False equivalency. Oh, sure, rape of a man is equally bad as rape of a woman, but on a societal scale rape of women is much worse than rape of men because it's much, much more common. Women are raped far more often than men, so it makes sense to focus primarily on female rape. And, actually, there's every reason to expect that putting a lot of effort into addressing rape in general will help reduce both male and female rape, even if nearly all of the effort is applied to the largest part of the problem (female rape)
Also, it should be pointed out that the reason male rape is often not taken seriously is because we're still carrying old, patriarchal gender stereotypes, which are exactly what feminists wish to erase. When women and gay men have as much social power as straight men do today, then accusations of male rape will be taken as seriously as accusations of female rape are today.
Basically, this isn't an implementation bug, or even a design flaw... it's an architectural flaw, present in all modern CPUs. Unless great care is taken, any CPU that supports both speculative execution and memory caching is vulnerable. This is incredibly huge. To a first approximation, all computers are broken.
There is a better solution to the auditability you seek: Scantegrity II. End-to-end verifiability, including the ability for any person or organization to verify the final tally, and for any voter to verify that their vote was correctly included in the tally, but without enabling the voter to prove how they voted to any third party (to avoid enabling vote buying and coercion).
10 years ago it was probably Punchscan. It's been improved significantly since than, simplified and streamlined, but with even better auditing, and renamed. The current version is Scantegrity II.
I post a link to it on pretty much every slashdot article about voting. Mostly it's ignored amid heated discussions of peripheral issues and lots of curmudgeons who say all you need is black X on a piece of paper and a horde of volunteers to count 'em up. (I'll note that the curmudgeons aren't wrong, exactly, but application of some more modern ideas can significantly improve the process.) I also usually get one or two replies that boldly assert that there's no way voters can use receipts to verify that their ballots are counted correctly without also being able to prove to a third party how they voted, thus enabling vote buying and coercion. I agree that it is counterintuitive, but so are lots of ideas in cryptography and mathematics.
It's not immediately clear exactly why Google is building a new operating system...
Possibly to un-encumber themselves from the GPL? I note that Fuchsia's licenses are a mix of MIT, BSD, and Apache. This would potentially allow them to adapt the OS to just about any environment without having to release the source code.
Note that those are the same FOSS licenses Google uses on all of its open source projects. I wouldn't read anything into those choices.
So what happens when the waitress at the restaurant incorporates, and now her (tax free) paycheck is going straight to her company (that she controls, and that pays her bills as business expenses). What happens when everyone does that? We lose our tax base and go broke is what I see.
Any money the waitress takes out of the corporation -- to pay her bills, etc. -- is taxable income. Likewise, having the corporation buy you a house, car, etc. is already taxable income.
It would seem totally logical that the simplest and least-subject-to-perversion method of taxation would be to chose to tax a value that requires the absolute minimum subjective interpretation: either a gross revenue tax or a consumption tax.
Even simpler: Simply abolish corporate taxes altogether. They're a scam on the voters, and evil.
Not because we should love all the corporations, but because corporations never actually pay taxes. All corporate taxes end up being shifted to individuals in one of three groups: investors, who receive lower rates of return; employees, who receive lower salaries/less benefits; and consumers, who pay higher prices. Exactly how the cost of taxes gets allocated among those groups is variable, hard to quantify and ultimately decided by corporate execs, which is bad because the allocation of taxes should be decided by legislatures.
That makes corporate taxes dumb and counterproductive. What makes them evil is that the voting taxpayers who ultimately foot the bill don't know they're doing so. In order for democracy to function, taxpayers should know what they're paying, so they can decide whether or not they're getting good value for their money and vote accordingly. But from the typical voter's perspective, money collected from corporations is "free", because it comes from entities that can't vote (though entities that can exercise considerable political influence through various forms of political speech, including donations).
What we should do is to reduce the corporate tax rate to zero, and legislatively reallocate that tax burden. We should probably recover most of it by increasing capital gains taxes, and perhaps imposing capital gains on foreign investors, since I think most people assume (almost certainly incorrectly!) that the burden of corp taxes is primarily felt by the owners of capital. But, however we think the tax burden ought to be allocated among the different kinds of people, we should legislatively allocate it that way, rather than hiding it from the taxpayers and making it all but impossible to work out who actually pays the bills.
