Mostly I can only address one part of it, which is the "can't be 100% certain that you are you". The takeout website checks your password at several times in the process. I was actually surprised that there didn't seem to be any option to encrypt the file.
Checking your password only helps ensure that the person getting the data that is known to be associated with the account actually is. It doesn't help with data that is only thought to be associated with the account. The uncertainty is in the connection between the data and the account, not between the account and the account owner.
I can't imagine them screwing this up, although knowing Google, like many projects they'll abandon it. So perhaps this policy will be abandoned for the sake of it in the next few years like everything else?
Google has been working on this project for a decade, so it seems like something with long-term commitment.
So far in my explorations of the data I haven't seen any browser history data, though I strongly suspect the google is collecting it
Unless you have web history enabled (check the settings in myactivity.google.com), I'm quite certain Google is not storing your browser history. I think this is a distinct question from tracking your web browsing through Google Analytics, assuming you haven't opted out of that. In the latter case, Google gets information about the sites you visit from those sites and uses it to update your interest profile, but doesn't store the actual visit history.
Note that there is almost certainly data Google has about you which it cannot show you, because it can't be 100% certain that you are you. Data derived from logged-out interactions can be tentatively correlated with you, but since there's no way to be completely certain you're the same person, it would be a violation of the privacy of whoever actually had that logged-out interaction (which might be you) to show it to you. In the case of logged-in interactions, of course, it's reasonable to presume that anything done while logged into account A can be safely shown to account A.
This list is missing your tracked browsing history. For Android users there is GPS tracking history and call and SMS history.
If location history is turned on, it should be there in the download. Mine is.
SMS messages are not uploaded to Google, unless you're using Hangouts for SMS (which you can't do anymore unless you're using Project Fi as your carrier). Many people wish SMS were backed up, so that it could be restored onto a new device. As it is, when you get a new phone your SMS history is lost unless you copy it across to the new device (which recent Android versions will automate for you).
FWIW, Android P is enabling Android backups to be encrypted in a way that ensures that Google cannot read them. That will in turn enable more data (like SMS, I'd expect) to be backed up and restored since it won't raise privacy concerns.
Not really sure what OP meant by "fragmentary rounds", but pretty sure 5.56 doesn't fit any of the possible interpretations of what I think he/she/it meant.
Jacketed 5.56 bullets have a tendency to break apart in terminal ballistics. The nomenclature was bad, but it is a real thing.
Medium-caliber cartridges like the.223 / 5.56mm used in an AR-15 are chosen by the military for their tendency to wound, rather than always killing, because wounding one soldier tends to take two or three out of the fight as his buddies stop fighting to focus on saving him.
This is outdated bullshit from WWII and has nothing to do with why we use the.223
Dude stop mashing together half ideas you heard from military wannabees at your gun club.
It's what I got from the training manuals I taught out of when I was a combat arms instructor in the US Air Force.
Actually, if you consider the situation, it could have been much worse. From the body count alone, one can infer that this person was not using a semi-automatic rifle with high-muzzle velocity fragmentary rounds. With an AR-15 she may have killed a dozen people before killing herself.
With a little practice and a bolt action deer rifle it could have been much worse. Medium-caliber cartridges like the.223 / 5.56mm used in an AR-15 are chosen by the military for their tendency to wound, rather than always killing, because wounding one soldier tends to take two or three out of the fight as his buddies stop fighting to focus on saving him. Hunting rifles are designed to kill as quickly as possible, both to avoid game being able to run away and to ensure a quick, humane kill.
If you want to kill a lot of people with a gun, find a bunch of them in an open area with no easy way to cover and shoot them with a high-powered rifle from an elevated perch. Bolt action will work fine as long as the action is smooth and you've practiced a little.
If you want to kill a *lot* of people, though, you don't use a gun. Bombs and incendiaries are much more effective.
In this case, though, and in the majority of rampage shooting events, she used a handgun because it was small and easy to carry.
