You're right that the code is not encrypted. What is encrypted is the user data, which is what you want to protect.
Whether or not you need a TPM to call it "secure" depends on the threat model. Under the most extreme threat models, TPMs aren't secure, either (they aren't designed to resist hardware hacks). Under a fairly reasonable threat model which assumes the attacker can read out flash but not RAM (because the RAM contents disappeared when the device was turned off for disassembly), the Android encryption model is secure, to the strength of the user password. The decryption key is gone from RAM so the flash-based storage cannot be decrypted, and of course any copies of the data in RAM are also gone.
No, it's not "safe". It violates the first three rules of passwords:
1. Do not write passwords down
2. Do not store all of your passwords together.
3. If you do break #1, do not store your password in an un-safe location.
Meh. The corollary to your rules is "Don't have very many passwords", which means either not having very many accounts (impractical), or reusing passwords (a really bad idea). You have to compromise somewhere, and IMNSHO a good password manager -- with an encrypted database -- is the lesser evil.
10 random chars are good for 65bits. Log(92^10)/Log(2) = 65.24
Heh. Good catch. I should have done the math, or at least thought about it for another second or two. Five bits per character assumes a character set of 32, which is obviously silly.
An offline attack would require a bootrom/bootloader exploit, since you can't get data off the device while it's locked (it refuses to complete the USB handshake). Even in restore mode, USB DFU mode won't dump data, only overwrite.
Android is the same in that respect. With either OS, the attacker can open the device and read out the flash directly, however.
In the other areas you mention Android needs to improve.
Good point. The weakness is easy to fix, though: Use a longer key. The only problem here is that the key is only 10 characters, which is probably only 40-50 bits of entropy even if the characters are chosen randomly. Use a 128-bit random key instead and known plaintext will become useless.
Oh, and new systems should use SHA-256, or SHA-3, not SHA-1. But that's probably not an issue in practice.
This isn't by any means a new concept; systems that care deeply about security have been using host security module (HSM)-based keyed hashing for decades. But doing it in an inexpensive, readily-available device is a really good idea for systems that don't need the physical security features offered by HSMs -- and that's nearly all systems. The key is to make sure that the communications channel between host and dongle cannot be used to compromise the dongle. Ideally, you should just ensure that the dongle system will not -- under any circumstances -- respond to anything other than hashing requests, and that codepath should be carefully validated for security bugs.
I don't even bother with a password on the thing - It wastes more of my time than that of a potential thief. If someone nabs it, hey, they get a few gigs of music (that I have backups of) and a $50 (replacement value - they don't tend to age well) tablet. Woo-hoo.
That's one approach, but I think on balance you're wasting more of your time with your approach. You don't have to enter passwords to unlock the device, but you do every time you want to do anything other than use media already on the tablet. The everything pre-logged-in approach is extremely convenient, and if you put a semi-decent password on it no ordinary thief is going to get into it. If you put a good password on it and enable encryption no one is going to get into it.
If you want everything encrypted: Sorry, you can't have that.
Sure you can. All Android versions from Gingerbread (IIRC) forward support full device encryption, using dm-crypt. Of course, it's only as strong as your password, so you have to trade off convenience against security.
It's as simple as: Power down device, remove battery, remove SIM, do not re-connect to wifi hotspots.
Why work so hard? Just turn on airplane mode.
Of course, if the phone is password-locked, getting the data from it requires some hardware and software knowledge. If it's also encrypted and the password is a good one, the data is safe.
Citation needed for the "laughably easy to defeat 'Find My Phone' and 'Remote Wipe' options". How are these laughably easy to defeat?
It depends on how the user's phone is set up.
If the phone is not password-protected, it's laughably easy: put the phone in airplane mode. As long as the thief does that before the owner can get to a web browser, the thief can peruse the data on the phone at leisure.
If the phone is password-protected but not encrypted, it's a little tougher. Airplane mode still blocks "Find my Phone" and "Remote Erase", but actually getting at the data is harder. If the thief can't guess the password within a few tries then he has to dump the flash and pick through the data, but that requires significant expertise which few, if any, thieves will have.
If the phone is encrypted (which implies password-protected), getting the data requires dumping the flash and then brute-forcing the password, which can likely be done with an offline attack, but further ups the ante on the level of expertise required. How difficult that is depends on how good the password is. If it's a good password the data is safe from basically anyone. Of course, good passwords are a pain in the ass to type on a phone.
