But the /. moderation system is infallible
I think his point is that fingerprint and DNA false positives don't lead to a suspect that looks like what a witness saw. Whereas facial recognition false positives almost guarantee that the person will at least look similar to what the witness saw. Thus for facial recognition, the witness-as-a-confirmation is not as compelling. It's almost the same piece of evidence, rather than two corroborating pieces.
Don't you remember? It was right there in the article. ;)
The Swedish Chef has started a new crypto currency.
I always thought it had something to do with the Swedish Chef.
I wonder what his viewing history would be like.
They have been doing it for years: http://lifehacker.com/5849589/...
Not sure about behavior, but as a 501c3, Mozilla is not allowed to donate to candidates and has limits on lobbying. But I do not know what exactly the limits are.
https://en.wikisource.org/wiki...
Something in there...
The lobbying ceiling amount for any organization for any taxable year is 150 percent of the lobbying nontaxable amount for such organization for such taxable year, determined under section 4911.
Hopefully someone has a greater interest in deciphering that.^ It does not seem related to anything decided in Citizens v United as far as I can tell.
That's kinda the idea behind Aereo (except they do live TV)
http://www.salon.com/2014/03/2...
I wonder, though. When you buy a new Android phone and sign in to Play, it downloads (or at least offers to) all the apps you had on your old phone. Does the same thing happen there
No, this particular exploit requires the malicious app be on a phone prior to an OS update. Additionally these apps would never* make it on the Play store as they have detectable characteristics (such as trying to use the same "Shared UID" of another app). In order to upload an app with the same Shared UID, you would need the same keystore to sign your app. Basically the way this bug works is exploiting the reverse of how the package manager grants precedence. The package manager gives precedence to what is on the device first. So anything "updated" from the Play store, even if they spoofed the Shared UID and signature, would fail to install. The bug is that an app can "steal" the ability to control the permission completely, AND install itself or block the install of the legit version of an app.
So TL;DR: This definitely is a rather nasty privilege escalation bug in the package manager (if the paper is correct and I am reading it correctly), but one would likely need to side-load (or use a different app store) the malicious app prior to an OS update to get caught by it.
Agreed about permissions in general though. Personally I try not to give out contacts to any app unless they happen to be a type of "contact manager/replacement". Most apps can request a user use the default "contact picker" to add a contact, or share, or the like. No permission is required for this. The only reason apps request this is to prefill those "share with a friend" fields and to spam. This is similar to READ_PHONE_STATE, there are few legit reasons for an app to need this anymore. Apps can launch the dialer and prefill the number sans the permission, just not complete the call. They also have other ways to generate a UUID for the device without the IMEI, or the other info provided by READ_PHONE_STATE.
The USB storage permissions are antiquated, but not as sensitive. Apps do have private storage but this used to be quite limited in the earlier days of Android. The Nexus S was one of the first to come with a single, large internal storage (although even that was still partitioned). Prior to that you had a limited protected storage and an SD card. Nowadays they are adding better "Read" file permissions.
Finally, I think much of this stuff could be requested at time-of-use, rather than install. But they have to balance the "Are you sure you want to allow X?" disaster that was Windows UAC vs. sensible permissions. It is not as easy as it looks.
* (Well maybe not never, but very close to never...)
This was actually an episode on Star Trek DS9. O'Brien was punished by some alien culture and served a ~20 year sentence in a matter of ~hours (iirc). They claimed it was more humane and economical than prison. However I think the moral of the episode is that it really scarred him mentally (and he was innocent, again iirc).
Could there be a humane way to use something like this? Personally I highly doubt it, but I can't completely rule it out as just barely plausible (Kinda like Star Trek in general). I just can't imagine how this would be used without causing mental instability.
But what does it do? What is it encoding/decoding?
"Be sure to drink your Ovaltine"
And if they do a good job, they will push competition. This seems like a common theme with Apple. They come into a fractured mess of a product sector and make a good show of it. This is good news, car infotainment is terrible.
Plus maybe cars will be able to launch actual angry birds at each other to express road rage.
Not sure if trolling but that's not really what trivial means in this context.
adjective: trivial
1. of little value or importance.
synonyms: unimportant, banal, trite, commonplace, insignificant, inconsequential,
Think "the average airspeed of an unladen swallow". "The atomic weight of cobalt"
ISPs are not peers though, they are endpoints. The "equal data" argument only works between two backbone/transit providers. ISPs are requesting that data be sent to them. They don't get to request the data be sent to them and request that they also be paid to receive it.
Also what makes you think you only pay for upload? That makes no sense. Though I agree in that bandwidth caps are bad -- though mostly because they are generally misleading advertising.
1) it's the ISP's users requesting 30% of the internet traffic, not Netflix. The ISPs aren't peering at all, they are the termination point. They aren't providing a service to Netflix, or to anyone else on the internet for that matter, except their customers.
2) It's the ISPs responsibility to provide enough network infrastructure to their customers. They don't get to hold hostage their users as a product to be bought by Netflix or other content providers.
3) Netflix offers Open Connect CDN
ISPs can directly connect their networks to Open Connect for free. ISPs can do this either by free peering with us at common Internet exchanges, or can save even more transit costs by putting our free storage appliances in or near their network.
https://signup.netflix.com/ope...
I think there is a fundamental misunderstanding of how peering arrangements are supposed to work that is being exploited by the PR departments of ISPs.
Well, there aren't really any apps that satisfy all of that. Open-source, secure, video and mobile. Though the post I was replying to did not specify mobile (although that's WhatsApp's main platform I guess). But the point I was trying to make is that WhatsApp didn't satisfy those requirements either. It wasn't open, nor secure.
Anyways, there is Xabber for Android -- but I don't think that has video. Also many Android users use Google Hangouts / Talk etc for chat and video, but that is not open-source. There seem to be a number of other XMPP clients for Android but I don't know enough about them.
Also, FYI that Wikipedia link covers lots of apps -- both desktop and mobile (including WhatsApp).
Scratch that, looking through the links, even one of the AOSP browsers is affected.
Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell.
I think it's that it gains the permissions of the app hosting the webview. This isn't really browser related AFAICT
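A defender-side check for the exposure quoted above, as an added example that is not part of the original comments or of the module they quote: it scans an app's manifest and Java sources for `addJavascriptInterface` bridges and rates them by SDK level. The API level 17 (`@JavascriptInterface`) rule is a platform fact not stated in the thread; the manifests, file names and source snippets are constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ANNOTATION_API = 17  # Android 4.2+: only @JavascriptInterface methods reach page script
BRIDGE = re.compile(r"\.addJavascriptInterface\s*\(")
CLEARTEXT = re.compile(r'\.loadUrl\s*\(\s*"http://')


def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion), applying the platform defaults."""
    uses = ET.fromstring(manifest_xml).find("uses-sdk")
    attrs = uses.attrib if uses is not None else {}
    min_sdk = int(attrs.get(ANDROID + "minSdkVersion", 1))
    target = int(attrs.get(ANDROID + "targetSdkVersion", min_sdk))
    return min_sdk, target


def audit(manifest_xml, sources):
    """sources maps file name -> Java text; returns one finding per file with a bridge."""
    min_sdk, target = sdk_levels(manifest_xml)
    if target < ANNOTATION_API:
        risk, why = "high", "every public method of the bridge object is exposed"
    elif min_sdk < ANNOTATION_API:
        risk, why = "medium", "bridge is unrestricted on devices older than Android 4.2"
    else:
        risk, why = "review", "only annotated methods are exposed; check what they do"
    findings = []
    for name, text in sorted(sources.items()):
        lines = text.splitlines()
        hits = [n for n, line in enumerate(lines, 1) if BRIDGE.search(line)]
        if hits:
            findings.append({
                "file": name, "lines": hits, "risk": risk, "why": why,
                # Plain-HTTP content in the same file is the injection path the
                # quoted text names (MITM of the WebView's connection).
                "cleartext": any(CLEARTEXT.search(line) for line in lines),
            })
    return findings


# Constructed sample input (not taken from any real app).
MANIFEST_OLD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
</manifest>"""
MANIFEST_NEW = MANIFEST_OLD.replace('"14"', '"19"').replace('"16"', '"19"')
SOURCES = {
    "AdActivity.java": '''WebView web = new WebView(this);
web.getSettings().setJavaScriptEnabled(true);
web.addJavascriptInterface(new Bridge(this), "bridge");
web.loadUrl("http://ads.example.invalid/slot.html");
''',
    "AboutActivity.java": 'web.loadUrl("file:///android_asset/about.html");\n',
}

if __name__ == "__main__":
    for manifest in (MANIFEST_OLD, MANIFEST_NEW):
        for f in audit(manifest, SOURCES):
            print(f["file"], f["lines"], f["risk"], f["why"], "cleartext:", f["cleartext"])
```

A "review" result still deserves a look at what the annotated bridge methods do, since the hosting app's permissions apply to anything they expose.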
Was WhatsApp ever secure or open? Wasn't it just a proprietary wrapper for xmpp?
There are other jabber/xmpp/jingle clients out there. I'm not sure what is the best client but pidgin works well for most things IIRC. Miranda IM may also be worth a look, or Adium. All three are a GPL or similar license I think.
https://en.wikipedia.org/wiki/...
Not saying it's the only thing the Chinese use, but it looks (based on this mess up by MS) to be at least one of the things they use. At least that's how it appears to me. Perhaps the great firewall re-writes Accepts-Lang headers. I am just guessing though.
Liquid ducks offer the best fuel economy for hybrid SUVs.
Sounds like they are probably just slacking on their locale detection. I bet the browser is sending something like just the two letter language code "zh" (Chinese) in the Accepts-Language header, and bing is falling back on "zh-CN" (instead of "zh-US").
Still, seems like an awfully dumb way to censor search results, not to mention the chilling effect. Kinda puts their "Scroogled" campaign in context.
You're right, looks like most video services use a form of TCP with different strategies for chunking and ack'ing. Not sure why I thought video streaming was done using UDP. [pdf source]
Thanks for the correction.
if (trafficSource != VerizonOnDemand && trafficSource != Netflix) {
    degradePerformance(); // slightly and randomly degrades performance
}
Seems relatively easy from a logic point of view.
Would anyone notice if they randomly started dropping UDP packets? Your average web user would see pages load just as fast. Statistical analysis would have to be very large scale and long term to notice a trend that couldn't be attributed to the normal fluctuations of speed and reliability of the internet. But home users could get a subtle difference in viewing experience for video from their ISP and a competitor.
In reality, ISPs simply need to slack on peering arrangements so their competitors are hammered during peak usage. Something Verizon has already been accused of.
This all leads me to think the real problem is the vertical monopoly/integration of ISP and content provider. If the government doesn't step in, we'll continue to see this war over and over just with ever shifting battlefields. Even with common carrier, we would likely still have ISPs pulling these tricks, regardless of whether they can charge Netflix more.
*obviously it's more complicated than the pseudo code above
I think what we gain from the security of a consistent rule of law, and the protection from the abuse by law enforcement officers, far outweighs the difficulty in having to think through and create reasonable laws. I don't want to trade protection from abuse just because we're too lazy to write correct laws. I don't want the current system of "make everything illegal" + "trust the cops" as the solution for that.
Some type of shoulder, dash cam, or Google-Glass-like device could go a long way towards that. I also think that there can be clear distinction at least when the cops must act and when they can't. Most places seem to have speed limits that are too low causing everyone to drive 5-15 over. But if the chances were high that you would get a ticket for going a few miles per hour over the limit, would you always put yourself in a situation where you are likely to accidentally drive over the limit? I think people would find a natural "buffer" and protect themselves. And speed limits should probably be increased and if the law was consistent and strict, people would find a reasonable speed to travel. Most of the time driving the actual speed limit becomes dangerous when everyone else is going that much faster. Or, specifically regarding speeding, cops could be prevented from pulling someone over unless they were traveling at 15mph or higher over the limit. I don't think it's hard to work out the details.
As for smokers...walking past smokers is a minor nuisance, people should just get over that (IMHO). I recently quit, switching to e-cigs, and people still cough when I walk by. They think I am smoking because my e-cig looks like a cigarette. It is all in their heads (there is no second hand smoke with e-cigs). Second hand smoke only becomes a problem indoors. And any rude smokers should be asked to make way nicely. (I used to always try to keep away from doors to buildings and especially keep my distance from children). But I'm not sure a law is needed here. Smoking is largely on the way out in the US.
As for pot, I think that should be legalized.
As for parking, that is not done by cops usually. And I can't remember a time when parking was ignored as a minor offense. Most towns see those tickets as cash cows.
While I appreciate what you are saying, I don't think that is a good enough reason. If the law was applied consistently, people would adjust. Right now people just roll the dice against how much they can get away with. And cops walk around with power they should never have been granted.