I've had Prime since year one, and while I occasionally have purchase spurts - enough to make the subscription worth my while - I occasionally go for a month or two without ordering anything, so...I guess I'm subsidizing you? : )
Yes. Not the attacker, the site developer who chose give your password to his site to an tracking company. He could have chosen to do it directly, instead he just included their content and scripts on his site, from his domain, essentially enabling them to do an XSS attack on his site without needing the "XS" part.
In general, there's very little browsers can do to prevent XSS if site developers don't build their sites correctly. What we have here is a case where site developers may have done a decent job of preventing general XSS attacks, then gave a specific attacker special privileges. In this particular case, there may be some things that browsers can do about it, now that researchers have pointed out the issue. However, that won't actually fix the general case, because sites allow these tracking networks to inject Javascript as well. If the tracking companies wanted to, they could inject Javascript that collects your username and password from the visible fields, when you type them.
The only real solution is for site developers to be careful about whose content/code they inject in their sites. When they contract with an analytics company, they should ensure that the contract contains a commitment not to snarf extra data.
of course it's sustainable, otherwise they would have raised the $99 yearly fee.
That doesn't follow, because customers may use the service differently on a monthly subscription, and one usage pattern may be sustainable at a given price point, but not another.
For example, users may choose to sign up when they have a bunch of stuff to order (say, right before Christmas), then cancel immediately. With the annual subscription you have the low-utilization months to balance out the high-utilization months. I suppose some people may still say "I'm ordering a bunch of stuff right now, so much that my shipping cost is >$99, I'll sign up for Prime and save some money, then cancel", but that seems far less likely than for an $11 monthly subscription.
Of course, then there are people like me. Between everyone in my house, on my Prime subscription, we not only order/get stuff almost every day, it's common that UPS and FedEx make multiple stops at my house per day. Each. That utilization pattern seems unsustainable and I'm surprised they haven't announced tiered subscription rates.
#2 is a bigger problem, but realistically home routers were never designed to do those types of things. They aren't capable of doing full wirespeed packet inspection, and for 99+% of the homes this works fine at a fraction of the cost.
Huh? These are just ordinary multicast packets; the only inspection the router needs to do is to check the destination address, which they have to do with every packet they handle. It's what routers do... look at destination addresses and forward the packet on the right interface. If they can't do that at wire(less)speed, then they pretty much fail as routers. And it's not like it's difficult to handle a few hundred megabits per second with modern CPUs, even low-power ones.
And social problems don't benefit from the application of intelligence? I think they clearly do. Not that one person is going to come up with "the solution" to long-standing, knotty social problems. And of course it's crucial that people recognize their own limitations; you can't just rewrite the behavior of people, you have to work within the framework that exists and any effort to change behavior has to be done cautiously, with a constant vigilance for unexpected effects, and by convincing people that they want to behave differently.
But intelligence is absolutely useful for all of these things.
because the world needs yet another proprietary walled garden operating system that allows the manufacturer of the device to retain control over the purchaser's property.
What in the history of Google devices makes you think that this will be a walled garden? Is it the fact that all Nexus/Pixel devices have unlockable bootloaders (except those bought from Verizon, at Verizon's insistence, and Google made sure they can be unlocked when they're paid off)? Or the fact that Android has always allowed sideloading and alternative app stores? Or the fact that all ChromeOS devices -- from all manufacturers -- have had a developer mode switch? Or the fact that Google open sources all of its Android and ChromeOS code? Or the fact that Fuschia is also open source?
I mean... the story you're commenting on is about how someone downloaded the open source FuschiaOS code, compiled and built it themselves (meaning they could have modified it if they liked), and then installed and ran it on a Google Pixelbook they put in dev mode.
1. An End to the hardware Nightmares of Linux. Linux generally is not at the mercy of Windows Drivers. Linux Drivers for Android Devices has translated well to Linux Drivers on x86 for Desktop Linux.
Huh? I don't know of a single case where Android Linux driver development has made a driver available for the desktop. Mobile device drivers are very different from their desktop counterparts.
2. Root on our devices. Our Devices are our devices. I don't care how much I paid for the Device. If I was sold a device retail and paid for it in full, its mine. I don't care if they were sold on Amazon. We all should be entitled to have root, and unlocked bootloaders on our devices we pay for.
Linux hasn't, doesn't and will never help with this. Well, except in one way: Linux is buggy enough that it has, in the past, generally been possible to find kernel vulnerabilities to enable rooting on locked-down devices. That's a really backhanded "feature", though, since if the user can exploit the vulnerability so can an attacker. You're lauding insecurity, basically.
