Slashdot Mirror


User: matthewv789

matthewv789's activity in the archive.

Stories: 0
Comments: 173

Comments · 173

  1. Re:How about that rented storage? on NSA's Legal Win Introduces a Lot of Online Insecurity · · Score: 1

    The US Federal Government already believes bank safety deposit boxes are fair game, no warrant needed: http://www.examiner.com/article/memo-dhs-can-confiscate-bank-accounts-without-warrant

  2. Re:Wouldn't it be more relevant on Houston Expands Downtown Surveillance, Unsure If It Helps · · Score: 1

    Why? Is it a goal of society to put even more people behind bars? I don't know about you, but I'd rather have fewer criminal cases to prosecute in the first place.

  3. Re:Do they offer "A" pay? on Netflix: Non-'A' Players Unworthy of Jobs · · Score: 1

    Yes. Yes they do.

  4. Re:Bye-Bye, Netflix on Netflix: Non-'A' Players Unworthy of Jobs · · Score: 1

    Of course, if they only truly hire A players then their talent pool will be a worthwhile one for other companies to poach. So unless they find a way to lock in their talent so it can't leave.

    They have an answer for that: Their approach is to pay every employee the amount they would be willing to pay to keep that employee from leaving for a better offer. They don't wait for an employee to threaten to leave to pay that much; they give large raises to keep pay at that market rate. As a result, Netflix pay is way above average. But they also try to maximize the value of that level of pay by evaluating whether each employee is really worth that... and by adjusting pay DOWNWARD (or just letting them go) if their performance no longer matches that level of compensation.

    I'm not saying such an environment is for everyone (and they're very open about it to prospective employees), but they have chosen a particular approach that has its pros and cons, and I'm glad it exists somewhere at least to demonstrate whether it works. From Netflix's continued success at being extremely competitive operations-wise and continuing to innovate even as it grows, I'd say it's working in that respect. Whether it's the only approach that works, or if other approaches that also work have fewer downsides, I really don't know.

  5. Re:Well, it is from the bring-your-D+-game dept. on Netflix: Non-'A' Players Unworthy of Jobs · · Score: 3, Insightful

    You do realize that nobody validates CSS any more, right? Because working CSS is almost never valid, and vice versa (aside from the very simplest and most rudimentary). I doubt many developers validate HTML or XHTML any more either.

  6. Re:Right On on Snowden Says His Mission Is Accomplished · · Score: 3, Insightful

    Not so. If enough people vote, say Green, Pirate, Peace and Freedom, etc. that the Democrats start to lose votes off the progressive side, then they'll have to shift their policies to the left in hopes of getting them back, rather than constantly trying to stay JUST SLIGHTLY to the left of the Republicans, wherever the Republicans happen to be.

  7. Re:Americans not targeted? on F-Secure's Mikko Hypponen Cancels RSA Talk In Protest · · Score: 2

    I think he's being a bit sarcastic.

  8. Re:ATSC USB tuners? on Streaming and Cord-Cutting Take a Toll On the Pay-TV Industry · · Score: 1

    Perfect, awesome, thanks (you and SpiceWare both).

  9. You're right and wrong on Ask Slashdot: Can Digital Music Replace Most Instrumental Musicians? · · Score: 1

    You're right that background, utilitarian music is easily replaced by programmed, synthesized music. TV soundtracks, electronica, backing of pop singers... it's already taken over for the most part.

    But there are huge swaths of music, from folk to jazz to rock that will show how irrelevant that is.

    And in the world of classical music, Spira Mirabilis and the Takacs Quartet think you're missing the point. Besides, I'd rather watch Midori or the Berlin Philharmonic than watch a synthesizer.

  10. ATSC USB tuners? on Streaming and Cord-Cutting Take a Toll On the Pay-TV Industry · · Score: 1

    This seemed to be a fairly big product category about 5 years ago, but since then it's dropped a lot, and in the MacOS space, has evaporated - I can't find a single currently-shipping product like this for the Mac. (Whether for USB or for Mini DisplayPort/Thunderbolt - there are some USB ones, but none with Mac software.) I might be ok with just buying a TV, but I don't have much space, I don't know what my OTA reception will be like, and a USB dongle would seem to be a lot smaller and cheaper than buying a whole TV... but I can't find such a product anywhere; the few manufacturers that 5 years ago purportedly made them don't seem to sell them any more.

    I happily watch Netflix and YouTube on my laptop, and would happily watch broadcast TV on it too, if I could just tune it in. But how?

    Somehow the opposite direction seems to be the only way to do things, there are lots of products to watch internet video on a TV, or ones that require a cable connection. But what about watching TV ON A COMPUTER? That would give me a lot more options for content, especially the kinds of things you can't get on Netflix (or can't get until a long time later).

  11. Re:These idiots haven't learned yet... on Employee Morale Is Suffering At the NSA · · Score: 1

    amen

  12. Re:They don't feel bad enough, because it continue on Employee Morale Is Suffering At the NSA · · Score: 1

    Then they should be as pissed off as the rest of us, and raising hell internally, threatening to quit, or quitting, not bemoaning how misunderstood they are.

  13. Re:Is Google the same as the NSA? on Employee Morale Is Suffering At the NSA · · Score: 1

    Also, Google gives me some great free services in return - fantastic search, email, calendar, word processing, spreadsheet, document sharing, videos, etc.

    And Google doesn't (directly) have the power or inclination to throw me in jail or brand me a criminal or assassinate me or deny me travel or plant malware on my computer or break into my house or follow me around or any of those other nasty things the government can (and routinely does) do - the worst thing Google usually does is send me more-targeted advertisements than they could otherwise.

    In addition, Google is at least somewhat transparent about the kind of data they collect, how they collect it, and what they use it for - certainly far more transparent than the government ever has been.

    This is why I am willing to let Google watch me to the extent they do, but am vehemently opposed to the government doing the same.

  14. Re:And the agency just earned that enmity... on Employee Morale Is Suffering At the NSA · · Score: 1

    Er, I thought everyone knew by now that story was a bs fabrication of the right-wing media?

  15. Re:Resolves as 127.0.0.1 everywhere outside the US on Officials Say HealthCare.gov Site Now Performing Well · · Score: 1

    For YOU it does, but that's the whole point of the Akamai "georedirector": to find the nearest server TO YOU.

  16. Re:SSL only = no benefit on HTTP 2.0 May Be SSL-Only · · Score: 1

    Encryption is worthless without secure key exchange.

    I certainly wouldn't say that. I would say that encryption is worthless at guaranteeing protection from MITM attacks without secure key exchange. But it's far from worthless even if it doesn't do that. The vast majority of the surveillance going on is passive, not MITM, and even when you're actively targeted they're more likely to try to plant spyware on your machine than set up a MITM. Pervasive encryption protects us all from passive spying, even if the keys aren't trusted. While I don't want to imply a connection is more private or trusted than it really is, I even more don't want to discourage the use of as much opportunistic encryption as possible.

  17. Re:Usability issue, not hard technical one... on HTTP 2.0 May Be SSL-Only · · Score: 1

    EXACTLY!

    I also like the idea of browsers trying to opportunistically encrypt as best they can in the background. (Perhaps only in private browsing mode, or as an option selected by the user, since it would slow down page loads and might occasionally break things.) For instance, they could try every connection as https first, and if it responds on port 443, doesn't redirect back to port 80, and can do an encrypted handshake, great. No big deal if the certificate doesn't check out, or if some assets can only be loaded as http. So long as the user didn't originally request https, just do the best you can. If the certificate doesn't check out or some assets were not loaded as https, you could even report it as just http to the user (which is fine since they didn't request https and so aren't expecting it). If the user DID request https, then it could still be treated like it currently is, dropping mixed content and giving big warnings for certificate problems.

    There are some add-ons that already attempt to do this, but differently. HTTPS Everywhere I think has a whitelist of sites that have been at least partially tested. KB SSL enforcer for Chrome tries https on ALL sites, but it still chokes on certificate errors and fails to load mixed content the same as normal, so the failure rate is high (often just breaking the site with no explanation, which is annoying and not usable by non-technical people).

  18. Re:Usability issue, not hard technical one... on HTTP 2.0 May Be SSL-Only · · Score: 1

    This behavior makes the assumption that users clearly distinguish between http and https, and significantly alter their own behavior between them. But is this true? I see no evidence that the large majority of people behave any differently over a regular http connection than over an https connection, if they even notice or are aware of the difference. I think the certificate warnings now give a disincentive to using https, for both users and for site administrators. Similarly, the silent dropping of mixed content simply breaks many https sites, again prompting people to switch back to regular http.

    The warnings have become so blatant, they make a misconfigured https connection seem akin to a malware-ridden site (and mixed content may just make them unusably broken). But is this really fair? Security is about shades of risk, about probability. The VAST majority of certificate problems (self-signed, wrong hostname, expired) are not, in actuality, indicative of a MITM attack in progress. Yes, they are indicative of the risk of an undetected MITM, but 99.9+% of the time I expect you really are talking to the server you think you're talking to, etc. Very few people are ever being MITM'ed, but the NSA (and many others, I'm sure) are always listening to and recording traffic. Even if there's some risk of MITM, there's still huge value in opportunistically encrypting as much as possible against passive listening. This should be encouraged, not discouraged.

    Furthermore, the green highlight and shiny lock may overstate the reliability of the CA chain of trust, considering not only all the entities that hold intermediate signing certificates, and the CAs potentially signing duplicate certificates on request, but also the likelihood of the NSA having a sizable database of actual certificates acquired through various means, all usable in MITM attacks. And it may also overstate the ability of many forms of https to protect from decryption by various means, even during passive listening.

    And why the big warnings about misconfigured https, but no warnings at all about using http? There is no conceivable circumstance in which using http is MORE secure (in any sense of the word) than even the worst possible https connection (unless users change their behavior in how they use the connection, knowing it's insecure - but I suspect few ever do). So why not constant blatant warnings about broadcasting your messages to the world, and not really knowing who you're talking to or whether the messages have been modified, when using a regular http connection?

  19. Re:Still extortion... on HTTP 2.0 May Be SSL-Only · · Score: 1

    In other words, the cert for www.google.com would actually be tied to www.google.com instead of having to just come from any one of the dozens of accepted CAs out in the world.

    And don't forget the intermediate signing authorities (including governments, large corporations, and even non-profits) granted that power, usually without any restrictions, by said CAs. Unlike the CAs, there is no registry of who these entities are, though a study identified quite a number of them through observing certificates from actual websites.

    For instance, the US Government has dozens of certificates giving intermediate signing authority, courtesy of VeriSign.

    Besides DNSSEC, there are a couple of other (very similar) initiatives currently operating that aim to better manage trust in certificates:

    http://perspectives-project.org/
    http://convergence.io/

  20. Re:The Only Good Bug is a Dead Bug. on Critics Reassess Starship Troopers As a Misunderstood Masterpiece · · Score: 2

    It's a parody of America. Naturally Americans won't understand this.

  21. Re:Sen. Feinstein on UK Prime Minister Threatens To Block Further Snowden Revelations · · Score: 1

    No, you think far too highly of her. I expect she has her own phone and email conversations with various foreign officials that she doesn't want anyone listening to.

  22. Re:That's how I say SQL on New Standard For Website Authentication Proposed: SQRL (Secure QR Login) · · Score: 1

    I used to think this, until I learned that the name was originally spelled SEQUEL when it was invented at IBM.

  23. Re:Raspberry Pi to the rescue! on NSA Scraping Buddy Lists and Address Books From Live Internet Traffic · · Score: 2

    This is an excellent point.

    The browser vendors are operating on the assumption that when you want https, you want to trust that you know who you're talking to, and so they warn the heck out of you when they deem your connection susceptible to a man-in-the-middle attack. They also assume that a certificate properly signed for the exact domain name by a CA is good, and anything else is bad. And overall this is a good idea. Sort of.

    But there are a few problems with this theory:

    1. Most people really do not notice or understand the difference between http and https, and even if they do, they don't clearly switch from thinking "I'm broadcasting everything I do over the web for anyone to see and hear so I'm very careful about what I say or do" to "cool, I'm secure, I can do whatever I want and nobody will ever know". Giving warnings for https connections with certain certificate problems gives the impression that those connections are akin to the "malware sites" your browser also warns you away from, and far worse than a regular old non-encrypted http connection. Which leads us to...
    2. Gives a false sense of security when using the LEAST secure mode of browsing the web: regular old unencrypted HTTP. No warnings there.
    3. 99+% of the time, a site with a certificate problem is just sloppily run, not a sign of an actual MITM attack. Getting content from images.mydomain.com but certificate signed for www.mydomain.com? This should not be getting such a huge warning, if any. Even a totally different domain is usually a sign of a CDN, hosting provider certificate, parent or affiliated company name, etc. Certificate expired last week? Um, sure, why a big warning about this? Even a self-signed certificate is almost never actually a sign of MITM. In addition, these dire warnings are so apocalyptic that they steer both users and site owners away from https unless it's really necessary, because it can be kind of a pain to get everything right (and renew the certificate on time every year, etc.), so they'd rather just avoid the hassle.
    4. Gives a false sense of security even when the certificate IS properly signed... the NSA/FBI/etc. can make legit signed certificates with US Government intermediate signing certificates, courtesy of VeriSign (as can thousands of other entities around the world who hold intermediate signing certificates, of which there is no public registry saying who they all are...). That is, if they haven't stolen/cajoled the site's actual certificates already...

    I have no problem with them clearly communicating that some certificates are much more prone to MITM attacks than others, but I have a serious problem with making it seem like those certificate problems are worse than regular old plaintext HTTP, or akin to trying to visit a malware-laden site.

  24. Re:Illusion of privacy on Google To Encrypt All Keyword Searches · · Score: 1

    It's not DoD certificates we're talking about, it's intermediate certificates good for ANY domain, which have VeriSign as the root signing CA. So since your browser trusts VeriSign, it will trust the US Government's many certificates. There is no listing or registration of intermediate certificates, they are just discovered "in the wild" by scans of servers.

  25. Re:Illusion of privacy on Google To Encrypt All Keyword Searches · · Score: 1

    True, which is why they probably only use it for targeted individuals. I mean they have to intercept the internet traffic for that individual anyway, which doesn't happen every day. (Though frankly, 99.9% of the population never checks and couldn't tell the difference even if they did check.)

    But the signing CA is... VeriSign. That's the root of the trust chain, since they're the ones who signed the intermediate certificates given to the US Government (and no, I'm not talking about .mil, I mean certs that can sign for any domain, and also sign for further levels of intermediate certs, going four levels deep that we know of). And good luck with getting the major browsers to blacklist VeriSign's root cert.

    As for Dual EC DRBG, I think there is a long list of products from various vendors which implement it. I'm not sure which have it as a default other than those from RSA though.
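The intermediate-certificate problem raised in comments 19 and 23 through 25 above, worked through as an added example (this code is not from the original comments, nor from Slashdot or any CA): a trusted root issues an intermediate, and standard path validation accepts any leaf that intermediate signs, for any hostname, unless the intermediate carries a Name Constraints extension (RFC 5280) limiting the DNS subtree it may issue for. That extension is the restriction the comments say is "usually" absent. The CA names and hostnames (Demo Root CA, Demo Intermediate, www.any-site.example, gov.example) are constructed for the demo and are not real certificates or sites.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key for each demo certificate.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl, signed by parent with parentKey, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// caTemplate is a minimal CA certificate template (constructed demo names).
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// buildChain issues root -> intermediate -> leaf(host). When permitted is
// non-empty the intermediate gets a critical Name Constraints extension
// restricting it to that DNS subtree; otherwise it is unconstrained, which is
// the situation the comments describe.
func buildChain(host, permitted string) (root, inter, leaf *x509.Certificate) {
	rootKey := newKey()
	rootTmpl := caTemplate("Demo Root CA", 1)
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed

	interKey := newKey()
	interTmpl := caTemplate("Demo Intermediate", 2)
	if permitted != "" {
		interTmpl.PermittedDNSDomainsCritical = true
		interTmpl.PermittedDNSDomains = []string{permitted}
	}
	inter = sign(interTmpl, root, &interKey.PublicKey, rootKey)

	leafKey := newKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = sign(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

// verifyAs does what a browser does: trust only the root, take the
// intermediate from the server's chain, and check the leaf for the visited host.
func verifyAs(host string, root, inter, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// UnconstrainedIntermediateAccepted reports whether an intermediate with no
// name constraints can mint a leaf for an arbitrary host that validates.
func UnconstrainedIntermediateAccepted(host string) bool {
	root, inter, leaf := buildChain(host, "")
	return verifyAs(host, root, inter, leaf) == nil
}

// ConstrainedIntermediateAccepted reports whether a leaf for host validates
// when the intermediate is name-constrained to the permitted subtree.
func ConstrainedIntermediateAccepted(host, permitted string) bool {
	root, inter, leaf := buildChain(host, permitted)
	return verifyAs(host, root, inter, leaf) == nil
}

func main() {
	fmt.Println("unconstrained intermediate, arbitrary host accepted:",
		UnconstrainedIntermediateAccepted("www.any-site.example"))
	fmt.Println("constrained intermediate, in-scope host accepted:",
		ConstrainedIntermediateAccepted("www.gov.example", "gov.example"))
	fmt.Println("constrained intermediate, out-of-scope host accepted:",
		ConstrainedIntermediateAccepted("www.any-site.example", "gov.example"))
}
```

The first case is the one the comments worry about: nothing in the chain ties the intermediate to any domain, so the client accepts a leaf for www.any-site.example as readily as one for the holder's own sites. The third case shows what a constrained intermediate buys: the same leaf fails validation because the name falls outside the permitted subtree. The caveat is that constraints only help when the issuing CA actually puts them on the intermediate and the client enforces them; a constraint added after the fact does nothing for leaves already issued, and it does not address the separate problem the comments raise of CAs issuing duplicate leaf certificates on request.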