I thought the missing heat (that which caused the pause for most of the first part of this millennia) was accumulating in the ocean...
It is. But heat isn't uniformly distributed, either in the air or in the oceans. For exactly the same sorts of reasons that global warming can cause land climates to get colder, it can cause some ocean climates to get colder.
we work with both the Apple and Android security teams and there's no way any of us would trust important data to an Android phone.
Why not? In detail, if you could.
I'm a member of the Android security platform team. My perception is that Apple is ahead in a few areas and Android in a few others, but that overall up-to-date Android devices are about as secure as up-to-date Apple devices. It's worth pointing out that the iPhone was popped in several mobile hacking competitions this year, but neither the Pixel nor Pixel 2 were.
All of this will happen because Greed N. Corruption killed Common F. Sense long ago.
About 3.8 billion years ago, on Earth at least. Likely longer ago since it's unlikely that Earth is the only place life has arisen. Life is inherently greedy.
Any system that relies upon participants not being greedy is doomed to failure, or at least very limited effectiveness. The reason that free market capitalism has succeeded where every other economic system has failed is because it exploits greed rather than fighting it.
. The question is "which is a more likely threat, a mitm or a hacked WordPress?"
That question is irrelevant. There's a simple way to eliminate the former threat, so it should be eliminated.
Mitm by Corp sec is an option. If corporate administers the computers, they can install a cert onto every computer which lets them (and anyone who gets their key) mitm ALL otherwise secure connections. Meaning NO connection is secure. Corpsec then sees your personal email, your banking password, etc - as does anyone who gets the corporate cert.
So... your argument is that it's so important that they be able to scan incoming traffic for malware that HTTPS shouldn't be used... but they shouldn't be able to scan HTTPS traffic for malware? Please make up your mind.
You are normally smart enough to have interesting conversations in which you recognize that other people, people with decades of experience in their field, can see something differently than the way you see it.
I didn't directly address your implied argument from authority and instead just explained why you were wrong. If you want to continue invoking that fallacious argument, though, I'll respond in kind: In this case, we're talking about my field, in which I have decades of experience, and in which I work with many other people who collectively have millenia of experience... and all agree that the security of the web is best-served by 100% TLS penetration.
You don't classify telling police that there's an armed murderer in a house as "Inherently dangerous"? Do you not read the news or something?
As I said, Kansas law defines "inherently dangerous" as "armed robbery, arson, or aggravated burglary". That's the definition and you can't arbitrarily extend it to include other crimes just because you want to.
>Violent crime is at an all time low but the cops keep becoming more and more violent.
Numbers please.
Look up the annual FBI crime reports. We've actually not at an all-time low, though. Crime was marginally lower a few years ago. But we're still at close to the lowest crime rates we've had in 40-50 years,
When a person commits a felony, and as a result someone dies, it's murder.
Note that this varies by state. Not all of them have the concept of felony murder and not all of those that do include all felonies. Kansas, where this doofus lives, only includes "inherently dangerous" felonies, meaning armed robbery, arson, or aggravated burglary.
Actually, as TFA points out, filing a false police report (which is esssentially what swatting is) *is* a felony in some juridictions but a misdemeanor in others. It's clearly a misdemeanor in California, but AFAICT can be either a misdemeanor *or* felony in Kansas depending on the severity. Since someone got killed, I'd guess this could fall into the felony category, in which case "Swautistic" could be going away for quite some time if prosecuted and found guilty in Kansas.
It looks like Kansas' felony murder statute only applies if the felony in question is classified as "inherently dangeorous", which means armed robbery, arson, or aggravated burglary. So while he could be prosecuted for a felony, he isn't on the hook for a first degree murder rap.
In states where felony murder includes any homicide caused by or in the process of any felony, and where filing a false report isa felony, a bad swatting could result in a sentence of life without parole.
Moving the terminals is impractical, but they could provide direct routes with people movers. But the hotel/casinos want the foot traffic through the casino. You have to walk through the casino to get to the taxi stops or street as well. So the best that's doable is probably to add people movers to get you between terminal and casino quickly.
