill out the cavity to insert the sponge, so I assume he or she would drill to the pulp.

  19. Sorry, I'm calling 100% bullshit on this one.

    The fitbit app has never asked for access to my contacts, and it would only request access if I asked it to "Add Friends" and explicitly tapped on the "Contacts" button. All the "friends" I've added have been done so without granting access to the whole contact list, I've simply typed in their email addresses. And it's never sought access to my "call history", or whatever other evil conspiracies you imagined it might have done when you typed etc., etc.

    Now go be a good son. Give the fitbit back to your dad, apologize for being overly paranoid, show him how it works, and help him keep up his health.

  20. The real issues I see are that fitness trackers [...] don't provide workout plans to meet the needs of the individual [...]

    Everything else you said is spot on, but you missed on this one. If you're interested and motivated, the Fitbit app offers a few generic workout videos and plans, but they offer a "Fitstar Personal Trainer" app, which does provide personalized workout plans. Open the Fitbit app on your phone and tap the "Guidance" compass icon to get started. Once upon a time, many years ago, they would link you up with an actual human trainer, but I don't know what they offer now.

  21. Cloud-connected means disposable on Fitbit Buys Vector, Romanian Startup's Existing Smartwatches Won't Receive Software Updates Anymore (engadget.com) · · Score: 4, Insightful

    It's not Fitbit's fault; it's the entire business model of the Cloud. Sell some cool tech thing that's cloud-dependent, run low on cash because those servers aren't paying for themselves, get bought by a bigger company. Fitbit just knows how to play the game, for now.

    Who's really to blame when you buy a cloud-dependent toy, with no service contract to guarantee cloud availability for the next 25 years? What other outcome were you possibly expecting to happen? The only rational question is, "how long will I get to play with my cool toy until the company pulls the servers down?" And you should factor that limited lifespan estimate into your purchase price.

  22. Re:Unless it costs more on 'Tooth Repair Drug' May Replace Fillings (bbc.com) · · Score: 1

    The current processes work pretty well. My dentist can get me in the chair, pop in a tooth-colored filling, and get me out in less than 20 minutes, at which time I'm free to eat whatever I want, and it costs only a few hundred dollars. If I have to have a temporary tooth cap, wait ??? weeks for the regrowth to take place, make another appointment to get the cap taken off, pay the patent-inflated price for the magical tooth-growing sponge, and then pray I don't get tooth or bone cancer, I think I'd rather stick with the old fillings.

  23. Re:Fixing this is too expensive on Changing Other People's Flight Bookings Is Too Easy (computerworld.com) · · Score: 5, Informative

    The problem is too expensive to fix, but not for the reason you mentioned.

    Many passengers struggle with flying, due to inexperience, carelessness, distractions, or fear of flying, or they lack the mental capacity to understand everything they need to do. These people need the simplest possible way to access their flight info. That means helping them as much as possible by printing the booking code on the luggage tags, flight coupons, boarding passes, everything.

    So far, it's much cheaper to accept the risk of a few people messing with the flight info, rather than dealing with millions of scared, confused, and/or angry travelers stuck in an unplanned layover because they didn't have the ability to access their connecting flight information.

    That could change if someone figures out how to monetize this hack safely, but that's very unlikely. The booking code isn't the only security measure in place. The hackers can change a flight, but a passenger complaining at a gate will win out over an online change; anyone attempting to cash in on the fraudulently changed ticket risks felony theft and fraud charges.

  24. Re:I've been a Mac user for 13+ years on Apple Working With Consumer Reports on MacBook Pro's Battery Issue (cnet.com) · · Score: 1

    Given the description of the test includes repeatedly downloading the same pages on an "internal" hosted server, they're at least attempting to control for variables like automatic updates, random network scans as a result of malware attacks, or variations in advertisements delivered. An "external" test risks exposing the machine to too many random power draining events.

    Or do you mean "external" as in an external simulated mouse and keyboard instead of an "internal" script? CR has always been scrupulously careful in their testing methodology. Since it would be almost impossible to fairly compare a shell script with a batch file, it seems highly unlikely they would trust a test script.

  25. Re:How many DNS queries can it launch on Firefox Takes the Next Step Towards Rolling Out Multi-Process To Everyone (arstechnica.com) · · Score: 1

    Nope, this was certainly not a Windows problem. I'm running the same suite of extensions that you are, on Firefox 50.1.0, on Windows 10 (on a 3 year old tablet with only 4GB RAM and over OpenVPN, no less.) The page loaded instantly for me. I had no problem scrolling to the bottom and back to the top.

    Of course now my battery is dead... :-)