Firstly, Microsoft has invalidated the cert (at least to my knowledge).
Your knowledge is incorrect. At the request of the Dutch government, Microsoft deliberately did NOT patch its systems from that country... until several weeks later when the government's request was made public and they retracted their request.
But Microsoft HAS pulled the cert, whereas your comment was written as if they have not yet done so. And my knowledge of this is not incorrect unless you are still implying that Microsoft has yet to invalidate those certs.
Secondly, it is not at all clear how moving to ipv6 tells the corporations to eat a bag of dicks
Perhaps not to you, but to the rest of us who have read the standard... end to end encryption means no man in the middle attacks, no certificate authorities, etc. Every organization has access to its own key in DNS, and if someone tries to replace it, anyone who has connected to it previously would know.
It does not mean no man in the middle attacks. Even with IPSec you still have to trust, whether you are trusting a CA or the DNS, you are still trusting. If your ISP is your DNS provider, and they are also the best positioned to implement MITM attacks, then unless you have a shared secret, using a CA in a country like Iran may actually be more secure.
I'm not sure the parent post should really be moderated up, as it is now, since it seems to be reasonably misinformed.
Firstly, Microsoft has invalidated the cert (at least to my knowledge).
Secondly, it is not at all clear how moving to ipv6 tells the corporations to eat a bag of dicks while informing them that our data is not for sale anymore. The concepts (ipv6, dicks, and our data) all seem mutually exclusive.
"but I doubt they will let you turn off the Metro UI completely."
Incorrect.
Are you alleging that I do not doubt? Please let me assure you, that I do indeed have my doubts about the situation.
Furthermore, I stand by my doubts that you will not be able to turn off the Metro UI completely (or, at least, perhaps not easily). As far as I know, every boot of windows 8 will boot into the Metro UI first. Perhaps there will be hacks (or hopefully just settings) to boot into the desktop UI directly, but I am not aware of any of these having been revealed just yet. Please let me know if you have further information that elaborates on the situation.
There is a button to go to the desktop, but I doubt they will let you turn off the Metro UI completely. Microsoft is essentially using windows 8 to force their way into the mobile market. If every user is suddenly familiar with the windows phone UI, and all of their applications suddenly work seamlessly with their desktop and the windows phone OS, then maybe that windows phone starts to look that much better.
It is actually a rather brilliant move (not that I endorse it in any way) by Microsoft to leverage their desktop supremacy into the mobile space while seemingly avoiding anti-trust issues. I am sure that some of their competitors may try to call them out on this, but it seems like it would be an upward legal battle.
The best theory that I have read in regards to what prevents 3rd world nations from developing is that it is due to government corruption. The essential gist is that government corruption prevents a legal system from forming and foreign investment from arriving to create infrastructure.
That is not the point that the original poster is referring to. What is being referred to is that if you pay off trolls, you probably shouldn't announce that you pay off trolls, or you will end up with more trolls coming at you.
This is why the comment by the CEO is being referred to as stupid, since saying something like this can only lead to more patent trolls and nothing positive for the company.
I'm slightly torn on this. On the one side, this means that there won't be ridiculous class action settlements where the class members get a $5 coupon towards future purchases while the lawyers get millions of dollars. On the other side, it effectively removes the only real consumer protection from wide spread practices.
I'd have to say, I'm leaning more towards it being a bad thing.
Under the current law, you are not responsible for illegal uses of your shared connection if you were unaware of said uses and did not filter the access / use (this is the common carrier protection). I am not a lawyer, so do not take that as legal advice, but this describes a reasonable interpretation of the law.
In regards to your analogy, a different standard is generally applied to physical uses of your property, especially when it comes to drug offences. However, if you can genuinely show that you did not know what was going on, and could not reasonably have known, you would probably not be found complicit (but your task would be much much harder).
If you're talking about information being sent to Apple then it's a "no".
The "no" is referring to the (believed) fact that information is not being sent to Apple, thus if your definition of track is for Apple to have the data, then they are not tracking you. However, if your definition of track refers to local storage only, then yes, Apple (or your iPhone) is tracking you.
The GP was not saying that Apple is not tracking you if the information is sent to them.
CopyOnWriteArrayList will not solve your problem. The name refers to an implementation detail used to handle concurrent access, and does not result in a copy of the array list being made (just the underlying backing array). This does not help you at all, since you cannot get direct access to the underlying backing array anyway, and creating a CopyOnWriteArrayList from an array will result in an immediate copy of the passed in array being created (so this is no better than just defensively copying before you return).