Note that I only mentioned passwords. Android offers other authentication options, including face unlock, pattern and PIN (arbitrary-length numeric password) as well as alphanumeric password. Encryption requires PIN or password. Face unlock is convenient (once sufficiently well-trained), but not very secure; lots of random people will be able to unlock your phone and pattern is moderately good if you use a complex pattern and make a habit of wiping the screen clean, at least enough to smear out any pattern trails.
You're welcome. I don't have any way to prove it, of course, but I can tell you that the opt outs do exactly what they say they do, as do the "delete my data" options on the dashboard. I've been somewhat involved in the latter and I know people who work on the opt outs. They take it very seriously. Google wants to offer you such a compelling value proposition, which means providing good services plus taking good care that your data is only used in appropriate ways, that you want to give your data. And if you don't want the deal, Google really doesn't want to track you.
Actually, with respect to proving it consider this: Google is operating under the terms of a 20-year consent decree with the FTC around privacy issues arising from the Buzz fiasco, which includes regular third-party audits. Were Google to be found to be failing to fulfill any of the privacy terms it offers user, the company would be in big trouble. The fact is that the culture is very pro-privacy and pro-user control, so in fact the consent decree doesn't make much difference in how Google acts... but even if you don't believe that, there is oversight.
Governments can ask, and Google will say "No, please come back with an order."
How do you know Google will say, "No, please come back with an order?" What if Google only tells the public that it insists on the government presenting a lawfully issued court order, but in fact it secretly gives the government whatever information wants? Speculation that Google is deeply implicated with the US government has been going around for over a decade now.
How do I know? Well, (a) Google's leadership says so and AFAICT there is no law that allows the government to compel them to lie, publicly or internally and in fact there are laws that make it a crime for executives of publicly-traded companies to lie about issues which could affect the stock price (which this definitely does!); (b) as a Google employee who manages sensitive user data I have some visibility into how requests for that data are handled; and (c) as someone who is familiar with Google culture I find it inconceivable that such a thing could be happening on any kind of significant scale without being outed -- like most of silicon valley, and like geeks in general, Googlers tend to be pretty iconoclastic and anti-authoritarian.
Speculation that Google is deeply implicated with the US government has been going around for over a decade now.
If the speculation has been floating around that long, without a shred of evidence to support it in spite of the large-scale conspiracy that would be required to keep all such evidence suppressed, I think that's pretty compelling evidence that it's not true. You can never completely prove a negative, of course, but you can asymptotically approach certainty.
So now he's saying the opposite - that we can trust him with stuff we don't people to know (i.e. everything Google knows about us).
I think you're overstating what he's saying. He's saying that the government can't get access to the stuff we don't want people to know without getting an appropriate court order. That's not inconsistent with suggesting that if there's stuff you don't want people (the government) to know, then you shouldn't be doing it... because the government still can get it. They just need to be able to convince the appropriate magistrate that they have a good reason. Oh, and they have to be targeting you specifically.
The NSA could probably STILL access the information if they want to
Sure, they could resort to rubber-hose cryptanalysis, targeting key Google employees. If it were to come out, though, it would make the Snowden leaks look very, very mild. As one of said key Google employees (I work on security infrastructure), I've been given to understand that if I am ever approached in any way by the government, I am to immediately consult with Google legal counsel, and that any request that I not talk to counsel would be illegal (I think it would violate the constitutional guarantee of due process).
or Google can be compelled to reveal it with a super secret demand order, or even a regular warrant.
Certainly, as long as the order or warrant is issued by the appropriate court, is not excessively broad, etc., and then Google will add it to the statistics for the transparency report.
No information that is ever collected is ever "safe" from prying eyes.
In an information-theoretic sense that is undoubtedly true. In that sense, though, I'd argue that nothing that touches a networked computer is safe.
And even Google having the information is certainly nothing to be comfortable about.
YMMV, of course, but I actually am pretty comfortable with it. Of course, I have visibility into how Google manages user data, which helps. There is the possibility that a future version of Google may behave differently, but I think that possibility is at least a decade or two away, because I think it would take that long for the company's culture to change enough to make it possible.
They have ENOUGH information about consumers already... certainly enough to be creepy.
Perhaps. I think the general belief about what data Google has overstates the reality by a wide margin, and further even where it's accurate it overstates Google's (current) ability to actually make use of the data.