Also, all of the above-mentioned firearms are readily available in California. Magazine sizes are restricted for all types of firearms, some cosmetic features are restricted on ARs, and some effort has been made to make it difficult to swap rifle magazines quickly.
Most likely, it's population density, and the higher total crime rates that go along with that, even if the per capita crime rates are actually lower. Our puny little human brains SUCK at those kind of statistics for the same reason we are scared of terrorists and mass shootings, despite them being the least likely forms of violent death.
On a per capita basis urban crime rates are higher than suburban and suburban are higher than rural.
Note also that the recently-passed Omnibus continuing resolution (to avoid government shutdown) included language that clarifies that the CDC can conduct gun violence research.
since there's been a nation wide moratorium on researching gun violence since the early 2000s
No, there hasn't. There is a budget rider that says one government agency, the CDC, may not engage in gun control advocacy, which has resulted in that agency mostly deciding not to do any research beyond statistics gathering and reporting, lest it be accused of advocacy. No other government agency is barred from doing research, nor is any institution of higher learning, think tank or individual.
Moreover, when Obama requested the CDC to do gun violence research in 2013, the CDC funded a 2013 study, and did another one internally in 2015. Finally, the recently passed Omnibus continuing resolution clarified that the CDC can do gun violence research.
The Dickey rider was bad, but your characterization of it is ridiculously wrong.
And automobile deaths are higher in the US (where people have cars) than in Somalia (where they mostly don't). You're confusing the tool with the action.
What matters is total homicide rate, not gun homicide rate. As for how those compare... they don't correlate. blindseer gave you a few numbers. Here's a comprehensive set, plotted with the calculated correlation coefficient: https://docs.google.com/spread...
Gunshots aren't an infectious or otherwise biological disease, either. Why anyone would expect the CDC to research it in such a manner is beyond me.
Human on human violence does follow patterns that are extremely similar to those of diseases, so I think it does make sense. I'm pro-gun (I carry daily and own dozens of guns), but I support having the CDC research gun violence, just as they do research on every other large-scale cause of death and injury.
But but but.... the other end of the Chromebook is connected to Google, arguably one of the biggest personal data spies in the business. Nothing is secure there.
Define your threat model. If it includes a risk of getting targeted ads, then Chromebooks are not secure for some uses (and are secure for others). If you're worried about data leaking or being stolen, then Chromebooks are quite secure for whatever.
It can't be the case that an individual needs a team of security experts to use their own laptop securely.
You would like that not to be the case. I see no evidence that your wish is fulfilled. Mostly people are okay as long as they don't do anything egregiously stupid, not because their systems are secure but because no one seriously bothers to attack them. Security by being uninteresting is fine... until it's not.
If you're worried about security, OpenBSD would probably be better. Theo's pretty fanatical about it.
Theo isn't remotely as fanatical about security as the ChromeOS team. He also doesn't have the same control over the hardware that runs the systems, nor the software that runs on the systems, as the ChromeOS team does. OpenBSD doesn't even have a Mandatory Access Control system like SELinux, and if it did it couldn't lock it down as hard as ChromeOS can... precisely because OpenBSD has to be allowed to run arbitrary software, while ChromeOS does not.
I'm not saying OpenBSD isn't a nice system, nor that Theo et al aren't great security engineers, but they're working in a different context, one that simply doesn't allow the sort of security that ChromeOS achieves.
would be just as good as long as it is in competent hands
Exactly the problem. Vast majority of users, including most IT professionals, are not security competent. Expecting people to know the ins-and-outs of computer security before they can be secure is a non-starter.
More than that, security researchers will tell you that they, themselves, aren't competent to make good security decisions. It's why they use Chromebooks.
Systems are too big and complex for one person, however expert, to fully understand. Building a secure system requires teams of specialists, not just specialists in security but specialists in the security of particular parts of the system. Plus pen testers, security auditors, etc., who take a more holistic view, but with access to all of the specialists.
