Slashdot Mirror


User: Xylantiel

Xylantiel's activity in the archive.

Stories: 0
Comments: 482

Comments · 482

  1. Re:"Rigorous" peer-review ahahahahahaha on Key Researcher Agrees To Retract Disputed Stem Cell Papers · · Score: 1

    I'm unsure if you're serious or not.. actually it's the copyeditor's job to catch typos unless they are scientifically relevant. And if you think Nature is a journal and not a journal-like magazine, you are mistaken. TONS of stuff published in Nature turns out to be wrong or overhyped.

  2. Re:All I'll say... on Thousands of Europeans Petition For Their 'Right To Be Forgotten' · · Score: 1

    I think one of the troubles here is the difference between "YOUR record" and "THE record". I'm not a UK citizen, but I would be surprised if the relevant court records are somehow expunged. Are they? And with the database-driven information environment that we live in, how do we create a workable difference between "your record" and "the record" for private handling of public information?

  3. Re:All I'll say... on Thousands of Europeans Petition For Their 'Right To Be Forgotten' · · Score: 1

    I'm sorry but if you can sue me for libel just for stating the fact that you have a "spent" conviction then the law is messed up. This is where we start to get into the fundamental nature of freedom of speech and how it relates even to freedom of thought. (Am I required to be lobotomized if I remember you have been convicted of a spent conviction? Maybe you should actually READ 1984.) I can understand laws that prohibit discrimination or harassment based on old convictions, but trying to legislate the availability of public record information is stupid. I would also argue that this kind of thing is entirely separate from "privacy". There are many things that are "private", but public records are by definition not among them.

  4. Re:Very Bad Precedent on US To Charge Chinese Military Employees With Hacking · · Score: 1

    You realize that there is effectively no difference between a government-denied chinese hacker and a "non official cover" spy right?

    And if they aren't government-employed then this is the completely appropriate action.

    In either case, I'd say it's better to get this out in the open where the justice system can work it through rather than just finger pointing. If they're not government-sponsored (as the Chinese claim) then the Chinese should be willing to pony up and extradite them! (The fundamental issue here is really that the line between government and non-government is defined in a very different way in the US and China, both in law and in practice. China is still a single-party rule, which makes it often a matter of semantics what is government and what is not.)

  5. Re:L3, Cogent and Others Crying Wolf on Internet Transit Provider Claims ISPs Deliberately Allow Port Congestion · · Score: 1

    Exactly. The ISPs are holding their subscribers hostage. i.e. abusing their monopoly power to get paid twice for the same service.

  6. Re:Asking the wrong questions on Lessig Launches a Super PAC To End All Super PACs · · Score: 1

    Yes, it is a relatively simple culture change really: if someone else paid for you to see or hear it, assume it is a lie or distortion.

  7. Re:Failed injection. on Oklahoma Botched an Execution With Untested Lethal Injection Drugs · · Score: 1

    The root problem here is the companies that make the drugs that have known properties are refusing to sell them to the state for use in executions. How it is legal for the companies who sell the drugs to discriminate in this way I don't understand. I know WHY they are doing it... due to pressure from anti-death penalty activists. But how is it legal?

    And just to be up-front, I'm actually anti-death-penalty. But forcing state officials to euthanize people in inhumane ways in order to make headlines does not seem... humane.

  8. Re:Is anyone surprised? on OpenSSL: the New Face of Technology Monoculture · · Score: 1

    Well I would say that is just evidence of the problem. If an update adversely impacts stability that badly then updates are not being managed/tested properly, which is exactly the problem with OpenSSL. This also brings up another point -- a lot of the stability problems are due to interaction with various other (broken or oddly-functioning) SSL implementations. The correct way to handle that is with rigorous and extensive test cases, not just closing your eyes and not updating.

  9. Re:Is anyone surprised? on OpenSSL: the New Face of Technology Monoculture · · Score: 4, Insightful

    I would say it wasn't just OpenBSD either -- it appears that everyone was very reluctant to update from 0.9 to newer versions. This tells me that people knew the development practices weren't up to snuff. It's just too bad that it took such a major exploit to kick everyone in the head and get them to put proper development practices in place for OpenSSL. Many eyes don't work if everyone is intentionally holding their nose and looking the other way.

  10. Re:I am confused on this issue on Administration Ordered To Divulge Legal Basis For Killing Americans With Drones · · Score: 3, Insightful

    I think the basic problem is that we are not at war with country X.

    I actually believe the basic bill of rights applies to the agents of government, not the people. i.e. it does not just protect these special people called "citizens", it restrains the government from certain actions, such as denial of due process of law, against any person. However, the general "rule of law" does not apply in a war zone. The problem is that we have become stupendously lax about exactly where the wars the US is currently fighting actually are. Are we at war with Pakistan? No, but we perform military strikes inside Pakistan without their consent. Are we a warlord or a modern country?