Don't get me wrong, I'm not anti-Linux. I switched to Debian as my platform of choice in 2000, and have never regretted it. I'm an Android engineer and enjoy the fact that the underlying kernel is one that's so familiar and comfortable. OTOH, I'm a security engineer and the size and monolithic nature of Linux makes it very hard to secure.
The manufacturer can void the warranty, but thats all. So what happens when root isn't a thing because of FushciaOS?
It's becoming not a thing for Linux, too, as we make progress toward closing the vulnerabilities in Linux. Actually, to the extent that Google manages to retain greater control of devices with FuschiaOS, you're more likely to be able to take control of your device. Google has always made its Android devices (Nexus/Pixel) unlockable, and has managed to require all ChromeOS device makers to allow theirs to be unlocked as well.
competent to properly secure the password database (which is fairly easy),
If they are competent, then they must be unwilling to secure it. In 2018, this worked for my experimental chrome browser , latest from Google at the time :
https://it.slashdot.org/story/...
Meh. It's no surprise that browsers don't yet mitigate a barely-published attack, particularly since it's arguably not an attack at all. The browser is doing the right thing and filling username and password fields for the site that it's supposed to. The site developer is the one including hidden forms that send that data to the wrong place. Bad/buggy web sites can do all kinds of nasty things with/to the data you give to those sites. The only difference here is that the site developer doesn't realize he's added this particular nastiness, but he did make the decision to use a shady tracking service.
Creative uses of Spectre (and Meltdown or something like it as an additional help) can make it even more "fairly easy" to steal the passwords.
Again, not an issue with having a password database in your browser. An issue with entering passwords in your browser at all, of course (or potentially in any program on your computer), but not a reason to prefer typing passwords over using the browser's password keeper.
The US federal government is explicitly allowed to have an army. It just can't get appropriations for more than two years each. The Founders were indeed worried about the oppression potential of armies (navies are a lot harder to use for oppressing populations), but realized a Federal army would be needed.
Yes, and the two-year limit on appropriations was intended specifically to make it difficult for the federal government to maintain a standing army in peacetime.
I have no idea what a Google Authenticator App is, let alone how it works, or what FIDO is or U2F. None of those things make sense, so why in the world would I ever use them?
"Do a search" the lazy nerd would say.
I'm a lazy nerd and that's not what I would say. I would say: "Go to myaccount.google.com and click on 'Signing in to Google'. It explains all of the options."
You don't need to give then your phone number, you can use the Google Authenticator app to generate the one time pass on your device.
This app requires the following permissions:
Access to your phone book
Access to storage devices
Access to your camera
Access to your microphone
Access to your call records
Access to your photos
Ability to send SMS
Ability to make calls
Access to device identifiers
Access to Internet
Access to Wifi
It does not. I don't know if you're deliberately lying or looking at something else but the above is simply false.
Per the info on Google Play, the Google Authenticator app requires:
Camera
- take pictures and videos
Other
- create accounts and set passwords
- full network access
- control Near Field Communication
- use accounts on the device
- control vibration
Camera is used to grab QR codes. That's the mechanism by which Authenticator is generally configured. I'm not sure what "create accounts and set passwords" means. It has network access to check time. It uses NFC to deliver authentication codes via NFC. It "uses accounts on the device" to see what accounts you have that you might want to set up authentication for. It controls vibration to, well, vibrate.
Anyone clicking "Yes" on a "Remember the password for this Site?" prompt in Chrome, Firefox or Safari is a complete moron. Why would anyone trust Apple, Google or Mozilla with the Keys To Their Kingdom? I might have trusted Mozilla with them a decade ago, but not any more.
If you use your gmail account as the primary account on all of your other sites, you are trusting Google with the Keys to Your Kingdom. Substitute whatever email service provider you use, because anyone who controls your email can almost certainly reset the password on any other account you have, unless that other account has some 2FA of its own. Security questions are weak in general, but even weaker against someone who has all your email and can mine it for answers.
Also... you're apparently saying that you trust Google, Mozilla or Apple enough to type your passwords into their browsers but not enough to use their password storage solutions. Does that make any sense at all? The only way it makes sense is if you assume that they're not competent to properly secure the password database (which is fairly easy), but are competent enough to get the rest of the security right (which is very hard). It clearly makes no sense if you assume they might be maliciously interested in stealing your passwords, because you're typing your passwords into their browser.
And, FWIW, if you set a sufficiently-long sync password on Chrome, Google has no access to the passwords that Chrome stores for you. Yes, they all get uploaded to Google, so they can be synced between Chrome instances on different machines, but they're all encrypted with your sync password.