Note that most security researchers do have regular laptops they use, too. They don't take them to security conferences, because that's just asking to get pwned. No, they take Chromebooks because Chromebooks are much more secure... and because as soon as they get home they can powerwash them, just in case.
While it does avail itself of certain linux features (SELinux), it's mostly about implementing a very limited sandbox and they can/do pretty much implement that wherever their browser runs.
That's part of it, but only a part. Other crucial parts are the verified boot system, which ensures that even if the device does get compromised somehow it's essentially impossible for the compromise to be persistent, and the update system.
Also, saying "system X uses SELinux" doesn't really tell you anything. Whether or not and how much benefit you get from SELinux depends on the configuration, and how restrictive you can make the SELinux config depends heavily on how much you have to allow software to do. Similarly for verified boot, if you must allow arbitrary software to be installed, then by definition you can't fully validate all of the software on the system.
So these restrictive, less-flexible elements of ChromeOS are actually a big part of what enables it to be so secure.
However for security researchers protecting themselves, they should be able to do it either way.
Go talk to a bunch of security researchers. The first thing they'll tell you is that nobody can be trusted to make good security decisions, not even security researchers/experts. It takes a team of security experts, plus outside researchers and security audit firms working together to make a system secure -- and even then it's a matter of asymptotically approaching security; you never actually arrive. No one person can understand all of the pieces and all of the interactions deeply enough to make good decisions.
There's so much beauty and awe in nature and we pathetic bald apes are just trampling over it in the shallow quest for profits and a misguided sense of 'progress'.
We pathetic bald apes are part of nature. We're not some separate thing.
Slashdot Mirror
Mostly I can only address one part of it, which is the "can't be 100% certain that you are you". The takeout website checks your password at several times in the process. I was actually surprised that there didn't seem to be any option to encrypt the file.
Checking your password only helps ensure that the person getting the data that is known to be associated with the account actually is. It doesn't help with data that is only thought to be associated with the account. The uncertainty is in the connection between the data and the account, not between the account and the account owner.
I can't imagine them screwing this up, although knowing Google, like many projects they'll abandon it. So perhaps this policy will be abandoned for the sake of it in the next few years like everything else?
Google has been working on this project for a decade, so it seems like something with long-term commitment.
So far in my explorations of the data I haven't seen any browser history data, though I strongly suspect the google is collecting it
Unless you have web history enabled (check the settings in myactivity.google.com), I'm quite certain Google is not storing your browser history. I think this is a distinct question from tracking your web browsing through Google Analytics, assuming you haven't opted out of that. In the latter case, Google gets information about the sites you visit from those sites and uses it to update your interest profile, but doesn't store the actual visit history.
Note that there is almost certainly data Google has about you which it cannot show you, because it can't be 100% certain that you are you. Data derived from logged-out interactions can be tentatively correlated with you, but since there's no way to be completely certain you're the same person, it would be a violation of the privacy of whoever actually had that logged-out interaction (which might be you) to show it to you. In the case of logged-in interactions, of course, it's reasonable to presume that anything done while logged into account A can be safely shown to account A.
This list is missing your tracked browsing history. For Android users there is GPS tracking history and call and SMS history.
If location history is turned on, it should be there in the download. Mine is.
SMS messages are not uploaded to Google, unless you're using Hangouts for SMS (which you can't do anymore unless you're using Project Fi as your carrier). Many people wish SMS were backed up, so that it could be restored onto a new device. As it is, when you get a new phone your SMS history is lost unless you copy it across to the new device (which recent Android versions will automate for you).
FWIW, Android P is enabling Android backups to be encrypted in a way that ensures that Google cannot read them. That will in turn enable more data (like SMS, I'd expect) to be backed up and restored since it won't raise privacy concerns.
Not really sure what OP meant by "fragmentary rounds", but pretty sure 5.56 doesn't fit any of the possible interpretations of what I think he/she/it meant.
