Most of the area of these glaciers is less than 13,000 years old. On the level of erosion of mountains, not significant. The glacier cover is quite new on this scale of time.
Just what I was going to say. The summary is conflating massively different time scales. Just because both of them are far longer than our lives doesn't mean they're the same.
Google has specifically stated on the Google Glass blog that it will not put ads on Glass, in the same post where it was announced that third party apps will not be allowed to show ads on Glass. Google it.
Google's business model is advertising.
Google's primary business model is advertising, in the sense that it brings in 90% of revenues, but Google is fundamentally a technology company, not an advertising company, and has no objection whatsoever to pursuing other business models. It has been pursuing other approaches, and advertising's share of the revenues has declined from basically 100% to about 90% (enterprise apps licensing being the biggest single other source). In fact, the Google founders and most of the employees aren't particularly enamored of advertising. It brings in large revenues, and it enables end-user services to be free, and therefore low-friction, and done right it can even offer some value to end users as well as advertisers, but it will always be somewhat distasteful to engineers -- and Google is an engineer-driven company, bottom to top.
Google has stated that the Glass experience needs to be ad-free to be of value. Whether that means it'll be monetized strictly through hardware sales, or whether it's just another link binding people into the Google ecosystem (like Google+) which will facilitate ad targeting accuracy or something else, I don't know. But Google has said that it won't allow ads on the platform, theirs or others'.
Prediction: this article will not get 850 comments, and many people will continue pointing to this story as proof that Google lets the federal government rifle through all of everyone's data.
If the feds have compromised the CAs, that https gets you nothing.
If the feds were using compromised CAs to perform man-in-the-middle attacks, we'd notice, unless they did it very, very rarely. If they're going to restrict themselves to using this capability only in circumstances when they have strong reason to believe their target is a criminal or planning to be one, they'd probably be able to just get a warrant.
Another possibility (though I think yours is more likely): Do you use HTTPS to access Google? If you use the search bar on major web browsers, you do. If you are signed into a Google account, you do. Otherwise, if you're not logged in and you manually direct your browser to google.com and then do a search, the query goes to Google unencrypted.
Assuming Google searches had anything to do with this story (which I doubt), I think it's more likely that non-SSL queries were intercepted.
Except they said they do this "100 times a week". The implications of that are staggering. 100 times a week? That is 5200 raids a year.... if they are not putting terrorists away by the truckload then they have some serious explaining to do.
Even more staggering when you realize this was carried out by a county Sheriff's department. So is this one department carrying out 100 raids per week? Assuming they're not the only PD doing it, we much have hundred of thousands of raids per year. Millions, maybe.
Just like every other company that does ads, they buy the info from Google.
Google doesn't sell data. Not to advertisers, not to anyone. The only exception is market research data which is aggregated and anonymized and cannot be used to target specific individuals.
Of course, once weak selectors have triggered from the google data, the gov't has other systems (e.g. let's say telco info) to get the location and possibly user of the IP address that google recorded.
I strongly doubt that Google was involved at all. I see two realistic possibilities:
1. The supposition that the content of a Google search was involved at all is simply false. The visit was provoked by something else, and the targets just assumed it was related to Google queries.
2. The search was done over HTTP, and the connection was intercepted at the ISP or any other point in the chain between browser and Google.
That's pretty much it. Google says it doesn't supply data to the government without lawful orders, and that it doesn't supply broad data at all, only specific data about specific individuals given specific legal documentation. You may not believe it, but there's really no evidence otherwise. As a Google employee with some visibility into relevant infrastructure, I have evidence to support it.
Call me a shill, naive, whatever. This is just my honest, and fairly well-informed, opinion.
WIth physical access and knowledge of the hardware sure it's extractable
With good tamper-reactive hardware? Well... in theory, sure, anything is possible. In practice, good luck getting in without triggering the tamper response, which zeros the master key. Note that freezing attacks don't work, because getting the device outside of a certain temperature range triggers the tamper response, as does physical penetration, exposure to radiation, improper input voltage or loss of battery power or... good FIPS 140-2 level 4 hardware is very touchy.
... this is assuming there's no backdoor in the HSM, always a large assumption.
Actually, I worked a bit on the IBM 4758 and know a bunch of the people involved throughout its design and development, and I'd say it's extremely unlikely that there's a back door. There's a published paper on the 4758 design (Google it); go read that and then come back and we'll talk. I can tell you about all of the code control and layered reviews at every point in the design, implementation and testing process. It would be fantastically hard to sneak a back door in through that.
Umm... you should go re-read the SSL/TLS specs. The server doesn't get to dictate the session key.
The session key (AKA master key) is computed from a "pre-master" secret key and two random numbers, one provided by client the other from the server. Both sides perform this computation independently, and the server has no control over the client random -- nor the client over the server random. Also, the pre-master secret is either generated entirely by the client, or else generated through a Diffie Hellman key agreement protocol, which again involves input from both sides.
There may be other attacks, but the one described in the summary doesn't work.
The root key is in an HSM, and can't be extracted.
For disaster recovery purposes it must also exist elsewhere.