Google allows you to set up a FIDO security token AND the Authenticator app AND one or text/voice numbers AND a set of backup codes, any one of which will get you in. With enough different options, you'll never be locked out.
I use all of the above. There is a caveat on the text/voice numbers, which is that attackers have been able to hijack cell numbers, so consider that carefully... but if you also have a good password you've significantly raised the bar for anyone to hijack your account if they have to both steal your password (which you never use anywhere else, and never enter into any form that isn't on a Google site, right?) and hijack your cell. It's also a good idea to test your backup codes periodically, though I've never had mine fail to work.
Neither? Really? You'd honestly prefer to have a 50% chance of having to wait longer to get your information?
Load times for web sites are now under a second - over 100ms is considered slow. I honestly couldn't care less if two sites that are otherwise equally ranked end up sending me to the one that loads in 500ms instead of 50ms.
You must not look at very many web sites. There are plenty with load times of multiple seconds, even on a very fast connection.
What about other characteristics of bad sites? They can be slow, ugly, spammy, malware-laden.
A site that is spammy or malware-laden shouldn't make it into the search index at all. A site that is ugly may still have useful information - and often ugliness correlates quite strongly with utility for technical web pages, so I'd be very unhappy if a search engine decided that I wanted to look at pretty and information-light sites instead.
Information-light sites would score lower on content, so the ugliness factor wouldn't even come into play.
Nope, you are testing and helping their A.I. to learn using your data, at your expense, and THEY (Google) get all the benefits.
Even if they get some benefit, it's silly to say that they get all the benefits. I mean, if you do this it's because you'd like to have an AI trained to so some image classification job, and it's easier for you to use Google's service than to build and train your own. So it must be fulfilling some need of yours, and doing it more cheaply/easily than you could do it yourself. That's value.
If the NSA comes asking Amazon for data, there are strict rules that apply. They may simply not be able to tell anyone about what information they give over. Especially if it is backed by the FICA court.
FISA, not FICA. Also, you're conflating FISA wiretaps with National Security Letters.
Correct. Under the provisions of the PATRIOT Act the private corporation does not have a choice. All the government has to do is assert national security concerns.
Incorrect. I wish people would actually look up the law, instead of just assuming.
Yes, the PATRIOT act expanded the applicability of National Security Letters (note that it did not create NSLs, that was the Right to Financial Privacy Act, in 1978), and those allow the government to request certain sorts of information from private companies without prior judicial approval, and with a gag order on the recipient, preventing them from talking about it. However, the law also includes some important limitations. (Not enough, IMO, but the limitations that are there should not be ignored).
The primary limitation is that NSLs may only demand metadata, not content. Metadata is incredibly useful and valuable, of course. In the context of communications between parties, knowing who talks to who and when is often more valuable than knowing exactly what they're saying. In the context of a a smart speaker, I don't see how any metadata could be useful.
Another important limitation is that the recipient of the NSL may challenge the NSL in court. There is some evidence that many of the big tech companies do challenge them, though the evidence is obviously fragmentary, since such proceedings are normally closed and sealed, especially if the challenge is unsuccessful.
Anyone here remember Lavabit?
Indeed I do, and I also recall the details of how that actually went down. Lavabit had nothing to do with NSLs, it was all about ordinary court orders, because the FBI wanted the content of Snowden's communications, not just the metadata. And the reason the judge ended up handing down an extremely far-reaching order (to hand over private keys) was because Lavabit repeatedly and incompetently failed to comply with more selective orders. The "incompetently" part is important. If Lavabit had gotten an attorney and actually argued the earlier orders properly, they may or may not have won (probably not), but would ultimately have just had the selective order enforced. Mostly Lavabit just failed to respond or show up, leading the court and the FBI to decide that they were not acting in good faith, which resulted in the FBI's request for, and the court's approval of, an order to hand over their private keys. Lavabit chose to shut down instead of complying.
Aside from that, anyone remember Quest? The one telco that refused to play patriotic 9/11-ball with the government and just hand everything over. What happened to them?
Apparently you don't remember them very well, because their name was Qwest (note that the past tense is because they were bought out by CenturyLink, not because they ceased to exist).