Jacketed 5.56 bullets have a tendency to break apart in terminal ballistics. The nomenclature was bad, but it is a real thing.
Medium-caliber cartridges like the .223 / 5.56mm used in an AR-15 are chosen by the military for their tendency to wound, rather than always killing, because wounding one soldier tends to take two or three out of the fight as his buddies stop fighting to focus on saving him.
This is outdated bullshit from WWII and has nothing to do with why we use the .223
Dude stop mashing together half ideas you heard from military wannabees at your gun club.
It's what I got from the training manuals I taught out of when I was a combat arms instructor in the US Air Force.
What's your source?
Actually, if you consider the situation, it could have been much worse. From the body count alone, one can infer that this person was not using a semi-automatic rifle with high-muzzle velocity fragmentary rounds. With an AR-15 she may have killed a dozen people before killing herself.
With a little practice and a bolt action deer rifle it could have been much worse. Medium-caliber cartridges like the .223 / 5.56mm used in an AR-15 are chosen by the military for their tendency to wound, rather than always killing, because wounding one soldier tends to take two or three out of the fight as his buddies stop fighting to focus on saving him. Hunting rifles are designed to kill as quickly as possible, both to avoid game being able to run away and to ensure a quick, humane kill.
If you want to kill a lot of people with a gun, find a bunch of them in an open area with no easy way to cover and shoot them with a high-powered rifle from an elevated perch. Bolt action will work fine as long as the action is smooth and you've practiced a little.
If you want to kill a *lot* of people, though, you don't use a gun. Bombs and incendiaries are much more effective.
In this case, though, and in the majority of rampage shooting events, she used a handgun because it was small and easy to carry.
Also, all of the above-mentioned firearms are readily available in California. Magazine sizes are restricted for all types of firearms, some cosmetic features are restricted on ARs, and some effort has been made to make it difficult to swap rifle magazines quickly.
Most likely, it's population density, and the higher total crime rates that go along with that, even if the per capita crime rates are actually lower. Our puny little human brains SUCK at those kind of statistics for the same reason we are scared of terrorists and mass shootings, despite them being the least likely forms of violent death.
On a per capita basis urban crime rates are higher than suburban and suburban are higher than rural.
http://victimsofcrime.org/docs/default-source/ncvrw2015/2015ncvrw_stats_urbanrural.pdf?sfvrsn=2
Perhaps different years? I used 2015 homicide data and 2013 gun ownership data, since those were the most recent available when I did the analysis.
Yup
Note also that the recently-passed Omnibus continuing resolution (to avoid government shutdown) included language that clarifies that the CDC can conduct gun violence research.
since there's been a nation wide moratorium on researching gun violence since the early 2000s
No, there hasn't. There is a budget rider that says one government agency, the CDC, may not engage in gun control advocacy, which has resulted in that agency mostly deciding not to do any research beyond statistics gathering and reporting, lest it be accused of advocacy. No other government agency is barred from doing research, nor is any institution of higher learning, think tank or individual.
Moreover, when Obama requested the CDC to do gun violence research in 2013, the CDC funded a 2013 study, and did another one internally in 2015. Finally, the recently passed Omnibus continuing resolution clarified that the CDC can do gun violence research.
The Dickey rider was bad, but your characterization of it is ridiculously wrong.
No one at Google is ever going to see these comments
Plenty of Google employees read /.
https://docs.google.com/spread...
You're 100% wrong. Gun violence is usually HIGHER in areas with high gun ownership rates.
And automobile deaths are higher in the US (where people have cars) than in Somalia (where they mostly don't). You're confusing the tool with the action.
What matters is total homicide rate, not gun homicide rate. As for how those compare... they don't correlate. blindseer gave you a few numbers. Here's a comprehensive set, plotted with the calculated correlation coefficient: https://docs.google.com/spread...
Gunshots aren't an infectious or otherwise biological disease, either. Why anyone would expect the CDC to research it in such a manner is beyond me.