Other HSMs. There is a secure mechanism for syncing keys between devices that ensures that it is still impossible to ever extract them in cleartext. All major HSM devices can do this.
The largest risk isn't during transmission, it is at the user's end... and Google's end. 2 million bit encryption wouldn't be enough if you had a keylogger, or if google got served a National Security Letter that it decided to honor.
Yeah, but the NIST recommendations suggest that 1024-bit keys aren't adequate any more, so it's just good security hygiene to upgrade, even if they're not actually the current weak point, which I agree is almost certainly at the user's end.
I tend to try to give people the benefit of the doubt, because it makes my life better than if I assumed the worst and walked around angry all of the time, but it's nice to get confirmation that the Volt owner most likely wasn't being rude.
I think maybe I'll print up a little sign to leave under my windshield wiper when I'm parked at the airport, explaining how to interpret the lights. Or maybe I can put it over the charging port; that would be even better.
On the Leaf vs Volt access to the charging station, I think the Leaf owners have a point. Charging is optional for the Volt, not so for the Leaf.
Of course, I own a Leaf, and have had the experience of having a Volt owner unplug my car at the airport parking lot, 15 minutes after I plugged in. When I got back from my trip it was questionable if I had enough juice to get home. Well, to be fair, I don't know for sure that it was the Volt owner who unplugged me, but it was a day trip and the charger was plugged into a Volt when I got home in the evening. On the assumption the Volt owner was uninformed rather than rude, I left a nice note explaining that the Leaf does not have a gasoline engine, and how the blue lights on the dash indicate charge state, pointing out that when you see a car with a single blue light flashing, you should probably leave it plugged in.
The flaw in your thinking is that the ability to detect creativity matters.
The flaw in your thinking is that you don't get to judge what constitutes creativity. Thus, you don't get to decide what is "the ability to detect creativity" either. So yeah, try again?
Who said I (or anyone) needs to judge what constitutes creativity?
Care to make a wager on it?
yes thats right 20 whole gb.
Hehe. And you actually think that was small.
Life should be unfair. It is better that way.
Absolutely. And artists must starve, else where will they acquire the angst needed to create art?
Most of the area of these glaciers is less than 13,000 years old. On the level of erosion of mountains, not significant. The glacier cover is quite new on this scale of time.
Just what I was going to say. The summary is conflating massively different time scales. Just because both of them are far longer than our lives doesn't mean they're the same.
I thought I was alone in this until a few weeks ago I found a site called xkcdsucks, and it appears I'm not alone in thinking this.
Hey, look at me! My opinion is valid because I found a website that says the same thing.
I'm making a sig out of that.
I want a t-shirt that says that.
Seeing is believing. In this case, quite literally so.
Actually, I think in this case the announcement is a stronger indicator than the lack of ads on current devices.
Typing "pressure cooker" lists pressure cooker bomb as the 3rd suggestion in Google.
Hmm. It's the top suggestion for me. Does that indicate what Google thinks about me?
Google has specifically stated on the Google Glass blog that it will not put ads on Glass, in the same post where it was announced that third party apps will not be allowed to show ads on Glass. Google it.
Google's business model is advertising.
Google's primary business model is advertising, in the sense that it brings in 90% of revenues, but Google is fundamentally a technology company, not an advertising company, and has no objection whatsoever to pursuing other business models. It has been pursuing other approaches, and advertising's share of the revenues has declined from basically 100% to about 90% (enterprise apps licensing being the biggest single other source). In fact, the Google founders and most of the employees aren't particularly enamored of advertising. It brings in large revenues, and it enables end-user services to be free, and therefore low-friction, and done right it can even offer some value to end users as well as advertisers, but it will always be somewhat distasteful to engineers -- and Google is an engineer-driven company, bottom to top.
Google has stated that the Glass experience needs to be ad-free to be of value. Whether that means it'll be monetized strictly through hardware sales, or whether it's just another link binding people into the Google ecosystem (like Google+) which will facilitate ad targeting accuracy or something else, I don't know. But Google has said that it won't allow ads on the platform, theirs or others'.
Of course they've banned third parties. Google's own advertising is the sole reason for the device.
Google is also not putting any ads on Glass.
Nice quote.
What makes you think that the woman's search history was involved at all?
Prediction: this article will not get 850 comments, and many people will continue pointing to this story as proof that Google lets the federal government rifle through all of everyone's data.
If the feds have compromised the CAs, that https gets you nothing.
If the feds were using compromised CAs to perform man-in-the-middle attacks, we'd notice, unless they did it very, very rarely. If they're going to restrict themselves to using this capability only in circumstances when they have strong reason to believe their target is a criminal or planning to be one, they'd probably be able to just get a warrant.
a) Google glass already has ads.
Cite? Last I heard, Google was not only no putting ads on Glass, but had banned third party developers from incorporating ads into their apps.
Another possibility (though I think yours is more likely): Do you use HTTPS to access Google? If you use the search bar on major web browsers, you do. If you are signed into a Google account, you do. Otherwise, if you're not logged in and you manually direct your browser to google.com and then do a search, the query goes to Google unencrypted.