What happened to them is that because they refused to play ball, they were denied government contracts worth many millions of dollars. The CEO, Joseph Nacchio, also publicly said that the request had come several months before 9/11. He was convicted of insider trading; the charges look legitimate, but not unrelated to the NSA stuff. Nacchio had used false accounting and inflated revenue predictions to pump up Qwest's stock price, believing that he'd be able to cover those inflated predictions with the revenue of the aforementioned government contracts. So his refusal to hand over customer data did directly result in his ultimate conviction, not because the conviction was punitive but because the loss of those contracts exposed the shell game he was already playing -- a shell game which included his early sale of stock while the price was high because he suspected his value inflation would not hold up, even before he was asked to illegally provide customer data. Odds are that his game would have fallen apart even with the lost contracts. It's impossible to say whether he would have been prosecuted in that case, but it seems li
OTOH, the whole point of a smart speaker is to listen and snoop.
Either this is nonsense, or the makers of smart speakers are blatantly -- and criminally -- lying to consumers, engaging in fraudulent advertising, probably violating SEC regulations on truthful disclosure to investors, and perhaps breaking other laws as well.
Also, if they were blatantly lying in this way, it would be fairly easy to tell by monitoring the device's network traffic. In fact, no one has found any evidence that any of the devices, from any manufacturer, send audio data back to the servers except when triggered by their hotword. In the case of Google's devices, you can also go to a web site (or use the phone app) to see and play back every piece of audio that was sent to Google by the device. This is how the defect with the Google Home Minis was discovered (there's a button on top that was intended to allow command-triggering by touching the device rather than using the hotword; the button was often triggering when not touched).
Skepticism and scrutiny of corporate claims is a good idea. But assuming blatant lying about something that (a) is easily checkable and (b) would get the companies in big trouble as well as generate massive negative PR is just silly paranoia.
Neither, you put them in the data set with equal rank and then in the UI pick a random ordering for each client.
Neither? Really? You'd honestly prefer to have a 50% chance of having to wait longer to get your information?
Frankly, I don't believe you.
What about other characteristics of bad sites? They can be slow, ugly, spammy, malware-laden... there are quite a number of quality factors other than content relevance. Obviously relevance is the most important characteristic (well, except for malware), but once that bar has been met, there are still better and worse sites. Google has long taken into account a wide variety of factors (including speed... note that they've been including speed in their rankings for desktop searches for years) in deciding how to rank search results, because offering users higher-quality results provides a better user experience.
On mobile, I suspect that they've been weighting total page and resource size rather heavily for years, since minimizing size uses less expensive mobile data. Is that something else you think they shouldn't consider in result rankings?
What does pizza cost in the US? 10 bucks cheaper would mean you get money if you order a pizza here...
Including delivery?
I just went to Domino's.com and created an order to check. The delivery charge for my mom's house (there's no pizza delivery service to my house; my area is too rural, but my mom is 30 miles away, so a reasonable proxy), is $2.50. Plus a tip, of course. Assuming two medium cheese pizzas ($12.99 each), four bottles of Coke and an order of bread twists with dipping sauce, plus delivery fee, the total is $45.09, so that's about a $7 for a tip.
Assuming the delivery surcharge of $2.50 stays the same, the main savings would be the tip. So, in this case, $7.
I don't know where you live, but if tipping is not the norm in your location, then the delivery charge will almost certainly be higher (adjusting for currency and cost of living), because $2.50 is unlikely to be enough to pay for the driver's time, unless the store is very close to your house.
What it boils down to is that unless labor is extremely cheap in your area, the bulk of the cost of delivery will be labor, not vehicle wear and tear or fuel. And whatever that labor amount is, eliminating the human reduces the delivery cost by about that much. In the US, labor costs are high enough that the savings is non-trivial.
I agree with you - back in the early 80's, while in college I worked at a Godfathers Pizza. We delivered and used company cars. (Chevy Citations, if remember).
What you're talking about isn't a difference between the 80s and now, but a difference between pizza places. Godfather's still uses company cars.
I think the logic is rather that if I ask for delivery, I want delivery. If Domino's does not provide this, I'll order from someone else who does.
What if Domino's is $5 cheaper, but you have to walk to the curb? Or $10?
If delivery to the door means having to pay a driver, that cost will be reflected in the price. You can choose to pay it if you want, and if you can find a pizza place that will do it. I suspect that the vast majority will choose the lower price and walk to the curb, so there will soon be no stores that provide delivery to the door. Well, until they put a robot in the car that will walk / wheel / fly it to the door for you.
Slashdot Mirror
I've had Prime since year one, and while I occasionally have purchase spurts - enough to make the subscription worth my while - I occasionally go for a month or two without ordering anything, so...I guess I'm subsidizing you? : )
And I appreciate it!