The best you can do in Java is Collections.unmodifiableList(Arrays.asList(myArray)); which will give you an unmodifiable list view of the array, backed by the array (so no copy is made). For small arrays, this will probably not be any better than defensively copying the array via System.arraycopy (and may possibly be worse), but for large arrays, there should be an improvement (if not in speed, then at least in memory).
I like this. In addition, when logging in there's no reason to send the password, when it could be hashed with a random initialization vector. All the browser has to send is proof of knowledge of the password, not the password itself. The password only needs to be sent verbatim when it's changed and during registration. This overcomes a weakness in your proposal, namely that your scheme requires authentication to set up the connection; so it can't be used for the authentication itself. The site also needs to provide a challenge to prevent playbacks, I suppose that could be part of the IV.
My intention in my original description was that your password is not sent to the site, it is used for authentication by verification of the establishment of the encrypted stream. So you would go to the https site (or maybe it would be httpss for super secure...;-), and you would be prompted (by your browser, not the site) for your credentials. You input your username and password, and only your username gets sent to the site (via regular https or what have you), and then both the remote site and your browser modify the already shared (as part of traditional SSL) symetric key with your hashed password (possibly a salted hashed password, with the remote site sending you the salt). If communication is still possible (perhaps verified with round trip random number echoed back from both the site and your browser) then authentication of both the user and the remote site has been verified.
I like your idea of shared trust / referral, but the specific implementation should be something like key signing. A site could have their certificate signed by other sites, and hopefully by one which you trust. This wouldn't be a problem for large sites, but it would still have challenges when it comes to smaller sites (who could they find to trust them, if not a CA). Ultimately, the best we may be able to hope for is for Google and other search providers to report to you (over a secure connection) the certificate that they see for a particular site (and the change history therein), so that if you see something different then you know that there might be a man in the middle attack.
There is a reasonably straight forward technical solution, that could be implemented in a future SSL protocol, to resolve the issue of trust when you already have an account on a site. A host site can add the hash of your password to the symmetric key used after the key exchange, your browser can then do the same on your side. This is essentially using a a shared secret (the hash of your password) as part of the symmetric key. The result is that no one in the middle can intercept your communication even if they have compromised the certificate.
Since most attacks are done on people who already have accounts, this is a decent improvement in security. It will not, however, prevent spoofing a site before you have an account on it, so extra precaution would need to be taken.
The implementation of this protocol would require that when initiating an https session with the server, you need to input your account credentials to your browser (not posted to the host), which then uses them to establish the SSL session.
Software can have a large impact on power consumption because, quite simply, your hardware consumes less power when it does less. So giving your system more work requires more power.
There are many reasons for this, from the architecture of modern CPUs to memory and disk usage. If you use a program that is inefficient and takes more operations (say O(N) vs O(2^N)) then power will be wasted, regardless of what hardware it is executing on.
From what I read, plutonium is pretty bad if you inhale or ingest it, otherwise not too much of a problem. If it gets into you it can stay in you for years, causing cancer and bone problems (it can get into your bones and bone marrow).
Outside of your skin, the radiation is too weak to cause much concern, but when it is inside you, the radiation is enough to cause reasonably serious harm (or at least the potential therein).
The vast majority of high end real estate in Vancouver is being purchased by offshore (read Chinese) investors / immigrants. The entire Vancouver real estate market is propped up by this foreign investment.
Unfortunately, even if the software is free, it does not absolve you from damages for distributing it. Only in the case where you negotiated a percentage only licensing deal would having a free product impact your royalty payments.
I think that the GP is referring to foreign workers in the US on Visas. If you are in the US on a work Visa, my understanding is that it is much more difficult to switch employers. And worse than that, it is difficult to even find a new employer if your current employer lays you off (you have a very limited time until you are forced to leave the country).
As a consequence, foreign workers on Visas are forced to work harder for longer hours since they don't have many other options. Unfortunately, this has the side effect of making them more attractive than local labor.
Steps: 1. Compromise account. 2. Buy in game goods with compromised account's Visa, gift cards, or (perhaps) fraudulently generated gift cards. 3. Sell in game goods for real currency.
The reason this particular developer is getting hit the hardest is probably because their game is the current best way to realize profits from a compromised account. For many other apps with in app purchases, it is probably difficult to convert your purchase back into money.
I would not hope for that. Not to knock Sanderson, but Martin writes some of the best prose in fantasy, so it would be a shame to have another author attempt to finish his work.