  11. Re:de Raadt on OpenBSD Team Cleaning Up OpenSSL · · Score: 1

    I disagree that there was no way to catch this. From code I saw, at its core, it was a simple case of using memcpy with the size of the destination buffer rather than the source buffer. Any automated bounds checker would have caught this. But, in addition, there should have been a compliance test that a packet with a specified size bigger than its payload went unanswered since anything else is noncompliant with the RFC. Clearly the person who wrote the RFC understood that answering a heartbeat request with a size different than its payload was a potential problem since the behavior was specified. To me, both of these mean that OpenSSL is enough lacking in validation testing to make me pretty nervous. No wonder everybody has been sticking to 0.9 versions for years if the path forward is this fraught with uncertainty.

  12. Re:If GNUTls is unneeded, then create a NO-OP libr on Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros · · Score: 1

    MITM requires active interception to eavesdrop, whereas an unencrypted connection is vulnerable to passive eavesdropping. That is the sense in which an encrypted but not properly authenticated connection is "better". Also if the ID of the offered certificate is logged it is possible to audit for a MITM attack after the fact. According to Snowden, the NSA can crack 1024 bit certs' private keys. So really even properly verifying the cert is not secure depending on who your adversary is.

  13. Re:Tracking` on Most Expensive Aviation Search: $53 Million To Find Flight MH370 · · Score: 2

    Really, if you're listening to reasonable people it's not expensive at all to have satellite-based ACARS enabled on all planes and have it include some basic flight information. In fact we knew from the first day or two that this plane had flown on for hours after the incident, the Malaysians were just not listening to the satellite techs. And if Malaysian air had simply paid the several thousand dollar fees we would have hours of data to work with. These "real time tracking" people are just ambulance chasers. The problem here is that the plane flew on for so long after losing ground contact and Malaysian air was not paying for satellite service. So make intermittent satellite relayed updates mandatory. The additional infrastructure costs... $0. It's already in place.

  14. Re:But Terrizm! on Most Expensive Aviation Search: $53 Million To Find Flight MH370 · · Score: 1

    Do you have references for that with real re-analysis of the radar data? Ones that aren't confused reporters citing "anonymous sources" that they might be misquoting. Reporters are really bad about leaving out little things like "maybe" or "under the assumption that..." which are night and day when eliminating possible options.

    It seems more likely that the earlier analysis of the radar data mixed up the plane with another one after it got across the peninsula. Also it has been said that there is quite a bit of uncertainty in the radar altitude measurements during the airplane's supposed altitude changes. Do you have a reference that actually discusses what the radar data can and cannot exclude in a technical way? The search is sure acting consistent with a plane that just flew on to the southwest unpiloted. Surely they have made some assumption about the behavior during this time in computing the current search area. What were those assumptions? I haven't seen any technical discussion of this, and would really like to.

  15. Re:EAP? on WPA2 Wireless Security Crackable WIth "Relative Ease" · · Score: 1

    I believe the problem is that the interface for this and the way warnings are handled is just horrible and inconsistent between clients.

    For example, android requires you to set a passcode in order to store the public certificate. That's right you need to lock your device so nobody can get access to that PUBLIC key. duh. Clearly you should have a passcode for a private key, but not a public one. I'm not sure if this has been straightened out or not. Also it's often not clear if you can say the equivalent of "trust the current certificate, and warn me if the network tries to give a different one". It typically asks you to manually load the certificate that the server can easily send to the client.

    This doesn't even mention that generally the cert will be signed in a way that it can be verified through the same trust chain the web browser uses. While this isn't optimal, it's pretty decent in practice and could easily be implemented as an option.

  16. Re:Um, right. on Don't Help Your Kids With Their Homework · · Score: 2

    I agree. Go look at common core, don't assume you know what it is. A lot of the "criticism" of common core has nothing to do with what is actually in common core. I have looked at the teaching of multiplication and it does some things that seem "weird" but are clearly intended to teach students number concepts, not just rote memorization. Now whether the elementary teacher figures that out is a totally different ballgame - since they may not have a firm number concept themselves and therefore they may not even understand what is being taught or know how to explain it to parents.

  17. Re:We're on Google Apps/Chromebooks on Why Buy Microsoft Milk When the Google Cow Is Free? · · Score: 1

    Sorry, but is it even legal under education privacy laws to require students to use google services in order to use those chromebooks? I love how people just ignore this stuff when it comes to "cloud" services.

  18. Re:Interfering West Again on Russian State TV Anchor: Russia Could Turn US To "Radioactive Ash" · · Score: 1

    Wait whose economy was it that imploded at the end of the cold war? So the "western" (i.e. pro-individual-freedom, multi-party-rule) mindset was supposed to just leave eastern europe to rot because Russia used to be in charge there. Then we just ignore them re-acquiring territory at gunpoint. Last I checked NATO was not invading eastern european countries to integrate them into the EU. Europeans are doing exactly the opposite, trying to help countries get their economies in good shape so that they can move toward closer ties to the EU at their option.

