This is a good point, and certainly makes a lot of sense.
As a more concrete example of how this can affect salaried IT workers -- for those who are not familiar with how we operate -- there was a time, a little over a month ago, where I worked 10 hours solid, and barely stopped for 10 minutes to nibble some lunch while working (I was less productive typing with 1 hand, but otherwise was still getting work done even during lunch). I never even checked my personal email the entire day, let alone visit Slashdot or anything else I would do on a normal day.
Why? Because I had a high-priority task that was due the same day, and I was assigned to get it done as soon as possible. On top of that, several additional requests came up during the day that delayed my progress on the original assignment. Nearly from the time I walked in the door until I was ready to go home -- after working two hours more than I'm officially required to -- my brain was basically 100% utilized doing productive work. I only took one bathroom break the entire day!
My management knows that I'm able and willing to do this when required, but the reality of my work is that, often, I'm simply not required to be fully utilized. My company is more than welcome to give me additional assignments to increase my utilization, and they actually do, on occasion. I assume that if they felt my time was not worth the output they were getting, I would be separated from the company. Since that hasn't happened and I've received consistent positive feedback from both customers and management, I don't feel bad at all about taking some downtime when I want/need to.
So that just obviates the question of why, exactly, these same employers feel the need to deploy such pervasive monitoring and work tracking systems. Are they doing it just because the technology is there, and some salesman convinced them it would increase productivity? Are they doing it out of fear of not detecting the 1-5% of the workforce that are actually bad apples and are in fact not getting their work done in a timely manner?
Whatever the reason, they should realize that it just makes life harder for the majority who will slave away tirelessly if the job calls for it, and won't if the job doesn't. It makes it harder to enjoy the downtime for what it is when you can feel their eyes on your keystrokes.
Yes, there is potential to become over-confident and careless; but someone who's serious about this type of behavior would constantly work to step up their game and make their behavior harder to detect. Also consider that a worker who's doing a job that is actually, genuinely easy for them to do, and has time to spare after completing all assignments on-time and *properly* (not even half-assedly), can legitimately slack off for the remaining time and the bosses shouldn't have a reason to say anything bad about them.
Also:
1. These days, in many environments, "the geek who seems to be drawing on his bag of tricks" could be anyone or everyone in the office. Are you going to fire your entire workforce? Or what if your top performers -- the people who actually get work done, and do so efficiently -- are the same people skirting your rules? Do you take the loss of a productive employee just so that the remaining employees are compliant with your network policy?
2. It's only bad for morale if others are aware of their behavior.
2a. It's only bad for security if the circumvention methods are being used to (deliberately or accidentally) exfiltrate sensitive data or cause malicious code to gain access to the network. Sure, you could have someone who's smart enough to set up a VPN but dumb enough to download a virus or visit a site with ads that exploit a Flash zero-day; but you're probably just as likely to be compromised by an employee who does not use any special techniques at all, and simply visits an ordinary site (during lunch break) that's been compromised by a bad actor or runs a malicious advertisement on your outdated "standard" browser that's chock-full of unpatched vulnerabilities.
Also, if you're *that* concerned about security, you shouldn't be allowing your employees to access the public Internet from a machine with access to internal resources or company data. Give them a separate, airgapped machine and monitor their time using it vs. their "business" machine.
2b. Bad for discipline? Sure, that's a valid argument. But no human being is so disciplined as to never go off-task. A rational, human-centric way of dealing with discipline is to enforce the minimum amount of discipline necessary for your workers to get done the assignments put before them, and don't expect 100% unrelenting focus on performing as much work as physically possible for 8 hours per day, every day. The amount of attention they need to pay to their job depends on how busy their job is. A store manager at the busiest Home Depot in the United States is going to have less downtime during the day than a security guard at a backwater office building in an area with very low crime and an office full of happy employees. If the security guard is skipping patrols or the store manager is watching YouTube instead of taking care of customers, that's a discipline problem. But most white collar workers spend at least some of their time waiting for other people to do stuff, and they should be allowed to have a little rest and mental relaxation while they do so.
And that point in 2b brings us to a point about income inequality. Although you don't need a degree to manage a Home Depot, I would be perfectly fine with an overworked store manager who's constantly got to be in "Go" mode, making much more than I do as a white-collar worker with several hours of downtime per week when I can slack off WITHOUT shirking my duties. In reality, I probably make more than them. If the compensation were reversed, I'd be fine with that - they work harder, so they deserve more pay.
Now, you might say that there's always something I could be doing instead of having downtime; but my rebuttal to that is I'm always coming up with new ideas and taking initiative to try and improve process and workflow at my job. I've been here for a number of years now, and most of the big improvements I identified have already been implemented in my first year or two, because I couldn't stand how cumbersome things were when I got here. The remaining i
It all depends on what you do with the data. The mere act of passively collecting the data is relatively benign, assuming that no action is ever taken with it and that it's securely stored away so that it can't be exfiltrated or abused. There ARE privacy concerns with this, of course, but most corporate networks explicitly state that users should have no expectation of privacy.
If your boss receives an email for every 5 minutes you spend on Slashdot or Reddit or Anandtech, and marches down to your cube and sternly tells you to get back on task, that solution will only improve productivity in the very near term. The worker will fear for their job, so they'll do their work more and go off-task less. But that will stop being effective as soon as the worker can leave to find another job, or come up with an alternative way to go off-task while avoiding detection, or half-heartedly do their work in a way that appears to show progress but isn't really (e.g. gaming the metrics). The end-game of "cracking the whip" is almost never a worker who willingly spends less time doing whatever they really would rather be doing besides working and suddenly enjoys their work more.
If, however, you collect all the data in aggregate and then discuss it during their annual performance review, and have it play a factor in their compensation, that could definitely be a strong motivator for people not to be off-task: if they associate slacking off with getting lower raises / bonuses / etc. and steady work output with higher compensation, most people will probably try to slack off *less*, at least. It also has the side effect of saving the company some money by being able to justify not giving a raise to someone who spends most of their time slacking off.
Either way, though, there is always going to be a way to game the system. If they track you at the network level, just use a proxy or VPN to an address that looks like it's on-task, or is too vague to get a sense of what exactly it is (e.g., since many sites use EC2 or S3 to serve content for all sorts of purposes, there's not a lot you can say about whether traffic to an EC2 box is business-related - maybe they're doing actual research for their white collar job?). If they're keylogging, set up a VM and plug in a USB keyboard straight into the VM. If you have decent cellular data at your desk, you could do your thing on a smartphone, assuming you can tolerate the display and input device limitations. Or of course you can just take frequent breaks into a hallway or empty conference room and use your own laptop/tablet/smartphone.
The only way to truly keep white-collar workers on task for 8 solid hours per day is to assign one supervisor per worker bee, but the overhead of that proposition is so high that no one will do it, because the costs will far outweigh the benefits.
Or there's Manna, http://marshallbrain.com/manna... which could be a possible future if AI or a close-enough approximation thereof turns out to be feasible.
With specs like that -- the worst of it being the low amount of RAM and the likely extremely slow NAND -- that phone will probably have severe performance problems with many popular apps, even some of the Google apps. I have an old "Android-on-a-stick" device with similar specs from a few years ago that can barely run the Play Store now.
And I'm not even talking about games. Web browsers, navigation apps, media players, voice assistance, productivity apps, and even shopping list apps have seen increases in their performance demands. They're doing more I/O and have more dynamic functionality than ever before.
From my experience, you're mostly fine right now if you're running at least a Snapdragon S4 Pro or later (or comparable from other manufacturers). If you have something that benchmarks much slower than that, which is likely to be the case for a $10 SoC (MediaTek?), many common apps will be unbearably slow, even if your network is fast. And the RAM factors in once you consider how many background services are running on Android devices these days. I think my Note 4 has more services running than my Windows 10 desktop that has the kitchen sink of third-party software installed.
I get what they're trying to do, but people are going to be unhappy with these devices if they try to use them for much more than a literal cellphone.
Privacy is important, indeed, but I wonder if this will also break functionality on some websites. What if the final "Buy Now" function in one of your apps is a link rather than a button? You hover over it, thinking about it; but little do you know, your browser has already made the decision for you. When you realize your bank account doesn't have enough money for the purchase, you decide not to place the order, but then you check your email and have an order confirmation ID from the vendor.
The most galling fallacy in this short statement isn't that he thinks "geeks" aren't creative; it's that he thinks art education makes people creative. Here's some news for you: it doesn't.
The MOST an art class can teach you is to learn how to follow the design memes of people who came before you. However, this is not necessarily a good thing. Those design features may have been very creative and engaging when they first started being incorporated into works, but if they are used in such a widespread way as to be monotonous, it actually makes a product *worse* to start throwing them in.
Consider, for instance, how many games have a soundtrack that is extremely similar to every other game in their genre. It's not similar enough to lead to a copyright infringement lawsuit -- usually -- but it's "generic" in the sense that it borrows 90% of its design features from past works, whether previous titles from the same developer or competitors. These soundtracks often receive poor reviews when they don't stand out in any particular way from the other games that came before, and players tend not to remember the music after they stop playing the game.
On the other hand, the best, most memorable and enjoyable game music soundtracks that have existed have all been extremely original, with major innovative design features that give a distinct "feel" or "sound" to the title. This can be VERY powerful and greatly boost the sales of the product.
Similar comparisons can be made of visual assets in games, of course.
The problem is, even though you can teach someone to mimic what's been done in the past and grade them on their ability to do so, you can't teach people to be able to come up with entirely new design features or concepts on their own. And if you tried to grade an art class based on how unique or original the design features were, most students at the high school and 4-year degree level would fail the class because they couldn't think of anything creative that was also good (you could technically consider any random selection of features to be "unique", but not all things that are unique are beautiful, appreciable, or easily digestible by the person accessing (reading/viewing) the work.)
Most truly creative, novel design features that win awards and universal acclaim happen *spontaneously*, without any sort of directed methodology used to derive the aspects chosen. Sure, the creator may digest some existing art aspects of the game as "input" when trying to determine how to come up with more assets (textures, sounds, music), but even with that input, there are numerous ways you could go with creating the new content that seem equally viable from the outset. It's not until you get others to experience your content that you start to get feedback, like, "wow, this is incredible!" or "this sounds very generic".
So yeah, throw away money, making coders spend extra hours bored in art class doing watercolor paintings, as if that's going to make England's creative output any better. People who are born to be creators tend to do whatever they love doing on their own, without having to be forced to sit in a class to do it. You really can't force creativity, or the "forced-ness" of it becomes obvious in the content that's been created. That's just the way it is.
And don't even get me started on the stereotype that "geeks" are lacking in creativity. Coding shops used to ask people in interviews what their creative outlet is, whether it's singing, playing instruments, drawing, etc. - and those who didn't have any to speak of were often passed over in favor of candidates who had a creative passion. I imagine that type of thinking is even more prevalent in game studios, though I've never worked at one.
It's not true that the battery suffers the same kind of "charge cycle" whether you're charging it from 0% to 96%. For lithium ion batteries, there is no "memory" effect, but there is a "depth of discharge" effect. A deeper discharge will reduce the battery's maximum capacity more severely than a minor discharge.
It's not the act of plugging the battery into the charger that reduces its usable life; it's the process of actual charging. If you're doing less charging, your battery lasts longer. If you regularly drain your battery because you're under the misconception that all charge cycles affect the battery in the same way regardless of depth of discharge, you're actually making the problem much, much worse by discharging the battery completely.
In actual testing, the best results have been to charge the battery once it reaches 70 to 80% of its maximum charge level (as in, the max it can actually hold before the charging circuit cuts off, not the theoretical max that's advertised by the manufacturer). This depth of discharge doesn't really put much stress on the battery, and it doesn't generate as much heat as having it constantly plugged in, so it's a happy medium.
I'm *probably* going to buy the Note 5. I'm not 100% positive yet, but it's likely. I currently own a Note 4.
Why? Well, a few reasons.
First, between my SD card and the internal storage, I'm barely using 28 GB of space on my Note 4. Getting the 64GB model of the Note 5 still provides me plenty of room. And this is with having the Note 4 since launch day, and never deleting any pictures or videos I've taken (and I took something like 200 pictures during a vacation). Even if I kept the Note 5 for 2-3 years -- which is unlikely -- I'd literally have to spend MAYBE 1 or 2 hours over that entire 2-3 year period moving old pictures and recorded videos from my phone to my desktop and/or Google Drive and/or my dedi's FTP server. Then I'd be back down to a reasonable margin of free space again.
Second, whenever I go anywhere with my phone and either do not know how long I'll be without a chance to charge, or know that I will be somewhere for long periods without being able to charge, I always bring my 10,000 mAh battery case. Having the Note 5 sealed off isn't going to stop people from making battery cases; they'll just have to plug into the USB port. I'm not afraid of having a bulky or heavy phone if I need the extra juice. However, I don't actually need it all that often: most of the time I'll either be at home or at work, both of which are places that I can charge my phone without worry. Those also tend to be the two places where I use the phone most heavily and thus would be using the most energy, but it doesn't matter because I can leave it plugged into the charger, or periodically charge it when the battery gets low.
Third, my household has one other smartphone, a Motorola Droid Maxx, that has a non-replaceable battery. This phone is still in use about 2 years after it was purchased, and its battery life is still very good. The battery's capacity hasn't been reduced as much as some people claim. Heck, my power-hungry 1-year-old Note 4 probably gets WORSE battery life than the 2-year-old Droid Maxx because the Note 4's SoC and screen use significantly more energy than the comparatively simple components on the Droid Maxx, yet both have nearly identical battery capacity (out of the factory, that is).
I really DISLIKE the fact that they're taking away the microSD and the removable battery, but for me it's not a deal-breaker. The S-Pen latency reduction might finally enable me to take notes regularly on my phone, thus eliminating the need for pen and paper. And the more efficient Exynos chipset provides better performance than Snapdragon with much better energy efficiency at idle or background workloads.
I definitely prefer functionality and utility over appearance, but I imagine one of the advantages of having a non-removable battery is that you can make the unit slightly more water resistant. It's not IP6x certified, no, but I can see the tiny separation between the back cover and the main chassis on my Note 4. That separation should be more or less sealed off with the Note 5.
Deserialization vulnerabilities are a general problem with any runtime platform that supports ser/deser of in-memory objects to and from disk (or the network, or anywhere else you can deserialize to, e.g. stdout).
There isn't a whole lot the runtime itself can do to protect your code from deser exploits, since it doesn't know about the internal structure of your object data. Built-in support for ser/deser is pretty barebones and generic; if not customized, it can often serialize things in a way that is grossly inefficient or just plain wrong. It might also, by default, pick up other objects or parts of your program that you *don't* want serialized. You could argue for an improved language design that would build serialization primitives closer into the language syntax or the precompiler or compiler, and have robust checking for various types of problems; but a good static analyzer should probably be able to find these issues even if the compiler doesn't check for them.
As the article says, it seems like they are doing a class-by-class search over the Android built-in classes (of which OpenSSLX509Certificate is one, but this is notably NOT in the Oracle Java SE platform, nor in OpenJDK) to identify cases where these classes' particular serialization code (or lack thereof, if they're letting the runtime do it automatically via `implements Serializable`; I'm not sure which it is) might have vulnerabilities. Even if they find a vuln in a class which Oracle Java also has, there's no guarantee that Oracle's is also vulnerable, since they don't share a common codebase. Android uses some API definitions that apparently infringed Oracle's copyright (according to a judge, anyway), but they definitely have not lifted any of Oracle's implementation.
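The two points in the comment above (default serialization writes fields the author may not have meant to persist, and the runtime cannot know which classes a stream is supposed to contain) are shown in this added Java example, which is not from the original comment or from Android's code. `Profile`, `Unexpected` and `AllowListObjectInputStream` are hypothetical names, and the field values are constructed; it needs Java 9 or later for `Set.of`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class DeserDemo {

    // Hypothetical application class. Default serialization writes every
    // non-transient field, whether or not the author meant to persist it.
    static class Profile implements Serializable {
        private static final long serialVersionUID = 1L;
        String user;
        String apiToken;          // written to the stream by default
        transient String scratch; // left out only because it is marked transient

        Profile(String user, String apiToken, String scratch) {
            this.user = user;
            this.apiToken = apiToken;
            this.scratch = scratch;
        }
    }

    // Hypothetical class the application never expects in this stream.
    // Its readObject hook runs while the object is being rebuilt.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static int readObjectCalls = 0;

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectCalls++;
        }
    }

    // Look-ahead stream: the class name from the stream is checked against an
    // allow-list before the class is resolved and any instance is created.
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Plain stream: the type check is the caller's cast, which happens after
    // the object (and its readObject hook) has already been processed.
    static String readPlain(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            Profile p = (Profile) in.readObject();
            return "read profile for " + p.user;
        } catch (ClassCastException e) {
            return "cast failed after the object was already built";
        }
    }

    // Filtered stream: an unexpected class is rejected before instantiation.
    static String readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(Profile.class.getName());
        try (ObjectInputStream in =
                 new AllowListObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            Profile p = (Profile) in.readObject();
            return "read profile for " + p.user;
        } catch (InvalidClassException e) {
            return "rejected before instantiation: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        byte[] good = serialize(new Profile("alice", "constructed-token", "tmp-not-persisted"));
        String raw = new String(good, StandardCharsets.ISO_8859_1);
        System.out.println("apiToken in stream: " + raw.contains("constructed-token"));
        System.out.println("scratch in stream:  " + raw.contains("tmp-not-persisted"));

        byte[] other = serialize(new Unexpected());
        System.out.println("plain:    " + readPlain(other));
        System.out.println("hook calls after plain read:    " + Unexpected.readObjectCalls);
        System.out.println("filtered: " + readFiltered(other));
        System.out.println("hook calls after filtered read: " + Unexpected.readObjectCalls);
        System.out.println("filtered: " + readFiltered(good));
    }
}
```

The hook counter goes up on the plain read and stays the same on the filtered read, because `resolveClass` throws before the class is loaded for the stream. Since Java 9 the standard library also offers `java.io.ObjectInputFilter` for the same kind of check.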
You can buy a phone outright from Amazon that's licensed for the Verizon bands (or buy one used on eBay or Amazon or elsewhere), stick your activated SIM card into it, and off you go. If your SIM card is too large or too small for the new phone, there are cutters and adapters to move in both the "larger" direction and the "smaller" direction.
If you're willing to pay, you can definitely get either a new, like-new or used phone of any make or model that runs on Verizon's network, and get service, without ever having to directly do business with Verizon Wireless or any of their associates in order to make the change.
By the way, Best Buy will let you buy a full retail phone too, last I checked.
Or maybe you might have an airgapped "kiosk", with a keyboard and/or mouse and a dedicated application running modal (so it can't be bypassed to access the OS, perhaps without some hardware hacking). If it's non-networked, or only networked locally to some other system on-site, but still accessible to "users" who aren't fully trusted to the same level as the CEO (e.g., line employees, general public customers, etc.), you might want to patch it *for* security vulnerabilities, such as "if the user presses Ctrl+Alt+Del, they can access the desktop" (or something equally based on the concept of user input -> system access). That would be an example of a software-based security exploit on airgapped equipment.
This company (or whoever wrote TFS/TFA about them) seems not to understand the concept of a zero-day vulnerability.
It is ridiculous to say that one is not vulnerable to zero-day attacks. They are, in security parlance, the "unknown unknowns" - the things you don't even conceptually know of as vulnerabilities right now. One cannot design a networked computer system with any functionality whatsoever in which they can somehow know and anticipate the "unknown unknowns" (as opposed to the known unknowns, some of which can be mitigated if you're lucky).
The unknown unknowns are, by definition, *not yet known*, so you can't design a mitigation against them until *after* you are aware of them. If awareness comes in the form of a zero-day hack, then you will fail to defend against the attack at the time it hit due to your lack of information about the attack vector.
Also, unless this company has full access to all Windows source code for the build they have, it is very likely that one singular memory-based mitigation will not be effective against every possible attack vector that exists in the Windows codebase. So unless they have performed full formal methods verification of the entire Windows codebase to guarantee that there are no "unknown unknowns", and then fixed every security vulnerability that exists in the product in the original state in which they received it from Microsoft, this is basically snakeoil.
Also, don't we already have ASLR? The mind boggles at the stupidity of these people. Who do they seriously think is going to buy this?
Actually, forget I asked. They said their target was governments. I have no doubt they will sell thousands of licenses.
To me it sounds like you are implying that, if the Great-Man "theory" were 100% representative of reality, and the big-shots WERE responsible for the majority of the work leading to the success of a product, the pay we dole out to CxOs would be justified.
But I disagree even with that notion. I don't think there's anything that justifies the abject poverty that, quite literally, the *majority* of the people on this planet have to suffer through. Not only is letting this many people live in poverty *morally wrong*, but it also carries many severe consequences with it, which affect the entirety of humanity and the health of the planet itself. And yet this is what our post-WWII magical thinking has begotten. Let's count the ways in which this severe income inequality makes things worse, not even counting the important fact that these human beings are living in *misery* and we should feel terrible for letting it go on this way.
1. Large-scale poverty causes war. Why do you think the terrorists do what they do? A very large part of it is income inequality (and, yes, it's self-perpetuating because bombing them makes them poorer, hurts their economy, and makes them hate us because we killed people they knew). Do you really think they'd hate us if we hadn't ruined their economy and left them destitute? Do you really think a bunch of well-to-do middle class citizens making a healthy living wage would be able to be radicalized to give up their life with a suicide bomb? No. And without the masses behind them, any terrorism that *would* attempt to rise up would get shut down pretty quickly for lack of resources.
2. Large-scale poverty causes overpopulation, which further causes large-scale poverty. When people have nothing else to look forward to in life, they reproduce -- especially when they are without the tools to prevent pregnancy. It's about the only fun time that can be had when you can barely find enough food to survive and have no time or money to be entertained materialistically. This becomes a positive feedback loop, because it's that much harder to provide a comfortable life for more people than it is to provide the same level of resources to fewer, so the problem just gets worse.
3. Large-scale poverty causes disease, which is extremely expensive to fight, which leaves less resources for higher activity. If we spend a lot of resources just trying to keep people from death, we have even fewer resources left over to help people enjoy life and thrive. Poverty and overpopulation both increase the costs of healthcare because of the reduced ability to prevent disease in poverty-stricken environments. This forms a nasty three-sided positive feedback loop, where each negative action causes the other two problems to get worse. The only negative factor is that eventual death from disease helps the overpopulation problem, but we end up spending even more resources to help prevent that in many cases.
The utilitarian principle would suggest that we should redistribute resources evenly to uplift the poor, but the problem is, I don't think there are enough resources that we can gather and sustain on this finite planet to actually provide a middle-class life for every living person right now. Even if we halved the world population we'd still not have enough food and materials to do it. We're well past the point where our population is unsustainable, so any return to sanity is going to necessarily have to involve millions upon millions of premature deaths, OR a very widespread abstention from reproduction for a large percentage of the world's population, combined with replacement-level population stagnation elsewhere. And no one has any solid ideas for how to do any of that.
Most likely, human nature will force us to choose the ugliest and most horrible possible outcomes for the billions who will have to die in order to stabilize the planet and the economy: war and famine. I don't see anyone advocating for the alternatives in any meaningful way.
By the way, whoever modded your post "flamebait" was right, except this was more of a rant (to no one in particular) than a flame of you.
Don't try to upgrade from Windows Update. Just don't. It'll fail. Something is borked with the download process. It'll probably be fixed in a week (or even today, maybe), but for now, to be on the safe side, just go to this link - https://www.microsoft.com/en-u... and download the ISO. Then burn it to a DVD or install it onto a USB drive of sufficient capacity, and away you go. Not sure if it would work if you mounted it to a virtual drive, but worth a try.
I updated 3 systems (a 3 year old desktop, a 2 year old laptop with hybrid graphics, and a virtual machine in VMware on a 4 year old craptop) and did not have any upgrade issues. The only problem I had was on my desktop, where I would occasionally get a MEMORY_MANAGEMENT BSOD when viewing the start menu, until I updated my AMD Catalyst drivers to the latest on the AMD site.
Some more pitfalls:
- If you have exotic or rare network cards, graphics cards or printers, you may want to hold off to see if people with your hardware have similar problems.
- Is your GPU (graphics card, whether it's on the CPU, on the motherboard, or an expansion card) *more than* 4 years old? If so, you may have some problems, especially if it's by Intel.
- Do you have any programs installed which install custom software into the OS kernel ("kernel modules" / "drivers")? Things like: virtualization software (VMware, VirtualBox), VPN software (OpenVPN, SSL VPN clients, etc.), certain audio / video production software, etc.? If you see anything in Device Manager that isn't actually a piece of hardware and sounds like it's associated with a program you have, chances are good that the answer is "yes". You should really consider uninstalling these programs before you upgrade to reduce the potential for incompatibility in the kernel. Then you can try to install them after the upgrade is complete, where the driver will hopefully fail to load "gracefully" and error out of the installer if it turns out to be incompatible.
- Is your system *extremely* "hacked up", with extensive deep-running customizations to the UI, .NET framework, kernel, or other things like that? You should probably not attempt an upgrade, especially if the vendor/developer of these changes is not a well-known commercial entity with an established footprint.
Summary: If you have a computer that was purchased new with current-gen hardware within the past 4 years, and you don't have anything more than web browsers, office programs, and games installed, you should have no problems upgrading. If you have a much older computer, your risk of breakage is higher. If you have deep customizations to the OS, your risk of breakage is higher. If you're in doubt, hold off until others with similar configurations try it first and report their results. But for the love of God, use the ISO, not Windows Update, to upgrade.
One thing you could do is write up a custom license and have contribution bounties.
The license would go something like this:
- Only "Your Company" can sell either the code (any part of it), any derived works based on the code, or the binaries.
- Any party who pays for a license for the "Ultimate Plan" (or whatever you want to call it) gets a copy of the source code.
- Any party that does not have an "Ultimate Plan" does NOT get the source code, and MAY NOT distribute any binaries they get, whether purchased from you or given to them by others.
- Anyone who has a legit copy of the source code may distribute binaries (modified or originals) to any third-party they wish, royalty-free. That third party can only use and distribute the binaries but may not modify or view the code unless they also have an "Ultimate Plan" with Your Company.
- Anyone who distributes modified binaries to others containing changes that they themselves made using the source code, MUST provide the source code changes they made back to you (for free).
- Anyone who does NOT distribute modified binaries to others MAY do one of two things: either keep all their code/binary changes a "secret" (don't share them with anyone), OR they may submit them for a Contribution Bounty to Your Company. Your Company will look at the source code (without storing a copy of it or taking any ideas from it) and place a value on it, and offer a "take it or leave it" monetary compensation for the contribution. If accepted, Your Company will receive copyright attribution to the code, so you can do whatever you want with it. If refused, Your Company must destroy all copies of the code/binaries you got from them.
So we'd have situations like the following:
Scenario A: The University of Vulcan buys your Ultimate Plan and has the source code. Their researcher comes up with an innovative new algorithm that will make your software better. They use it and your product in a paper, and distribute their compiled binaries so other researchers can test it. As soon as they go to distribute modified binaries to third parties, they realize that they are now required to give you back the source code they changed. They comply with the license and do so. You win because you get code to enhance your product for free. The university wins because they can give away their modified copy of your product to other researchers as a way of demonstrating their work.
Scenario B: The University of Tassadar buys your Ultimate Plan and has the source code. Their researcher finds a neat security vulnerability in your product. They don't have any incentive to share it with anyone else, but they want to bring in some revenue from it, so they sell the vulnerability details and patch to fix it to you for $5000. The university wins because they got some money (and the guy can probably write a paper on it). You win because your product has one less security vulnerability.
Scenario C: An independent self-taught researcher wants to use your product. They are not a very advanced user so they don't have a special need to modify the code. For a reasonable price that a person making a living wage (or slightly less) can afford, they go to your site and purchase a "Basic Plan" that gives them access to the binaries and some type of support. The researcher wins because he got a good product at an affordable price. You win because you made money.
Scenario D: An independent researcher knows a friend who's also a researcher as part of a large institution with an Ultimate Plan. The independent guy wants to use your product, but is very poor. Since he knows the guy from the institution, he gets him to provide a binary, free of charge, so he can work on stuff that needs to use a product like this. The independent researcher benefits by getting access to your product for free without breaking his budget. The institution benefits by increasing its networking with the larger scientific community. You benefit because you alread
As much as I find it distasteful to recommend a license that is Open Source but NOT Free Software, you may want to check out the Reciprocal Public License: http://opensource.org/licenses...
It basically says that anyone who makes any changes to the software, whether they're "just internal" or distributed to a third party, must share those changes back to the community.
It would allow your company to release your software under Copyleft terms similar to the GPL, but with an added *restriction* that prevents companies (and individuals) from modifying your code to suit their purposes and then not distributing the code to you.
Of course, people are free to violate your license and never tell you; enforcement of the license in the case of non-distribution would be difficult to impossible without unauthorized trespassing on their property to obtain evidence (and then you have fruit of the poisonous tree).
The RPL tries to write into the license what many (most?) developers do anyway: if you're going to make any enhancements, give them back to the "mothership" so they can include them in the main product, thus making the main product better.
You'd have the following situation, thus:
(1) Individuals are so unlikely to be caught that, unless they are very careful and deliberately ethical, they will probably not respect the wishes of the RPL.
(2) Companies are less likely to knowingly violate the license because of the risk of possible damage to their reputation in court, but you may find employees within a company who choose to "risk it" and not inform their management about the risks of not distributing their changes to RPL'ed code. So you'd have a certain group of companies that WOULD contribute back (to comply with the letter of the license), and a certain group that WOULDN'T contribute back (and risk the consequences if it's ever discovered).
Funnily enough, you wind up with a very similar situation with the GNU General Public License or Affero General Public License 3.0, except that:
(1) Not distributing their code is *legal*, unless they distribute binary copies to someone who is considered not to be a member of the organization. So an employee can legally hand his coworker a binary-only copy of your product, but if he gives it to his neighbor or posts it on a mailing list, he would be obligated to include the source code, or at least an offer to provide the source code upon request (possibly with a monetary fee attached to the distribution medium; the fee does not have to be reasonable or cheap).
(2) Some third party who (legally) gets a copy of the binaries from them could go through the process of obtaining the source code, as they'd be entitled to, and they would then be free to hand you a copy for free (or not, as they please). Basically anyone willing to pay the distribution fee / ransom would be able to "liberate" the code by posting it on Github, and that would be 100% legal.
(3) You'd *still* have companies and individuals in both the "not sharing with you" and "sharing with you" camps, except that those who choose *not* to share with you are not necessarily violating the license of the code (unless they give you binaries only, and then cackle maniacally and refuse to hand over the source).
Enforcement concerns make the *expected outcome* of licensing under either the GPL3/AGPL3 or the RPL1.5 almost identical, except that you would be technically entitled to sue anyone you happen to witness as having made modifications to the original source without sharing those modifications with the original developers (you). But the likelihood of you actually finding someone foolish enough to violate your license, and then willingly share that fact with you, is pretty low.
Three parts to my post here. Part 1: WHAT do people (often) do that's against security policy. Part 2: WHY do people (or at least, me, and people I know) do it. Part 3: Soapbox ("wot I think"), aka why I think this type of policy is silly and what I'd do differently.
Part 1: The "what"
- (Obvious, since it's in TFS) Using your smartphone/tablet while at your desk, assuming that's disallowed by policy.
- Bypassing the firewall/proxy at work by routing through a remote server or VPN, using, e.g. stunnel, OpenVPN, or whatever else can be hacked up (worst case, build a website that accepts a remote webpage as a URL and tunnels all the resources through it).
- Installing/running software, whether it shows up in Add/Remove programs or not, that isn't explicitly approved by IT management. Example: portable apps, VB Scripts, Java class files or JARs, .NET IL, etc. often fly "under the radar" of programs that try to detect and prevent the installation of unauthorized software.
Part 2: The "why" (from the perspective of employees)
- People who want to "get work done", but need to access information out there on the intarwebz that happens to be blocked by an arbitrary and capricious firewall program, will acquire code, programs, or even just plain *knowledge* from remote third-parties, and will do so using either proxy-bypassing, tunneling, or third-party Internet connections (like the 3G/4G data connection on their phone).
Often, people will perceive the monolithic "IT" organization as opaque, impenetrable, overly bureaucratic, and taking way too much time, money and resources to acquire the software needed, permit the actions needed, whitelist the knowledge sites needed, etc. in order for people to get work done. They may also have the idea (real or perceived) that the IT organization would actually prohibit the action they're trying to take, but they may feel that their decision is actually in the company's best interests.
They may (or may not) go through their own vetting process of the knowledge/software they are acquiring in order to determine if it is malicious or not, and once satisfied, they may implement it under the nose of IT. They might be doing this because they feel that the IT organization is being overly cautious or needlessly paranoid or poorly informed about the knowledge/software/code they are acquiring, and, given a limited amount of time and budget, they need to get their work done or they will be on the hook for not having it done when the deadline hits. I'll assign this category of activity the term "skunkworks" for the sake of brevity, with the general idea that these activities are actively beneficial to the organization, come with a low risk, generally have very little impact on IT infrastructure, and very high upside for the company.
- People who want to participate in social networking, banking, personal email, etc. in cases where these services are blocked from their work computer, will often access them from a personal device, OR from the work device after taking the measures mentioned above. They are not willing to leave the work area in order to tell their spouse to order pizza tonight, order tickets to a baseball game, or check if they'll overdraw their checking account by stopping by the store tonight. This might also extend to watching a short Youtube video for pleasure, e.g. if you remember a meme and want to share it with a coworker because a conversation you had made you think of it.
They may feel that their actions are harmless to the company and benefit them, and are unwilling to give up this freedom for the sake of the company, because they need to live their lives and can't work eight hours straight like a robot without interruptions from real life. After all, even if they adhered strictly to the policy, they would have to spend a lot of time temporarily out of the office to handle these issues; the issues don't go away just because the employee is compliant with policy - their pr
It's a bit off-topic relative to this OP, but I wonder how long it'll be until AT&T and Verizon just decide to unilaterally either (A) move people off of unlimited plans and onto limited/shared plans; or (B) threaten to cancel their service entirely if they refuse to move to a new plan.
As an unlimited subscriber, this prospect scares me a bit every time I think of it. I know that unless we're able to change the carriers' attitudes about unlimited (which is really an uphill battle for many reasons), the day will come when they pull this. AT&T, generally being the forerunner in screwing customers, will probably do it first, with Verizon following along like a loyal lapdog 6 months later (or thereabouts).
How long can this continue? I'm really not ready to move into a world without unlimited data, but it's coming whether I want it to or not. :(
Frame it however you want, Libertarian free-market scum. You're so narrow-minded that you couldn't see your hand if you held it right in front of your face. To put it in terms that your tunnel vision paramecium brain can understand, people are rapidly starting to no longer be willing to pay $10 per GB. With the emergence of alternatives to doing so, it's only a matter of time -- a time short in comparison to how long they've been milking $10/GB -- until their market dries up. So they can either drop their prices or go out of business. The choice is theirs.
Picking one tiny piece of my post and applying your dogma to it while insulting me is not going to win you any arguments.
A gigabyte of data transmitted over the public Internet is not worth a dollar, much less $10. Carriers do not *need* to charge that much, but they choose to because it's profitable and you don't have any other choices.
Well, you do, kinda. You can "rent" an unlimited data plan from someone who has one grandfathered on Verizon or AT&T, on eBay. It'll be expensive, but if you use data like nobody's business, it's the best way to go. Don't do this if you plan to "sip" data, though, or you'll end up paying MORE than you would with a cheap limited plan.
Then there's T-Mo as someone else mentioned, but they have the huge downside that you get throttled after a certain amount of data. And the throttling is brutal. You can barely function after you're throttled for the month. It'd be fine -- great, even -- if they reduced it to 25% of full speed. But no, they bump you down to what basically amounts to 2G, if it isn't *actually* 2G. This is not a practical Internet connection for most purposes because everything will timeout trying to use it.
Then there's Sprint. I think they're still selling unlimited data plans without throttling *in most cases*, but if you're in the top 5% of users AND you're in a congested area (cell tower is saturated), they'll throttle you.
I'd rather have T-Mo OR Sprint over a "hard cap" data plan with overage fees beyond the cap. But my preference is still for the unlimited data plan I have from Verizon. I don't have any good suggestions for how to manage your data with a 2 GB cap because I would be unable to do that myself. I don't think it's a reasonable cap and it's not acceptable in 2015. The minimum plan should be 10 GB and they should make that as cheap as their current minimum plan.
The carriers have got to stop gouging the public for access to Internet services. It's killing the economy because so many other businesses besides the carriers depend on customers having unrestricted Internet access to profit from customers demanding their services.
Analogy: If you can't afford to pay the toll at the toll bridge, how are you going to get to the other side of the river and buy a new car at the dealership there? Well, you won't - the car dealership will go out of business for lack of customers. This is actually happening in the digital economy today.
The article offers a few speculations for why the data is skewed this way, but none of them are backed up by hard evidence, and there are numerous other possibilities that are no more or less plausible:
- Maybe these early adopters are just the *wrong kind* - if there is some correlation between their buying habits and social attitudes, maybe these early adopters are not very social? A product becomes mainstream when it has word-of-mouth viral marketing. If the people you reach initially tend not to speak to others advocating products they buy, you're not getting the "multiplier" effect, where one early adopter can lead to 50 or 100 or 1000 second or third-generation adopters who buy it because a friend told them it was good. If this virtuous cycle never gets started, you rely on much less effective external marketing, like TV ads - people are bombarded with so many ads that we treat them with a natural skepticism and disdain now, so many people actively dislike the ads.
- Maybe you determine who your market is by advertising? Some subtle cue in the advertising you're putting out, intentional or otherwise, could be attracting certain types of people while having attributes that strongly turn off the mainstream audience. If you're targeting the mainstream audience, your commercials cannot contain any feelings or opinions or even visual cues that the mainstream dislikes.
My "build" of an OS out of constituent components would be:
- Pure 64-bit; never never never never never any 32-bit support whatsoever throughout the software ecosystem
- The Linux kernel
- Solaris Zones (containers) able to host the latest Linux userspaces as well as an optional BSD and Solaris userspace with no virtualization
- ZFS (okay, probably the latest version from Oracle is better than what Illumos has, so let's go with that)
- An open-source version of Microsoft's WDDM as the graphics hardware abstraction layer (drivers are then built on that and are fully open source)
- The best of Linux cgroups and namespaces reconciled with Solaris Zones
- For a hypervisor (if you need to run Windows), Xen dom0/domU would be available
- Dtrace from Solaris
- kdbus
- systemd core, but omitting many/most of the optional components (available as packages but not installed by default)
- RPM for the package format, including Delta RPMs (drpms) for updates and LZMA compression on the package payloads
- aptitude or yum for the package management interface / downloader
- GNU bash
- Entire system compiled with clang by default, but with gcc available as a working alternative (competition is good; One Compiler To Rule Them All is bad for progress)
- A fully working, optimized, functionally validated Win32 and Win64 emulator (including graphics libs) supporting Windows Desktop apps that require any version of Windows from 95 to 7, for those legacy apps that just won't die
- Both the latest open source versions of Java and .NET installed, available by default, and automatically updated with no nags, but with neither one shipping any browser plugins
- No Flash!
This is a good point, and certainly makes a lot of sense.
As a more concrete example of how this can affect salaried IT workers -- for those who are not familiar with how we operate -- there was a time, a little over a month ago, where I worked 10 hours solid, and barely stopped for 10 minutes to nibble some lunch while working (I was less productive typing with 1 hand, but otherwise was still getting work done even during lunch). I never even checked my personal email the entire day, let alone visit Slashdot or anything else I would do on a normal day.
Why? Because I had a high-priority task that was due the same day, and I was assigned to get it done as soon as possible. On top of that, several additional requests came up during the day that delayed my progress on the original assignment. Nearly from the time I walked in the door until I was ready to go home -- after working two hours more than I'm officially required to -- my brain was basically 100% utilized doing productive work. I only took one bathroom break the entire day!
My management knows that I'm able and willing to do this when required, but the reality of my work is that, often, I'm simply not required to be fully utilized. My company is more than welcome to give me additional assignments to increase my utilization, and they actually do, on occasion. I assume that if they felt my time was not worth the output they were getting, I would be separated from the company. Since that hasn't happened and I've received consistent positive feedback from both customers and management, I don't feel bad at all about taking some downtime when I want/need to.
So that just obviates the question of why, exactly, these same employers feel the need to deploy such pervasive monitoring and work tracking systems. Are they doing it just because the technology is there, and some salesman convinced them it would increase productivity? Are they doing it out of fear of not detecting the 1-5% of the workforce that are actually bad apples and are in fact not getting their work done in a timely manner?
Whatever the reason, they should realize that it just makes life harder for the majority who will slave away tirelessly if the job calls for it, and won't if the job doesn't. It makes it harder to enjoy the downtime for what it is when you can feel their eyes on your keystrokes.
Yes, there is potential to become over-confident and careless; but someone who's serious about this type of behavior would constantly work to step up their game and make their behavior harder to detect. Also consider that a worker who's doing a job that is actually, genuinely easy for them to do, and has time to spare after completing all assignments on-time and *properly* (not even half-assedly), can legitimately slack off for the remaining time and the bosses shouldn't have a reason to say anything bad about them.
Also:
1. These days, in many environments, "the geek who seems to be drawing on his bag of tricks" could be anyone or everyone in the office. Are you going to fire your entire workforce? Or what if your top performers -- the people who actually get work done, and do so efficiently -- are the same people skirting your rules? Do you take the loss of a productive employee just so that the remaining employees are compliant with your network policy?
2. It's only bad for morale if others are aware of their behavior.
2a. It's only bad for security if the circumvention methods are being used to (deliberately or accidentally) exfiltrate sensitive data or cause malicious code to gain access to the network. Sure, you could have someone who's smart enough to set up a VPN but dumb enough to download a virus or visit a site with ads that exploit a Flash zero-day; but you're probably just as likely to be compromised by an employee who does not use any special techniques at all, and simply visits an ordinary site (during lunch break) that's been compromised by a bad actor or runs a malicious advertisement on your outdated "standard" browser that's chock-full of unpatched vulnerabilities.
Also, if you're *that* concerned about security, you shouldn't be allowing your employees to access the public Internet from a machine with access to internal resources or company data. Give them a separate, airgapped machine and monitor their time using it vs. their "business" machine.
2b. Bad for discipline? Sure, that's a valid argument. But no human being is so disciplined as to never go off-task. A rational, human-centric way of dealing with discipline is to enforce the minimum amount of discipline necessary for your workers to get done the assignments put before them, and don't expect 100% unrelenting focus on performing as much work as physically possible for 8 hours per day, every day. The amount of attention they need to pay to their job depends on how busy their job is. A store manager at the busiest Home Depot in the United States is going to have less downtime during the day than a security guard at a backwater office building in an area with very low crime and an office full of happy employees. If the security guard is skipping patrols or the store manager is watching Youtube instead of taking care of customers, that's a discipline problem. But most white collar workers spend at least some of their time waiting for other people to do stuff, and they should be allowed to have a little rest and mental relaxation while they do so.
And that point in 2b brings us to a point about income inequality. Although you don't need a degree to manage a Home Depot, I would be perfectly fine with an overworked store manager who's constantly got to be in "Go" mode, making much more than I do as a white-collar worker with several hours of downtime per week when I can slack off WITHOUT shirking my duties. In reality, I probably make more than them. If the compensation were reversed, I'd be fine with that - they work harder, so they deserve more pay.
Now, you might say that there's always something I could be doing instead of having downtime; but my rebuttal to that is I'm always coming up with new ideas and taking initiative to try and improve process and workflow at my job. I've been here for a number of years now, and most of the big improvements I identified have already been implemented in my first year or two, because I couldn't stand how cumbersome things were when I got here. The remaining i
It all depends on what you do with the data. The mere act of passively collecting the data is relatively benign, assuming that no action is ever taken with it and that it's securely stored away so that it can't be exfiltrated or abused. There ARE privacy concerns with this, of course, but most corporate networks explicitly state that users should have no expectation of privacy.
If your boss receives an email for every 5 minutes you spend on Slashdot or Reddit or Anandtech, and marches down to your cube and sternly tells you to get back on task, that solution will only improve productivity in the very near term. The worker will fear for their job, so they'll do their work more and go off-task less. But that will stop being effective as soon as the worker can leave to find another job, or come up with an alternative way to go off-task while avoiding detection, or half-heartedly do their work in a way that appears to show progress but isn't really (e.g. gaming the metrics). The end-game of "cracking the whip" is almost never a worker who willingly spends less time doing whatever they really would rather be doing besides working and suddenly enjoys their work more.
If, however, you collect all the data in aggregate and then discuss it during their annual performance review, and have it play a factor in their compensation, that could definitely be a strong motivator for people not to be off-task: if they associate slacking off with getting lower raises / bonuses / etc. and steady work output with higher compensation, most people will probably try to slack off *less*, at least. It also has the side effect of saving the company some money by being able to justify not giving a raise to someone who spends most of their time slacking off.
Either way, though, there is always going to be a way to game the system. If they track you at the network level, just use a proxy or VPN to an address that looks like it's on-task, or is too vague to get a sense of what exactly it is (e.g., since many sites use EC2 or S3 to serve content for all sorts of purposes, there's not a lot you can say about whether traffic to an EC2 box is business-related - maybe they're doing actual research for their white collar job?). If they're keylogging, set up a VM and plug in a USB keyboard straight into the VM. If you have decent cellular data at your desk, you could do your thing on a smartphone, assuming you can tolerate the display and input device limitations. Or of course you can just take frequent breaks into a hallway or empty conference room and use your own laptop/tablet/smartphone.
The only way to truly keep white-collar workers on task for 8 solid hours per day is to assign one supervisor per worker bee, but the overhead of that proposition is so high that no one will do it, because the costs will far outweigh the benefits.
Or there's Manna, http://marshallbrain.com/manna... which could be a possible future if AI or a close-enough approximation thereof turns out to be feasible.
With specs like that -- the worst of it being the low amount of RAM and the likely extremely slow NAND -- that phone will probably have severe performance problems with many popular apps, even some of the Google apps. I have an old "Android-on-a-stick" device with similar specs from a few years ago that can barely run the Play Store now.
And I'm not even talking about games. Web browsers, navigation apps, media players, voice assistance, productivity apps, and even shopping list apps have seen increases in their performance demands. They're doing more I/O and have more dynamic functionality than ever before.
From my experience, you're mostly fine right now if you're running at least a Snapdragon S4 Pro or later (or comparable from other manufacturers). If you have something that benchmarks much slower than that, which is likely to be the case for a $10 SoC (MediaTek?), many common apps will be unbearably slow, even if your network is fast. And the RAM factors in once you consider how many background services are running on Android devices these days. I think my Note 4 has more services running than my Windows 10 desktop that has the kitchen sink of third-party software installed.
I get what they're trying to do, but people are going to be unhappy with these devices if they try to use them for much more than a literal cellphone.
Privacy is important, indeed, but I wonder if this will also break functionality on some websites. What if the final "Buy Now" function in one of your apps is a link rather than a button? You hover over it, thinking about it; but little do you know, your browser has already made the decision for you. When you realize your bank account doesn't have enough money for the purchase, you decide not to place the order, but then you check your email and have an order confirmation ID from the vendor.
Ouch.
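The failure mode in the comment above, as an added example that is not part of the original post: a "Buy Now" link served as a state-changing GET beside a handler where GET is read-only and only an explicit POST places the order. It assumes the browser feature under discussion fetches links on hover; the request shape, the `/buy` route and the in-memory order list are made up for illustration.

```javascript
// Added illustration; the request objects, the /buy route and the in-memory
// order list are assumptions, not any real site's code.

// Request headers that browsers have used to mark a speculative load
// (prefetch/prerender) rather than a deliberate user click.
const SPECULATIVE_HEADERS = ['sec-purpose', 'purpose', 'x-moz'];

function isSpeculative(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers || {})) {
    lower[name.toLowerCase()] = String(value);
  }
  return SPECULATIVE_HEADERS.some(
    (name) => /\b(prefetch|prerender)\b/i.test(lower[name] || '')
  );
}

function createShop() {
  const orders = [];

  // Weak design: "Buy Now" is a link, so a plain GET changes state.
  // Anything that fetches the URL (a prefetcher, a crawler) places an order.
  function unsafeHandle(req) {
    if (req.path === '/buy' && req.method === 'GET') {
      orders.push({ item: req.query.item, via: 'GET' });
      return { status: 200, body: 'order placed' };
    }
    return { status: 404, body: 'not found' };
  }

  // Corrected design: GET is read-only, only an explicit POST places the order.
  function safeHandle(req) {
    if (req.path !== '/buy') {
      return { status: 404, body: 'not found' };
    }
    if (req.method === 'GET') {
      // Safe to prefetch: renders a confirmation form and changes nothing.
      return { status: 200, body: `confirm purchase of ${req.query.item}?` };
    }
    if (req.method !== 'POST') {
      return { status: 405, headers: { Allow: 'GET, POST' }, body: 'method not allowed' };
    }
    if (isSpeculative(req.headers)) {
      // Defence in depth: never act on a request flagged as speculative.
      return { status: 400, body: 'speculative request refused' };
    }
    orders.push({ item: req.body.item, via: 'POST' });
    return { status: 201, body: 'order placed' };
  }

  return { orders, unsafeHandle, safeHandle };
}

function demo() {
  // Constructed sample requests: a hover-triggered prefetch and a real click
  // on the confirmation form's submit button.
  const hover = {
    method: 'GET', path: '/buy', query: { item: 'sku-1' },
    headers: { 'Sec-Purpose': 'prefetch' },
  };
  const click = {
    method: 'POST', path: '/buy', query: {}, body: { item: 'sku-1' },
    headers: {},
  };

  const weak = createShop();
  weak.unsafeHandle(hover);

  const fixed = createShop();
  const hoverResponse = fixed.safeHandle(hover);
  const fixedOrdersAfterHover = fixed.orders.length;
  const clickResponse = fixed.safeHandle(click);

  return {
    weakOrdersAfterHover: weak.orders.length,
    fixedOrdersAfterHover,
    hoverStatus: hoverResponse.status,
    fixedOrdersAfterClick: fixed.orders.length,
    clickStatus: clickResponse.status,
  };
}
```

The header check is only a secondary guard, since a prefetcher is not obliged to label its requests; keeping GET free of side effects is what prevents the accidental order.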
The most galling fallacy in this short statement isn't that he thinks "geeks" aren't creative; it's that he thinks art education makes people creative. Here's some news for you: it doesn't.
The MOST an art class can teach you is to learn how to follow the design memes of people who came before you. However, this is not necessarily a good thing. Those design features may have been very creative and engaging when they first started being incorporated into works, but if they are used in such a widespread way as to be monotonous, it actually makes a product *worse* to start throwing them in.
Consider, for instance, how many games have a soundtrack that is extremely similar to every other game in their genre. It's not similar enough to lead to a copyright infringement lawsuit -- usually -- but it's "generic" in the sense that it borrows 90% of its design features from past works, whether previous titles from the same developer or competitors. These soundtracks often receive poor reviews when they don't stand out in any particular way from the other games that came before, and players tend not to remember the music after they stop playing the game.
On the other hand, the best, most memorable and enjoyable game music soundtracks that have existed have all been extremely original, with major innovative design features that give a distinct "feel" or "sound" to the title. This can be VERY powerful and greatly boost the sales of the product.
Similar comparisons can be made of visual assets in games, of course.
The problem is, even though you can teach someone to mimic what's been done in the past and grade them on their ability to do so, you can't teach people to be able to come up with entirely new design features or concepts on their own. And if you tried to grade an art class based on how unique or original the design features were, most students at the high school and 4-year degree level would fail the class because they couldn't think of anything creative that was also good (you could technically consider any random selection of features to be "unique", but not all things that are unique are beautiful, appreciable, or easily digestible by the person accessing (reading/viewing) the work.)
Most truly creative, novel design features that win awards and universal acclaim happen *spontaneously*, without any sort of directed methodology used to derive the aspects chosen. Sure, the creator may digest some existing art aspects of the game as "input" when trying to determine how to come up with more assets (textures, sounds, music), but even with that input, there are numerous ways you could go with creating the new content that seem equally viable from the outset. It's not until you get others to experience your content that you start to get feedback, like, "wow, this is incredible!" or "this sounds very generic".
So yeah, throw away money, making coders spend extra hours bored in art class doing watercolor paintings, as if that's going to make England's creative output any better. People who are born to be creators tend to do whatever they love doing on their own, without having to be forced to sit in a class to do it. You really can't force creativity, or the "forced-ness" of it becomes obvious in the content that's been created. That's just the way it is.
And don't even get me started on the stereotype that "geeks" are lacking in creativity. Coding shops used to ask people in interviews what their creative outlet is, whether it's singing, playing instruments, drawing, etc. - and those who didn't have any to speak of were often passed over in favor of candidates who had a creative passion. I imagine that type of thinking is even more prevalent in game studios, though I've never worked at one.
It's not true that the battery suffers the same kind of "charge cycle" whether you're charging it from 0% to 96%. For lithium ion batteries, there is no "memory" effect, but there is a "depth of discharge" effect. A deeper discharge will reduce the battery's maximum capacity more severely than a minor discharge.
It's not the act of plugging the battery into the charger that reduces its usable life; it's the process of actual charging. If you're doing less charging, your battery lasts longer. If you regularly drain your battery because you're under the misconception that all charge cycles affect the battery in the same way regardless of depth of discharge, you're actually making the problem much, much worse by discharging the battery completely.
In actual testing, the best results have been to charge the battery once it reaches 70 to 80% of its maximum charge level (as in, the max it can actually hold before the charging circuit cuts off, not the theoretical max that's advertised by the manufacturer). This depth of discharge doesn't really put much stress on the battery, and it doesn't generate as much heat as having it constantly plugged in, so it's a happy medium.
I'm *probably* going to buy the Note 5. I'm not 100% positive yet, but it's likely. I currently own a Note 4.
Why? Well, a few reasons.
First, between my SD card and the internal storage, I'm barely using 28 GB of space on my Note 4. Getting the 64GB model of the Note 5 still provides me plenty of room. And this is with having the Note 4 since launch day, and never deleting any pictures or videos I've taken (and I took something like 200 pictures during a vacation). Even if I kept the Note 5 for 2-3 years -- which is unlikely -- I'd literally have to spend MAYBE 1 or 2 hours over that entire 2-3 year period moving old pictures and recorded videos from my phone to my desktop and/or Google Drive and/or my dedi's FTP server. Then I'd be back down to a reasonable margin of free space again.
Second, whenever I go anywhere with my phone and either do not know how long I'll be without a chance to charge, or know that I will be somewhere for long periods without being able to charge, I always bring my 10,000 mAh battery case. Having the Note 5 sealed off isn't going to stop people from making battery cases; they'll just have to plug into the USB port. I'm not afraid of having a bulky or heavy phone if I need the extra juice. However, I don't actually need it all that often: most of the time I'll either be at home or at work, both of which are places that I can charge my phone without worry. Those also tend to be the two places where I use the phone most heavily and thus would be using the most energy, but it doesn't matter because I can leave it plugged into the charger, or periodically charge it when the battery gets low.
Third, my household has one other smartphone, a Motorola Droid Maxx, that has a non-replaceable battery. This phone is still in use about 2 years after it was purchased, and its battery life is still very good. The battery's capacity hasn't been reduced as much as some people claim. Heck, my power-hungry 1-year-old Note 4 probably gets WORSE battery life than the 2-year-old Droid Maxx because the Note 4's SoC and screen use significantly more energy than the comparatively simple components on the Droid Maxx, yet both have nearly identical battery capacity (out of the factory, that is).
I really DISLIKE the fact that they're taking away the microSD and the removable battery, but for me it's not a deal-breaker. The S-Pen latency reduction might finally enable me to take notes regularly on my phone, thus eliminating the need for pen and paper. And the more efficient Exynos chipset provides better performance than Snapdragon with much better energy efficiency at idle or background workloads.
I definitely prefer functionality and utility over appearance, but I imagine one of the advantages of having a non-removable battery is that you can make the unit slightly more water resistant. It's not IP6x certified, no, but I can see the tiny separation between the back cover and the main chassis on my Note 4. That separation should be more or less sealed off with the Note 5.
Deserialization vulnerabilities are a general problem with any runtime platform that supports ser/deser of in-memory objects to and from disk (or the network, or anywhere else you can deserialize to, e.g. stdout).
There isn't a whole lot the runtime itself can do to protect your code from deser exploits, since it doesn't know about the internal structure of your object data. Built-in support for ser/deser is pretty barebones and generic; if not customized, it can often serialize things in a way that is grossly inefficient or just plain wrong. It might also, by default, pick up other objects or parts of your program that you *don't* want serialized. You could argue for an improved language design that would build serialization primitives closer into the language syntax or the precompiler or compiler, and have robust checking for various types of problems; but a good static analyzer should probably be able to find these issues even if the compiler doesn't check for them.
As the article says, it seems like they are doing a class-by-class search over the Android built-in classes (of which OpenSSLX509Certificate is one, but this is notably NOT in the Oracle Java SE platform, nor in OpenJDK) to identify cases where these classes' particular serialization code (or lack thereof, if they're letting the runtime do it automatically via `implements Serializable`; I'm not sure which it is) might have vulnerabilities. Even if they find a vuln in a class which Oracle Java also has, there's no guarantee that Oracle's is also vulnerable, since they don't share a common codebase. Android uses some API definitions that apparently infringed Oracle's copyright (according to a judge, anyway), but they definitely have not lifted any of Oracle's implementation.
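The two points above (the default mechanism writing whatever fields it finds, and the runtime not knowing which classes a stream is supposed to contain) as an added Java example that is not part of the original comment or of any project it mentions. The `Session` and `Unexpected` classes and all values are constructed for illustration, and the code assumes a standard JDK 9 or later for `java.io.ObjectInputFilter`:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserDemo {

    // Constructed sample type. With plain "implements Serializable" the runtime
    // writes every non-static, non-transient field it finds.
    static class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final int quotaMb;
        // Marked transient so the default mechanism does not pick it up.
        transient char[] apiToken;

        Session(String user, int quotaMb, char[] apiToken) {
            if (!valid(user, quotaMb)) {
                throw new IllegalArgumentException("bad session fields");
            }
            this.user = user;
            this.quotaMb = quotaMb;
            this.apiToken = apiToken;
        }

        static boolean valid(String user, int quotaMb) {
            return user != null && !user.isEmpty() && quotaMb >= 0 && quotaMb <= 10_000;
        }

        // Deserialization does not run the constructor above, so the same
        // invariants are re-checked on the values read from the stream.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (!valid(user, quotaMb)) {
                throw new InvalidObjectException("session fields out of range");
            }
        }
    }

    // Constructed stand-in for any serializable class this stream should never carry.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Reads a Session through an allowlist filter: only the named classes are
    // accepted, everything else is rejected before it is instantiated, and the
    // stream is capped in depth and size.
    static Session readSession(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxbytes=4096;"
                + Session.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return (Session) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Session original = new Session("alice", 512, "constructed-token".toCharArray());
        Session copy = readSession(serialize(original));
        System.out.println("user=" + copy.user + " quotaMb=" + copy.quotaMb);
        System.out.println("token survived round trip: " + (copy.apiToken != null));

        try {
            readSession(serialize(new Unexpected()));
            System.out.println("unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("unexpected class rejected: " + e.getMessage());
        }
    }
}
```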
But how unlimited is unlimited? Don't you get throttled down to 2G speeds if you use more than a handful of gigs of data?
You can buy a phone outright from Amazon that's licensed for the Verizon bands (or buy one used on eBay or Amazon or elsewhere), stick your activated SIM card into it, and off you go. If your SIM card is too large or too small for the new phone, there are cutters and adapters to move in both the "larger" direction and the "smaller" direction.
If you're willing to pay, you can definitely get either a new, like-new or used phone of any make or model that runs on Verizon's network, and get service, without ever having to directly do business with Verizon Wireless or any of their associates in order to make the change.
By the way, Best Buy will let you buy a full retail phone too, last I checked.
Or maybe you might have an airgapped "kiosk", with a keyboard and/or mouse and a dedicated application running modal (so it can't be bypassed to access the OS, perhaps without some hardware hacking). If it's non-networked, or only networked locally to some other system on-site, but still accessible to "users" who aren't fully trusted to the same level as the CEO (e.g., line employees, general public customers, etc.), you might want to patch it *for* security vulnerabilities, such as "if the user presses Ctrl+Alt+Del, they can access the desktop" (or something equally based on the concept of user input -> system access). That would be an example of a software-based security exploit on airgapped equipment.
This company (or whoever wrote TFS/TFA about them) seems not to understand the concept of a zero-day vulnerability.
It is ridiculous to say that one is not vulnerable to zero-day attacks. They are, in security parlance, the "unknown unknowns" - the things you don't even conceptually know of as vulnerabilities right now. One cannot design a networked computer system with any functionality whatsoever in which they can somehow know and anticipate the "unknown unknowns" (as opposed to the known unknowns, some of which can be mitigated if you're lucky).
The unknown unknowns are, by definition, *not yet known*, so you can't design a mitigation against them until *after* you are aware of them. If awareness comes in the form of a zero-day hack, then you will fail to defend against the attack at the time it hit due to your lack of information about the attack vector.
Also, unless this company has full access to all Windows source code for the build they have, it is very likely that one singular memory-based mitigation will not be effective against every possible attack vector that exists in the Windows codebase. So unless they have performed full formal methods verification of the entire Windows codebase to guarantee that there are no "unknown unknowns", and then fixed every security vulnerability that exists in the product in the original state in which they received it from Microsoft, this is basically snakeoil.
Also, don't we already have ASLR? The mind boggles at the stupidity of these people. Who do they seriously think is going to buy this?
Actually, forget I asked. They said their target was governments. I have no doubt they will sell thousands of licenses.
To me it sounds like you are implying that, if the Great-Man "theory" were 100% representative of reality, and the big-shots WERE responsible for the majority of the work leading to the success of a product, the pay we dole out to CxOs would be justified.
But I disagree even with that notion. I don't think there's anything that justifies the abject poverty that, quite literally, the *majority* of the people on this planet have to suffer through. Not only is letting this many people live in poverty *morally wrong*, but it also carries many severe consequences with it, which affect the entirety of humanity and the health of the planet itself. And yet this is what our post-WWII magical thinking has begotten. Let's count the ways in which this severe income inequality makes things worse, not even counting the important fact that these human beings are living in *misery* and we should feel terrible for letting it go on this way.
1. Large-scale poverty causes war. Why do you think the terrorists do what they do? A very large part of it is income inequality (and, yes, it's self-perpetuating because bombing them makes them poorer, hurts their economy, and makes them hate us because we killed people they knew). Do you really think they'd hate us if we hadn't ruined their economy and left them destitute? Do you really think a bunch of well-to-do middle class citizens making a healthy living wage would be able to be radicalized to give up their life with a suicide bomb? No. And without the masses behind them, any terrorism that *would* attempt to rise up would get shut down pretty quickly for lack of resources.
2. Large-scale poverty causes overpopulation, which further causes large-scale poverty. When people have nothing else to look forward to in life, they reproduce -- especially when they are without the tools to prevent pregnancy. It's about the only fun time that can be had when you can barely find enough food to survive and have no time or money to be entertained materialistically. This becomes a positive feedback loop, because it's that much harder to provide a comfortable life for more people than it is to provide the same level of resources to fewer, so the problem just gets worse.
3. Large-scale poverty causes disease, which is extremely expensive to fight, which leaves less resources for higher activity. If we spend a lot of resources just trying to keep people from death, we have even fewer resources left over to help people enjoy life and thrive. Poverty and overpopulation both increase the costs of healthcare because of the reduced ability to prevent disease in poverty-stricken environments. This forms a nasty three-sided positive feedback loop, where each negative action causes the other two problems to get worse. The only negative factor is that eventual death from disease helps the overpopulation problem, but we end up spending even more resources to help prevent that in many cases.
The utilitarian principle would suggest that we should redistribute resources evenly to uplift the poor, but the problem is, I don't think there are enough resources that we can gather and sustain on this finite planet to actually provide a middle-class life for every living person right now. Even if we halved the world population we'd still not have enough food and materials to do it. We're well past the point where our population is unsustainable, so any return to sanity is going to necessarily have to involve millions upon millions of premature deaths, OR a very widespread abstention from reproduction for a large percentage of the world's population, combined with replacement-level population stagnation elsewhere. And no one has any solid ideas for how to do any of that.
Most likely, human nature will force us to choose the ugliest and most horrible possible outcomes for the billions who will have to die in order to stabilize the planet and the economy: war and famine. I don't see anyone advocating for the alternatives in any meaningful way.
By the way, whoever modded your post "flamebait" was right, except this was more of a rant (to no one in particular) than a flame of you.
Don't try to upgrade from Windows Update. Just don't. It'll fail. Something is borked with the download process. It'll probably be fixed in a week (or even today, maybe), but for now, to be on the safe side, just go to this link - https://www.microsoft.com/en-u... and download the ISO. Then burn it to a DVD or install it onto a USB drive of sufficient capacity, and away you go. Not sure if it would work if you mounted it to a virtual drive, but worth a try.
I updated 3 systems (a 3 year old desktop, a 2 year old laptop with hybrid graphics, and a virtual machine in VMware on a 4 year old craptop) and did not have any upgrade issues. The only problem I had was on my desktop, where I would occasionally get a MEMORY_MANAGEMENT BSOD when viewing the start menu, until I updated my AMD Catalyst drivers to the latest on the AMD site.
Some more pitfalls:
- If you have exotic or rare network cards, graphics cards or printers, you may want to hold off to see if people with your hardware have similar problems.
- Is your GPU (graphics card, whether it's on the CPU, on the motherboard, or an expansion card) *more than* 4 years old? If so, you may have some problems, especially if it's by Intel.
- Do you have any programs installed which install custom software into the OS kernel ("kernel modules" / "drivers")? Things like: virtualization software (VMware, Virtual Box), VPN software (OpenVPN, SSL VPN clients, etc.), certain audio / video production software, etc? If you see anything in Device Manager that isn't actually a piece of hardware and sounds like it's associated with a program you have, chances are good that the answer is "yes". You should really consider uninstalling these programs before you upgrade to reduce the potential for incompatibility in the kernel. Then you can try to install them after the upgrade is complete, where the driver will hopefully fail to load "gracefully" and error out of the installer if it turns out to be incompatible.
- Is your system *extremely* "hacked up", with extensive deep-running customizations to the UI, .NET framework, kernel, or other things like that? You should probably not attempt an upgrade, especially if the vendor/developer of these changes is not a well-known commercial entity with an established footprint.
Summary: If you have a computer that was purchased new with current-gen hardware within the past 4 years, and you don't have anything more than web browsers, office programs, and games installed, you should have no problems upgrading. If you have a much older computer, your risk of breakage is higher. If you have deep customizations to the OS, your risk of breakage is higher. If you're in doubt, hold off until others with similar configurations try it first and report their results. But for the love of God, use the ISO, not Windows Update, to upgrade.
One thing you could do is write up a custom license and have contribution bounties.
The license would go something like this:
- Only "Your Company" can sell either the code (any part of it), any derived works based on the code, or the binaries.
- Any party who pays for a license for the "Ultimate Plan" (or whatever you want to call it) gets a copy of the source code.
- Any party that does not have an "Ultimate Plan" does NOT get the source code, and MAY NOT distribute any binaries they get, whether purchased from you or given to them by others.
- Anyone who has a legit copy of the source code may distribute binaries (modified or originals) to any third-party they wish, royalty-free. That third party can only use and distribute the binaries but may not modify or view the code unless they also have an "Ultimate Plan" with Your Company.
- Anyone who distributes modified binaries to others containing changes that they themselves made using the source code, MUST provide the source code changes they made back to you (for free).
- Anyone who does NOT distribute modified binaries to others MAY do one of two things: either keep all their code/binary changes a "secret" (don't share them with anyone), OR they may submit them for a Contribution Bounty to Your Company. Your Company will look at the source code (without storing a copy of it or taking any ideas from it) and place a value on it, and offer a "take it or leave it" monetary compensation for the contribution. If accepted, Your Company will receive copyright attribution to the code, so you can do whatever you want with it. If refused, Your Company must destroy all copies of the code/binaries you got from them.
So we'd have situations like the following:
Scenario A: The University of Vulcan buys your Ultimate Plan and has the source code. Their researcher comes up with an innovative new algorithm that will make your software better. They use it and your product in a paper, and distribute their compiled binaries so other researchers can test it. As soon as they go to distribute modified binaries to third parties, they realize that they are now required to give you back the source code they changed. They comply with the license and do so. You win because you get code to enhance your product for free. The university wins because they can give away their modified copy of your product to other researchers as a way of demonstrating their work.
Scenario B: The University of Tassadar buys your Ultimate Plan and has the source code. Their researcher finds a neat security vulnerability in your product. They don't have any incentive to share it with anyone else, but they want to bring in some revenue from it, so they sell the vulnerability details and patch to fix it to you for $5000. The university wins because they got some money (and the guy can probably write a paper on it). You win because your product has one less security vulnerability.
Scenario C: An independent self-taught researcher wants to use your product. They are not a very advanced user so they don't have a special need to modify the code. For a reasonable price that a person making a living wage (or slightly less) can afford, they go to your site and purchase a "Basic Plan" that gives them access to the binaries and some type of support. The researcher wins because he got a good product at an affordable price. You win because you made money.
Scenario D: An independent researcher knows a friend who's also a researcher as part of a large institution with an Ultimate Plan. The independent guy wants to use your product, but is very poor. Since he knows the guy from the institution, he gets him to provide a binary, free of charge, so he can work on stuff that needs to use a product like this. The independent researcher benefits by getting access to your product for free without breaking his budget. The institution benefits by increasing its networking with the larger scientific community. You benefit because you alread
As much as I find it distasteful to recommend a license that is Open Source but NOT Free Software, you may want to check out the Reciprocal Public License: http://opensource.org/licenses...
It basically says that anyone who makes any changes to the software, whether they're "just internal" or distributed to a third party, must share those changes back to the community.
It would allow your company to release your software under Copyleft terms similar to the GPL, but with an added *restriction* that prevents companies (and individuals) from modifying your code to suit their purposes and then not distributing the code to you.
Of course, people are free to violate your license and never tell you; enforcement of the license in the case of non-distribution would be difficult to impossible without unauthorized trespassing on their property to obtain evidence (and then you have fruit of the poisonous tree).
The RPL tries to write into the license what many (most?) developers do anyway: if you're going to make any enhancements, give them back to the "mothership" so they can include them in the main product, thus making the main product better.
You'd have the following situation, thus:
(1) Individuals are so unlikely to be caught that, unless they are very careful and deliberately ethical, they will probably not respect the wishes of the RPL.
(2) Companies are less likely to knowingly violate the license because of the risk of possible damage to their reputation in court, but you may find employees within a company who choose to "risk it" and not inform their management about the risks of not distributing their changes to RPL'ed code. So you'd have a certain group of companies that WOULD contribute back (to comply with the letter of the license), and a certain group that WOULDN'T contribute back (and risk the consequences if it's ever discovered).
Funnily enough, you wind up with a very similar situation with the GNU General Public License or Affero General Public License 3.0, except that:
(1) Not distributing their code is *legal*, unless they distribute binary copies to someone who is considered not to be a member of the organization. So an employee can legally hand his coworker a binary-only copy of your product, but if he gives it to his neighbor or posts it on a mailing list, he would be obligated to include the source code, or at least an offer to provide the source code upon request (possibly with a monetary fee attached to the distribution medium; the fee does not have to be reasonable or cheap).
(2) Some third party who (legally) gets a copy of the binaries from them could go through the process of obtaining the source code, as they'd be entitled to, and they would then be free to hand you a copy for free (or not, as they please). Basically anyone willing to pay the distribution fee / ransom would be able to "liberate" the code by posting it on Github, and that would be 100% legal.
(3) You'd *still* have companies and individuals in both the "not sharing with you" and "sharing with you" camps, except that those who choose *not* to share with you are not necessarily violating the license of the code (unless they give you binaries only, and then cackle maniacally and refuse to hand over the source).
Enforcement concerns make the *expected outcome* of licensing under either the GPL3/AGPL3 or the RPL1.5 almost identical, except that you would be technically entitled to sue anyone you happen to witness as having made modifications to the original source without sharing those modifications with the original developers (you). But the likelihood of you actually finding someone foolish enough to violate your license, and then willingly share that fact with you, is pretty low.
Three parts to my post here. Part 1: WHAT do people (often) do that's against security policy. Part 2: WHY do people (or at least, me, and people I know) do it. Part 3: Soapbox ("wot I think"), aka why I think this type of policy is silly and what I'd do differently.
Part 1: The "what"
- (Obvious, since it's in TFS) Using your smartphone/tablet while at your desk, assuming that's disallowed by policy.
- Bypassing the firewall/proxy at work by routing through a remote server or VPN, using, e.g. stunnel, OpenVPN, or whatever else can be hacked up (worst case, build a website that accepts a remote webpage as a URL and tunnels all the resources through it).
- Installing/running software, whether it shows up in Add/Remove programs or not, that isn't explicitly approved by IT management. Example: portable apps, VB Scripts, Java class files or JARs, .NET IL, etc. often fly "under the radar" of programs that try to detect and prevent the installation of unauthorized software.
Part 2: The "why" (from the perspective of employees)
- People who want to "get work done", but need to access information out there on the intarwebz that happens to be blocked by an arbitrary and capricious firewall program, will acquire code, programs, or even just plain *knowledge* from remote third-parties, and will do so using either proxy-bypassing, tunneling, or third-party Internet connections (like the 3G/4G data connection on their phone).
Often, people will perceive the monolithic "IT" organization as opaque, impenetrable, overly bureaucratic, and taking way too much time, money and resources to acquire the software needed, permit the actions needed, whitelist the knowledge sites needed, etc. in order for people to get work done. They may also have the idea (real or perceived) that the IT organization would actually prohibit the action they're trying to take, but they may feel that their decision is actually in the company's best interests.
They may (or may not) go through their own vetting process of the knowledge/software they are acquiring in order to determine if it is malicious or not, and once satisfied, they may implement it under the nose of IT. They might be doing this because they feel that the IT organization is being overly cautious or needlessly paranoid or poorly informed about the knowledge/software/code they are acquiring, and, given a limited amount of time and budget, they need to get their work done or they will be on the hook for not having it done when the deadline hits. I'll assign this category of activity the term "skunkworks" for the sake of brevity, with the general idea that these activities are actively beneficial to the organization, come with a low risk, generally have very little impact on IT infrastructure, and very high upside for the company.
- People who want to participate in social networking, banking, personal email, etc. in cases where these services are blocked from their work computer, will often access them from a personal device, OR from the work device after taking the measures mentioned above. They are not willing to leave the work area in order to tell their spouse to order pizza tonight, order tickets to a baseball game, or check if they'll overdraw their checking account by stopping by the store tonight. This might also extend to watching a short Youtube video for pleasure, e.g. if you remember a meme and want to share it with a coworker because a conversation you had made you think of it.
They may feel that their actions are harmless to the company and benefit them, and are unwilling to give up this freedom for the sake of the company, because they need to live their lives and can't work eight hours straight like a robot without interruptions from real life. After all, even if they adhered strictly to the policy, they would have to spend a lot of time temporarily out of the office to handle these issues; the issues don't go away just because the employee is compliant with policy - their pr
It's a bit off-topic relative to this OP, but I wonder how long it'll be until AT&T and Verizon just decide to unilaterally either (A) move people off of unlimited plans and onto limited/shared plans; or (B) threaten to cancel their service entirely if they refuse to move to a new plan.
As an unlimited subscriber, this prospect scares me a bit every time I think of it. I know that unless we're able to change the carriers' attitudes about unlimited (which is really an uphill battle for many reasons), the day will come when they pull this. AT&T, generally being the forerunner in screwing customers, will probably do it first, with Verizon following along like a loyal lapdog 6 months later (or thereabouts).
How long can this continue? I'm really not ready to move into a world without unlimited data, but it's coming whether I want it to or not. :(
Frame it however you want, Libertarian free-market scum. You're so narrow-minded that you couldn't see your hand if you held it right in front of your face. To put it in terms that your tunnel vision paramecium brain can understand, people are rapidly starting to no longer be willing to pay $10 per GB. With the emergence of alternatives to doing so, it's only a matter of time -- a time short in comparison to how long they've been milking $10/GB -- until their market dries up. So they can either drop their prices or go out of business. The choice is theirs.
Picking one tiny piece of my post and applying your dogma to it while insulting me is not going to win you any arguments.
A gigabyte of data transmitted over the public Internet is not worth a dollar, much less $10. Carriers do not *need* to charge that much, but they choose to because it's profitable and you don't have any other choices.
Well, you do, kinda. You can "rent" an unlimited data plan from someone who has one grandfathered on Verizon or AT&T, on eBay. It'll be expensive, but if you use data like nobody's business, it's the best way to go. Don't do this if you plan to "sip" data, though, or you'll end up paying MORE than you would with a cheap limited plan.
Then there's T-Mo as someone else mentioned, but they have the huge downside that you get throttled after a certain amount of data. And the throttling is brutal. You can barely function after you're throttled for the month. It'd be fine -- great, even -- if they reduced it to 25% of full speed. But no, they bump you down to what basically amounts to 2G, if it isn't *actually* 2G. This is not a practical Internet connection for most purposes because everything will timeout trying to use it.
Then there's Sprint. I think they're still selling unlimited data plans without throttling *in most cases*, but if you're in the top 5% of users AND you're in a congested area (cell tower is saturated), they'll throttle you.
I'd rather have T-Mo OR Sprint over a "hard cap" data plan with overage fees beyond the cap. But my preference is still for the unlimited data plan I have from Verizon. I don't have any good suggestions for how to manage your data with a 2 GB cap because I would be unable to do that myself. I don't think it's a reasonable cap and it's not acceptable in 2015. The minimum plan should be 10 GB and they should make that as cheap as their current minimum plan.
The carriers have got to stop gouging the public for access to Internet services. It's killing the economy because so many other businesses besides the carriers depend on customers having unrestricted Internet access to profit from customers demanding their services.
Analogy: If you can't afford to pay the toll at the toll bridge, how are you going to get to the other side of the river and buy a new car at the dealership there? Well, you won't - the car dealership will go out of business for lack of customers. This is actually happening in the digital economy today.
Catastrophic Chinese FOODS triggered by air pollution.
I could believe that.
Did this immediately remind anyone else of One Must Fall 2097, the DOS video game that you loved growing up?
Mechanic: "Humph. You think you're pretty good, don't you. Well, if I was younger, I'd show you a thing or two."
The article offers a few speculations for why the data is skewed this way, but none of them are backed up by hard evidence, and there are numerous other possibilities that are no more or less plausible:
- Maybe these early adopters are just the *wrong kind* - if there is some correlation between their buying habits and social attitudes, maybe these early adopters are not very social? A product becomes mainstream when it has word-of-mouth viral marketing. If the people you reach initially tend not to speak to others advocating products they buy, you're not getting the "multiplier" effect, where one early adopter can lead to 50 or 100 or 1000 second or third-generation adopters who buy it because a friend told them it was good. If this virtuous cycle never gets started, you rely on much less effective external marketing, like TV ads - people are bombarded with so many ads that we treat them with a natural skepticism and disdain now, so many people actively dislike the ads.
- Maybe you determine who your market is by advertising? Some subtle cue in the advertising you're putting out, intentional or otherwise, could be attracting certain types of people while having attributes that strongly turn off the mainstream audience. If you're targeting the mainstream audience, your commercials cannot contain any feelings or opinions or even visual cues that the mainstream dislikes.
- Maybe it's just random luck.
My "build" of an OS out of constituent components would be:
- Pure 64-bit; never never never never never any 32-bit support whatsoever throughout the software ecosystem
- The Linux kernel
- Solaris Zones (containers) able to host the latest Linux userspaces as well as an optional BSD and Solaris userspace with no virtualization
- ZFS (okay, probably the latest version from Oracle is better than what Illumos has, so let's go with that)
- An open-source version of Microsoft's WDDM as the graphics hardware abstraction layer (drivers are then built on that and are fully open source)
- The best of Linux cgroups and namespaces reconciled with Solaris Zones
- For a hypervisor (if you need to run Windows), Xen dom0/domU would be available
- Dtrace from Solaris
- kdbus
- systemd core, but omitting many/most of the optional components (available as packages but not installed by default)
- RPM for the package format, including Delta RPMs (drpms) for updates and LZMA compression on the package payloads
- aptitude or yum for the package management interface / downloader
- GNU bash
- Entire system compiled with clang by default, but with gcc available as a working alternative (competition is good; One Compiler To Rule Them All is bad for progress)
- A fully working, optimized, functionally validated Win32 and Win64 emulator (including graphics libs) supporting Windows Desktop apps that require any version of Windows from 95 to 7, for those legacy apps that just won't die
- Both the latest open source versions of Java and .NET installed, available by default, and automatically updated with no nags, but with neither one shipping any browser plugins
- No Flash!