If you don't believe me on this, pick up a Storm of Swords and read any chapter (or just the prologue), and then compare it back to back with a chapter from another fantasy novel. In most cases the comparison is striking.
Few authors are as talented as Martin when it comes to complexity, characters, and prose.
I assume that part of the reason is that Amazon has costs associated with 3g service that you are not factoring in. All of the other "free" 3g services on the Kindle need to be subsidized somehow.
Additionally, the very fact that the Kindle has a SIM card and data access probably costs Amazon something on a yearly basis per device. Without more information it is difficult to determine what actual profit (if any) Amazon is making on the delivery fees themselves.
The timing of the article itself seems obviously related to the recent spat of negative feedback towards Apple over their newly launched pricing. The author is at least somewhat pro Apple (writes Apple app reviews for instance), but that does not discount his message that Kindle subscriptions may be equally expensive. I am curious as to which pricing model and service is actually preferred by publishers, since as far as I am aware, there have not been as many complaints leveled at Amazon's structure by content creators.
A couple of things. Firstly, GPS location detection is actually based on trilateration, but people often mean that when they say triangulation with regards to GPS (to use triangulation you would need directional antennas).
Secondly, it is impossible to find a source to disprove something that doesn't make any sense. Your proposal is akin to recommending using a brick to help someone swim. Whether phase modulation or frequency modulation are used as the data channel will not impact the success of a relay attack on proximity detection. Similarly, trilateration will only locate the location of the relayed signal.
It is not for me to disprove your hand waving at technologies you do not understand. Your argument is essentially: The US government knew what it was doing when it made GPS, so their solution must be good enough to solve this completely unrelated problem. Unfortunately, it doesn't work like that.
Yes, everyone knows the military use encrypted GPS. The techniques they use will not be helpful in this situation for proximity detection of a key to a car.
It all comes down to how reliably and precisely the round trip time from the key to the car can be determined. The entire process would need an error margin in the tens of nano seconds to ensure proximity within the tens of meters. GPS techniques have no bearing on this since they rely on multiple signals (4+ satellites) to compute timing errors, besides being one way communication.
Slashdot Mirror
Firstly, Microsoft has invalidated the cert (at least to my knowledge).
Your knowledge is incorrect. At the request of the Dutch government, Microsoft deliberately did NOT patch its systems from that country... until several weeks later when the government's request was made public and they retracted their request.
But Microsoft HAS pulled the cert, whereas your comment was written as if they have not yet done so. And my knowledge of this is not incorrect unless you are still implying that Microsoft has yet to invalidate those certs.
Secondly, it is not at all clear how moving to ipv6 tells the corporations to eat a bag of dicks
Perhaps not to you, but to the rest of us who have read the standard... end to end encryption means no man in the middle attacks, no certificate authorities, etc. Every organization has access to its own key in DNS, and if someone tries to replace it, anyone who has connected to it previously would know.
It does not mean no man in the middle attacks. Even with IPSec you still have to trust, whether you are trusting a CA or the DNS, you are still trusting. If your ISP is your DNS provider, and they are also the best positioned to implement MITM attacks, then unless you have a shared secret, using a CA in a country like Iran may actually be more secure.
I'm not sure the parent post should really be moderated up, as it is now, since it seems to be reasonably misinformed.
Firstly, Microsoft has invalidated the cert (at least to my knowledge).
Secondly, it is not at all clear how moving to ipv6 tells the corporations to eat a bag of dicks while informing them that our data is not for sale anymore. The concepts (ipv6, dicks, and our data) all seem mutually exclusive.
"but I doubt they will let you turn off the Metro UI completely."
Incorrect.
Are you alleging that I do not doubt? Please let me assure you, that I do indeed have my doubts about the situation.
Furthermore, I stand by my doubts that you will not be able to turn off the Metro UI completely (or, at least, perhaps not easily). As far as I know, every boot of windows 8 will boot into the Metro UI first. Perhaps there will be hacks (or hopefully just settings) to boot into the desktop UI directly, but I am not aware of any of these having been revealed just yet. Please let me know if you have further information that elaborates on the situation.
There is a button to go to the desktop, but I doubt they will let you turn off the Metro UI completely. Microsoft is essentially using windows 8 to force their way into the mobile market. If every user is suddenly familiar with the windows phone UI, and all of their applications suddenly work seamlessly with their desktop and the windows phone OS, then maybe that windows phone starts to look that much better.
It is actually a rather brilliant move (not that I endorse it in any way) by Microsoft to leverage their desktop supremacy into the mobile space while seemingly avoiding anti-trust issues. I am sure that some of their competitors may try to call them out on this, but it seems like it would be an upward legal battle.