In any case, if you're concerned with it, Google provides you with the tools to opt out. I encourage you to use them. Personally, I turned on web history, location history, route all of my email through gmail, use Hangouts for SMS, etc., etc. I find the value I get from the services to outweigh the risk I perceive. If you see that balance differently, you should act accordingly.
Seriously is there anyone that would actually believe such a statement?
I do, but as a Google engineer involved in security and privacy infrastructure I'm in a position with much greater than normal visibility into exactly what is done and how.
Sure, the data might be safe from a government's prying eyes, but will it be safe from a government who kindly asks for the data, with the company acquiescing between it wants to maintain its lucrative business links with the authorities?
Governments can ask, and Google will say "No, please come back with an order."
Governments can order, and Google will comply, as long as the order was issued by proper authority, isn't excessively broad, etc. And then Google will add the order, and the number of accounts it affects, to the next transparency report.
That's not perfect, but it's much, much better than the government being able to snarf all the data with no accountability at all.
I can't handle 40 hours of sedation every week for the rest of my life. I chose to work in the defense industry specifically because I thought it would afford me opportunities to work on exciting high-tech shit. That bubble's been burst for some time now.
So a bank or similar isn't what you need. Fine. The GP's point is still valid: it sounds like your problem isn't software development, it's your job. There are plenty of really enjoyable software jobs around, for whatever your definition of "enjoyable" is (assuming you actually like coding, and you probably do otherwise you wouldn't have liked it in the past). You just need to find one, which means you first need to figure out what kind of environment will fulfill your needs.
Personally, I'm in my mid-40s, still writing code, and I expect to be gainfully and happily writing code until I'm ready to retire. I've gotten progressively pickier about what kind of place I want to work, but that's okay. In my case, my primary criterion is the number of idiots I work with; as long as that is sufficiently low, I can find challenging and interesting problems in any industry and problem space.
But why have the many successors to jpg that provide better lossy compression not caught on?
Without getting into a full-blown Doctoral Thesis, it's usually because either they suffer performance issues, or don't do nearly as good a job of preserving the visual integrity of the source image. JPG is a good balance of speed, quality preservation, and size of the compressed file.
Nah, I think it's mostly because JPEG is good enough. JPEG2000, for example, also provides perfectly acceptable performance and quality, with significantly-reduced file sizes. But unlike JPEG, JPEG2000 decoders aren't already available everywhere. The slightly-reduced file size isn't sufficient justification for the risk that some users might not be able to see the photo. An improved JPEG encoder helps (a little) with file size without incurring the need for a new decoder, so it's immediately useful.
The last ten years or so,, I've found that I just don't care that much any more about music. I actually listen to a lot of music these days, but that's an environmental issue, not because I like it. I listen to music pretty much all day every day while at work because I work in an open plan office and the headphones, and the music they play, are the way I eliminate distractions so I can focus. I don't really listen to the music, though... I have no idea at any given time what song played last, for example. I do, however, find that I get tired of repetitive music. Subscription Internet radio is perfect... I can start it playing from a vast collection of music, almost guaranteed I'll get few if any repeats, and completely guaranteed the music won't be interrupted by people talking (which would distract me).
When I'm driving or something and want some audio to actually pay attention to, I listen to audiobooks, not music.
To say that 'data scientist' roles are dead in the near future based on a ROI analysis is to suggest that all these huge data sets aren't likely to pay off for a corp in the near future. And that doesn't sound right at all.
I think what's really going on here is that lots of organizations have jumped on the Big Data bandwagon expecting that it will be easy, and hired lots of people who don't really know what they're doing (because they also saw an opportunity). There's lots of value in large corpuses of unstructured data, but teasing it out requires more than just a desire and some computing resources. As the field matures and builds up a well-known set of techniques which can be packaged up and on which people can easily be trained, it will be very effective. But right now, it really is research, and you really do need data scientists, not hacks who took a couple of classes on machine learning and a bit of statistics. And if there are ten thousand job openings for first (or even second) rate thinkers in a new field... well, all but a couple of dozen of them are going to get filled with hacks
The title of the article is "F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play".
Essentially all of the Android malware comes from non-Google app stores, or sideloaded APKs. And with respect to the malware that does manage to make it into the Play Store, F-Secure says "the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.”