Site developer
Yes. Not the attacker, the site developer who chose give your password to his site to an tracking company. He could have chosen to do it directly, instead he just included their content and scripts on his site, from his domain, essentially enabling them to do an XSS attack on his site without needing the "XS" part.
In general, there's very little browsers can do to prevent XSS if site developers don't build their sites correctly. What we have here is a case where site developers may have done a decent job of preventing general XSS attacks, then gave a specific attacker special privileges. In this particular case, there may be some things that browsers can do about it, now that researchers have pointed out the issue. However, that won't actually fix the general case, because sites allow these tracking networks to inject Javascript as well. If the tracking companies wanted to, they could inject Javascript that collects your username and password from the visible fields, when you type them.
The only real solution is for site developers to be careful about whose content/code they inject in their sites. When they contract with an analytics company, they should ensure that the contract contains a commitment not to snarf extra data.
of course it's sustainable, otherwise they would have raised the $99 yearly fee.
That doesn't follow, because customers may use the service differently on a monthly subscription, and one usage pattern may be sustainable at a given price point, but not another.
For example, users may choose to sign up when they have a bunch of stuff to order (say, right before Christmas), then cancel immediately. With the annual subscription you have the low-utilization months to balance out the high-utilization months. I suppose some people may still say "I'm ordering a bunch of stuff right now, so much that my shipping cost is >$99, I'll sign up for Prime and save some money, then cancel", but that seems far less likely than for an $11 monthly subscription.
Of course, then there are people like me. Between everyone in my house, on my Prime subscription, we not only order/get stuff almost every day, it's common that UPS and FedEx make multiple stops at my house per day. Each. That utilization pattern seems unsustainable and I'm surprised they haven't announced tiered subscription rates.
#2 is a bigger problem, but realistically home routers were never designed to do those types of things. They aren't capable of doing full wirespeed packet inspection, and for 99+% of the homes this works fine at a fraction of the cost.
Huh? These are just ordinary multicast packets; the only inspection the router needs to do is to check the destination address, which they have to do with every packet they handle. It's what routers do... look at destination addresses and forward the packet on the right interface. If they can't do that at wire(less)speed, then they pretty much fail as routers. And it's not like it's difficult to handle a few hundred megabits per second with modern CPUs, even low-power ones.
Yup. Blaming the attacker completely absolves the maker of vulnerable software. What else can I expect from Google employees?
Umm, you need to re-read the post you're replying to. Nowhere did I blame the attacker.
Our problems are social, not scientific.
And social problems don't benefit from the application of intelligence? I think they clearly do. Not that one person is going to come up with "the solution" to long-standing, knotty social problems. And of course it's crucial that people recognize their own limitations; you can't just rewrite the behavior of people, you have to work within the framework that exists and any effort to change behavior has to be done cautiously, with a constant vigilance for unexpected effects, and by convincing people that they want to behave differently.
But intelligence is absolutely useful for all of these things.
My bet is that Fuchsia is forgotten by the end of the 2019.
I'll take a piece of that action. How much do you want to put on it, and how do you propose to settle it?
because the world needs yet another proprietary walled garden operating system that allows the manufacturer of the device to retain control over the purchaser's property.
What in the history of Google devices makes you think that this will be a walled garden? Is it the fact that all Nexus/Pixel devices have unlockable bootloaders (except those bought from Verizon, at Verizon's insistence, and Google made sure they can be unlocked when they're paid off)? Or the fact that Android has always allowed sideloading and alternative app stores? Or the fact that all ChromeOS devices -- from all manufacturers -- have had a developer mode switch? Or the fact that Google open sources all of its Android and ChromeOS code? Or the fact that Fuschia is also open source?
I mean... the story you're commenting on is about how someone downloaded the open source FuschiaOS code, compiled and built it themselves (meaning they could have modified it if they liked), and then installed and ran it on a Google Pixelbook they put in dev mode.
How do you get "walled garden" out of that?
1. An End to the hardware Nightmares of Linux. Linux generally is not at the mercy of Windows Drivers. Linux Drivers for Android Devices has translated well to Linux Drivers on x86 for Desktop Linux.
Huh? I don't know of a single case where Android Linux driver development has made a driver available for the desktop. Mobile device drivers are very different from their desktop counterparts.
2. Root on our devices. Our Devices are our devices. I don't care how much I paid for the Device. If I was sold a device retail and paid for it in full, its mine. I don't care if they were sold on Amazon. We all should be entitled to have root, and unlocked bootloaders on our devices we pay for.