As I understand it, corporate security has the option of having you accept their keys and MITMing everything, allowing scanning and caching of activity performed from inside the corporate network. Is that incorrect?
Indeed. And with HTTPS, corporate security can ensure that they're the only ones MITMing the connection. With HTTP it's impossible to know if anyone else might be monitoring -- or even modifying -- the connection.
In my professional judgement, there is little benefit to https for many sites, which simply present publicly available information.
Your professional judgement is wrong, because you're only looking at half of what HTTPS provides. Encryption is only one of the things HTTPS provides, and it's arguably the less important one. Integrity is the more important one. HTTPS ensures that you're connecting to the site you think you are, and that the content it provides arrives at your browser unmodified.
Without this, if a malicious party can get access to your connection at any point between your browser and the server they can make arbitrary modifications. They can inject malware that exploits vulnerabilities in your browser and OS, they can inject ads, they can inject tracking cookies, etc.
Https means it can't be loaded from your ISP or company's cache, making popular sites slower. It also prevents corporate security or your own router / firewall from seeing the malware or whatever that some hacker added to the page, and generally keeping an eye out for security problems.
Nonsense, especially for the corporate cases. You can install proxies that do caching and content inspection by pushing custom certs to all of the client trust lists. This also allows the proxies to control which CAs and sites are trusted, rather than relying on whatever happens to be shipped with the clients.
In the ISP case, nearly all ISP-based caching today that actually offers any value is done by co-locating servers with the ISPs. Most ISPs of any size have Akamai and Netflix servers. These servers, of course, have access to the relevant certs.
For public sites where you don't log in, I think https is a net reduction of security.
Slashdot Mirror
Is there suddenly a world wide shortage of human sperm? This seems the height of waste.
Can you see no value in understanding the process of how sperm is created than to create sperm?
False equivalency. Oh, sure, rape of a man is equally bad as rape of a woman, but on a societal scale rape of women is much worse than rape of men because it's much, much more common. Women are raped far more often than men, so it makes sense to focus primarily on female rape. And, actually, there's every reason to expect that putting a lot of effort into addressing rape in general will help reduce both male and female rape, even if nearly all of the effort is applied to the largest part of the problem (female rape)
Also, it should be pointed out that the reason male rape is often not taken seriously is because we're still carrying old, patriarchal gender stereotypes, which are exactly what feminists wish to erase. When women and gay men have as much social power as straight men do today, then accusations of male rape will be taken as seriously as accusations of female rape are today.
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
Basically, this isn't an implementation bug, or even a design flaw... it's an architectural flaw, present in all modern CPUs. Unless great care is taken, any CPU that supports both speculative execution and memory caching is vulnerable. This is incredibly huge. To a first approximation, all computers are broken.
There is a better solution to the auditability you seek: Scantegrity II. End-to-end verifiability, including the ability for any person or organization to verify the final tally, and for any voter to verify that their vote was correctly included in the tally, but without enabling the voter to prove how they voted to any third party (to avoid enabling vote buying and coercion).
Does anyone else recall this method?
10 years ago it was probably Punchscan. It's been improved significantly since than, simplified and streamlined, but with even better auditing, and renamed. The current version is Scantegrity II.
I post a link to it on pretty much every slashdot article about voting. Mostly it's ignored amid heated discussions of peripheral issues and lots of curmudgeons who say all you need is black X on a piece of paper and a horde of volunteers to count 'em up. (I'll note that the curmudgeons aren't wrong, exactly, but application of some more modern ideas can significantly improve the process.) I also usually get one or two replies that boldly assert that there's no way voters can use receipts to verify that their ballots are counted correctly without also being able to prove to a third party how they voted, thus enabling vote buying and coercion. I agree that it is counterintuitive, but so are lots of ideas in cryptography and mathematics.
It's not immediately clear exactly why Google is building a new operating system...
Possibly to un-encumber themselves from the GPL? I note that Fuchsia's licenses are a mix of MIT, BSD, and Apache. This would potentially allow them to adapt the OS to just about any environment without having to release the source code.
Note that those are the same FOSS licenses Google uses on all of its open source projects. I wouldn't read anything into those choices.
No, I meant what I said and you understood it perfectly well.