I do not know why some people think this is true. A company producing X and selling it for Y, isn't going to automatically raise the cost of X if their taxes go up. Is that what you mean? Passed on to the consumer?
No.
Well, actually, that is one of the mechanisms, among many (some of which I actually mentioned in the post you replied to; perhaps you should re-read it). And it does happen more than you seem to think; a given company can't just raise prices because their cost of doing business goes up, because their competition will undercut them. But if you raise the costs across the board for a whole industry then that dynamic no longer applies, and prices will go up. But the core point is that ultimately all money ends up in the hands of people (real people, not fictitious corporate "people"); corporations are just a mechanism for consolidating the wealth of many and then redistributing the profits (or losses) generated.
That is why the US wealth inequality is so high right now. Company profit is not often used to expand business, or hire more people. It is just making rich folks richer.
So tax the rich folks when they get richer. But, actually, that statement "making the rich folks richer" doesn't really mean what you probably think it does. If you look at where the wealthy have their money, most of them don't actually have that much actual money; it's all estimated value based on their ownership of portions of productive enterprises. This means the actual value isn't just sitting in their bank accounts, it's paying employees, buying goods, building products, etc. When they get wealthier because their companies are successful, to a large degree the increase in wealth is an illusion -- it's just paper. Until they cash some of it out, of course. Then it becomes real, and then we tax it. Perhaps we should be taxing it a lot harder than we are.
There are many, many ways in which additional tax burdens on corporations percolate to the people, where "people" includes, customers, employees and shareholders. Keep in mind that ordinary middle class folks are the largest shareholders in virtually all large public businesses, via their retirement accounts, which means corporate taxes are a sneaky way to tax our supposedly tax-free retirement accounts, among other things. However it eventually works its way out to impacting individuals, it does get there, which means those individuals are paying taxes they don't even know they're paying.
That is the core of the problem. In order for the system to work, people should know what they're paying for it. Corporate taxes are one mechanism, of many, to hide those taxes from us. That's wrong.
With physical access and being prepared to destroy the device you can access it, but then you have to defeat the AES-256 key in the HSM.
There is no HSM in iOS devices. They do use the ARM TrustZone, which is a good thing, but is no HSM.
Nope, Starting with the iPhone 3GS, the flash is encrypted. The encryption key used is encrypted with a per-device key that's known only by the device
Yes, I know the flash is encrypted (read the thread). But the key is on the device...
You're right that the code is not encrypted. What is encrypted is the user data, which is what you want to protect.
Whether or not you need a TPM to call it "secure" depends on the threat model. Under the most extreme threat models, TPMs aren't secure, either (they aren't designed to resist hardware hacks). Under a fairly reasonable threat model which assumes the attacker can read out flash but not RAM (because the RAM contents disappeared when the device was turned off for disassembly), the Android encryption model is secure, to the strength of the user password. The decryption key is gone from RAM so the flash-based storage cannot be decrypted, and of course any copies of the data in RAM are also gone.
No, it's not "safe". It violates the first three rules of passwords: 1. Do not write passwords down 2. Do not store all of your passwords together. 3. If you do break #1, do not store your password in an un-safe location.
Meh. The corollary to your rules is "Don't have very many passwords", which means either not having very many accounts (impractical), or reusing passwords (a really bad idea). You have to compromise somewhere, and IMNSHO a good password manager -- with an encrypted database -- is the lesser evil.
10 random chars are good for 65bits. Log(92^10)/Log(2) = 65.24
Heh. Good catch. I should have done the math, or at least thought about it for another second or two. Five bits per character assumes a character set of 32, which is obviously silly.
An offline attack would require a bootrom/bootloader exploit, since you can't get data off the device while it's locked (it refuses to complete the USB handshake). Even in restore mode, USB DFU mode won't dump data, only overwrite.
Android is the same in that respect. With either OS, the attacker can open the device and read out the flash directly, however.
In the other areas you mention Android needs to improve.
Good point. The weakness is easy to fix, though: Use a longer key. The only problem here is that the key is only 10 characters, which is probably only 40-50 bits of entropy even if the characters are chosen randomly. Use a 128-bit random key instead and known plaintext will become useless.
Oh, and new systems should use SHA-256, or SHA-3, not SHA-1. But that's probably not an issue in practice.
