Slashdot Mirror


User: swillden

swillden's activity in the archive.

Stories: 0 · Comments: 18,006

Comments · 18,006

  1. Re: Not Americans on Americans Are Lining Up To Work For Amazon For $15 an Hour (qz.com) · · Score: 1

    That's fair, but an argument can also be fairly made that minimum wage should never be less than the amount that a person needs to live, without requiring further aid from social assistance programs, and assuming that they work full time hours.

    If the minimum wage were set that high, teenagers wouldn't be able to get jobs.

    More importantly, it seems likely that we're only a decade or two away from massive automation-driven unemployment. The more we can slow and delay that shift, the less socially painful it will be. A high minimum wage will accelerate it just when we want to slow it down.

  2. Re:sad. This is just a waste of energy on New Net Neutrality Bill Headed To Congress (theverge.com) · · Score: 1

    This issue is easily solved by de-monopolizing communication.

    How do you do that? I agree that it would be a better solution than regulation, but just describing the end state doesn't say anything about how to get there. NN may be a lighter regulatory framework than that required to create competition.

  3. Re:My internet still is working fine. on New Net Neutrality Bill Headed To Congress (theverge.com) · · Score: 1

    from hostile invaders threatening our borders.

    You people are always scared of something. What a miserable life, to be permanently in fear. Don't forget to put your gun under your pillow. And to change underwear often.

    I think Trump's fearmongering about the "invasion" on the southern border is ludicrous, and I favor wide open immigration policies, but the above shows a truly deep misunderstanding of conservatives. Conservatives don't have to be actively fearful of something to want to protect against it. The fact that you misunderstand so completely is not surprising, though... it's actually normal. Research shows that conservatives understand liberal perspectives quite well, but liberals hardly understand conservatives at all.

    You really need to read Jonathan Haidt's book "The Righteous Mind: Why Good People are Divided by Politics and Religion".

  4. Re:Why do we still send passwords to web sites? on Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says (cbsnews.com) · · Score: 1

    You didn't read the post you replied to.

  5. Re:Why do we still send passwords to web sites? on Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says (cbsnews.com) · · Score: 1

    I understand SRP is "resistant" to attacks against the information held on the server. But I don't know more about what that means. I suspect it just forces the server to use a decent hash/salt approach rather than leave the window open to using a weak or no hash

    In SRP, the server stores a value computed from the password. The computation involves a salted hash and then a modular exponentiation, but it's not particularly slow/expensive. Good SRP implementations should use a proper password-based key derivation function in place of the hash, to increase the computation required to recover the password via brute force search... but "increase the difficulty" is all that can be done, and if you put your password into Black Hat's server, none of that even matters.

    Even with SRP, you still need strong, unique passwords. Which means you need a password database.

  6. Re:Cool stuff on Giving the Humble Stethoscope an AI Upgrade Could Save Millions of Kids (ieee.org) · · Score: 1, Interesting

    It will need batteries.

    Sure. Batteries are cheap.

    It will cost a bundle.

    There's no reason to expect this to be the case. It's a device specifically targeted at very poor regions of the world and there's nothing about it that requires expensive hardware. It requires a lot less hardware than is in the typical low-end smartphone that sells in India for $40.

    It may have annual licensing fees.

    How much do you want to bet me that it doesn't?

    It will surely need an internet connection.

    There is absolutely no reason for it to need an Internet connection.

    Or would that same money be better put into training its workers as health care technicians specifically skilled to diagnose pneumonia through traditional stethoscopes? No licensing. Stethoscopes are dirt cheap.

    But training is very expensive, and you're talking about very complex training.

  7. Re:Why do we still send passwords to web sites? on Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says (cbsnews.com) · · Score: 1

    Google it. Secure Remote Password. (SRP)

    Sigh. You didn't read the post you responded to. That still requires the server to have a copy of the password.

    Public keys can do it easily, the client just signs a proof of possession request. Server only needs public key.

    Yep. From the post you replied to:

    To achieve security, it's necessary to have a unique, high-entropy secret per account, with no relationship between the secrets. Ideally, each secret should be an asymmetric private key, but since keeping track of a bunch of non-memorizable private keys requires a database, that's really not much better than just having a database of unique passwords. It's a little better, but not much, and really not in any significant way.

  8. Re:congrats, you invented the antenna on Scientists Create Super-Thin 'Sheet' That Could Charge Our Phones (theguardian.com) · · Score: 2

    yes, conductors turn radio waves into electricity, that's what happens in antenna. very bad to be absorbing large amounts, that means you're blocking them and attenuating them.... bad for everyone's wifi, bluetooth, broadcast radio reception, etc.

    Yeah, that was my thought; if you're extracting power, you're killing the signal. However, it might be a great idea to incorporate something like this into the walls in apartment complexes. A little "free" power and it will also reduce Wifi bandwidth contention by damping signals. But putting lots of it inside your house seems like it will just create a lot of Wifi dead zones.

  9. Re:Why do we still send passwords to web sites? on Hacker Spoke To Baby and Hurled Obscenities At Couple Using Nest Camera, Dad Says (cbsnews.com) · · Score: 2

    We only need to send a proof of possession of the password. The website only needs enough info to verify that we have it. A little crypto magic makes that very possible.

    This is false. I wish it were true, and I'd love it if you could explain what crypto can achieve this magic, but it can't be done.

    There are lots of ways to verify a password without sending a copy, but only when the server has a copy of the password, or something deterministically derived from it, to verify against. I can think of several ways to diversify passwords so as to automatically create a unique password per site, derived from the "real" password and information about the site (e.g. host or domain name)... but since the process will have to be deterministic it will be easy to recover the source password with a brute force search, and from there to generate the derived versions for all other sites.

    There is no crypto magic that allows you to remember only one password for all accounts and keeps someone who compromises one account database (or owns one, as in the XKCD) from discovering that password. To achieve security, it's necessary to have a unique, high-entropy secret per account, with no relationship between the secrets. Ideally, each secret should be an asymmetric private key, but since keeping track of a bunch of non-memorizable private keys requires a database, that's really not much better than just having a database of unique passwords. It's a little better, but not much, and really not in any significant ways.

    No, the solution to this problem is one we have already in hand: the lowly password keeper, i.e. lastpass et al. For web site passwords, I highly recommend the password databases integrated into most (all?) modern web browsers. Most (all?) of them offer the ability to automatically store a copy of the encrypted database in the cloud and automatically sync it to your browser on all devices you use. Most (all?) of them will also generate high-entropy random passwords for you.

    Actually, a slightly better solution is web single sign on using OAuth (which is essentially a cloud-based password store), especially if sites were to actually support arbitrary OAuth providers so you could pick from one of many. From a security perspective, the current widespread variation (log in with Facebook or Google) is fairly good, but it's too centralized. Given universal OAuth support, you could pick your OAuth provider of choice, or run your own OAuth server.

    But, honestly, your browser's built-in password database is almost as good, and you already have it and it works with all web sites not run by idiots and most web sites that are run by idiots[*]. Use it. Personally, I use Chrome's password store. I let it generate all my passwords so I remember only two: my Google login password and my "Chrome sync" password. The latter is used to derive the encryption key used to protect my password store while it sits on Google's servers. Using it means I can't use passwords.google.com to manage my saved passwords, but that's okay.

    There is one big caveat if you use a password database: Someone who gets into your machine can get all of your passwords. If you use only a handful of passwords this is probably true even without a password database, and it's definitely true that if someone compromises your machine while it's still in your possession they can simply snarf your passwords as you enter them. Plus, there's all of the other data about you on your machine. This just highlights the fact that your computers need to be well-secured. Patched up, with disk encryption enabled and with strong login passwords. And don't leave them unlocked and unattended. And note that "computer" includes phone, tablet, etc.

    [*] Many bank web sites engage in a particularly obnoxious brand of idiocy, in which they actively attempt to prevent the use of browser password stores. Their theory is that your password to their web site is so critically important that y
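The SRP discussion in comments 5, 7 and 9 above can be shown concretely. The following is an added example, not code from the thread or from any SRP library: it computes the (salt, verifier) record a server keeps, runs the offline dictionary search an attacker with a copy of that database can perform, and then applies the same search to a deterministic "one master password, derived per site" scheme. The group parameters, usernames, passwords and candidate lists are placeholders chosen so the example runs quickly; the verifier formula follows RFC 5054, with PBKDF2 swapped in for the outer hash when `rounds > 1`.

```python
"""Added example (not part of the original thread): what an SRP server stores,
and why that stored verifier can still be attacked offline."""
import hashlib
import os

# Placeholder group so the example runs quickly. 2**255 - 19 is prime, but this
# is NOT one of the RFC 5054 SRP groups; a real deployment must use those.
N = 2**255 - 19
g = 2


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def private_x(salt: bytes, username: str, password: str, rounds: int = 1) -> int:
    # RFC 5054 computes x = H(s | H(I | ":" | P)). With rounds > 1 the outer hash
    # is replaced by PBKDF2, the "proper password-based KDF" the comment asks for:
    # it only makes each guess slower, it does not stop guessing.
    inner = _h(username.encode(), b":", password.encode())
    if rounds <= 1:
        digest = _h(salt, inner)
    else:
        digest = hashlib.pbkdf2_hmac("sha256", inner, salt, rounds)
    return int.from_bytes(digest, "big")


def verifier(salt: bytes, username: str, password: str, rounds: int = 1) -> int:
    # v = g^x mod N is the only password-derived value the server keeps.
    return pow(g, private_x(salt, username, password, rounds), N)


def enroll(username: str, password: str, rounds: int = 1) -> tuple:
    # Server-side record created at registration: (salt, verifier). The password
    # itself is never stored, but the verifier is a deterministic function of it.
    salt = os.urandom(16)
    return salt, verifier(salt, username, password, rounds)


def offline_guess(salt: bytes, username: str, v: int, candidates, rounds: int = 1):
    # Attacker who has dumped (salt, v) from the server database: recompute the
    # verifier for each candidate password and compare. No interaction needed.
    for pw in candidates:
        if verifier(salt, username, pw, rounds) == v:
            return pw
    return None


def derive_site_password(master: str, site: str) -> str:
    # Hypothetical deterministic "one master password, unique password per site"
    # scheme of the kind comment 9 describes.
    return hashlib.sha256(master.encode() + b"|" + site.encode()).hexdigest()[:20]


def recover_master(salt: bytes, username: str, v: int, site: str,
                   master_candidates, rounds: int = 1):
    # Because derivation is deterministic, a verifier leaked by one site lets the
    # attacker search master passwords, then derive the password for every other site.
    for m in master_candidates:
        if verifier(salt, username, derive_site_password(m, site), rounds) == v:
            return m
    return None


if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse")
    print("recovered:", offline_guess(salt, "alice", v, ["password", "letmein", "correct horse"]))
    salt2, v2 = enroll("alice", derive_site_password("hunter2", "a.example"))
    m = recover_master(salt2, "alice", v2, "a.example", ["123456", "hunter2"])
    print("master:", m, "-> b.example password:", derive_site_password(m, "b.example"))
```

The search cost scales with the KDF rounds and with the password's entropy, and with nothing else: the server never holding the password does not help once its database is copied, which is the comment's point about unique, high-entropy passwords still being required.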

  10. Re:Good angle though on YouTube Strikes Now Being Used As Scammers' Extortion Tool (torrentfreak.com) · · Score: 1

    Oh bullshit, I've seen law enforcement get interested over shoplifting at the 7-11, so fuck your "crimes only matter if they affect the rich" jibber jabber.

    You've seen the FBI get interested in petty crimes? I don't believe you.

  11. Re:The rest of the story on YouTube Strikes Now Being Used As Scammers' Extortion Tool (torrentfreak.com) · · Score: 1

    To an extent YouTube's hands are tied by the need to obey the DMCA.

    YouTube doesn't really use the DMCA process. They'll honor it if they receive a DMCA takedown notice, of course, but they make it much easier to use their own complaint process, which has the three-strike rule. The YouTube process has nothing to do with the DMCA, other than that the existence of the DMCA process was the motivation for YouTube to create a different one that's less cumbersome to administer, in order to discourage people from using the DMCA process.

    So in this case, the scammers sent no DMCA takedown, and YouTube has no legal obligation to do anything. Other, perhaps, than an obligation to follow their own published policy.

    If they get claims they have to act on them, there is no provision for them to determine if the claimant really does own the copyright they are claiming to.

    Under the DMCA process, they don't have to determine if the claimant really owns the copyright. They are required to respond to the takedown notice by taking the material down, period. BUT the person who posted it can file a counter-notice. If YouTube receives a DMCA notice and a counter-notice, they are free to put the material back up and let the claimant and defendant duke it out in court. They are also free to choose not to put it back up. Either way, they have no legal risk.

    The onus is on the victim to sue.

    No, the onus is on the victim to file a counter-notice. Then, assuming the hosting service chooses to put the material back up, the onus is on the alleged copyright holder to sue.

    This all assumes the DMCA process is used, of course. But that's not what happened in this case, and it's basically never what happens with YouTube.

  12. Re:Good angle though on YouTube Strikes Now Being Used As Scammers' Extortion Tool (torrentfreak.com) · · Score: 2

    No matter what the form, extortion is illegal though.

    The first thing I would do if I was the youtuber would be to report the extortion to the FBI or police. If the youtuber can't get a response from Google I'm sure the FBI would.

    The dollar amount is too small for law enforcement to be interested. That's probably *why* the amount is so small.

    Another option is to take it up with Paypal, since apparently the scammer has a Paypal address. If Paypal makes a complaint to the police, that would be more likely to get action. The amount is still trivial, but Paypal has an incentive to nip this sort of thing in the bud.

  13. Re:Perfection is the enemy of the good on E-Cigarettes Are Effective At Helping Smokers Quit, a Study Says (nytimes.com) · · Score: 2

    Whilst I agree that e-cigs are a good way to quit, I don't agree with this. A traditional cigarette gives a handy cue when to stop (the cig is all smoked, if I want to continue I have to light another one). When I tried an e-cig this cue to stop was absent, once I started puffing and then got distracted I often found myself still puffing away an hour later, consuming many times more nicotine than I would have from a single normal cig. YMMV.

    You're comparing different things than apoc.famine is. He's comparing the difficulty of a cigarette smoker gradually weaning while smoking to the difficulty of a vaper gradually weaning while vaping. You're talking about the transition from cigarettes to vaping. Clearly, if you want to vape in order to quit entirely, you have to make that transition, but you have to do that first, and establish a new set of habits. In the short term, it's possible that will result in an increase of nicotine intake. In the longer term, once you've made that switch, you can then start reducing your nicotine intake by changing the percentage of the nicotine in the stuff you're vaping, decreasing it gradually until you get to zero. After you've been vaping without any nicotine for a while, then you can work on killing the vaping habit -- but now you're just changing a habit, not going through drug withdrawals at the same time.

    An anecdote isn't data, but it worked very well for my daughter. She switched to vaping and within a couple of months quit completely.

  14. Re:They're not even bothering to deny it anymore on Google's Also Peddling a Data Collector Through Apple's Back Door (techcrunch.com) · · Score: 1

    Hold up. There's a very important adjective missing from anything you've just said: informed. Where was the informed consent?

    In the case of the Google app, you're talking about people who were invited to join a panel, regularly answer questionnaires, place additional monitoring devices near the TVs in their homes... I think they are well-informed.

  15. Re:They're not even bothering to deny it anymore on Google's Also Peddling a Data Collector Through Apple's Back Door (techcrunch.com) · · Score: 2

    But . . . but . . . ."Google's app is relatively transparent about what it does and who runs it"

    Because announcing "I am a rapist and I am here to rape you" makes it OK.

    If the rapee consents (and is competent to consent; of legal age, of sound mind, etc.)... it does make it okay.

  16. Re:So are Google and Facebook doing this on Androi on Google's Also Peddling a Data Collector Through Apple's Back Door (techcrunch.com) · · Score: 2

    One thing I hadn't read yet, do Facebook and Google have similar apps for Android? It seems likely they would... but I had not read that they did.

    https://play.google.com/store/apps/details?id=com.google.android.apps.userpanel&hl=en_US

    The Screenwise Meter mobile app is used to manage registered panelists' participation in market research panels. If you are not a registered panelist with Google, this app will not function; please do not download or use this app. This app works in sync with external Screenwise measurement devices.

    ABOUT PANEL RESEARCH: Like many other companies, Google brings together market research panels to help learn more about things like technology usage, how people are consuming media, and how they use Google products. This is part of our Panel Research program.

    Apparently there are "Screenwise" devices that you put near your TV that track usage (a la Nielsen, I guess), and the Screenwise Meter app works with them somehow. The panel enrollment page is here, but it's by invitation only.

  17. Re:As probably do most other VPNs.... on Facebook Pays Teens To Install VPN That Spies On Them (techcrunch.com) · · Score: 1

    Facebook got around this protection by asking you to give it root access to your device so that it could install its signing certificate in the trusted root certificates on your device, right along side VeriSign, DigiCert and the other majors.

    Note that Facebook can't ask for "root access" on Android or iOS, at least not as "root" is commonly interpreted in Unix-like OSes (which both Android and iOS are). It can ask you to install a new trusted root certificate.

    The term "root" is overloaded here, but "root access" sounds like something different from what this is.

  18. Re:I can't be the only one :( on Google Cleans Up Gmail App With An All-White Redesign (engadget.com) · · Score: 1

    I'm probably in a minority here, but I disagree with this. For some reason white text on a black background makes my eyes strain after a while. I prefer dark text on light.

    You're actually in the non-vocal majority.

  19. "But, yes, I'm assuming competence. When it comes to statisticians at Google, that's an eminently reasonable assumption."

    You're also assuming honesty & good will. When it comes to leadership at Google, that's an eminently unreasonable assumption.

    (Note: In this reply, I'm assuming that you are interested in an actual conversation about this topic, and are willing to logically evaluate an opposing point of view. If that's an unreasonable assumption, you can just stop reading now. Otherwise, know that I'm also willing to logically and honestly evaluate counter arguments. This topic is personally important to me.)

    It's not unreasonable at all to assume honesty and goodwill, but let's ignore that. Honesty and good will need not be assumed if motivation is sufficient, and Google's motivation here is clearly to thoroughly anonymize the data.

    In general, Google has no interest in disclosing information about users... indeed Google's most important business model is based completely on not disclosing information about users. I challenge you to find any evidence of Google selling identifiable private data. To anyone. Ever. (No, Google didn't participate in PRISM. Snowden's documents show that the NSA was tapping fiber between Google data centers. Google's response was a crash program to encrypt everything. Google spent millions to avoid leaking to the government, rather than selling to them.) This isn't to say that no one at Google makes mistakes -- there have obviously been some. People are fallible. On the other hand, Google pioneered the transparency report and the notion of making users' data available for downloading and deletion. And Google has invested heavily in research into and tools for really strong anonymization. (For example.)

    I understand that the way Google collects data about people bothers you. It bothers me, too, though not as much as it bothers many people, for a couple of reasons that I'll go into if you're interested. I actually spend a portion of my working day on preventing Google (and others) from being able to collect data from Android users (with the complete support of my director, VP and SVP, and without any real pushback from the teams I'm blocking -- as soon as I point out the risk, they agree and back off). But what you're talking about here isn't about collection, it's about disclosure... and when was the last time you saw an article about data disclosed by or leaking from Google? The only one I can think of is the G+ APIs which overshared. And note the thoroughness of Google's response to the discovery of that problem (no, the API problems aren't the whole reason for shutting down G+, but they were the proximate cause).

    Finally, given the target audience of this data, it seems highly unlikely that they would be interested in buying identifiable data, even if Google were interested in selling it. Also, note that having made public statements about the anonymous nature of this data, Google is legally obligated to ensure that's true, or be subject to lawsuits and fines from both citizens and regulators. People at Google would have to be really dumb to expose themselves to that risk.

    Bottom line: Google has zero interest in disclosing identifiable data about user movements, and lots of PR and regulatory reasons not to do it. I assert that Google employees also have a deep and abiding altruistic interest in not disclosing identifiable user data, but even if that weren't true, the self-interested reasons are sufficient.

  20. You're also forgetting the fact that the data reported is from a simulation derived from the model built from the de-identified data, not from the input data. And the most logical implication of the list of techniques used is that all of them are used where appropriate.

    But, yes, I'm assuming competence. When it comes to statisticians at Google, that's an eminently reasonable assumption.

  21. I hope this practice gets squashed under an avalanche of privacy-related lawsuits.

    Not likely, since Google can prove -- mathematically! -- that there's no privacy impact.

  22. But I thought AT&T, Sprint and T-Mobile stated that they'll no longer sell location data...

    Believing a promise from a corporation that isn't legally compelled to comply was your first mistake.

    Corporations are legally required to abide by any public statement that may affect the share price, which would include statements about how they treat customer data.

  23. Data which has been anonymized poorly, if the raw data is distributed rather than statistics, can sometimes be de-anonymized. I see differential privacy mathematically guarantees that the statistics they provide cannot be de-anonymized back to data about individuals.

    Yep, it's pretty cool. Differential privacy as a concept is just about proving the maximum amount of information that can be extracted from an anonymized data set, but in practice we usually talk more about specific algorithms that are designed to anonymize data such that the differential privacy falls below a certain threshold, while still enabling highly-accurate statistics to be calculated over the anonymized data. They work on the principle that if you inject noise of a known distribution into the data, you can then perform statistical analysis on the noisy data and apply corrections to remove the effects of the noise such that the result of the corrected calculations is within an error bound of the result of calculations performed on the raw data. Of course, the error bound can be predicted, and the math also allows calculation of the minimum amount of noise required to ensure privacy.

    For a simple example, suppose you have a data set D and want to compute the mean of that data set. You inject a uniformly-distributed noise set N, either by adding fake samples or by randomly perturbing real samples, then compute the mean of the result. Now notice that mean(D + N) = (mean(D) * |D| + mean(N) * |N|)/(|D| + |N|). If you knew the actual noise set N, then you could solve for mean(D). For differential privacy, it's important that you not know N, or even mean(N), exactly. But if you generate noise corresponding to some distribution, then given |N|, with standard statistical techniques you can estimate the distribution of your noise sample mean(N), and you can take those error bounds and work them back through, so you end up with an estimate for mean(D) and error bounds on that estimate (of course, those error bounds need to be combined correctly with the error bounds from the sampling method used to obtain D in order to get bounds on your estimate for the population mean).

    Anyway, while the math gets a little complicated, the concept is actually quite simple and can be easily applied (with the help of a good statistician) to a wide variety of data sets and statistical calculations. Google has excellent tools for doing this, and a staff of helpful statisticians to make sure they're used correctly.

    Oh, and the best way to ensure that D and N are unknown is to avoid reporting either of them. This is extremely easy on mobile devices: You just program the device to add the random noise, then upload the result. Since the servers never receive either D or N, but only D+N, and the noise parameters were carefully chosen to ensure differential privacy, the data cannot be deanonymized. Where that can't be done (I don't think it would work for location data, but maybe there's a clever way to do it), the data can be anonymized server-side and only the anonymized data stored.

    And note that, as the summary says, after the data is anonymized it's used to construct a model of cellphone user movement which is then simulated to create a set of synthetic tracks which follow the same patterns as real cellphone users, but have no relationship whatsoever to any specific individuals. This seems like it would be a sufficient anonymization process by itself, even if the model were built from non-anonymous data, but adding the noise-based anonymization step allows differential privacy to be proven, and privacy therefore guaranteed.

    This seems like a responsible, careful and privacy-conscious approach to producing a really useful data set.
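The on-device noise scheme described in comment 23 (the server receives only D+N, never D or N) can be written down in a few functions. This is an added example, not code from the thread or from Google's tools: it uses the standard Laplace mechanism in place of the uniformly-distributed noise the comment sketches, clamps each value to a public range so the sensitivity bound holds, and computes the error bound that the noise adds to the estimated mean. The value range, epsilon and the sample data are constructed placeholders.

```python
"""Added example (not part of the original thread): local differential privacy
for a mean, with the noise added on the device so the server never sees D or N."""
import math
import random


def laplace_scale(lo: float, hi: float, epsilon: float) -> float:
    # One report per user, value clamped to the public range [lo, hi]: changing
    # one user's value moves the report by at most (hi - lo), so Laplace noise with
    # scale b = (hi - lo) / epsilon gives epsilon-differential privacy for that report.
    if epsilon <= 0 or hi <= lo:
        raise ValueError("need epsilon > 0 and hi > lo")
    return (hi - lo) / epsilon


def privatize(value: float, lo: float, hi: float, epsilon: float,
              rng: random.Random) -> float:
    # Runs on the device. Clamping first is essential: the sensitivity bound, and
    # therefore the privacy guarantee, assumes every true value lies in [lo, hi].
    x = min(max(value, lo), hi)
    b = laplace_scale(lo, hi, epsilon)
    # Laplace(b) sampled as the difference of two Exponential(1/b) variates.
    noise = rng.expovariate(1.0 / b) - rng.expovariate(1.0 / b)
    return x + noise


def estimate_mean(noisy_reports, lo: float, hi: float, epsilon: float) -> tuple:
    # Server side: it only ever receives x_i + n_i. Laplace noise has mean 0, so
    # the plain average is an unbiased estimate of the mean of the clamped values;
    # its variance is 2*b^2, so the noise adds sqrt(2)*b/sqrt(n) of standard error
    # (to be combined with the ordinary sampling error of the data itself).
    n = len(noisy_reports)
    if n == 0:
        raise ValueError("no reports")
    b = laplace_scale(lo, hi, epsilon)
    mean = sum(noisy_reports) / n
    noise_std_err = math.sqrt(2.0) * b / math.sqrt(n)
    return mean, noise_std_err


def single_report_noise_ratio(lo: float, hi: float, epsilon: float) -> float:
    # Per-report noise standard deviation divided by the whole value range: the
    # reason one user's upload says almost nothing about that user.
    return math.sqrt(2.0) * laplace_scale(lo, hi, epsilon) / (hi - lo)


if __name__ == "__main__":
    rng = random.Random(7)
    # Constructed sample: an hour-of-day value in [0, 24] for each simulated device.
    true_values = [float(i % 25) for i in range(20000)]
    reports = [privatize(x, 0.0, 24.0, 0.5, rng) for x in true_values]
    est, se = estimate_mean(reports, 0.0, 24.0, 0.5)
    true_mean = sum(true_values) / len(true_values)
    print(f"true mean {true_mean:.3f}, estimate {est:.3f} +/- {se:.3f} (noise only)")
    print("per-report noise / range:", single_report_noise_ratio(0.0, 24.0, 0.5))
```

Two caveats a practitioner would check: the epsilon here covers a single report per device, so a device that uploads repeatedly spends epsilon on every upload and the budget must be accounted for across uploads; and a location trace is a sequence of correlated values, not one bounded number, which is why the comment doubts this exact recipe would work for location data without a different mechanism.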

  24. Re:That's not even the best part on Location Finds Bluetooth, Ultra-Wideband (eetimes.com) · · Score: 1

    Yeah, I've seen that. Pretty cool attack, and very professionally executed. Tesla has added an optional PIN authentication to limit the risk, but that makes their RF key system about as inconvenient as inserting a physical key into a keyhole, which sucks. UWB distance bounding provides a solid solution to this problem, both more convenient and more secure than a physical key.

  25. Re: Am I alone— on South Korea Rules Pre-Installed Phone Bloatware Must Be Deletable (zdnet.com) · · Score: 1

    The system partition is already far larger than it needs to be. Manufacturers reserve space for future upgrades. There's no reason to think that they would significantly shrink the system partition just because you forced them to make some of the bloat deletable.

    OEMs leave extra space for upgrades, but they definitely make them smaller when fewer apps are preinstalled. I've spoken to several about exactly this topic.