If this is a once-every-20-years winter, by definition it's no longer "normal". Normal is the other 19.
And yes, the TV meteorologists have become aware their audience isn't just 50-year-old native residents who grew up with this weather, and that it now consists of a broad array of people with differing backgrounds. They constantly remind the recent arrivals "it's not safe to let your kids outside in shorts". During the day's forecast, our local news station's weather segment features a couple of children who are dressed appropriately for the day's weather, so that even non-English speakers can at least see how they should dress their kids.
Do I really need a server component to do word processing, or spreadsheets, or spell checking, or compute the total of an invoice? The answer is yes in a couple of specific cases: 1) the vendor wants to charge me rent instead of selling me the software; 2) the vendor wants to deliver "content relevant targeted marketing messages"; 3) the vendor wants to run all my personal data through their analytics servers.
Notice the thing all these cases have in common is: "the vendor wants" and not "the customer needs".
Software as a Service is just a different way of typing Consumer as a Sucker.
It's called "bug compatibility" and there's a valid reason for it. When you install a software package to handle some core function of your business, you build up a lot of dependencies on it. If that package has a quirk, instead of waiting for the vendor to fix it you build a way to work around that quirk. If someone later fixes that quirk, your workarounds can suddenly cause breakages.
Let's say your old accounting package has a buggy feature that automatically applies the "1% net 7" discount on an invoice but fails if you spell it in mixed case as "1% Net 7". Maybe the bookkeeper unknowingly enters them all with mixed case, but because they don't work she manually adds a 1% discount line to each invoice. When the vendor fixes the accounting package, these old discounts reappear, and the bookkeeper has to work to remove the double discounts. Worse, and more subtle, those new extra discounts might trigger a previously untested routine; perhaps the taxes on the automatic discounts are incorrectly computed on the subtotal before discounts. In this case fixing one bug triggers a new, untested feature that itself contains another bug - and the second bug is more vicious for multiple reasons. For one thing, you might check the discounts are fixed, but you don't realize this could impact taxes (which are often so complex that they're hard to figure out anyway.) So while the vendors may work with you to get the money due them, the tax collector can audit you for not collecting the right amount of tax, and create all kinds of legal problems for you.
This may seem contrived, but the scenario is common enough in the real world. Most users just have to struggle with whatever crap software they're dealt, and such workarounds have become the norm.
No, this doesn't put developers at any obligation to continue to support old versions. "If you really liked version n-2, then go ahead and install it, but when you get hacked it's your own damn fault for ignoring our security patches."
The thing I don't like about the patch circus is that you never know when the devs are going to let you down. I might be satisfied with 1.0, but I really need new feature X, and I'm willing to pay for and install 2.0 as long as I get X. So I install 2.0 and get feature X, but it performs like a sloth. The devs go to work, and by 2.3 it's performing well again. I now have a level of expectations and trust with this developer - if I upgrade, I will get good performance.
Along comes another needful feature Y in version 3.0. I read the reviews that there may again be performance issues, but I could really use feature Y so I warily upgrade, expecting that they will address the performance by 3.2 or 3.3, just like they did with 2.3. Nothing happens. 4.0 comes along with no appealing new features, yet I pay up anyway, hoping that they address the 3.0 performance issues. Nothing continues to happen. By the time 5.0 comes out I'm moving on to a different vendor who doesn't have these problems. (Yes, my next phone won't be an iPhone.)
I wish I could say I've learned this lesson, but sadly I haven't. I have ridden many early adopter cycles, only to be ultimately disappointed by the vendors.
Maybe it's an excuse for millennials to say to their parents, "We've got it just as bad as you did, so we're just as tough as you. Our cable went out TWICE in the ice storms. TWICE."
People want to prove they're strong, but in this technologically advanced, air-bagged, seat-belted, rubber-padded society in which we now live, there simply isn't the same level of adversity. These days 12 inches of snow means you fire up the snowblower a half hour before you normally go to work, and click on the 4 wheel drive before you pull out of the driveway. When my mom was a child, 12 inches of snow meant they weren't going anywhere for a week or two, and the woodshed and pantry better be full. As a child I never experienced anything nearly as bad, and these days my son only sees snow for its recreation potential.
Essentially we've tamed nature, and now it's pretty much boring. We have to tell ourselves it's bad, because we don't feel it.
Right, because who needs to pass a law requiring a gun registry when we can just ask the NSA for a list on demand?
Oh, wait, maybe this is a BAD thing.
You gun nutjobs would probably be a lot more successful at making your case if you could string together at least 140 characters that make sense. Right now, people like you are actively keeping the phrase "gun nutjob" alive, and you're turning off people like me who actually support your position. I know it's asking a lot of someone with a room temperature IQ, but could you at least try to think before you click "post"?
Even the adherents of the basic principles themselves seem to stop short of explaining why they work. "Here, this is duplicate code. You should follow the DRY principle and get rid of it." "Why?" "Because it's a principle."
They should let the new kid do some sink-or-swim maintenance on code that doesn't follow the principles. You want to learn about DRY, try changing one branch of duplicated code without realizing there was a cut-and-paste copy elsewhere in the code base. Now you've gone from a solid bug to an intermittent bug, and your clients are still yelling at you. Thus beginneth the lesson.
They're certainly not "worth nothing." They're worth whatever a vulture capitalist is willing to fund, or whatever an IPO will bring in. Those people still have the ability to turn punching purple monkeys into a pile of quick cash. The few technologists who time their insider stock-option trades correctly will get rich, but almost everyone else will get pink slips and a hard slap of reality.
Everybody out there imagines they'll be the one who lucks into a lucrative stock market trade, just as every gold miner imagines he'll be the one to strike the motherlode. I wish them all luck, but that's all I'll give them. I'm still not dropping $0.99 on a fart app.
Wanna guess how long it would take utility companies to get going about fixing these problems if they started losing billions due to attacks?
The private utility companies would likely be in the best position. They already have security teams, they have upgrade paths, and they have incentive.
The city run utilities would be in the worst position. They typically engage an engineering company for a project to oversee the installation of systems, and train a few city workers to do basic monitoring and maintenance. Twenty years later the city still "owns and operates" the system, but they do not have anyone who understands it. Even if they recognize the need to patch it, their skint budgets are determined years in advance by city council members who are under pressure to fix the potholes, keep the police on the streets, and rein in taxes and spending. There is no budget this year or the next for overhauling the water systems infrastructure. These systems are a long way from being patched.
It could easily take several years to fix every system that needs fixing, even amidst the panic a world-wide hacking spree would induce. During those years, unpatched infrastructure installations around the globe would be hacked, with very negative consequences.
Why should he hold back from publishing? You doubted three specific claims:
A. The terrorists would have the technological know-how to carry out the sabotage
People already have carried out technological sabotage on various infrastructure elements. These are generally not publicized because there is negative value in making this information public -- creating panic without a solution is the desire of the attacker. Some information about these attacks is shared in industry appropriate discussions, but these are not public forums, and participants are invited only on a need-to-know basis. There are real attacks on automation systems today, and there are dedicated, well-funded organizations backing these attackers.
B. The terrorists could locate the actual weaknesses of the infrastructure to carry out their attacks
With the nature of automation, an attacker does not need to know that "Manhattan Pumping Station #12" at 127.0.0.1 has a login page susceptible to buffer overflow of exactly 1028 bytes. All they have to do is try a 1028 byte overflow on every SCADA system they find, and maybe a few dozen or a few thousand are similarly unprotected. Even if Manhattan's pumping station fixes their login problem, that doesn't help protect the water pumping systems in Peoria, Illinois, or Nome, Alaska. It's important to remember that a terrorist doesn't have to "call his shots" in advance in order to achieve his objectives of spreading fear or panic.
C. The terrorists never suspect that what he said is after all, a "honeypot"
A honeypot is completely ineffective at determining the identity of an attacker. Sounding an alarm that an attacker is present simply means the attacker will disconnect, and move on to the next potential target. A honeypot is only useful for studying the moves of an attacker, and of potentially diverting them away from your own valuable systems. It can't catch them.
I'm actually not disagreeing with you that we need sunshine in order to fix the problems. The bigger problem is that we have a huge, non-centralized infrastructure that can't be fixed all at once. If Nome, Alaska's pumping station is vulnerable, Nome, Alaska is solely responsible for fixing it. There is nothing about owning such a system that means the owners are up to date on all security issues or patches needed. We may think they should be, but it's academic: they're not patched, they are vulnerable, and the cost of publishing the vulnerabilities could mean the destruction of critical infrastructure.
Industry, government, and law enforcement groups have been trying to solve this problem for quite a while, but they're simply not there yet.
I think Wikipedia falls along the path that many potential buyers take. Wiki articles are usually very highly ranked by search engines, and tend to float near the top of results. When people start researching an upcoming purchase, many look at Wikipedia as a less-biased source of information. (Like you, I tend to think that people who read Wikipedia articles for such information are also somewhat more adept at spotting marketing materials, and are slightly less likely to be duped by them.)
These articles may not have specific products featured (although many do), but they can certainly steer the consumer in the direction that best aligns with their business, and that may or may not be in the best interests of the reader.
I think they have intelligent people. What they're looking for is some outside perspective.
When you've been staring at your own solution for years and years, it's good to have someone make you question it once in a while. They will no doubt get plenty of rookie and novice suggestions, the easy stuff they've long ago solved. They may even get some of the suggestions that took them a long time to understand and develop. What they're hoping for is something completely different. Maybe some grad student working on a new form of video compression will spot similarities that can be applied. Who knows?
The Courts are supposed to weigh cases based on the facts and arguments presented, and not so much on their own personal experiences. As a matter of fact if a member of the court is too closely involved in a case, they're supposed to recuse themselves. Therefore one does not need to use email to listen to arguments involving email.
At least that's the theory. Of course personal experiences and biases do enter into their decision making, but the rulings are to be made on the case before the court.
Of course the function of the courts is completely distinct from the function of a trade negotiator. A negotiator who does not fully understand their topic needs to be surrounded by people who do, and they need to get well versed in it prior to negotiations. That could be what's happening here: I don't know anyone who could recite every TLA in use by every technology out there, so an unfamiliar acronym might need a bit of context.
Regardless, it sounds like the "U.S. Official" is a bit of a dolt.
It's easy enough to check. Surf to any public https secured site, and check the certificate's chain of trust. If the self-signed cert at the top of the chain is the school's cert, they've been pwned.
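One way to script the check described in this comment, added here as an example rather than code from the original post. Python's ssl module only hands back the leaf certificate, so the full chain has to be pasted in from the browser's certificate viewer or another tool; the allow-list of public root organizations and both sample chains below are constructed for illustration.

```python
"""Walk an HTTPS chain of trust and report whose name is on the root.

Added example. Assumptions: PUBLIC_ROOT_ORGS is a hypothetical allow-list
(a real check would compare against the public CA names your browser ships),
and the two sample chains are constructed, not captured from a live site.
"""
import socket
import ssl


def name_attr(name, key):
    """Extract one attribute (e.g. 'organizationName') from a
    getpeercert()-style name: a tuple of RDNs, each a tuple of (key, value)."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def is_self_signed(cert):
    """A root signs itself, so its subject and issuer names are identical."""
    return cert["subject"] == cert["issuer"]


def classify_chain(chain, public_root_orgs):
    """chain: list of cert dicts, leaf first, root last.
    Returns (verdict, detail) with verdict one of 'ok', 'intercepted', 'broken'.
    'intercepted' means the chain ends in a self-signed root that does not
    belong to a public CA, which is what a locally installed proxy root looks like."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            cn = name_attr(child["subject"], "commonName")
            return "broken", "issuer of %r does not match the next certificate" % cn
    root = chain[-1]
    if not is_self_signed(root):
        return "broken", "chain does not end in a self-signed root"
    org = name_attr(root["subject"], "organizationName")
    if org not in public_root_orgs:
        return "intercepted", "root belongs to %r, not a public CA" % org
    return "ok", "root belongs to %r" % org


def fetch_leaf(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a server presents, as a getpeercert() dict.
    The default context uses the local trust store, so an injected root will
    validate here; that is exactly why the issuer has to be inspected by eye."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def make_cert(subject_cn, subject_org, issuer_cn=None, issuer_org=None):
    """Build a minimal getpeercert()-style dict; omit issuer for a self-signed cert."""
    subject = ((("organizationName", subject_org),), (("commonName", subject_cn),))
    if issuer_cn is None:
        return {"subject": subject, "issuer": subject}
    issuer = ((("organizationName", issuer_org),), (("commonName", issuer_cn),))
    return {"subject": subject, "issuer": issuer}


# Hypothetical allow-list of organizations that operate public roots.
PUBLIC_ROOT_ORGS = {"Example Public CA Inc"}

# Constructed: a normal chain, leaf -> intermediate -> public root.
LEGIT_CHAIN = [
    make_cert("www.example.com", "Example Site Ltd",
              "Example Public CA R3", "Example Public CA Inc"),
    make_cert("Example Public CA R3", "Example Public CA Inc",
              "Example Public Root", "Example Public CA Inc"),
    make_cert("Example Public Root", "Example Public CA Inc"),
]

# Constructed: the same site seen through an inspecting proxy. The leaf still
# says www.example.com, but it was minted by the school's own root.
INTERCEPTED_CHAIN = [
    make_cert("www.example.com", "Example Site Ltd",
              "Springfield SD Filter CA", "Springfield School District"),
    make_cert("Springfield SD Filter CA", "Springfield School District"),
]


if __name__ == "__main__":
    import sys
    for label, chain in (("legit", LEGIT_CHAIN), ("intercepted", INTERCEPTED_CHAIN)):
        print(label, classify_chain(chain, PUBLIC_ROOT_ORGS))
    if len(sys.argv) > 1:  # optional: show the live leaf issuer for a host
        leaf = fetch_leaf(sys.argv[1])
        print("leaf issuer:", name_attr(leaf["issuer"], "organizationName"))
```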
Do the Go-pro carrying quad-copters fly in a different atmosphere than commercial aircraft? No? Then at some point the two can come in contact with each other. The FAA needs to have some regs that govern the places where these two could meet. "No flying anything (toys, kites, balloons, drones) within X of an airport" seems perfectly reasonable.
About the only way to deal with third party libraries is through the terms of the contract. If you agree to license it, you're going to hold them responsible for security violations. Perhaps you stipulate they must run their code through a designated scanner like Fortify or Klocwork and they must agree to fix all critical or severe errors, or that they undergo an annual independent code review.
If all that seems like it's too heavy handed for a simple library, just wait till you get hacked. That's a lot more expensive.
Except when you go to a parts store, you have very specific needs: 5 1k resistors, 3 NPN transistors, 4.01uf caps, etc. At the bakery, if you can't get exactly three chocolate frosted bear claws, you can pick up three long johns instead, and if someone else complains, you eat theirs and they go without.:-)
For Radio Shack to sell any resistors means they also have to stock a few dozen primary values of resistors, plus a few types of transistors, plus some caps, connectors, project boxes, switches, relays, and a whole bunch of other surrounding components. Sure, they could do without the little barcoded bags, but the bags aren't the primary expense here. The expense is in needing to have hundreds or thousands of components on hand in order to sell even a few of them.
Think of it this way: if they advertised themselves as the "470 ohm resistor store", how many customers would leave the 470 ohm resistors out of their on-line shopping carts in order to drive over there just to pick up their 470 ohm resistors? (If you guessed "zero or less", you'd be right.)
The people who are giving Microsoft difficulty here are the people who distinguish purchase types based on price. If they're going to spend $500 or more on a thing, that thing represents a significant investment, and they have always received 20-50 years of durability from significant investments in the past. Washers, cars, tractors, refrigerators, houses, all those things are expensive, but they last a long time. Even a color TV from the 1970s is still good enough for many of them.
You say "people shouldn't keep computer upgrade cycles to the same timing as vehicle or appliance upgrade cycles", but why is that true? All the rest of their experience is that "expensive things should last 20+ years" (even though they know that occasionally requires a roll of duct tape.) I see that as the root of the problem Microsoft has created here. Microsoft agrees with you on that assumption, but practical viewpoints of the world do not.
You and I know that security problems, reliability problems, media incompatibilities, speed incompatibilities, and all those things make keeping up with technology important, at least for people who are focused on the technology, but we have to consider that most of this equipment is now owned by people who aren't focused on the tech.
And we really can't reach them, either. If we use technical terms like "buffer overruns", we'll be ignored. If we say "upgrade or they'll steal your credit cards" they'll say "so I won't buy online, or I'll pay cash at the store, or I don't have a credit card anyway." If we say "it's too slow, or it's too limited, or the screen is low res" they'll say "it's good enough for me." And if we say "new computers are cheap these days", they'll say "I can't even afford to fill my car with gas." They are probably already feeling the pinch of not enough disk space, or ancient browsers unable to display their favorite web sites, but they simply can't afford an upgrade now or in the immediate future. Filling the gas tank helps them get to their paychecks, and food and rent are simply more important than upgrading their computers.
These people expect to get 20+ years out of their computers. It's our problem to live with them, viruses and all; it's not their problem that they have old gear.
For a lot of these hold-out users, it's a matter of pride to keep a 50 year old tractor running, because it proved they made a good investment when they acquired something that has durability. For them, acknowledging that they have to replace a 9 year old computer means they made a bad decision when they bought it, and they don't want to admit that they invested in a piece of crap. Investing in a new computer after such a short time means they personally failed. They can understand replacing damaged parts, but they don't understand buying "improvement parts" just to keep doing what they've already been doing.
Microsoft's business model doesn't acknowledge this mindset. Their old profit model was built on upgrades to existing products, not sales of new products. They needed customers who are the opposite of who I described above, people who pedal the upgrade cycle every two or three years. But Microsoft's gotten really good at developing good software that meets people's primary needs, and the incentives to upgrade to Office yyyy+3 have dried up. Their new profit model is to lease software and services via the cloud. But to get everyone to the leasing model, they need to make that last push to upgrade them.
From the point of view of the hold-outs, why would they junk a perfectly suitable 50 year old tractor just so they can lease a shiny new one for a ton of money every month? That's crazy talk.
Not necessarily. Sure, some devices, like the Nest thermostat, only work with a data-grubbing service. Others allow you direct control. Some offer remote control via a service because people can't figure out how to safely poke a hole in their firewall, but offer unsecured local control from within your network.
Fortunately, not every thing is sold as a service. You can still exert control with your wallet. Support good companies that don't require a service, and shun those that do.
You mean "Teng-Yen Global Factory" made the device, and installed sticker part #LG-20140304 on assembly 87-B showing that it was made on behalf of Lucky-Goldstar.
Actually, I did have a useful dealer sticker on my lawn mower, once. It had the name of the hardware store I bought it from, along with their phone number. I called them when I needed service, once. But soon after I bought it they changed area codes, and then I think they went out of business.
My local Radio Shack carries various Arduino boards and kits, shields, peripherals like motor controllers, servos, sensors, and other stuff from various independent sources like SeeedStudios. I was quite surprised and pleased to see those hit the shelves in the last couple of years. Radio Shack has also become a heavy advertiser in Make magazine. And they're even advertising on TV with their "Do It Together" campaign.
They are trying to appeal to the makers, they are partnering with all the right independents, but the message isn't always getting through, and apparently the money still isn't pouring in. I think they've demonstrated that hobbyist demand just isn't self-sustaining for brick-and-mortar stores.
The problem is "inventory is expensive". For a store to have a cabinet full of resistors and switches, they have to buy them from the manufacturer, put them in little plastic bags, then send them out. Let's say that parts cabinet cost the store $2000. The store has now lost money until 100 hobbyists have shown up and each bought $20 worth of stuff from it. With as few hobbyist customers as they see, that could be two or more years away. That makes buying it a risky proposition. Then figure that Radio Shack HQ makes every store buy one: that's perhaps a $10,000,000 investment that won't break even for two years.
They can't just carry the 3 most popular resistors, either, as their customers have varied needs and require a broad selection. People who buy resistors also buy LEDs, transistors, capacitors, wires, solder, breadboards, etc. So if they're going to carry components, they have to have enough so that they can meet reasonable requests. If they are missing a single essential part, the customer is likely to abandon their entire basket, then go on line to Digikey or Mouser.
I'm reading this on Firefox 28 running on Windows 8.1. No issues so far, but to be fair, this is the only page I've surfed to so far.
Windows 8.1 doesn't have stability problems. It has UX problems, but the OS beneath has been fine.
I remember the old joke this way:
"Thank you for installing Windows by Microsoft, where quality is job 1.1"
These useless apps are worth nothing.
They're certainly not "worth nothing." They're worth whatever a vulture capitalist is willing to fund, or whatever an IPO will bring in. Those people still have the ability to turn punching purple monkeys into a pile of quick cash. The few technologists who time their insider stock-option trades correctly will get rich, but almost everyone else will get pink slips and a hard slap of reality.
Everybody out there imagines they'll be the one who lucks into a lucrative stock market trade, just as every gold miner imagines he'll be the one to strike the motherlode. I wish them all luck, but that's all I'll give them. I'm still not dropping $0.99 on a fart app.
Wanna guess how long it would take utility companies to get going about fixing these problems if they started losing billions due to attacks?
The private utility companies would likely be in the best position. They already have security teams, they have upgrade paths, and they have incentive.
The city run utilities would be in the worst position. They typically engage an engineering company for a project to oversee the installation of systems, and train a few city workers to do basic monitoring and maintenance. Twenty years later the city still "owns and operates" the system, but they do not have anyone who understands it. Even if they recognize the need to patch it, their skint budgets are determined years in advance by city council members who are under pressure to fix the potholes, keep the police on the streets, and rein in taxes and spending. There is no budget this year or the next for overhauling the water systems infrastructure. These systems are a long way from being patched.
It could easily take several years to fix every system that needs fixing, even amidst the panic a world-wide hacking spree would induce. During those years, unpatched infrastructure installations around the globe would be hacked, with very negative consequences.
Why should he hold back from publishing? You doubted three specific claims:
A. The terrorists would have the technological know how to carry out the sabotage
People already have carried out technological sabotage on various infrastructure elements. These are generally not publicized because there is negative value in making this information public -- creating panic without a solution is the desire of the attacker. Some information about these attacks is shared in industry appropriate discussions, but these are not public forums, and participants are invited only on a need-to-know basis. There are real attacks on automation systems today, and there are dedicated, well-funded organizations backing these attackers.
B. The terrorists could locate the actual weaknesses of the infrastructure to carry out their attacks
With the nature of automation, an attacker does not need to know that "Manhattan Pumping Station #12" at 127.0.0.1 has a login page susceptible to buffer overflow of exactly 1028 bytes. All they have to do is try a 1028 byte overflow on every SCADA system they find, and maybe a few dozen or a few thousand are similarly unprotected. Even if Manhattan's pumping station fixes their login problem, that doesn't help protect the water pumping systems in Peoria, Illinois, or Nome, Alaska. It's important to remember that a terrorist doesn't have to "call his shots" in advance in order to achieve his objectives of spreading fear or panic.
C. The terrorists never suspect that what he said is, after all, a "honeypot"
A honeypot is completely ineffective at determining the identity of an attacker. Sounding an alarm that an attacker is present simply means the attacker will disconnect, and move on to the next potential target. A honeypot is only useful for studying the moves of an attacker, and for potentially diverting them away from your own valuable systems. It can't catch them.
I'm actually not disagreeing with you that we need sunshine in order to fix the problems. The bigger problem is that we have a huge, non-centralized infrastructure that can't be fixed all at once. If Nome, Alaska's pumping station is vulnerable, Nome, Alaska is solely responsible for fixing it. There is nothing about owning such a system that means the owners are up to date on all security issues or patches needed. We may think they should be, but it's academic: they're not patched, they are vulnerable, and the cost of publishing the vulnerabilities could mean the destruction of critical infrastructure.
Industry, government, and law enforcement groups have been trying to solve this problem for quite a while, but they're simply not there yet.
I think Wikipedia falls along the path that many potential buyers take. Wiki articles are usually very highly ranked by search engines, and tend to float near the top of results. When people start researching an upcoming purchase, many look at Wikipedia as a less-biased source of information. (Like you, I tend to think that people who read Wikipedia articles for such information are also somewhat more adept at spotting marketing materials, and are slightly less likely to be duped by them.)
These articles may not have specific products featured (although many do), but they can certainly steer the consumer in the direction that best aligns with their business, and that may or may not be in the best interests of the reader.
I think they have intelligent people. What they're looking for is some outside perspective.
When you've been staring at your own solution for years and years, it's good to have someone make you question it once in a while. They will no doubt get plenty of rookie and novice suggestions, the easy stuff they've long ago solved. They may even get some of the suggestions that took them a long time to understand and develop. What they're hoping for is something completely different. Maybe some grad student working on a new form of video compression will spot similarities that can be applied. Who knows?
The Courts are supposed to weigh cases based on the facts and arguments presented, and not so much on their own personal experiences. As a matter of fact if a member of the court is too closely involved in a case, they're supposed to recuse themselves. Therefore one does not need to use email to listen to arguments involving email.
At least that's the theory. Of course personal experiences and biases do enter into their decision making, but the rulings are to be made on the case before the court.
Of course the function of the courts is completely distinct from the function of a trade negotiator. A negotiator who does not fully understand their topic needs to be surrounded by people who do, and they need to get well versed in it prior to negotiations. That could be what's happening here: I don't know anyone who could recite every TLA in use by every technology out there, so an unfamiliar acronym might need a bit of context.
Regardless, it sounds like the "U.S. Official" is a bit of a dolt.
It's easy enough to check. Surf to any public https-secured site, and check the certificate's chain of trust. If the self-signed cert at the top of the chain is the school's cert, they've been pwned.
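The chain check this comment describes, as an added example that is not part of the original post: walk the certificate chain from the leaf to the self-signed cert at the top and compare that root against the public roots your system ships. The subject/issuer lines are in the format `openssl x509 -noout -subject -issuer` prints for each certificate obtained from `openssl s_client -showcerts`; the trusted-root list and the three sample chains are constructed stand-ins for the example (a real check reads the platform trust store).

```python
import re

# Constructed stand-in for the platform trust store: subjects of a couple of
# public roots. On a real system read these from the OS/browser store instead.
TRUSTED_ROOT_SUBJECTS = {
    "C=US, O=Internet Security Research Group, CN=ISRG Root X1",
    "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2",
}

# Constructed sample: a normal chain, leaf first, ending in a public root.
CLEAN_CHAIN = """\
subject=CN=www.example.com
issuer=C=US, O=Let's Encrypt, CN=R3
subject=C=US, O=Let's Encrypt, CN=R3
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject=C=US, O=Internet Security Research Group, CN=ISRG Root X1
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
"""

# Constructed sample: the same site as seen through an interposing proxy.
# The leaf is re-issued by a private, self-signed CA (hypothetical name).
INTERCEPTED_CHAIN = """\
subject=CN=www.example.com
issuer=C=US, O=Example School District, CN=Example School TLS Inspection CA
subject=C=US, O=Example School District, CN=Example School TLS Inspection CA
issuer=C=US, O=Example School District, CN=Example School TLS Inspection CA
"""

# Constructed sample: server sent leaf and intermediate but no root.
INCOMPLETE_CHAIN = """\
subject=CN=www.example.com
issuer=C=US, O=Let's Encrypt, CN=R3
subject=C=US, O=Let's Encrypt, CN=R3
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
"""


def parse_chain(text):
    """Pair up subject=/issuer= lines into a list of certs, leaf first."""
    subjects = re.findall(r"^subject=(.*)$", text, re.M)
    issuers = re.findall(r"^issuer=(.*)$", text, re.M)
    if not subjects or len(subjects) != len(issuers):
        raise ValueError("subject/issuer lines do not pair up")
    return [{"subject": s.strip(), "issuer": i.strip()}
            for s, i in zip(subjects, issuers)]


def chain_root(chain):
    """Follow issuer links from the leaf until a self-signed cert is reached,
    or until the issuer is missing from what the server sent."""
    by_subject = {c["subject"]: c for c in chain}
    cert = chain[0]
    seen = set()
    while cert["subject"] != cert["issuer"]:
        if cert["subject"] in seen:
            raise ValueError("issuer loop in chain")
        seen.add(cert["subject"])
        parent = by_subject.get(cert["issuer"])
        if parent is None:
            return cert          # top of what was sent, but not self-signed
        cert = parent
    return cert


def classify_chain(text, trusted=TRUSTED_ROOT_SUBJECTS):
    """'trusted-public-root', 'interposed-root' (a self-signed root that is
    not a public CA, e.g. the school's own cert) or 'incomplete'."""
    root = chain_root(parse_chain(text))
    if root["subject"] != root["issuer"]:
        return "incomplete"
    if root["subject"] in trusted:
        return "trusted-public-root"
    return "interposed-root"


if __name__ == "__main__":
    for name, chain in [("clean", CLEAN_CHAIN),
                        ("intercepted", INTERCEPTED_CHAIN),
                        ("incomplete", INCOMPLETE_CHAIN)]:
        print(f"{name}: {classify_chain(chain)}")
```

An "interposed-root" verdict is exactly the comment's criterion: the top of the chain is self-signed by someone other than a public CA, so something between you and the site is re-signing certificates. Run it against a site the proxy has no reason to touch; a public site's chain should never end in a local organisation's root.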
Do the GoPro-carrying quad-copters fly in a different atmosphere than commercial aircraft? No? Then at some point the two can come in contact with each other. The FAA needs to have some regs that govern the places where these two could meet. "No flying anything (toys, kites, balloons, drones) within X of an airport" seems perfectly reasonable.
About the only way to deal with third party libraries is through the terms of the contract. If you agree to license it, you're going to hold them responsible for security violations. Perhaps you stipulate they must run their code through a designated scanner like Fortify or Klocwork and they must agree to fix all critical or severe errors, or that they undergo an annual independent code review.
If all that seems like it's too heavy handed for a simple library, just wait till you get hacked. That's a lot more expensive.
Except when you go to a parts store, you have very specific needs: 5 1k resistors, 3 NPN transistors, 4 .01uf caps, etc. At the bakery, if you can't get exactly three chocolate frosted bear claws, you can pick up three long johns instead, and if someone else complains, you eat theirs and they go without. :-)
For Radio Shack to sell any resistors means they also have to stock a few dozen primary values of resistors, plus a few types of transistors, plus some caps, connectors, project boxes, switches, relays, and a whole bunch of other surrounding components. Sure, they could do without the little barcoded bags, but the bags aren't the primary expense here. The expense is in needing to have hundreds or thousands of components on hand in order to sell even a few of them.
Think of it this way: if they advertised themselves as the "470 ohm resistor store", how many customers would leave the 470 ohm resistors out of their on-line shopping carts in order to drive over there just to pick up their 470 ohm resistors? (If you guessed "zero or less", you'd be right.)
The people who are giving Microsoft difficulty here are the people who distinguish purchase types based on price. If they're going to spend $500 or more on a thing, that thing represents a significant investment, and they have always received 20-50 years of durability from significant investments in the past. Washers, cars, tractors, refrigerators, houses, all those things are expensive, but they last a long time. Even a color TV from the 1970s is still good enough for many of them.
You say "people shouldn't keep computer upgrade cycles to the same timing as vehicle or appliance upgrade cycles", but why is that true? All the rest of their experience is that "expensive things should last 20+ years" (even though they know that occasionally requires a roll of duct tape.) I see that as the root of the problem Microsoft has created here. Microsoft agrees with you on that assumption, but practical viewpoints of the world do not.
You and I know that security problems, reliability problems, media incompatibilities, speed incompatibilities, and all those things make keeping up with technology important, at least for people who are focused on the technology, but we have to consider that most of this equipment is now owned by people who aren't focused on the tech.
And we really can't reach them, either. If we use technical terms like "buffer overruns", we'll be ignored. If we say "upgrade or they'll steal your credit cards" they'll say "so I won't buy online, or I'll pay cash at the store, or I don't have a credit card anyway." If we say "it's too slow, or it's too limited, or the screen is low res" they'll say "it's good enough for me." And if we say "new computers are cheap these days", they'll say "I can't even afford to fill my car with gas." They are probably already feeling the pinch of not enough disk space, or ancient browsers unable to display their favorite web sites, but they simply can't afford an upgrade now or in the immediate future. Filling the gas tank helps them get to their paychecks, and food and rent are simply more important than upgrading their computers.
These people expect to get 20+ years out of their computers. It's our problem to live with them, viruses and all; it's not their problem that they have old gear.
For a lot of these hold-out users, it's a matter of pride to keep a 50 year old tractor running, because it proved they made a good investment when they acquired something that has durability. For them, acknowledging that they have to replace a 9 year old computer means they made a bad decision when they bought it, and they don't want to admit that they invested in a piece of crap. Investing in a new computer after such a short time means they personally failed. They can understand replacing damaged parts, but they don't understand buying "improvement parts" just to keep doing what they've already been doing.
Microsoft's business model doesn't acknowledge this mindset. Their old profit model was built on upgrades to existing products, not sales of new products. They needed customers who are the opposite of who I described above, people who pedal the upgrade cycle every two or three years. But Microsoft's gotten really good at developing good software that meets people's primary needs, and the incentives to upgrade to Office yyyy+3 have dried up. Their new profit model is to lease software and services via the cloud. But to get everyone to the leasing model, they need to make that last push to upgrade them.
From the point of view of the hold-outs, why would they junk a perfectly suitable 50 year old tractor just so they can lease a shiny new one for a ton of money every month? That's crazy talk.
Not necessarily. Sure, some devices, like the Nest thermostat, only work with a data-grubbing service. Others allow you direct control. Some offer remote control via a service because people can't figure out how to safely poke a hole in their firewall, but offer unsecured local control from within your network.
Fortunately, not every thing is sold as a service. You can still exert control with your wallet. Support good companies that don't require a service, and shun those that do.
You mean "Teng-Yen Global Factory" made the device, and installed sticker part #LG-20140304 on assembly 87-B showing that it was made on behalf of Lucky-Goldstar.
Actually, I did have a useful dealer sticker on my lawn mower, once. It had the name of the hardware store I bought it from, along with their phone number. I called them when I needed service, once. But soon after I bought it they changed area codes, and then I think they went out of business.
They have.
My local Radio Shack carries various Arduino boards and kits, shields, peripherals like motor controllers, servos, sensors, and other stuff from various independent sources like SeeedStudios. I was quite surprised and pleased to see those hit the shelves in the last couple of years. Radio Shack has also become a heavy advertiser in Make magazine. And they're even advertising on TV with their "Do It Together" campaign.
They are trying to appeal to the makers, they are partnering with all the right independents, but the message isn't always getting through, and apparently the money still isn't pouring in. I think they've demonstrated that hobbyist demand just isn't self-sustaining for brick-and-mortar stores.
The problem is "inventory is expensive". For a store to have a cabinet full of resistors and switches, they have to buy them from the manufacturer, put them in little plastic bags, then send them out. Let's say that parts cabinet cost the store $2000. The store has now lost money until 100 hobbyists have shown up and each bought $20 worth of stuff from it. With as few hobbyist customers as they see, that could be two or more years away. That makes buying it a risky proposition. Then figure that Radio Shack HQ makes every store buy one: that's perhaps $10,000,000 investment that won't break even for two years.
They can't just carry the 3 most popular resistors, either, as their customers have varied needs and require a broad selection. People who buy resistors also buy LEDs, transistors, capacitors, wires, solder, breadboards, etc. So if they're going to carry components, they have to have enough so that they can meet reasonable requests. If they are missing a single essential part, the customer is likely to abandon their entire basket, then go on line to Digikey or Mouser.