This isn't by any means a new concept; systems that care deeply about security have been using host security module (HSM)-based keyed hashing for decades. But doing it in an inexpensive, readily-available device is a really good idea for systems that don't need the physical security features offered by HSMs -- and that's nearly all systems. The key is to make sure that the communications channel between host and dongle cannot be used to compromise the dongle. Ideally, you should just ensure that the dongle system will not -- under any circumstances -- respond to anything other than hashing requests, and that codepath should be carefully validated for security bugs.
I don't even bother with a password on the thing - It wastes more of my time than that of a potential thief. If someone nabs it, hey, they get a few gigs of music (that I have backups of) and a $50 (replacement value - they don't tend to age well) tablet. Woo-hoo.
That's one approach, but I think on balance you're wasting more of your time with your approach. You don't have to enter passwords to unlock the device, but you do every time you want to do anything other than use media already on the tablet. The everything pre-logged-in approach is extremely convenient, and if you put a semi-decent password on it no ordinary thief is going to get into it. If you put a good password on it and enable encryption no one is going to get into it.
If you want everything encrypted: Sorry, you can't have that.
Sure you can. All Android versions from Gingerbread (IIRC) forward support full device encryption, using dm-crypt. Of course, it's only as strong as your password, so you have to trade off convenience against security.
It's as simple as: Power down device, remove battery, remove SIM, do not re-connect to wifi hotspots.
Why work so hard? Just turn on airplane mode.
Of course, if the phone is password-locked, getting the data from it requires some hardware and software knowledge. If it's also encrypted and the password is a good one, the data is safe.
Citation needed for the "laughably easy to defeat 'Find My Phone' and 'Remote Wipe' options". How are these laughably easy to defeat?
It depends on how the user's phone is set up.
If the phone is not password-protected, it's laughably easy: put the phone in airplane mode. As long as the thief does that before the owner can get to a web browser, the thief can peruse the data on the phone at leisure.
If the phone is password-protected but not encrypted, it's a little tougher. Airplane mode still blocks "Find my Phone" and "Remote Erase", but actually getting at the data is harder. If the thief can't guess the password within a few tries then he has to dump the flash and pick through the data, but that requires significant expertise which few, if any, thieves will have.
If the phone is encrypted (which implies password-protected), getting the data requires dumping the flash and then brute-forcing the password, which can likely be done with an offline attack, but further ups the ante on the level of expertise required. How difficult that is depends on how good the password is. If it's a good password the data is safe from basically anyone. Of course, good passwords are a pain in the ass to type on a phone.
Note that I only mentioned passwords. Android offers other authentication options, including face unlock, pattern and PIN (arbitrary-length numeric password) as well as alphanumeric password. Encryption requires PIN or password. Face unlock is convenient (once sufficiently well-trained), but not very secure; lots of random people will be able to unlock your phone and pattern is moderately good if you use a complex pattern and make a habit of wiping the screen clean, at least enough to smear out any pattern trails.
You're welcome. I don't have any way to prove it, of course, but I can tell you that the opt outs do exactly what they say they do, as do the "delete my data" options on the dashboard. I've been somewhat involved in the latter and I know people who work on the opt outs. They take it very seriously. Google wants to offer you such a compelling value proposition, which means providing good services plus taking good care that your data is only used in appropriate ways, that you want to give your data. And if you don't want the deal, Google really doesn't want to track you.
Actually, with respect to proving it consider this: Google is operating under the terms of a 20-year consent decree with the FTC around privacy issues arising from the Buzz fiasco, which includes regular third-party audits. Were Google to be found to be failing to fulfill any of the privacy terms it offers user, the company would be in big trouble. The fact is that the culture is very pro-privacy and pro-user control, so in fact the consent decree doesn't make much difference in how Google acts... but even if you don't believe that, there is oversight.
How do you know Google will say, "No, please come back with an order?" What if Google only tells the public that it insists on the government presenting a lawfully issued court order, but in fact it secretly gives the government whatever information wants? Speculation that Google is deeply implicated with the US government has been going around for over a decade now.
How do I know? Well, (a) Google's leadership says so and AFAICT there is no law that allows the government to compel them to lie, publicly or internally and in fact there are laws that make it a crime for executives of publicly-traded companies to lie about issues which could affect the stock price (which this definitely does!); (b) as a Google employee who manages sensitive user data I have some visibility into how requests for that data are handled; and (c) as someone who is familiar with Google culture I find it inconceivable that such a thing could be happening on any kind of significant scale without being outed -- like most of silicon valley, and like geeks in general, Googlers tend to be pretty iconoclastic and anti-authoritarian.