So what happens when the waitress at the restaurant incorporates, and now her (tax free) paycheck is going straight to her company (that she controls, and that pays her bills as business expenses). What happens when everyone does that? We lose our tax base and go broke is what I see.
Any money the waitress takes out of the corporation -- to pay her bills, etc. -- is taxable income. Likewise, having the corporation buy you a house, car, etc. is already taxable income.
It would seem totally logical that the simplest and least-subject-to-perversion method of taxation would be to chose to tax a value that requires the absolute minimum subjective interpretation: either a gross revenue tax or a consumption tax.
Even simpler: Simply abolish corporate taxes altogether. They're a scam on the voters, and evil.
What loopholes? Corporations write the tax rules. This is all intentional. Why do you think corporations donate to political campaigns?
If corporations write the rules, why do corporate taxes exist at all?
Instead of Don't be Evil it's Don't Pay Taxes.
Corporate taxes are evil.
Not because we should love all the corporations, but because corporations never actually pay taxes. All corporate taxes end up being shifted to individuals in one of three groups: investors, who receive lower rates of return; employees, who receive lower salaries/less benefits; and consumers, who pay higher prices. Exactly how the cost of taxes gets allocated among those groups is variable, hard to quantify and ultimately decided by corporate execs, which is bad because the allocation of taxes should be decided by legislatures.
That makes corporate taxes dumb and counterproductive. What makes them evil is that the voting taxpayers who ultimately foot the bill don't know they're doing so. In order for democracy to function, taxpayers should know what they're paying, so they can decide whether or not they're getting good value for their money and vote accordingly. But from the typical voter's perspective, money collected from corporations is "free", because it comes from entities that can't vote (though entities that can exercise considerable political influence through various forms of political speech, including donations).
What we should do is to reduce the corporate tax rate to zero, and legislatively reallocate that tax burden. We should probably recover most of it by increasing capital gains taxes, and perhaps imposing capital gains on foreign investors, since I think most people assume (almost certainly incorrectly!) that the burden of corp taxes is primarily felt by the owners of capital. But, however we think the tax burden ought to be allocated among the different kinds of people, we should legislatively allocate it that way, rather than hiding it from the taxpayers and making it all but impossible to work out who actually pays the bills.
I thought the missing heat (that which caused the pause for most of the first part of this millennia) was accumulating in the ocean...
It is. But heat isn't uniformly distributed, either in the air or in the oceans. For exactly the same sorts of reasons that global warming can cause land climates to get colder, it can cause some ocean climates to get colder.
we work with both the Apple and Android security teams and there's no way any of us would trust important data to an Android phone.
Why not? In detail, if you could.
I'm a member of the Android security platform team. My perception is that Apple is ahead in a few areas and Android in a few others, but that overall up-to-date Android devices are about as secure as up-to-date Apple devices. It's worth pointing out that the iPhone was popped in several mobile hacking competitions this year, but neither the Pixel nor Pixel 2 were.
All of this will happen because Greed N. Corruption killed Common F. Sense long ago.
About 3.8 billion years ago, on Earth at least. Likely longer ago since it's unlikely that Earth is the only place life has arisen. Life is inherently greedy.
Any system that relies upon participants not being greedy is doomed to failure, or at least very limited effectiveness. The reason that free market capitalism has succeeded where every other economic system has failed is because it exploits greed rather than fighting it.
The only niche that Rust is particularly appropriate in is "SJW-dominated cult language".
The only thing worse than SJWs are anti-SJWs.
. The question is "which is a more likely threat, a mitm or a hacked WordPress?"
That question is irrelevant. There's a simple way to eliminate the former threat, so it should be eliminated.
Mitm by Corp sec is an option. If corporate administers the computers, they can install a cert onto every computer which lets them (and anyone who gets their key) mitm ALL otherwise secure connections. Meaning NO connection is secure. Corpsec then sees your personal email, your banking password, etc - as does anyone who gets the corporate cert.
So... your argument is that it's so important that they be able to scan incoming traffic for malware that HTTPS shouldn't be used... but they shouldn't be able to scan HTTPS traffic for malware? Please make up your mind.
You are normally smart enough to have interesting conversations in which you recognize that other people, people with decades of experience in their field, can see something differently than the way you see it.