Linux hasn't, doesn't and will never help with this. Well, except in one way: Linux is buggy enough that it has, in the past, generally been possible to find kernel vulnerabilities to enable rooting on locked-down devices. That's a really backhanded "feature", though, since if the user can exploit the vulnerability so can an attacker. You're lauding insecurity, basically.
Don't get me wrong, I'm not anti-Linux. I switched to Debian as my platform of choice in 2000, and have never regretted it. I'm an Android engineer and enjoy the fact that the underlying kernel is one that's so familiar and comfortable. OTOH, I'm a security engineer and the size and monolithic nature of Linux makes it very hard to secure.
The manufacturer can void the warranty, but thats all. So what happens when root isn't a thing because of FushciaOS?
It's becoming not a thing for Linux, too, as we make progress toward closing the vulnerabilities in Linux. Actually, to the extent that Google manages to retain greater control of devices with FuschiaOS, you're more likely to be able to take control of your device. Google has always made its Android devices (Nexus/Pixel) unlockable, and has managed to require all ChromeOS device makers to allow theirs to be unlocked as well.
competent to properly secure the password database (which is fairly easy),
If they are competent, then they must be unwilling to secure it. In 2018, this worked for my experimental chrome browser , latest from Google at the time : https://it.slashdot.org/story/...
Meh. It's no surprise that browsers don't yet mitigate a barely-published attack, particularly since it's arguably not an attack at all. The browser is doing the right thing and filling username and password fields for the site that it's supposed to. The site developer is the one including hidden forms that send that data to the wrong place. Bad/buggy web sites can do all kinds of nasty things with/to the data you give to those sites. The only difference here is that the site developer doesn't realize he's added this particular nastiness, but he did make the decision to use a shady tracking service.
Creative uses of Spectre (and Meltdown or something like it as an additional help) can make it even more "fairly easy" to steal the passwords.
Again, not an issue with having a password database in your browser. An issue with entering passwords in your browser at all, of course (or potentially in any program on your computer), but not a reason to prefer typing passwords over using the browser's password keeper.
The US federal government is explicitly allowed to have an army. It just can't get appropriations for more than two years each. The Founders were indeed worried about the oppression potential of armies (navies are a lot harder to use for oppressing populations), but realized a Federal army would be needed.
Yes, and the two-year limit on appropriations was intended specifically to make it difficult for the federal government to maintain a standing army in peacetime.
Go to myaccount.google.com. Google's documentation explains all this.
I have no idea what a Google Authenticator App is, let alone how it works, or what FIDO is or U2F. None of those things make sense, so why in the world would I ever use them?
"Do a search" the lazy nerd would say.
I'm a lazy nerd and that's not what I would say. I would say: "Go to myaccount.google.com and click on 'Signing in to Google'. It explains all of the options."
You don't need to give then your phone number, you can use the Google Authenticator app to generate the one time pass on your device.
This app requires the following permissions:
Access to your phone book
Access to storage devices
Access to your camera
Access to your microphone
Access to your call records
Access to your photos
Ability to send SMS
Ability to make calls
Access to device identifiers
Access to Internet
Access to Wifi
It does not. I don't know if you're deliberately lying or looking at something else but the above is simply false.
Per the info on Google Play, the Google Authenticator app requires:
Camera
- take pictures and videos
Other
- create accounts and set passwords
- full network access
- control Near Field Communication
- use accounts on the device
- control vibration
Camera is used to grab QR codes. That's the mechanism by which Authenticator is generally configured. I'm not sure what "create accounts and set passwords" means. It has network access to check time. It uses NFC to deliver authentication codes via NFC. It "uses accounts on the device" to see what accounts you have that you might want to set up authentication for. It controls vibration to, well, vibrate.
Anyone clicking "Yes" on a "Remember the password for this Site?" prompt in Chrome, Firefox or Safari is a complete moron. Why would anyone trust Apple, Google or Mozilla with the Keys To Their Kingdom? I might have trusted Mozilla with them a decade ago, but not any more.
If you use your gmail account as the primary account on all of your other sites, you are trusting Google with the Keys to Your Kingdom. Substitute whatever email service provider you use, because anyone who controls your email can almost certainly reset the password on any other account you have, unless that other account has some 2FA of its own. Security questions are weak in general, but even weaker against someone who has all your email and can mine it for answers.
Also... you're apparently saying that you trust Google, Mozilla or Apple enough to type your passwords into their browsers but not enough to use their password storage solutions. Does that make any sense at all? The only way it makes sense is if you assume that they're not competent to properly secure the password database (which is fairly easy), but are competent enough to get the rest of the security right (which is very hard). It clearly makes no sense if you assume they might be maliciously interested in stealing your passwords, because you're typing your passwords into their browser.