Speculation that Google is deeply implicated with the US government has been going around for over a decade now.
If the speculation has been floating around that long, without a shred of evidence to support it in spite of the large-scale conspiracy that would be required to keep all such evidence suppressed, I think that's pretty compelling evidence that it's not true. You can never completely prove a negative, of course, but you can asymptotically approach certainty.
So now he's saying the opposite - that we can trust him with stuff we don't people to know (i.e. everything Google knows about us).
I think you're overstating what he's saying. He's saying that the government can't get access to the stuff we don't want people to know without getting an appropriate court order. That's not inconsistent with suggesting that if there's stuff you don't want people (the government) to know, then you shouldn't be doing it... because the government still can get it. They just need to be able to convince the appropriate magistrate that they have a good reason. Oh, and they have to be targeting you specifically.
The NSA could probably STILL access the information if they want to
Sure, they could resort to rubber-hose cryptanalysis, targeting key Google employees. If it were to come out, though, it would make the Snowden leaks look very, very mild. As one of said key Google employees (I work on security infrastructure), I've been given to understand that if I am ever approached in any way by the government, I am to immediately consult with Google legal counsel, and that any request that I not talk to counsel would be illegal (I think it would violate the constitutional guarantee of due process).
or Google can be compelled to reveal it with a super secret demand order, or even a regular warrant.
Certainly, as long as the order or warrant is issued by the appropriate court, is not excessively broad, etc., and then Google will add it to the statistics for the transparency report.
No information that is ever collected is ever "safe" from prying eyes.
In an information-theoretic sense that is undoubtedly true. In that sense, though, I'd argue that nothing that touches a networked computer is safe.
And even Google having the information is certainly nothing to be comfortable about.
YMMV, of course, but I actually am pretty comfortable with it. Of course, I have visibility into how Google manages user data, which helps. There is the possibility that a future version of Google may behave differently, but I think that possibility is at least a decade or two away, because I think it would take that long for the company's culture to change enough to make it possible.
They have ENOUGH information about consumers already... certainly enough to be creepy.
Perhaps. I think the general belief about what data Google has overstates the reality by a wide margin, and further even where it's accurate it overstates Google's (current) ability to actually make use of the data.
In any case, if you're concerned with it, Google provides you with the tools to opt out. I encourage you to use them. Personally, I turned on web history, location history, route all of my email through gmail, use Hangouts for SMS, etc., etc. I find the value I get from the services to outweigh the risk I perceive. If you see that balance differently, you should act accordingly.
Seriously is there anyone that would actually believe such a statement?
I do, but as a Google engineer involved in security and privacy infrastructure I'm in a position with much greater than normal visibility into exactly what is done and how.
Sure, the data might be safe from a government's prying eyes, but will it be safe from a government who kindly asks for the data, with the company acquiescing between it wants to maintain its lucrative business links with the authorities?
Governments can ask, and Google will say "No, please come back with an order."
Governments can order, and Google will comply, as long as the order was issued by proper authority, isn't excessively broad, etc. And then Google will add the order, and the number of accounts it affects, to the next transparency report.
That's not perfect, but it's much, much better than the government being able to snarf all the data with no accountability at all.
I can't handle 40 hours of sedation every week for the rest of my life. I chose to work in the defense industry specifically because I thought it would afford me opportunities to work on exciting high-tech shit. That bubble's been burst for some time now.
So a bank or similar isn't what you need. Fine. The GP's point is still valid: it sounds like your problem isn't software development, it's your job. There are plenty of really enjoyable software jobs around, for whatever your definition of "enjoyable" is (assuming you actually like coding, and you probably do otherwise you wouldn't have liked it in the past). You just need to find one, which means you first need to figure out what kind of environment will fulfill your needs.
Personally, I'm in my mid-40s, still writing code, and I expect to be gainfully and happily writing code until I'm ready to retire. I've gotten progressively pickier about what kind of place I want to work, but that's okay. In my case, my primary criterion is the number of idiots I work with; as long as that is sufficiently low, I can find challenging and interesting problems in any industry and problem space.
But why have the many successors to jpg that provide better lossy compression not caught on?
Without getting into a full-blown Doctoral Thesis, it's usually because either they suffer performance issues, or don't do nearly as good a job of preserving the visual integrity of the source image. JPG is a good balance of speed, quality preservation, and size of the compressed file.