The best theory that I have read in regards to what prevents 3rd world nations from developing is that it is due to government corruption. The essential gist is that government corruption prevents a legal system from forming and foreign investment from arriving to create infrastructure.
How about a video clip of a tablet long before they were ever made?
http://www.techspot.com/news/45209-samsung-stanley-kubrick-invented-the-tablet-in-2001-a-space-odyssey.html
That is not the point that the original poster is referring to. What is being referred to is that if you pay off trolls, you probably shouldn't announce that you pay off trolls, or you will end up with more trolls coming at you.
This is why the comment by the CEO is being referred to as stupid, since saying something like this can only lead to more patent trolls and nothing positive for the company.
I'm slightly torn on this. On the one side, this means that there won't be ridiculous class action settlements where the class members get a $5 coupon towards future purchases while the lawyers get millions of dollars. On the other side, it effectively removes the only real consumer protection from wide spread practices.
I'd have to say, I'm leaning more towards it being a bad thing.
Under the current law, you are not responsible for illegal uses of your shared connection if you were unaware of said uses and did not filter the access / use (this is the common carrier protection). I am not a lawyer, so do not take that as legal advice, but this describes a reasonable interpretation of the law.
In regards to your analogy, a different standard is generally applied to physical uses of your property, especially when it comes to drug offences. However, if you can genuinely show that you did not know what was going on, and could not reasonably have known, you would probably not be found complicit (but your task would be much much harder).
I think that you misread the GP. When he says:
If you're talking about information being sent to Apple then it's a "no".
The "no" is referring to the (believed) fact that information is not being sent to Apple, thus if your definition of track is for Apple to have the data, then they are not tracking you. However, if your definition of track refers to local storage only, then yes, Apple (or your iPhone) is tracking you.
The GP was not saying that Apple is not tracking you if the information is sent to them.
CopyOnWriteArrayList will not solve your problem. The name refers to an implementation detail used to handle concurrent access, and does not result in a copy of the array list being made (just the underlying backing array). This does not help you at all, since you cannot get direct access to the underlying backing array anyway, and creating a CopyOnWriteArrayList from an array will result in an immediate copy of the passed in array being created (so this is no better than just defensively copying before you return).
The best you can do in Java is Collections.unmodifiableList(Arrays.asList(myArray)); which will give you an unmodifiable list view of the array, backed by the array (so no copy is made). For small arrays, this will probably not be any better than defensively copying the array via System.arraycopy (and may possibly be worse), but for large arrays, there should be an improvement (if not in speed, then at least in memory).
I like this. In addition, when logging in there's no reason to send the password, when it could be hashed with a random initialization vector. All the browser has to send is proof of knowledge of the password, not the password itself. The password only needs to be sent verbatim when it's changed and during registration. This overcomes a weakness in your proposal, namely that your scheme requires authentication to set up the connection; so it can't be used for the authentication itself. The site also needs to provide a challenge to prevent playbacks, I suppose that could be part of the IV.
My intention in my original description was that your password is not sent to the site, it is used for authentication by verification of the establishment of the encrypted stream. So you would go to the https site (or maybe it would be httpss for super secure... ;-), and you would be prompted (by your browser, not the site) for your credentials. You input your username and password, and only your username gets sent to the site (via regular https or what have you), and then both the remote site and your browser modify the already shared (as part of traditional SSL) symetric key with your hashed password (possibly a salted hashed password, with the remote site sending you the salt). If communication is still possible (perhaps verified with round trip random number echoed back from both the site and your browser) then authentication of both the user and the remote site has been verified.
I like your idea of shared trust / referral, but the specific implementation should be something like key signing. A site could have their certificate signed by other sites, and hopefully by one which you trust. This wouldn't be a problem for large sites, but it would still have challenges when it comes to smaller sites (who could they find to trust them, if not a CA). Ultimately, the best we may be able to hope for is for Google and other search providers to report to you (over a secure connection) the certificate that they see for a particular site (and the change history therein), so that if you see something different then you know that there might be a man in the middle attack.
There is a reasonably straight forward technical solution, that could be implemented in a future SSL protocol, to resolve the issue of trust when you already have an account on a site. A host site can add the hash of your password to the symmetric key used after the key exchange, your browser can then do the same on your side. This is essentially using a a shared secret (the hash of your password) as part of the symmetric key. The result is that no one in the middle can intercept your communication even if they have compromised the certificate.
