How can I sign in to my Google account if I'm out and about and lose my phone, when the Google two-factor authentication SMS message that would let me sign in on someone else's phone or computer is going to be sent to my phone?
The last time I mowed it was hard for me to operate two mowers at the same time...
It's hard to use two computers at the same time too, so just like you would put 8 cores in one computer rather than have 8 computers with 1 core each, you'd put 8 motors on one mower deck that span the width of the deck, and only start the motors that you need for the width of grass you want to cut.
The cores -> lawnmower analogy is not the best, but it wasn't my idea.
I thought the reasoning behind multiple cores was so you could power off the ones you're not using. It's not that you're taking 8 lawnmower engines and turning them into an 8-cylinder Ferrari engine, but you're putting 8 smaller lawnmower engines on your lawnmower so instead of using the big 80HP engine when you're just trimming a narrow stretch of grass, you only need to power up one 10HP engine while the rest of them remain powered off. If you're cutting a wider stretch of grass, you can use 2 engines, etc. So you save energy by only using as many cores (engines) as you need for the task.
'My prediction is that in the years ahead, we will see more failures than we have been seeing, because people have forgotten what we had to do to get to where we are.'
And considering the cloud isn't exactly known for reliability right now, yet another reason not to trust your data out there.
Is any multi-region cloud provider less reliable than any single-site datacenter? There will always be unexpected disasters (or at least unplanned-for ones: you may expect an asteroid to hit the planet every 50,000 years, but that doesn't mean that you've built the datacenter to survive it) and human error (like "oops, I wish I hadn't dropped my wrench into that panel, 480VAC makes a lot of sparks... it sure is dark in here now"), so it's not clear that cloud providers are significantly worse in that regard.
Of course, when a business's primary data center goes down, few people hear about it, while when Amazon has a regional outage (or even in a single Availability Zone), everyone hears about it because it affects hundreds or thousands of companies.
What, exactly, does this mean, and how is it different from my current Android phone and widgets to show me these things on the lockscreen?
It uses the screen instead of a notification LED, but only powers the portion of the screen necessary for the alert instead of turning the whole display on. I'm not sure how this works, but that's what they're claiming. It's not at all like a lock screen.
I thought this was how AMOLED worked on all phones - only the pixels that are lit use any power so if you have a mostly black background with a few lit pixels, the screen uses little power. Does an "Active Display" do things differently?
Right, but if this is happening on a large scale, it only takes one person to discover it and make it known to the world. "Hey, I ran a kernel trace and my *graphics card* is sending encrypted UDP packets to we-are-keeping-you-safe.trust-us.gov. What's up with that?"... and more and more people dig into their systems and find out what's going on.
What's the other option? The same rules being used for 802.11 work for me.
So you're OK with FCC regulation in the bands used by 802.11, but not the other bands? Or do you think that because your Wi-Fi access point is unlicensed, that means that there is no regulation?
There is a huge difference between safety regulations and laws; trying to compare something like traffic laws to something invisible that will bring no harm to anyone (physically) is overreaching.
So is your argument that there's no public safety use for radio, or that there's no way that RF interference could get in the way of public safety use of radio? So if I, say, decided to run my "pirate" radio station on the same frequency that the local fire department uses (because I know those guys will want to hear my station!), there's no possible problem with that? I put "pirate" in quotes because, without the FCC, of course, there are no pirate radio stations; anyone anywhere can run a radio station on any frequency.
The FCC, FDA, FAA, etc., etc., do NOTHING to make sure things are safe. This is what cracks me up about people in this country: they do not trust government but have some false sense of faith in federal agencies or regulations; they won't buy a drug unless it has an FDA stamp, and they do nothing to test the drugs themselves.
The FCC sets exposure limits, among other things, and they type certify most devices to ensure that they are within legal limits for power and spectral purity among other things.
And they "trust" the results from research and testing. The FAA has been caught numerous times not testing any of the equipment used in airliners, but they stand there to witness testing by the companies, and there is nothing wrong with that (like fixing the tests).
If you want to vastly increase funding to the FAA so they can do their own testing, you should lobby for it -- I'm sure industry would be happy to be off the hook for the costs, and also to be shielded from liability. If the FAA screws up the test and certifies something that shouldn't be certified, then it's the FAA's problem. But anyway, I'm not sure why you're talking about the FAA since they don't regulate airwaves.
Sad thing is, that is what the FCC is supposed to be doing: a limited resource for the public good. But the current meme of 'private enterprise is the solution to all problems' has twisted their mandate into enforcing who gets exclusive lucrative access to what is essentially a shared resource.
Frankly, I prefer private enterprise to another bloated nanny department. Did you know TSA has 54,000 employees? Last thing we need is a weaponized FCC "enforcing fairness."
What's the other option? Open the airwaves to all uses and forgo all regulation? Whoever radiates the most power wins? I don't see how there can be any rational use of airwaves if there's no organization to control and allocate bandwidth.
Would you advocate abolishing all traffic laws and law enforcement on streets too? No speed limits, no stop signs, no DUI laws, anything goes. If someone runs you over in an 18-wheeler -- well, too bad, you should have had a bigger car. Might makes right in this lawless public resource, and who needs weaponized law enforcement when private industry can sort it out through selling people bigger and bigger cars?
I've been through that too, and the most ridiculous part is that they announce it ahead of time and in an open boarding area, so anyone that was planning on carrying contraband on board would just skip that flight and call the airline to say their car broke down so they need to cancel their ticket and rebook on a later flight.
I've been in some large airports, but if you know of one where you need to drive from the check-in counter through the security checkpoint and then to the gate, I'd like to hear of it. Otherwise, how could your car breaking down after you get to the departure gate where this announcement is made make you miss the flight?
I've never been in an airport where TSA scans my boarding pass and knows if I actually passed security - they typically just scribble some illegible mark on the boarding pass, and since I've checked in online from home, not even the airline knows if I'm actually at the airport until I board and they scan my boarding pass.
Do some airports scan boarding passes in the TSA security line?
Got sick or simply missed the flight, perhaps, but you'll pay the penalty for having checked in and then not boarding. I wouldn't bet against doing that being sufficient to get a quad-S special treatment boarding pass for the next flight.
It doesn't matter - a terrorist is likely to be traveling under an assumed name anyway, so next time he'll just use a new name - it's not impossible to get a fake driver's license. Any town with a significant illegal immigrant population will have a dozen places where you can pick up a fake driver's license.
Isn't the master encryption key used to encrypt the stream made from a hash of a server generated and client generated random number? That would seem to make it a moot point whether or not the server keys are random as long as the client hasn't been compromised and is using a good random number. The server could be issuing "0" as its "random" number and the key would still be random.
To gain access to the data stream, the government would need access to the server's private key (or a signed fake certificate so they could execute a man-in-the-middle attack). With Perfect Forward Secrecy, would possession of the private key allow one to decrypt the stream?
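As an added example (mine, not from any commenter on this page), here is the TLS 1.2 master-secret derivation from RFC 5246 in Python, run with a constructed all-zero ServerHello.random and constructed client values. It shows that the master secret still varies with the client's pre_master_secret, and that in RSA key exchange that pre_master_secret is the only secret input, which is why the server's private key alone (no PFS) is enough to recover such a session.

```python
import hashlib
import hmac

# Added example, not from any comment on this page: TLS 1.2 master-secret derivation
# (RFC 5246, sections 5 and 8.1) used to check which inputs the master secret depends on.


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 P_SHA256: HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 cipher suites."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("ClientHello.random and ServerHello.random are 32 bytes each")
    return tls12_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def rsa_pre_master_secret(client_version: bytes, random46: bytes) -> bytes:
    """RSA key exchange (RFC 5246 section 7.4.7.1): the client picks 46 random bytes and
    prefixes the protocol version it offered. Only the server's RSA private key can
    recover this value from the wire, so the whole session rests on it staying secret."""
    if len(client_version) != 2 or len(random46) != 46:
        raise ValueError("pre_master_secret is 2 version bytes + 46 random bytes")
    return client_version + random46


def demo_zero_server_random() -> dict:
    """Constructed scenario: the server always sends an all-zero ServerHello.random
    while the client's RNG is healthy. Every value below is fabricated and fixed
    so the demo is reproducible."""
    zero_server_random = bytes(32)
    client_random = hashlib.sha256(b"constructed client random").digest()
    # Two sessions differing only in the client-chosen pre_master_secret.
    pms_1 = rsa_pre_master_secret(b"\x03\x03", hashlib.sha512(b"constructed session 1").digest()[:46])
    pms_2 = rsa_pre_master_secret(b"\x03\x03", hashlib.sha512(b"constructed session 2").digest()[:46])
    ms_1 = master_secret(pms_1, client_random, zero_server_random)
    ms_2 = master_secret(pms_2, client_random, zero_server_random)
    # Same session, but with a non-zero server nonce, to show the nonce still stirs the PRF.
    other_server_random = hashlib.sha256(b"constructed server random").digest()
    ms_1_other = master_secret(pms_1, client_random, other_server_random)
    return {
        "length": len(ms_1),
        "deterministic": ms_1 == master_secret(pms_1, client_random, zero_server_random),
        "differs_with_pre_master": ms_1 != ms_2,  # client secret alone keeps sessions distinct
        "differs_with_server_random": ms_1 != ms_1_other,
        "master_secret_1": ms_1.hex(),
    }


if __name__ == "__main__":
    for key, value in demo_zero_server_random().items():
        print(f"{key}: {value}")
```

With (EC)DHE cipher suites the pre_master_secret is the ephemeral shared secret instead and never crosses the wire, so the same derivation gives forward secrecy against a later private-key compromise.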
Notice this in the summary:
> The key from the other side? Slip that in there somewhere, and I can find it (encrypted in a Set-Cookie header?)
I saw that, but I don't see how that helps, since the Set-Cookie header is encrypted by the same symmetric key as the rest of the HTTP traffic, which they can't read merely by making the server key non-random (or less random) if the client is sending a good random number for generating the master key.
If the NSA coerced the service provider into giving up their private SSL key, then that would probably work (but I'm not even sure that's sufficient to decrypt a session with PFS).
Under the scenario posed by the summary, the company that owns the server is fully compromised to the extent that they are re-writing their system libraries for the NSA and the client's browser has been re-written so that it leaks the client's DH details of each connection. In this extreme scenario no sort of encryption can help you, although to be honest if they are going to hypothesise this sort of thing they may as well have gone with:
That's not in the summary -- the summary doesn't say anything at all about the client; he's outlining a scenario where the government coerces the service providers into weakening their protocol, but apparently not in a way that actually weakens the encryption, assuming well-behaved clients.
While it's true that if the government controls both ends of the connection, then they can see anything they want, there's probably no need to weaken SSL to do it since they already have code on both ends of the connection.
Microsoft can simply request your graphics card to take regular snapshots of your screen, and you will never know this because the message stream to the GPU (for protected path functions) is encrypted with protected path control keys. A full screen JPG is quite a small file even for a high-resolution screen, and can be sneaked out to an NSA server with you standing ZERO chance of noticing the traffic blip.
I took a full screen snapshot of my 1920x1080 screen (maximized browser window with this Slashdot page loaded, so there's a lot of white space on the screen) and saved it as a JPG. The size of the default quality JPG was 480KB (which looked about the same as the corresponding PNG, which was only 275KB). I created JPGs of decreasing quality until the text became mostly illegible; that happened at a quality level of "7" (on a scale of 1 - 100 with 100 being the best). The resulting JPG ended up being 95KB in size.
That's not exactly what I could call "quite a small file", and though many people wouldn't notice that size file going out periodically (every hour? every minute?), it's big enough that some would - especially paranoid people that are worried about someone spying on them. 95KB sent out every minute would be around 15kbit/second on average, so it's definitely enough to be noticeable.
I traveled via plane; I went through the security checkpoint... It was the typical experience that everyone has come to expect. But once it is over, you're free to roam the "Secured" area of the airport. I don't know how often this happens, but as we were getting ready to board the airplane, three TSA agents showed up in their hands of blue (one too many for a good Firefly reference).
Anyway, it was announced that the TSA would be doing random luggage checks as we boarded the plane. I watched what was happening and the "random" checks were that they stopped everyone with a backpack and/or large purse.
What's the point of the additional screening if people are allowed to opt-out by skipping the flight?
What did they expect when they replaced private security agents with government workers? When security was run by private companies, the government could make surprise inspections and fine the companies for violations -- who in turn would fire the employees responsible because fines eat into profits.
When the government employs the workers *and* does the inspections, everyone knows what happens when you let the fox guard the hen-house.
$10,000 is a stack of $100s thinner than a deck of cards. So $40,000 fits in a coat or even a couple of pockets, and there's no problem fitting it in a carry-on.
If you put it in your pocket, TSA will make you remove it and send it through the x-ray machine on its own, so not only will it be subject to theft by TSA, but by any passenger that gets through the scanner before you.
If you put it in your carry-on bag, TSA can open that bag too - nothing is stopping a dishonest employee from opening it away from your sight.
It may provide a definite endpoint, but it is definitely LESS specific in this example, as it means anytime in the next 5 months. Whereas "in the next few months", in the vast majority of cases, means at worst in the next 4 months and usually within the next 3.
Unless, by a "few" they meant 5 months. Or maybe 6.
Anytime a project manager tells you "Oh, it'll be done within a few months", you know that he doesn't really know when it's going to be done and it probably means no one has it on their schedule, it might be done tomorrow or it might be done in 6 months. If he really had a good idea when it would be done, he would have told you.
How the fuck is "by the end of 2013" more specific than "in the next few months"? The first is a 5-month range; the second "generally" refers to a 2-4 month range. At worst their timeline response hasn't changed.
"By the end of 2013" specifies an exact point in time at which the project will be done - Dec 31st, 2013; if they slip past that date, then they are late. However, "in the next few months" is very non-specific, with no universally accepted definition of what it means, and can depend on the range being considered -- if I have a big bag of M&M's and someone asks me for a "few", they'd probably be disappointed if I gave them 2 - 4. Since "few" is so non-specific, they could stretch it out to 5 months and still claim they are within a "few".
>Both Snowden and Manning took oaths with a clear understanding that they would be severely penalized if they violated that trust.
If the government is relying on an *oath* to protect my data, then I'm even more outraged that they have so much of my data.
Outside of a court, an oath means nothing - it's as valuable as a double-super pinky swear. The government wants me to believe that terrorists are out to kill me even if it means killing themselves, but at the same time, I'm supposed to believe that an oath is going to protect my data as well as national secrets because no evildoer would swear on god that they won't do something bad?
Data security is not cheap (in implementation costs or labor), but if we're supposed to believe that having this data out in the wild could be compromising our national security, isn't it worth securing the data? Fort Knox doesn't leave piles of gold around the complex and just rely on staff to promise not to take it - they have serious security protocols that limit access to the gold and don't let any single person in a position where they could steal it, even if it makes working there less efficient.
It's unfortunate they didn't use a more legitimate whistle-blowing channel - they've thrown away their lives.
When those that are collecting the data are willing to outright lie about it to congress, and even those in congress that knew about the data collection are still defending it, what is the legitimate whistle-blowing channel that will let the public know what's going on?
The U.S. Army disciplined 15 people as a result of an internal investigation into the decisions and failures that put Pvt. Bradley Manning in a position to download and leak thousands of classified military reports and diplomatic cables he allegedly provided to WikiLeaks, an Army spokesman said Wednesday.
At least one non-commissioned officer was reduced in rank for dereliction of duty, according to a legal filing made public by Manning's defense over the weekend.
So one officer lost rank, 14 others had some non-specified administrative punishment when through their action (or inaction) they allowed a serious intelligence leak? And the only leak they *know* about was the one from Manning, who knows how many other analysts walked out with data but didn't release it to the public?
As an analyst that prepared reports he needed access to data. The network apparently wasn't properly prepared and certified for use. There probably should have been better controls for sharing different stacks of data, but the nature of counter-insurgency warfare would tend to press against some of them at some level.
Doesn't the leak show that there definitely should have been better controls?
The Army should thank Manning for exposing their security flaws.... The same applies to Snowden...
I think that might be worth considering if you can do the same following your house being burglarized, your car stolen, and your bank account emptied... in separate events.
If my house staff found a hole in the back of my safe and some of them had been slipping 20 dollar bills out of the safe for years, I'd be pretty thankful when my maid got busted while trying to deposit her stolen cash in the bank, revealing the hole to me so I could stop the leak.
I'd still be mad at her, but glad she got caught since it exposed the security flaw.
When leaks like this one happen, a lot of attention and effort is spent on punishing the leaker, but we seldom hear about punishment for those that should have protected the data. Why did Manning not only have access to this sensitive data, but was also able to download it and walk it out of the office?
In my company, the receptionist isn't supposed to tell anyone what's in our sensitive financial documents and really has no reason to read them. So he can't - his login doesn't have access to those files and if he persists in trying to get access, his username will come up in IPS alerts.
While I suppose it's publicly comforting to go after the leakers once they are caught, what about the spies that steal the data and hand it over quietly to their keepers? If the data is so easy to access that an Army Private can walk in and download thousands of documents, does anyone really think that spies from other nations aren't doing the same thing? The Army should thank Manning for exposing their security flaws.
The same applies to Snowden - he shouldn't have been able to download thousands of pages of classified documents and walk out with them unnoticed.
Yes, they were below the glidepath, and yes, they blew the approach and had to go around, but this is hardly seconds from disaster or even a close thing. 600' at a normal approach speed is not "close" to the ground, and 3.8 NM is more than 3 minutes at Vref, which is certainly adequate time to respond.
These kinds of things happen and the only reason we're even hearing about this one is that it happened at SFO 28L.
I expected a little less sensationalism and a lot more intelligence from slashdot.
Yeah, well it's still seconds from disaster. I boarded a flight to JFK once that was delayed due to a mechanical issue, if we had taken off, we would have been only 20,000 seconds from disaster... it was a close call.
The system that Google employs was based on the logical idea that having massive amounts of redundant cheap hardware would be much more reliable than spending that same budget on enterprise grade hardware. Once this was proven in practice, that budget could be reduced to provide slightly better than enterprise hardware levels of reliability on the client side.
There's a job at Google that consists of endlessly imaging new boxes to take the place of failed boxes. Yank the bad HDD, throw a new one in, push an image onto it and place it in the queue for use.
That's great when you have many racks of storage and can pay someone to endlessly image new boxes to take the place of failed ones. But labor is expensive, so for the small enterprise that has a couple racks of storage, it usually works out better to pay for the expensive storage system that calls home and automatically sends out a service engineer whenever anything breaks.
Only to someone who is looking.
Right, but if this is happening on a large scale, it only takes one person to discover it and make it known to the world. "Hey, I ran a kernel trace and my *graphics card* is sending encrypted UDP packets to we-are-keeping-you-safe.trust-us.gov. What's up with that?"... and more and more people dig into their systems and find out what's going on.
What's the other option? The same rules being used for 802.11 works for me.
So you're ok with FCC regulation in the bands used by 802.11, but not the other bands? Or do you think that because your Wifi access point is unlicensed, that means that there is no regulation?
There is a huge difference in safety regulations and laws, trying to compare something like traffic laws to something invisible that will bring no harm to anyone (physically) is overreaching.
So is your argument that there's no public safety use for radio, or that there's no way that RF interference could get in the way of public safety use of radio? So if I, say, decided to run my "pirate" radio station on the same frequency that the local fire department uses (because I know those guys will want to hear my station!), there's no possible problem with that? I put "pirate" in quotes, because without the FCC, of course, there is no pirate radio stations, anyone anywhere can run a radio station on any frequency.
The FCC, FDA, FAA, ect.. ect.. do NOTHING to make sure things are safe. This is what cracks me up about people in this country they do not trust government but have some false sense of faith in federal agencies or regulations, they wont buy a drug unless it has an FDA stamp, and they do nothing to test the drugs themselves
The FCC sets exposure limits, among other things, and they type certify most devices to ensure that they are within legal limits for power and spectral purity among other things.
and they "trust" the results from research and testing. The FAA has been caught numerous times not testing any of the equipment used in airliners, but they stand there to witness testing by the companies, and there is nothing wrong with that (like fixing the tests).
If you want to vastly increase funding to the FAA so they can do their own testing, you should lobby for it -- I'm sure industry would be happy to be off the hook for the costs, and also to shield them from liabilty. If the FAA screw up the test and certifies something that shouldn't be certified, then it's the FAA's problem. BUt anyway, I'm not sure why you're talking about the FAA since they don't regulate airwaves.
Sad thing is that is what the FCC is supposed to be doing. Limited resource for the public good, but the current meme of 'private enterprise is the solution to all problems' has twisted their mandate into enforcing who gets exclusive lucrative access to what is essentially a shared resource.
frankly, i prefer private enterprise to another bloated nanny department. did you know TSA has 54,000 employees? last thing we need is a weaponized FCC "enforcing fairness."
What's the other option? Open the airwaves to all uses and forgo all regulation? Whoever radiates the most power wins? I don't see how there can be any rational use of airwaves if there's no organization to control and allocate bandwidth.
Would you advocate abolishing all traffic laws and law enforcement on streets too? No speed limits, no stop signs, no DUI laws, anything goes. If someone runs you over in an 18 wheeler -- well, too bad, you should have had a bigger car - might means right in this lawless public resource and who needs weaponized law enforcement when private industry can sort it out through selling people bigger and bigger cars.
I've been through that too, and the most ridiculous part is that they announce it ahead of time and in an open boarding area, so anyone that was planning on carrying contraband on board would just skip that flight and call the airline to say their car broke down so they need to cancel their ticket and rebook on a later flight.
I've been in some large airports, but if you know of one where you need to drive from the check-in counter through the security checkpoint and then to the gate, I'd like to hear of it. Otherwise, how could your car breaking down after you get to the departure gate where this announcement is made make you miss the flight?
I've never been in an airport where TSA scans my boarding pass and knows if I actually passed security - they typically just scribble some illegible mark on the boarding pass and since I've checked-in online from home, not even the airline knows if I'm actually at the airport until I board and they scan my boarding pass.
Do some airports scan boarding passes in the TSA security line?
Got sick or simply missed the flight, perhaps, but you'll pay the penalty for having checked in and then not boarding. I wouldn't bet against doing that is sufficient to get a quad-S special treatment boarding pass for the next flight.
It doesn't matter - a terrorist is likely to be traveling under an assumed name anyway so next time he'll just use a new name - it's not impossible to get a fake drivers license. Any town with a significant illegal immigrant population will have a dozen places where you can pick up a fake driver's license.
Isn't the master encryption key used to encrypt the stream made from a hash of a server generated and client generated random number? That would seem to make it a moot point whether or not the server keys are random as long as the client hasn't been compromised and is using a good random number. The server could be issuing "0" as its "random" number and the key would still be random.
The gain access to the data stream, the government would need access to the server's private key (or signed fake certificate so they could execute a man in the middle attack). With Perfect Forward Secrecy, would possession of the private key allow one to decrypt the stream?
Notice this in the summary:
The key from the other side? Slip that in there somewhere, and I can find it (encrypted in a Set-Cookie header?)
I saw that, but I don't see how that helps since the Set-Cookie header is encrypted by the same symmetric key as the rest of the HTTP traffic. Which they can't read merely by making the server key non-random (or less random) if the client is sending a good random number for generating the master key.
If the NSA coerced the service provider into giving up their private SSL key, then that would probably work work (but I'm not even sure that's sufficient to decrypt a session with PFS)
Under the scenario posed by the summary, the company that owns the server is fully compromised to the extent that they are re-writing their system libraries for the NSA and the client's browser has been re-written so that it leaks the client's DH details of each connection. In this extreme scenario no sort of encryption can help you, although to be honest if they are going to hypothesise this sort of thing they may as well have gone with:
That's not in the summary -- the summary doesn't say anything at all about the client; he's outlining a scenario where the government coerces the service providers into weakening their protocol, but apparently not in a way that actually weakens the encryption, assuming well-behaved clients.
While it's true that if the government controls both ends of the connection, then they can see anything they want, there's probably no need to weaken SSL to do it since they already have code on both ends of the connection.
Microsoft can simply request your graphics card to take regular snapshots of your screen, and you will never know this because the message stream to the GPU (for protected path functions) is encrypted with protected path control keys. A full screen JPG is quite a small file even for a high-resolution screen, and can be sneaked out to an NSA server with you standing ZERO chance of noticing the traffic blip.
I took a full screen snapshot of my 1920x1080 screen (maximized browser window with this Slashdot page loaded, so there's a lot of white space on the screen) and saved it as a JPG. The size of the default quality JPG was 480KB (which looked about the same as the corresponding PNG, which was only 275KB). I created JPGs of decreasing quality until the text became mostly illegible; that happened at a quality level of "7" (on a scale of 1 - 100 with 100 being the best). The resulting JPG ended up being 95KB in size.
That's not exactly what I could call "quite a small file", and though many people wouldn't notice a file of that size going out periodically (every hour? every minute?), it's big enough that some would - especially paranoid people that are worried about someone spying on them. 95KB sent out every minute would be around 15kbit/second on average, so it's definitely enough to be noticeable.
Unless, of course, the agent bribes his supervisor to look the other way (and/or block the camera(s)) while he steals the cash:
https://www.nydailynews.com/news/national/tsa-agent-michael-arato-admits-stealing-passengers-security-checks-bribes-article-1.136272
I traveled via plane; I went through the security checkpoint. It was the typical experience that everyone has come to expect. But once it is over, you're free to roam the "Secured" area of the airport. I don't know how often this happens, but as we were getting ready to board the airplane, three TSA agents showed up in their hands of blue. (One too many for a good Firefly reference.)
Anyway, it was announced that the TSA would be doing random luggage checks as we boarded the plane. I watched what was happening and the "random" checks were that they stopped everyone with a backpack and/or large purse.
I've been through that too, and the most ridiculous part is that they announce it ahead of time and in an open boarding area, so anyone that was planning on carrying contraband on board would just skip that flight and call the airline to say their car broke down so they need to cancel their ticket and rebook on a later flight.
What's the point of the additional screening if people are allowed to opt-out by skipping the flight?
What did they expect when they replaced private security agents with government workers? When security was run by private companies, the government could make surprise inspections and fine the companies for violations -- who in turn would fire the employees responsible because fines eat into profits.
When the government employs the workers *and* does the inspections, everyone knows what happens when you let the fox guard the hen-house.
Why would you check that kind of money?
Why not just put it in your carry on?
$10,000 is a stack of $100s thinner than a deck of cards. So $40,000 fits in a coat or even a couple pockets and no problem fitting it in carry on.
If you put it in your pocket, TSA will make you remove it and send it through the x-ray machine on its own, so not only will it be subject to theft by TSA, but by any passenger that gets through the scanner before you.
If you put it in your carry-on bag, TSA can open that bag too - nothing is stopping a dishonest employee from opening it away from your sight.
9 women can't have a baby in a month
On average, they can.
It may provide a definite endpoint, but it is definitely LESS specific in this example as it means any time in the next 5 months. Whereas "in the next few months" in the vast majority of cases means at worst in the next 4 months and usually within the next 3.
Unless, by a "few" they meant 5 months. Or maybe 6.
Anytime a project manager tells you "Oh, it'll be done within a few months", you know that he doesn't really know when it's going to be done and it probably means no one has it on their schedule, it might be done tomorrow or it might be done in 6 months. If he really had a good idea when it would be done, he would have told you.
How the fuck is "by the end of 2013" more specific than "in the next few months"? The first is a 5 month range, the second "generally" refers to a 2-4 month range. At worst their timeline response hasn't changed.
"By the end of 2013" specifies an exact point in time at which the project will be done - Dec 31st, 2013; if they slip past that date, then they are late. However, "in the next few months" is very non-specific, with no universally accepted definition of what it means, and can depend on the range being considered -- if I have a big bag of M&M's and someone asks me for a "few", they'd probably be disappointed if I gave them 2 - 4. Since "few" is so non-specific, they could stretch it out to 5 months and still claim they are within a "few".
>Both Snowden and Manning took oaths with a clear understanding that they would be severely penalized if they violated that trust.
If the government is relying on an *oath* to protect my data, then I'm even more outraged that they have so much of my data.
Outside of a court, an oath means nothing - it's as valuable as a double-super pinky swear. The government wants me to believe that terrorists are out to kill me even if it means killing themselves, but at the same time, I'm supposed to believe that an oath is going to protect my data as well as national secrets because no evildoer would swear on god that they won't do something bad?
Data security is not cheap (in implementation costs or labor), but if we're supposed to believe that having this data out in the wild could be compromising our national security, isn't it worth securing the data? Fort Knox doesn't leave piles of gold around the complex and just rely on staff to promise not to take it - they have serious security protocols that limit access to the gold and don't let any single person in a position where they could steal it, even if it makes working there less efficient.
It's unfortunate they didn't use a more legitimate whistle-blowing channel - they've thrown away their lives.
When those that are collecting the data are willing to outright lie about it to congress, and even those in congress that knew about the data collection are still defending it, what is the legitimate whistle-blowing channel that will let the public know what's going on?
The U.S. Army disciplined 15 people as a result of an internal investigation into the decisions and failures that put Pvt. Bradley Manning in a position to download and leak thousands of classified military reports and diplomatic cables he allegedly provided to WikiLeaks, an Army spokesman said Wednesday.
At least one non-commissioned officer was reduced in rank for dereliction of duty, according to a legal filing made public by Manning's defense over the weekend.
So one officer lost rank, and 14 others had some non-specified administrative punishment, when through their action (or inaction) they allowed a serious intelligence leak? And the only leak they *know* about was the one from Manning; who knows how many other analysts walked out with data but didn't release it to the public?
As an analyst that prepared reports he needed access to data. The network apparently wasn't properly prepared and certified for use. There probably should have been better controls for sharing different stacks of data, but the nature of counter-insurgency warfare would tend to press against some of them at some level.
Doesn't the leak show that there definitely should have been better controls?
The Army should thank Manning for exposing their security flaws. ... The same applies to Snowden ...
I think that might be worth considering if you can do the same following your house being burglarized, your car stolen, and your bank account emptied ... in separate events.
If my house staff found a hole in the back of my safe and some of them have been slipping 20 dollar bills out of the safe for years, I'd be pretty thankful when my maid got busted while trying to deposit her stolen cash in the bank, revealing the hole to me so I could stop the leak.
I'd still be mad at her, but glad she got caught since it exposed the security flaw.
...for the crimes that he's convicted of.
When leaks like this one happen, a lot of attention and effort is spent on punishing the leaker, but we seldom hear about punishment for those that should have protected the data. Why did Manning not only have access to this sensitive data, but was able to download it and walk it out of the office?
In my company, the receptionist isn't supposed to tell anyone what's in our sensitive financial documents and really has no reason to read them. So he can't - his login doesn't have access to those files and if he persists in trying to get access, his username will come up in IPS alerts.
While I suppose it's publicly comforting to go after the leakers once they are caught, what about the spies that steal the data and hand it over quietly to their keepers? If the data is so easy to access that an Army Private can walk in and download thousands of documents, does anyone really think that spies from other nations aren't doing the same thing? The Army should thank Manning for exposing their security flaws.
The same applies to Snowden - he shouldn't have been able to download thousands of pages of classified documents and walk out with them unnoticed.
So who's getting fired over lax security?
Yes, they were below the glidepath, and yes they blew the approach and had to go around: but this is hardly seconds from disaster or even a close thing. 600' at a normal approach speed is not "close" to the ground and 3.8 NM is more than 3 minutes at Vref which is certainly adequate time to respond.
These kinds of things happen and the only reason we're even hearing about this one is that it happened at SFO 28L.
I expected a little less sensationalism and a lot more intelligence from slashdot.
Yeah, well it's still seconds from disaster. I boarded a flight to JFK once that was delayed due to a mechanical issue, if we had taken off, we would have been only 20,000 seconds from disaster... it was a close call.
The system that Google employs was based on the logical idea that having massive amounts of redundant cheap hardware would be much more reliable than spending that same budget on enterprise grade hardware. Once this was proven in practice, that budget could be reduced to provide slightly better than enterprise hardware levels of reliability on the client side.
There's a job at Google that consists of endlessly imaging new boxes to take the place of failed boxes. Yank the bad HDD, throw a new one in, push an image onto it and place it in the queue for use.
That's great when you have many racks of storage and can pay someone to endlessly image new boxes to take the place of failed ones. But labor is expensive, so for the small enterprise that has a couple racks of storage, it usually works out better to pay for the expensive storage system that calls home and automatically sends out a service engineer whenever anything breaks.