Human on human violence does follow patterns that are extremely similar to those of diseases, so I think it does make sense. I'm pro-gun (I carry daily and own dozens of guns), but I support having the CDC research gun violence, just as they do research on every other large-scale cause of death and injury.
California has pretty strict gun laws. How could anyone get a gun to YouTube HQ?
Handguns are legal in California.
The CDC still provides injury and death statistics, broken down by region and cause, including by firearms.
But but but.... the other end of the Chromebook is connected to Google, arguably one of the biggest personal data spies in the business. Nothing is secure there.
Define your threat model. If it includes a risk of getting targeted ads, then Chromebooks are not secure for some uses (and are secure for others). If you're worried about data leaking or being stolen, then Chromebooks are quite secure for whatever.
It can't be the case that an individual needs a team of security experts to use their own laptop securely.
You would like that not to be the case. I see no evidence that your wish is fulfilled. Mostly people are okay as long as they don't do anything egregiously stupid, not because their systems are secure but because no one seriously bothers to attack them. Security by being uninteresting is fine... until it's not.
That all changed when we learned to light shit on fire.
Why?
If you're worried about security, OpenBSD would probably be better. Theo's pretty fanatical about it.
Theo isn't remotely as fanatical about security as the ChromeOS team. He also doesn't have the same control over the hardware that runs the systems, nor the software that runs on the systems, as the ChromeOS team does. OpenBSD doesn't even have a Mandatory Access Control system like SELinux, and if it did it couldn't lock it down as hard as ChromeOS can... precisely because OpenBSD has to be allowed to run arbitrary software, while ChromeOS does not.
I'm not saying OpenBSD isn't a nice system, nor that Theo et al aren't great security engineers, but they're working in a different context, one that simply doesn't allow the sort of security that ChromeOS achieves.
would be just as good as long as it is in competent hands
Exactly the problem. Vast majority of users, including most IT professionals, are not security competent. Expecting people to know the ins-and-outs of computer security before they can be secure is a non-starter.
More than that, security researchers will tell you that they, themselves, aren't competent to make good security decisions. It's why they use Chromebooks.
Systems are too big and complex for one person, however expert, to fully understand. Building a secure system requires teams of specialists, not just specialists in security but specialists in the security of particular parts of the system. Plus pen testers, security auditors, etc., who take a more holistic view, but with access to all of the specialists.
Note that most security researchers do have regular laptops they use, too. They don't take them to security conferences, because that's just asking to get pwned. No, they take Chromebooks because Chromebooks are much more secure... and because as soon as they get home they can powerwash them, just in case.
While it does avail itself of certain linux features (SELinux), it's mostly about implementing a very limited sandbox and they can/do pretty much implement that wherever their browser runs.
That's part of it, but only a part. Other crucial parts are the verified boot system, which ensures that even if the device does get compromised somehow it's essentially impossible for the compromise to be persistent, and the update system.
Also, saying "system X uses SELinux" doesn't really tell you anything. Whether or not and how much benefit you get from SELinux depends on the configuration, and how restrictive you can make the SELinux config depends heavily on how much you have to allow software to do. Similarly for verified boot, if you must allow arbitrary software to be installed, then by definition you can't fully validate all of the software on the system.
So these restrictive, less-flexible elements of ChromeOS are actually a big part of what enables it to be so secure.
However for security researchers protecting themselves, they should be able to do it either way.
Go talk to a bunch of security researchers. The first thing they'll tell you is that nobody can be trusted to make good security decisions, not even security researchers/experts. It takes a team of security experts, plus outside researchers and security audit firms working together to make a system secure -- and even then it's a matter of asymptotically approaching security; you never actually arrive. No one person can understand all of the pieces and all of the interactions deeply enough to make good decisions.
There's so much beauty and awe in nature and we pathetic bald apes are just trampling over it in the shallow quest for profits and a misguided sense of 'progress'.
We pathetic bald apes are part of nature. We're not some separate thing.