Since most attacks are done on people who already have accounts, this is a decent improvement in security. It will not, however, prevent spoofing a site before you have an account on it, so extra precaution would need to be taken.
The implementation of this protocol would require that when initiating an https session with the server, you need to input your account credentials to your browser (not posted to the host), which then uses them to establish the SSL session.
Software can have a large impact on power consumption because, quite simply, your hardware consumes less power when it does less. So giving your system more work requires more power.
There are many reasons for this, from the architecture of modern CPUs to memory and disk usage. If you use a program that is inefficient and takes more operations (say O(N) vs O(2^N)) then power will be wasted, regardless of what hardware it is executing on.
From what I read, plutonium is pretty bad if you inhale or ingest it, otherwise not too much of a problem. If it gets into you it can stay in you for years, causing cancer and bone problems (it can get into your bones and bone marrow).
Outside of your skin, the radiation is too weak to cause much concern, but when it is inside you, the radiation is enough to cause reasonably serious harm (or at least the potential therein).
The vast majority of high end real estate in Vancouver is being purchased by offshore (read Chinese) investors / immigrants. The entire Vancouver real estate market is propped up by this foreign investment.
And if you can't litigate, obfuscate (with FUD).
Unfortunately, even if the software is free, it does not absolve you from damages for distributing it. Only in the case where you negotiated a percentage only licensing deal would having a free product impact your royalty payments.
I think that the GP is referring to foreign workers in the US on Visas. If you are in the US on a work Visa, my understanding is that it is much more difficult to switch employers. And worse than that, it is difficult to even find a new employer if your current employer lays you off (you have a very limited time until you are forced to leave the country).
As a consequence, foreign workers on Visas are forced to work harder for longer hours since they don't have many other options. Unfortunately, this has the side effect of making them more attractive than local labor.
The motive is financial.
Steps:
1. Compromise account.
2. Buy in game goods with compromised account's Visa, gift cards, or (perhaps) fraudulently generated gift cards.
3. Sell in game goods for real currency.
The reason this particular developer is getting hit the hardest is probably because their game is the current best way to realize profits from a compromised account. For many other apps with in app purchases, it is probably difficult to convert your purchase back into money.
I would not hope for that. Not to knock Sanderson, but Martin writes some of the best prose in fantasy, so it would be a shame to have another author attempt to finish his work.
If you don't believe me on this, pick up a Storm of Swords and read any chapter (or just the prologue), and then compare it back to back with a chapter from another fantasy novel. In most cases the comparison is striking.
Few authors are as talented as Martin when it comes to complexity, characters, and prose.
I assume that part of the reason is that Amazon has costs associated with 3g service that you are not factoring in. All of the other "free" 3g services on the Kindle need to be subsidized somehow.
Additionally, the very fact that the Kindle has a SIM card and data access probably costs Amazon something on a yearly basis per device. Without more information it is difficult to determine what actual profit (if any) Amazon is making on the delivery fees themselves.
The timing of the article itself seems obviously related to the recent spat of negative feedback towards Apple over their newly launched pricing. The author is at least somewhat pro Apple (writes Apple app reviews for instance), but that does not discount his message that Kindle subscriptions may be equally expensive. I am curious as to which pricing model and service is actually preferred by publishers, since as far as I am aware, there have not been as many complaints leveled at Amazon's structure by content creators.
I give up, you win. Please, patent your wonderful system, it will be ever so secure.
Do me one favor though, let me know which cars use it, so I know what to avoid.
A couple of things. Firstly, GPS location detection is actually based on trilateration, but people often mean that when they say triangulation with regards to GPS (to use triangulation you would need directional antennas).
Secondly, it is impossible to find a source to disprove something that doesn't make any sense. Your proposal is akin to recommending using a brick to help someone swim. Whether phase modulation or frequency modulation are used as the data channel will not impact the success of a relay attack on proximity detection. Similarly, trilateration will only locate the location of the relayed signal.
It is not for me to disprove your hand waving at technologies you do not understand. Your argument is essentially: The US government knew what it was doing when it made GPS, so their solution must be good enough to solve this completely unrelated problem. Unfortunately, it doesn't work like that.
Yes, everyone knows the military use encrypted GPS. The techniques they use will not be helpful in this situation for proximity detection of a key to a car.
It all comes down to how reliably and precisely the round trip time from the key to the car can be determined. The entire process would need an error margin in the tens of nano seconds to ensure proximity within the tens of meters. GPS techniques have no bearing on this since they rely on multiple signals (4+ satellites) to compute timing errors, besides being one way communication.