And, FWIW, if you set a sufficiently-long sync password on Chrome, Google has no access to the passwords that Chrome stores for you. Yes, they all get uploaded to Google, so they can be synced between Chrome instances on different machines, but they're all encrypted with your sync password.
Add some more 2FA options.
Google allows you to set up a FIDO security token AND the Authenticator app AND one or text/voice numbers AND a set of backup codes, any one of which will get you in. With enough different options, you'll never be locked out.
I use all of the above. There is a caveat on the text/voice numbers, which is that attackers have been able to hijack cell numbers, so consider that carefully... but if you also have a good password you've significantly raised the bar for anyone to hijack your account if they have to both steal your password (which you never use anywhere else, and never enter into any form that isn't on a Google site, right?) and hijack your cell. It's also a good idea to test your backup codes periodically, though I've never had mine fail to work.
Neither? Really? You'd honestly prefer to have a 50% chance of having to wait longer to get your information?
Load times for web sites are now under a second - over 100ms is considered slow. I honestly couldn't care less if two sites that are otherwise equally ranked end up sending me to the one that loads in 500ms instead of 50ms.
You must not look at very many web sites. There are plenty with load times of multiple seconds, even on a very fast connection.
What about other characteristics of bad sites? They can be slow, ugly, spammy, malware-laden.
A site that is spammy or malware-laden shouldn't make it into the search index at all. A site that is ugly may still have useful information - and often ugliness correlates quite strongly with utility for technical web pages, so I'd be very unhappy if a search engine decided that I wanted to look at pretty and information-light sites instead.
Information-light sites would score lower on content, so the ugliness factor wouldn't even come into play.
Nope, you are testing and helping their A.I. to learn using your data, at your expense, and THEY (Google) get all the benefits.
Even if they get some benefit, it's silly to say that they get all the benefits. I mean, if you do this it's because you'd like to have an AI trained to so some image classification job, and it's easier for you to use Google's service than to build and train your own. So it must be fulfilling some need of yours, and doing it more cheaply/easily than you could do it yourself. That's value.
If the NSA comes asking Amazon for data, there are strict rules that apply. They may simply not be able to tell anyone about what information they give over. Especially if it is backed by the FICA court.
FISA, not FICA. Also, you're conflating FISA wiretaps with National Security Letters.
Correct. Under the provisions of the PATRIOT Act the private corporation does not have a choice. All the government has to do is assert national security concerns.
Incorrect. I wish people would actually look up the law, instead of just assuming.
Yes, the PATRIOT act expanded the applicability of National Security Letters (note that it did not create NSLs, that was the Right to Financial Privacy Act, in 1978), and those allow the government to request certain sorts of information from private companies without prior judicial approval, and with a gag order on the recipient, preventing them from talking about it. However, the law also includes some important limitations. (Not enough, IMO, but the limitations that are there should not be ignored).
The primary limitation is that NSLs may only demand metadata, not content. Metadata is incredibly useful and valuable, of course. In the context of communications between parties, knowing who talks to who and when is often more valuable than knowing exactly what they're saying. In the context of a a smart speaker, I don't see how any metadata could be useful.
Another important limitation is that the recipient of the NSL may challenge the NSL in court. There is some evidence that many of the big tech companies do challenge them, though the evidence is obviously fragmentary, since such proceedings are normally closed and sealed, especially if the challenge is unsuccessful.
Anyone here remember Lavabit?
Indeed I do, and I also recall the details of how that actually went down. Lavabit had nothing to do with NSLs, it was all about ordinary court orders, because the FBI wanted the content of Snowden's communications, not just the metadata. And the reason the judge ended up handing down an extremely far-reaching order (to hand over private keys) was because Lavabit repeatedly and incompetently failed to comply with more selective orders. The "incompetently" part is important. If Lavabit had gotten an attorney and actually argued the earlier orders properly, they may or may not have won (probably not), but would ultimately have just had the selective order enforced. Mostly Lavabit just failed to respond or show up, leading the court and the FBI to decide that they were not acting in good faith, which resulted in the FBI's request for, and the court's approval of, an order to hand over their private keys. Lavabit chose to shut down instead of complying.
Aside from that, anyone remember Quest? The one telco that refused to play patriotic 9/11-ball with the government and just hand everything over. What happened to them?
Apparently you don't remember them very well, because their name was Qwest (note that the past tense is because they were bought out by CenturyLink, not because they ceased to exist).