I didn't directly address your implied argument from authority and instead just explained why you were wrong. If you want to continue invoking that fallacious argument, though, I'll respond in kind: In this case, we're talking about my field, in which I have decades of experience, and in which I work with many other people who collectively have millenia of experience... and all agree that the security of the web is best-served by 100% TLS penetration.
You don't classify telling police that there's an armed murderer in a house as "Inherently dangerous"? Do you not read the news or something?
As I said, Kansas law defines "inherently dangerous" as "armed robbery, arson, or aggravated burglary". That's the definition and you can't arbitrarily extend it to include other crimes just because you want to.
>Violent crime is at an all time low but the cops keep becoming more and more violent. Numbers please.
Look up the annual FBI crime reports. We've actually not at an all-time low, though. Crime was marginally lower a few years ago. But we're still at close to the lowest crime rates we've had in 40-50 years,
The felony murder rule is:
When a person commits a felony, and as a result someone dies, it's murder.
Note that this varies by state. Not all of them have the concept of felony murder and not all of those that do include all felonies. Kansas, where this doofus lives, only includes "inherently dangerous" felonies, meaning armed robbery, arson, or aggravated burglary.
Actually, as TFA points out, filing a false police report (which is esssentially what swatting is) *is* a felony in some juridictions but a misdemeanor in others. It's clearly a misdemeanor in California, but AFAICT can be either a misdemeanor *or* felony in Kansas depending on the severity. Since someone got killed, I'd guess this could fall into the felony category, in which case "Swautistic" could be going away for quite some time if prosecuted and found guilty in Kansas.
It looks like Kansas' felony murder statute only applies if the felony in question is classified as "inherently dangeorous", which means armed robbery, arson, or aggravated burglary. So while he could be prosecuted for a felony, he isn't on the hook for a first degree murder rap.
In states where felony murder includes any homicide caused by or in the process of any felony, and where filing a false report isa felony, a bad swatting could result in a sentence of life without parole.
Moving the terminals is impractical, but they could provide direct routes with people movers. But the hotel/casinos want the foot traffic through the casino. You have to walk through the casino to get to the taxi stops or street as well. So the best that's doable is probably to add people movers to get you between terminal and casino quickly.
The airport could also get fees from the monorail tickets. But the political clout of the taxi companies is a significant obstacle.
As I understand it, corporate security has the option of having you accept their keys and MITMing everything, allowing scanning and caching of activity performed from inside the corporate network. Is that incorrect?
Indeed. And with HTTPS, corporate security can ensure that they're the only ones MITMing the connection. With HTTP it's impossible to know if anyone else might be monitoring -- or even modifying -- the connection.
In my professional judgement, there is little benefit to https for many sites, which simply present publicly available information.
Your professional judgement is wrong, because you're only looking at half of what HTTPS provides. Encryption is only one of the things HTTPS provides, and it's arguably the less important one. Integrity is the more important one. HTTPS ensures that you're connecting to the site you think you are, and that the content it provides arrives at your browser unmodified.
Without this, if a malicious party can get access to your connection at any point between your browser and the server they can make arbitrary modifications. They can inject malware that exploits vulnerabilities in your browser and OS, they can inject ads, they can inject tracking cookies, etc.
Https means it can't be loaded from your ISP or company's cache, making popular sites slower. It also prevents corporate security or your own router / firewall from seeing the malware or whatever that some hacker added to the page, and generally keeping an eye out for security problems.
Nonsense, especially for the corporate cases. You can install proxies that do caching and content inspection by pushing custom certs to all of the client trust lists. This also allows the proxies to control which CAs and sites are trusted, rather than relying on whatever happens to be shipped with the clients.
In the ISP case, nearly all ISP-based caching today that actually offers any value is done by co-locating servers with the ISPs. Most ISPs of any size have Akamai and Netflix servers. These servers, of course, have access to the relevant certs.
For public sites where you don't log in, I think https is a net reduction of security.
Nope. Plain HTTP is bad and should die.
C++ is becoming obscenely complex, and hence a pain to manage and a pain to find bugs and a pain to avoid creating more bugs when adding code
You clearly have not actually worked with modern C++.