    This whole thing in the Ukraine started with the president of Ukraine back-tracking on the parliament's attempts (and the electorate's desire) to have closer ties to the EU. Why did he do this? Because he was turning into Russia's puppet. This is not to mention that this guy was elected president under suspicious circumstances. You cannot compare Russia's under-handed meddling with Ukraine to the west trying to help Ukraine get its economy on track as if they are both bad things. One is bad, one is not.

  19. Re: Summary is wrong on How Steve Jobs Got the iPhone Into Japan · · Score: 1

    Yep, "most popular smartphone in japan" is a rubbish statistic. Japanese feature phones were so far ahead of those in other parts of the world in features and usage that making a distinction between smartphones and featurephones in the same way one does outside Japan is just nonsense.

    It's almost enough to make you wonder if the introduction of the "smartphone" is not what really changed the phone culture in the West. Really Japan had already transitioned to what we think of as the "new" phone-oriented culture, but it was based around high-quality feature phones. So the west might have transitioned even without the introduction of the iphone. The iphone just happened to be the right product in the right place at the right time. I know I was startled to see the speed that Americans transitioned from making fun of asians always poking at their phones to doing the same thing with their own smartphone.

  20. Re:Sorry, it's horribly insecure, on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · · Score: 1

    So why is it swipe&sign vs. chip&pin, why not chip&sign? This would make it near impossible to clone cards but still be more secure under audit (i.e. not subject to easily stolen PIN). Even chip and nothing would probably be better in practice than swipe and sign.

  21. Re:One question on Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards · · Score: 1

    That doesn't even seem to make sense. Even with swipe and sign a card doesn't really "work" on two different networks. Does anybody know how this regulation really works?

  22. Re:The whole system needs to change on Adjusting GPAs: A Statistician's Effort To Tackle Grade Inflation · · Score: 1

    I think it does always require measuring proficiency at the end. Otherwise how do you know if you are educating?

    That being said, it is easy to create a test that will rank students, but extremely difficult to make a test that will measure their proficiency. And making one that is resistant to cheating (e.g. memorizing answers from previous tests) is even harder.

    Current grading is generally not even based on level of proficiency, but on level of coverage. You get a good grade if you can demonstrate skill in all the topics covered. The level of proficiency expected on those topics is often not well defined. Also this leads to what the thread root comment is complaining about, where the class is taught as if everybody is going to achieve proficiency in all topics, even when that is known to not be happening. Is it better to teach a set of topics for which it is known the median student can achieve satisfactory proficiency, and then measure proficiency? What does the letter grade mean in such a system? Does it refer to proficiency or coverage?

    Nominally this reveals the underlying problem being grappled with in education today. If you get down and honestly measure student proficiency, you realize that only the top 10% of students were actually learning what they were supposedly learning. This makes it really hard to construct a coherent overall sequence of education because you cannot assume that most students have mastered topics covered in previous courses.

  23. Re:"Not Reproduclibe" on GOP Bill To Outlaw EPA 'Secret Science' That Is Not Transparent, Reproducible · · Score: 1

    So fund the science. Forbidding regulation is just bureaucratic stupidity that will get people killed. My impression is that a lot of regulations don't have good science to back them up because the science costs money and hasn't been done yet, and EPA has to make a rule even in the absence of good science. Are you somehow surprised that they would err on the side of public safety when the science is inconclusive? You do realize that this stuff actually maims and kills people right?

  24. Re:Multiple credit cards on Developer Loses Single-Letter Twitter Handle Through Extortion · · Score: 1

    You do not appear to understand what he is getting at. In the case referred to in the original article, the credit card info stored at one company was used as proof of identity to another company. i.e. your credit card can be used to identify you uniquely if you only use one credit card. On the other hand if you use pre-paid limited-use cards, this doesn't work. This seems like a general benefit to prevent companies from cross-tracking purchasing habits. But the interesting thing here is this case shows that it also provides additional protection against identity theft-type attacks using your credit card info. Basically because you don't have unique credit card info.

    But really that godaddy would give control of your account to somebody that has your credit card info is outrageously stupid on their part. Credit cards are a payment method, not an authentication method. The bank will only eat the cost of payment fraud. This was probably some undertrained phone support person thinking there was no other way to get this guy's account access back, which is ludicrous since he probably has ICANN contact information recorded. They could have hung up and called him back using known-good contact info and the whole scheme would have fallen apart.

    As others have said, the lesson is don't use godaddy since they are so "customer-friendly" that they are insecure. This just makes me glad that I moved away from godaddy a while ago.

  25. Re:Roll on! on The Human Body May Not Be Cut Out For Space · · Score: 3, Interesting

    Sorry the Centrifuge Accommodations Module was cancelled. I consider this emblematic of the space program having absolutely no intelligent direction. This module should be at the center of the ISS mission, since the station's primary direct scientific product is study of biology in space. Also one of the most unique aspects of space is microgravity, i.e. low, controlled acceleration in a variable-rate centrifuge module.