Assuming Google searches had anything to do with this story (which I doubt), I think it's more likely that non-SSL queries were intercepted.
Except they said they do this "100 times a week". The implications of that are staggering. 100 times a week? That is 5200 raids a year.... if they are not putting terrorists away by the truckload then they have some serious explaining to do.
Even more staggering when you realize this was carried out by a county Sheriff's department. So is this one department carrying out 100 raids per week? Assuming they're not the only PD doing it, we much have hundred of thousands of raids per year. Millions, maybe.
Color me skeptical.
Just like every other company that does ads, they buy the info from Google.
Google doesn't sell data. Not to advertisers, not to anyone. The only exception is market research data which is aggregated and anonymized and cannot be used to target specific individuals.
Of course, once weak selectors have triggered from the google data, the gov't has other systems (e.g. let's say telco info) to get the location and possibly user of the IP address that google recorded.
I strongly doubt that Google was involved at all. I see two realistic possibilities:
1. The supposition that the content of a Google search was involved at all is simply false. The visit was provoked by something else, and the targets just assumed it was related to Google queries.
2. The search was done over HTTP, and the connection was intercepted at the ISP or any other point in the chain between browser and Google.
That's pretty much it. Google says it doesn't supply data to the government without lawful orders, and that it doesn't supply broad data at all, only specific data about specific individuals given specific legal documentation. You may not believe it, but there's really no evidence otherwise. As a Google employee with some visibility into relevant infrastructure, I have evidence to support it.
Call me a shill, naive, whatever. This is just my honest, and fairly well-informed, opinion.
WIth physical access and knowledge of the hardware sure it's extractable
With good tamper-reactive hardware? Well... in theory, sure, anything is possible. In practice, good luck getting in without triggering the tamper response, which zeros the master key. Note that freezing attacks don't work, because getting the device outside of a certain temperature range triggers the tamper response, as does physical penetration, exposure to radiation, improper input voltage or loss of battery power or... good FIPS 140-2 level 4 hardware is very touchy.
... this is assuming there's no backdoor in the HSM, always a large assumption.
Actually, I worked a bit on the IBM 4758 and know a bunch of the people involved throughout its design and development, and I'd say it's extremely unlikely that there's a back door. There's a published paper on the 4758 design (Google it); go read that and then come back and we'll talk. I can tell you about all of the code control and layered reviews at every point in the design, implementation and testing process. It would be fantastically hard to sneak a back door in through that.
Umm... you should go re-read the SSL/TLS specs. The server doesn't get to dictate the session key.
The session key (AKA master key) is computed from a "pre-master" secret key and two random numbers, one provided by client the other from the server. Both sides perform this computation independently, and the server has no control over the client random -- nor the client over the server random. Also, the pre-master secret is either generated entirely by the client, or else generated through a Diffie Hellman key agreement protocol, which again involves input from both sides.
There may be other attacks, but the one described in the summary doesn't work.
The root key is in an HSM, and can't be extracted.
For disaster recovery purposes it must also exist elsewhere.
Other HSMs. There is a secure mechanism for syncing keys between devices that ensures that it is still impossible to ever extract them in cleartext. All major HSM devices can do this.
The root key is in an HSM, and can't be extracted. I think I can say that without compromising anything confidential.
The largest risk isn't during transmission, it is at the user's end... and Google's end. 2 million bit encryption wouldn't be enough if you had a keylogger, or if google got served a National Security Letter that it decided to honor.
Yeah, but the NIST recommendations suggest that 1024-bit keys aren't adequate any more, so it's just good security hygiene to upgrade, even if they're not actually the current weak point, which I agree is almost certainly at the user's end.
I tend to try to give people the benefit of the doubt, because it makes my life better than if I assumed the worst and walked around angry all of the time, but it's nice to get confirmation that the Volt owner most likely wasn't being rude.
I think maybe I'll print up a little sign to leave under my windshield wiper when I'm parked at the airport, explaining how to interpret the lights. Or maybe I can put it over the charging port; that would be even better.
Thanks for the information.
On the Leaf vs Volt access to the charging station, I think the Leaf owners have a point. Charging is optional for the Volt, not so for the Leaf.
Of course, I own a Leaf, and have had the experience of having a Volt owner unplug my car at the airport parking lot, 15 minutes after I plugged in. When I got back from my trip it was questionable if I had enough juice to get home. Well, to be fair, I don't know for sure that it was the Volt owner who unplugged me, but it was a day trip and the charger was plugged into a Volt when I got home in the evening. On the assumption the Volt owner was uninformed rather than rude, I left a nice note explaining that the Leaf does not have a gasoline engine, and how the blue lights on the dash indicate charge state, pointing out that when you see a car with a single blue light flashing, you should probably leave it plugged in.
The flaw in your thinking is that the ability to detect creativity matters.
The flaw in your thinking is that you don't get to judge what constitutes creativity. Thus, you don't get to decide what is "the ability to detect creativity" either. So yeah, try again?
Who said I (or anyone) needs to judge what constitutes creativity?