No, I think you don't get the point - Samsung *cannot* push the patch out because... there is no patch.
If there was a patch made by Google, then at least Samsung *might* have pushed it out, you never know, maybe some marketing gimmick where they can say "look at us, we support 2 year old phones with security updates, buy our stuff because we're better than the competition", but no... Samsung has no choice in the matter, Google decided for them, and us.
Thanks Google - keep "doing no evil" because obviously a $50 billion pile of cash just isn't enough for you.
I think you should look up the term "quantitative easing". At least a cryptocurrency has some limits on arbitrary creation of coins.
and yes, the USD does fall in value when they do this - increase the money supply and although you won't notice much difference in domestic goods, you will as the exchange rate falls. Fortunately, most other governments are also 'printing' money too so their exchange rates fall at the same time making things even out.
So the net result (currently) is that interest rates fall providing smaller yields for investors (as the new money is used to buy government-issued loans which can pay less as they have a very unfussy buyer), and pushing them to other asset types, thus pushing their prices up (eg property) which ends up in the usual bubbles and disasters (again).
In the big scheme of things these cryptocurrencies introduce such a tiny amount to the overall economy, they're insignificant. To put it in perspective $100B dollars is less than half the interest payments for the USA per year on its debt.
I suppose we can feed it to farmed animals in great quantities instead of the usual antibiotics we feed them in great quantities.
(note there are strict withdrawal periods for all animals coming up to slaughter to ensure the antibiotics used in their feed are not present in the meat)
there's poor quality and then there's poor quality - you can compress it a bit too much after all, but assuming anything other than that there's little to no difference in sound quality.
I used to know a sound engineer and he told me about these frequency response levels that high-end audiophiles keep on about, expecting perfect reproduction at 10 or 10,000 Hz and he said that it was all a bit useless - the studio microphones weren't that sensitive so cutting off the top and bottom isn't cutting anything that's not already present... and then couple that to human hearing and you're trying sooo hard to reproduce nothing audible.
128kbps is enough for practically everyone, and even those who are able to tell the difference between it and 256 are only going to notice if you compare the same track side by side.
I do not recall any intelligence agency stopping a DDoS attack, ever
they'll be the DDoS attacks that were stopped, no wonder you didn't hear of them.
right, so that makes denial-of-service and extortion ok?
One day they might attack a service you use, then I'm sure you'll be singing a different tune.
For me I use Mozy (note: referral code, gives me a little more space) for all important files (as you don't get hundreds of gigs of storage - 2GB for free, 50GB for £5 a month). It periodically (twice a day IIRC) makes deltas of changed files and sends them off to the cloud somewhere, either encrypted with your own or their default key if you'd rather not worry about losing it.
You want to restore, click the icon, select files, and click the usual "yes overwrite" dialog options (or you can log on to the web and download an encrypted zip archive if you prefer). It's pretty slick now, and of course, acts as a backup for files you accidentally deleted or corrupted.
The big thinkers/marketing guys decided that it was just too complicated for citizens to manage and keep their secret key in a secure location
It is. Do not underestimate the ignorance of the common user, especially one who just wants to use their computer. Now if the government had charged $5 and sent a USB key with the certificate on it, maybe the end-user would take more care of it as they understand physical keys in a way that they don't with electronic versions.
Look at how many times you have to use the "I forgot my password" feature. For a service you use once or twice a year, the "forgot my password" link would be the login screen.
Secondly, if all keys are stored centrally, by the government, you can use them to decrypt end-user comms. I think someone must have been thinking ahead!
Thirdly, "bought" 30 million certs? They're the government, they can create their own certs and be their own authority. Then they can outsource the delivery of these to citizens to a private company for only a few hundred million dollars. (a company with a minister on the board as a non-exec director, of course)
Is Switzerland part of the EU VAT system?
Regardless forget 8% - the place to be this year is Heligoland, part of Germany but with a 0% VAT rate.
Or the Channel Islands, a British Crown Dependency and though not part of the EU they are part of the EU Customs Territory. They too have 0% VAT.
well if you have to collect VAT then obviously you have already forfeited your "too small to matter" non-registered for VAT exemption! (ah, if only I could collect VAT but be exempted from passing it on to the taxman)
It would have been nice to have the exemption for small businesses across the EU, but the EU bureaucrats don't consider things like that, just those lovely rules and paperwork.
It'll be interesting to see what happens with payment processors, how they determine which country I'm in if the entire transaction and delivery is online. Which EU country deserves to receive my VAT the most?
taxes are a right of government, we have governments to organise stuff we couldn't do individually like national defence and such like and the tax pays for those things. How else could it work?
Of course, government itself is a thing we have to have but don't really want, a necessary evil if you like, and we have to pay tax for that too, but there's no other way round that.
Sure, but if you have 2 ISPs routing your traffic, you have 2 connections - ISP A doesn't manage traffic for ISP B - you probably have 2 lines in this circumstance (or what's the point of redundancy if it's all carried through the same wire), so each ISP can filter their own IP traffic and ignore any from the other ISP - in fact, the 2nd ISP won't even be seeing the 1st ISP's traffic.
It's only once that data gets to the common carrier level for routing over the wider internet that this kind of thing occurs - at that point it's too late, the dodgy packets have left the building and are now considered valid.
And again, if a customer is an ISP then they are the ones who should be egress filtering their traffic in the first place, anything else is just irresponsible and letting others do your dirty work (as best they can, which as we see, isn't the best).
I find it interesting that carriers will complain about traffic and try to charge companies like Netflix, yet won't do anything about ISPs that send them large amounts of spoofed SYN packets. Surely they should be asking for more money off ISPs who flood the upstream provider with such crap, then we might see them do something to prevent it!
Absolutely, but the only downside to Cosmic Encounter is that you need more than a couple of players - the more the better the game is. As for design aspects, the powers make each game different so it keeps people's attentions in a way that playing for the hundredth time can't.
But how can the target ISP tell if the packets are valid? The easiest way is simply not to allow any packet to leave your network that doesn't originate with one of that ISP's IP addresses.
Surely it's easier if the source ISP does this, as they know which IPs were allocated to them.
This wouldn't stop infected computers acting as botnets, but there's no single solution to fix it all, so egress filtering like this would help massively.
So - how do we persuade ISPs to stop allowing spoofed packets leaving their networks? What can we do to either hurt their marketing or force them to implement this?
You seriously want an edge router to track every user that passes through them, the same routers you say handle gigabits of traffic per second? How would you handle such authentication? Do you have to have a user account with every ISP between you and your destination?
You don't need to authenticate users - they're already authenticated on every source ISP network, or you wouldn't be allowed to send packets at all. The problem is the ISPs are sloppy with everything after that, they assume you're legit, when you may be sending out all kinds of crap packets - mostly if you've been hacked and are sending out spoofed packets for the purpose of helping in a DDoS attack. Egress filtering fixes that one.
We are talking about DDoS attacks, not Microsoft who is frankly a very big boy and can look after himself (assuming all but a skeleton crew weren't on holiday at the time)
Depends - if you're running on a shared webhost for $5 then you'll have more issues than cost to deal with - reliability and performance for instance.
But you don't need full-on dedicated servers where the DB is completely disconnected from the web server, if you are just trying to mitigate the issue of an insecure front-end, then simply running the rest of the system secured from each other with different user accounts and an application layer running as a service (written in something else) will provide you with some benefit. Obviously it won't help if the attacker gets root access to the underlying OS as then you're screwed, but it'd be a start.
You need to ensure that your web site doesn't have access to your DB or other critical resources. If the attacker can gain access to your web server, then all he can do is call the same API you expose to the website, which often will do just what is needed (ie will not let you download every cc number, or see any critical data like cc or password at all)
But overall, if you can afford $5 for a website, you are not storing anything critical at all. If you're paying more your site is important enough to pay the extra for security. You could still have a couple of $5 websites for the front end and then run the rest on a more serious VPS setup that is better secured, that's not going to break the bank.
I don't think that means what you think it does...
to assume every web server is hacked already.
Seriously, if you assume this, and code your way in a more secure, 3-tier manner, with a separate, and secured, application server, then you will mitigate all the problems with an insecure web server - well, at least they won't have full unfettered access to your database.
This may mean giving up those "all in one" frameworks people so love (whether it's PHP or .NET or any other language), but that can only be a good thing - writing an app server with a secure API isn't so hard to do, but will mean your CEO won't have to appear on the news explaining why every user of his site needs to change their password and replace their credit cards.
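The split the two posts above describe, as an added illustration that is not code from the original comments: the web tier holds only a handle to the app server's API, and that API exposes a yes/no login check, a masked card hint and a charge operation, with no call that returns a stored hash or a full card number. The user names, passwords and card numbers are constructed sample data.

```python
import hashlib
import hmac
import os


def _hash_password(password, salt, iterations=200_000):
    # PBKDF2-HMAC-SHA256; the stored hash never leaves the app tier.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AppServer:
    """The separate, secured application tier. It owns the credential and card
    store and exposes only the narrow operations the front end needs."""

    def __init__(self, users):
        self._db = {}
        for name, password, card_number in users:
            salt = os.urandom(16)
            self._db[name] = {"salt": salt,
                              "hash": _hash_password(password, salt),
                              "card": card_number}

    def verify_login(self, name, password):
        """Answers yes or no; the stored hash never crosses the tier boundary."""
        rec = self._db.get(name)
        if rec is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            _hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

    def card_hint(self, name):
        """All a 'saved card' page needs: the last four digits."""
        rec = self._db.get(name)
        return None if rec is None else "**** **** **** " + rec["card"][-4:]

    def charge_saved_card(self, name, amount_pence):
        """Charges the card held server-side and returns a receipt, not the number.
        The payment-provider call is a constructed stand-in."""
        rec = self._db.get(name)
        if rec is None or amount_pence <= 0:
            return None
        return {"user": name, "amount_pence": amount_pence,
                "card_last4": rec["card"][-4:]}


class WebTier:
    """The front end, assumed already hacked: it holds nothing but the API handle,
    and the API has no 'dump the table' operation for an attacker to call."""

    def __init__(self, api):
        self.api = api

    def login(self, name, password):
        return "session-for-" + name if self.api.verify_login(name, password) else None

    def account_page(self, name):
        return {"user": name, "card": self.api.card_hint(name)}


# Constructed sample users; the card numbers are well-known test values, not real ones.
SAMPLE_USERS = [("alice", "correct horse", "4111111111111111"),
                ("bob", "hunter2", "5555555555554444")]

if __name__ == "__main__":
    web = WebTier(AppServer(SAMPLE_USERS))
    print(web.login("alice", "correct horse"))
    print(web.login("alice", "wrong password"))
    print(web.account_page("bob"))
```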
but what data is "good" data?
is an NTP request good or bad? You can't always tell the difference as they're all good, only not if you're getting 10,000 of them per second.
I'm sure every little website can afford to have a filtering proxy at all the exchanges around the world - after all, rack space in one of those is crazy cheap, and they let anyone put servers in there. Microsoft may be able to, but that doesn't help anyone else who will be subject to extortion from these scumbags. We need to improve our overall response to reduce the ability of these cunts to operate, not pay a fortune to mitigate their attacks when they decide (with almost impunity) to inflict them.
It's not the service coding that is the issue - there's only so much network pipe to go round, and unless we build our entire networks to handle gigabits of traffic for every server that will almost never be used (at great expense) we'll have to find other ways to stop such attacks.
Of course, egress filtering would be a good first step. If only every big ISP did this, we'd make most DDoS attacks useless instantly. Then we only have to deal with compromised computers sending data, but if they cannot fake their IP source, we'll at least know who they are to clean them.
Ok, so there are many aspects to this - big corporation, single points of failure, 'improve security', steal credit cards/passwords, offline play, etc but there's one that stands out for me:
DDoS. It's trivially easy to send massive amounts of data at something and we have pitiful ways of mitigating it - in fact there is nothing you can do to mitigate it except buy more pipe than the attacker can fill. This is pants and isn't something the attacked companies can do anything about (except buy more pipe - which is ok if you're the size of Microsoft)
We need to start putting egress filtering in place to prevent these easy attacks, if the networks dropped all packets that didn't have a correct source IP, most DDoS would disappear as an attack (sure you'd still be able to gather lots of people/hacked machines together to instigate a DDoS but the attacker would be able to tell who they were and possibly get them fixed/cleaned for future).
The definition of a correct source IP - it's an IP address the ISP owns. It's too easy to just create packets that have a random source IP or the IP of the target. We should have been fixing this aspect of the internet years ago.
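The egress filter described in this post and in the earlier "correct source IP" exchange, as an added example that is not code from the original comments: a packet leaving the ISP is forwarded only if its source address lies inside a prefix the ISP was allocated, and once the surviving packets all carry real customer addresses, a per-source count shows which customers need cleaning. The prefixes, the victim address and the packet sample are constructed from RFC 5737 documentation ranges, not real allocations or traffic.

```python
import ipaddress
from collections import Counter

# Constructed: the prefixes this ISP has been allocated (documentation ranges).
ALLOCATED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample of packets leaving the ISP's network: (src, dst, proto).
# 192.0.2.10 is the host being flooded.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.10", "TCP/SYN"),      # customer, genuine source
    ("203.0.113.7", "192.0.2.10", "TCP/SYN"),
    ("203.0.113.7", "192.0.2.10", "TCP/SYN"),
    ("203.0.113.42", "192.0.2.10", "UDP/123"),     # customer, genuine source
    ("192.0.2.10", "203.0.113.200", "UDP/123"),    # source forged to the target's own address
    ("10.77.3.9", "192.0.2.10", "TCP/SYN"),        # random source the ISP does not own
    ("198.51.100.200", "192.0.2.10", "TCP/SYN"),   # just outside the /25, not ours either
]


def is_valid_source(src, allocated=ALLOCATED_PREFIXES):
    """A 'correct' source IP in the post's sense: one inside a prefix the ISP owns.
    Anything else would leave the network with a forged source, so it is invalid."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: treat as forged
    return any(addr in net for net in allocated)


def egress_filter(packets, allocated=ALLOCATED_PREFIXES):
    """Split outbound packets into (forwarded, dropped) by source-address validity."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_valid_source(pkt[0], allocated) else dropped).append(pkt)
    return forwarded, dropped


def top_talkers(forwarded, threshold):
    """With spoofing gone, every forwarded packet names a real customer, so counting
    per source shows who to contact or clean: sources sending more than
    `threshold` packets in the sample window, busiest first."""
    counts = Counter(src for src, _, _ in forwarded)
    return [(src, n) for src, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    fwd, drp = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for src, dst, proto in drp:
        print(f"  dropped spoofed packet {src} -> {dst} ({proto})")
    for src, n in top_talkers(fwd, threshold=2):
        print(f"  customer {src} sent {n} packets: check for compromise")
```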
It's like someone in a film about King Arthur's knights turning out to be a cyborg,
Alas there is such a film
He did it in LotR too - the Ents for example, decide (eventually) to fight out of responsibility. But in the film, they instantly change their mind in a simple, emotionally-crippled act of revenge.
It's like PJ doesn't understand complex emotions at all. He could have had the Ents gathered around slowly making their minds up like the UN deciding whether to intervene in the latest atrocity, but no - it had to be a very simplistic and obvious excuse for another CGI battle.
I'm only surprised he didn't have Wormtongue going "look into my eyes, you are feeling sleepy" at the start of any discussion with Theoden.
I don't think he meant "scrap copyright" but more keep it to the original terms of protecting the original author, not his great-great-great-grandkids.
FYI, under the original terms of copyright that were in force when Tolkien was alive, the copyright to the books would have lapsed in 2011. Surely that's long enough for the author to make money on his work?