What happened to them is that because they refused to play ball, they were denied government contracts worth many millions of dollars. The CEO, Joseph Nacchio, also publicly said that the request had come several months before 9/11. He was convicted of insider trading; the charges look legitimate, but not unrelated to the NSA stuff. Nacchio had used false accounting and inflated revenue predictions to pump up Qwest's stock price, believing that he'd be able to cover those inflated predictions with the revenue of the aforementioned government contracts. So his refusal to hand over customer data did directly result in his ultimate conviction, not because the conviction was punitive but because the loss of those contracts exposed the shell game he was already playing -- a shell game which included his early sale of stock while the price was high because he suspected his value inflation would not hold up, even before he was asked to illegally provide customer data. Odds are that his game would have fallen apart even with the lost contracts. It's impossible to say whether he would have been prosecuted in that case, but it seems li
OTOH, the whole point of a smart speaker is to listen and snoop.
Either this is nonsense, or the makers of smart speakers are blatantly -- and criminally -- lying to consumers, engaging in fraudulent advertising, probably violating SEC regulations on truthful disclosure to investors, and perhaps breaking other laws as well.
Also, if they were blatantly lying in this way, it would be fairly easy to tell by monitoring the device's network traffic. In fact, no one has found any evidence that any of the devices, from any manufacturer, send audio data back to the servers except when triggered by their hotword. In the case of Google's devices, you can also go to a web site (or use the phone app) to see and play back every piece of audio that was sent to Google by the device. This is how the defect with the Google Home Minis was discovered (there's a button on top that was intended to allow command-triggering by touching the device rather than using the hotword; the button was often triggering when not touched).
Skepticism and scrutiny of corporate claims is a good idea. But assuming blatant lying about something that (a) is easily checkable and (b) would get the companies in big trouble as well as generate massive negative PR is just silly paranoia.
Neither, you put them in the data set with equal rank and then in the UI pick a random ordering for each client.
Neither? Really? You'd honestly prefer to have a 50% chance of having to wait longer to get your information?
Frankly, I don't believe you.
What about other characteristics of bad sites? They can be slow, ugly, spammy, malware-laden... there are quite a number of quality factors other than content relevance. Obviously relevance is the most important characteristic (well, except for malware), but once that bar has been met, there are still better and worse sites. Google has long taken into account a wide variety of factors (including speed... note that they've been including speed in their rankings for desktop searches for years) in deciding how to rank search results, because offering users higher-quality results provides a better user experience.
On mobile, I suspect that they've been weighting total page and resource size rather heavily for years, since minimizing size uses less expensive mobile data. Is that something else you think they shouldn't consider in result rankings?
What does pizza cost in the US? 10 bucks cheaper would mean you get money if you order a pizza here...
Including delivery?
I just went to Domino's.com and created an order to check. The delivery charge for my mom's house (there's no pizza delivery service to my house; my area is too rural, but my mom is 30 miles away, so a reasonable proxy), is $2.50. Plus a tip, of course. Assuming two medium cheese pizzas ($12.99 each), four bottles of Coke and an order of bread twists with dipping sauce, plus delivery fee, the total is $45.09, so that's about a $7 for a tip.
Assuming the delivery surcharge of $2.50 stays the same, the main savings would be the tip. So, in this case, $7.
I don't know where you live, but if tipping is not the norm in your location, then the delivery charge will almost certainly be higher (adjusting for currency and cost of living), because $2.50 is unlikely to be enough to pay for the driver's time, unless the store is very close to your house.
What it boils down to is that unless labor is extremely cheap in your area, the bulk of the cost of delivery will be labor, not vehicle wear and tear or fuel. And whatever that labor amount is, eliminating the human reduces the delivery cost by about that much. In the US, labor costs are high enough that the savings is non-trivial.
I agree with you - back in the early 80's, while in college I worked at a Godfathers Pizza. We delivered and used company cars. (Chevy Citations, if remember).
What you're talking about isn't a difference between the 80s and now, but a difference between pizza places. Godfather's still uses company cars.
I think the logic is rather that if I ask for delivery, I want delivery. If Domino's does not provide this, I'll order from someone else who does.
What if Domino's is $5 cheaper, but you have to walk to the curb? Or $10?
If delivery to the door means having to pay a driver, that cost will be reflected in the price. You can choose to pay it if you want, and if you can find a pizza place that will do it. I suspect that the vast majority will choose the lower price and walk to the curb, so there will soon be no stores that provide delivery to the door. Well, until they put a robot in the car that will walk / wheel / fly it to the door for you.