Nah, I think it's mostly because JPEG is good enough. JPEG2000, for example, also provides perfectly acceptable performance and quality, with significantly-reduced file sizes. But unlike JPEG, JPEG2000 decoders aren't already available everywhere. The slightly-reduced file size isn't sufficient justification for the risk that some users might not be able to see the photo. An improved JPEG encoder helps (a little) with file size without incurring the need for a new decoder, so it's immediately useful.
The last ten years or so,, I've found that I just don't care that much any more about music. I actually listen to a lot of music these days, but that's an environmental issue, not because I like it. I listen to music pretty much all day every day while at work because I work in an open plan office and the headphones, and the music they play, are the way I eliminate distractions so I can focus. I don't really listen to the music, though... I have no idea at any given time what song played last, for example. I do, however, find that I get tired of repetitive music. Subscription Internet radio is perfect... I can start it playing from a vast collection of music, almost guaranteed I'll get few if any repeats, and completely guaranteed the music won't be interrupted by people talking (which would distract me).
When I'm driving or something and want some audio to actually pay attention to, I listen to audiobooks, not music.
To say that 'data scientist' roles are dead in the near future based on a ROI analysis is to suggest that all these huge data sets aren't likely to pay off for a corp in the near future. And that doesn't sound right at all.
I think what's really going on here is that lots of organizations have jumped on the Big Data bandwagon expecting that it will be easy, and hired lots of people who don't really know what they're doing (because they also saw an opportunity). There's lots of value in large corpuses of unstructured data, but teasing it out requires more than just a desire and some computing resources. As the field matures and builds up a well-known set of techniques which can be packaged up and on which people can easily be trained, it will be very effective. But right now, it really is research, and you really do need data scientists, not hacks who took a couple of classes on machine learning and a bit of statistics. And if there are ten thousand job openings for first (or even second) rate thinkers in a new field... well, all but a couple of dozen of them are going to get filled with hacks
Android has problems with it's "app store".
RTFA (I know, I know, new here and whatnot):
The title of the article is "F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play".
Essentially all of the Android malware comes from non-Google app stores, or sideloaded APKs. And with respect to the malware that does manage to make it into the Play Store, F-Secure says "the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.”
Meh. Even if you're right it doesn't matter, because while the details of the current positions may be fuzzy, the trend is crystal clear.
I do not know why some people think this is true. A company producing X and selling it for Y, isn't going to automatically raise the cost of X if their taxes go up. Is that what you mean? Passed on to the consumer?
No.
Well, actually, that is one of the mechanisms, among many (some of which I actually mentioned in the post you replied to; perhaps you should re-read it). And it does happen more than you seem to think; a given company can't just raise prices because their cost of doing business goes up, because their competition will undercut them. But if you raise the costs across the board for a whole industry then that dynamic no longer applies, and prices will go up. But the core point is that ultimately all money ends up in the hands of people (real people, not fictitious corporate "people"); corporations are just a mechanism for consolidating the wealth of many and then redistributing the profits (or losses) generated.
That is why the US wealth inequality is so high right now. Company profit is not often used to expand business, or hire more people. It is just making rich folks richer.
So tax the rich folks when they get richer. But, actually, that statement "making the rich folks richer" doesn't really mean what you probably think it does. If you look at where the wealthy have their money, most of them don't actually have that much actual money; it's all estimated value based on their ownership of portions of productive enterprises. This means the actual value isn't just sitting in their bank accounts, it's paying employees, buying goods, building products, etc. When they get wealthier because their companies are successful, to a large degree the increase in wealth is an illusion -- it's just paper. Until they cash some of it out, of course. Then it becomes real, and then we tax it. Perhaps we should be taxing it a lot harder than we are.
There are many, many ways in which additional tax burdens on corporations percolate to the people, where "people" includes, customers, employees and shareholders. Keep in mind that ordinary middle class folks are the largest shareholders in virtually all large public businesses, via their retirement accounts, which means corporate taxes are a sneaky way to tax our supposedly tax-free retirement accounts, among other things. However it eventually works its way out to impacting individuals, it does get there, which means those individuals are paying taxes they don't even know they're paying.
That is the core of the problem. In order for the system to work, people should know what they're paying for it. Corporate taxes are one mechanism, of many, to hide those taxes from us. That's wrong.