They aren't a regulatory body, but they also aren't a regulated body either - this is the equivalent of going to a chinese medicine doctor instead of a sexual health clinic when your john thomas is oozing green puss.
Yes, but the day is coming when that will change. And they know it. If you were in their shoes, what would you want those regulations to look like? They'll be crafted to deal with what happens before they are written.
I dont believe Coinbase should be denying access to legitimate funds, that arent terrorism related, unless they want to get regulated... this would be the first step to ruining their little monopoly.
They aren't worried about "international law" (which, incidentally, is barely a thing unless you are a war criminal or something else so egregious that most of the world is willing to support a method around prosecuting you.) They're worried about local laws, which are a lot more real. The absence of relevant criminal statutes under international law will not protect you against regulatory or criminal proceedings in nations where you operate.
They're worried about being blamed for money laundering, so they're being proactive and trying to catch anything in their system that they can possibly tie to criminal activity. Unfortunately for everyone, not too many options for doing this exist outside of going after ransomware payments...so that's what they've gone after. I can sort of understand it...bitcoin isn't exactly transparent, and the day is coming when regulators will be deciding who is good and who is bad here. It does make good business sense to demonstrate a "best effort" to steer clear of being designated as "bad," or at least "bad-friendly." I think it's a dick move, but I do understand the motivation behind it.
Security companies should not be allowed to act as front companies for cybercriminals anymore than they should be allowed to assassinate people for pay. Let's hope there's a criminal investigation as well. Perhaps this one was even directly involved in the original crimes, not only encouraging them...
You're not paying attention.
The security company wasn't accepting payment on behalf of ransomware actors. They were facilitating the payment TO ransomware actors on behalf of companies that aren't familiar with bitcoin and have no accounting methodology to make such a payment before the ransomware runs out. They were a front for the victims, not the criminals.
It's akin, in a rough way, to what K&R companies like Control Risk do when it comes to ransoms in the real world. There are right ways and wrong ways to pay a ransom, and they are intimately familiar with the difference. As a result, they step in when one of their clients has a kidnapping situation and manage the whole thing to help get the person back safely. And yes, this usually does involve paying the ransom.
The real motive by Coinbase is probably a fear that they'll be accused of helping facilitate criminal activity. Bitcoin exchanges are on the narrow edge of falling under regulation, but it could also go another way (*cough*Liberty Reserve*cough*) for any particular exchange if the regulators in their country feel that they are guilty of money laundering. As a result, Coinbase is taking proactive measures to be able to prove that they, well, proactively avoid facilitating crime. I don't necessarily agree with it, but I can at least see where it came from.
The App Store is a marketplace. First and foremost, that is its purpose.
The mandate that it be used as an exclusive avenue for applications supports a broader cybersecurity model. Note that it's not a "security" model, which is potentially broader...it's a "cybersecurity" model. It's not a social solution, and won't protect you from apps that are overpriced, poor in functionality, overstated in their benefit, etc. It's not a "Good Housekeeping Seal of Approval" for apps. It's not a mechanism to prevent lies of scams of a sort that are non-technical in nature, either. Yes, Apple will help out as they can, and pull out apps when they see this kind of thing going too far. But even that is a "best effort" kind of thing, and there are no technical measures that work very well at detecting such issues.
The best they can do is mandate and enforce a standard for in-app purchase notifications (which they do) so that you'll be able to see, in normal print, that you're about to pay $99/week for something. If you're enough of a fucking moron to still go forward with it, that's on you.
You know, a few weeks ago there was a post on reviewing code before pushing it to production, and some people seemed appalled by the idea that another person...who would invariably be a coder, lest they be unable to understand what they were looking at...would be in the process flow for committing a change. I pointed out that this was actually an industry best practice in enterprise organizations, and an inherent part of any SDLC. In any large environment, people with access to development environments do not have the rights to push changes to production. This concept was not well-received.
And now, I see an awful lot of people saying that this problem above was the CTO's fault, for giving a developer sufficient access to change the production environment. I agree with that point...but it's amusing to me how a lot of us seem to live in a fantasy world where we must have access to everything, but when we screw up it's someone else's fault for giving it to us. We have to choose one of the other; either we are justified in having full autonomy and accept the consequences of our actions...for good and for bad...or we accept safeguards that protect both us and the organization we support.
Why do you people always single out sports channels and whine about them? I have no problem paying for ESPN, but I want to find a way to avoid paying for BET. It's racist that there's Black Entertainment Television but no White EntertainmentâTelevision. How can I combat this racism and avoid paying for BET while continuing to receive worthwhile channels like ESPN?
Why? Because I also get CourtTV. With that, I get all the coverage of the NFL I need:)
Well, you have you remember they didn't have much time to get a better name. When you innovate by chasing ambulances you don't have time to polish the turd..
Come an Apple, don't your cult members deserve better than another me too product to empty their wallets and put them for under your control?
Actually, the name that would have aligned with their naming scheme...which would be "iHome," was already taken by a purveyor of crappy consumer electronics. And the term "ambulance chasing" refers to people trying to profit off the tragedy of others...I don't think this is that.
But I do give you credit for posting on your account, instead of as an AC:)
"People Are Using Technology to Make the World More Unequal; Only People Can Fix This"
There, fixed that for you.
Technology doesn't do anything by itself. It has no animus of it's own (yet). It's a tool...and like any tool, it can be used in good ways, bad ways, stupid ways and ineffective ways. The difference between the choice of ways is, and always has been, a question of people, not of the technology in question. And addressing problems with bad choices remains, as ever, a people problem.
This doesn't even get into the reality that 70% of all the "computers" are embedded beasties...all those "IoT" processors and the bulk of them are programmed in C or C++. A Node.JS or Python option is available, but neither of those are what you'd call "secure". You might be able to get Go to "go" onto those platforms or Swift- but they're a bit largish and don't really target the small stuff.
The remark about.Net or Java means they're a real Headupassian. No clue whatsoever what they're managing- and it sadly shows.
This is very true, at least for the near future. For some solutions (like infotainment systems in cars) Java ME is heavily in use...but most IoT devices have neither the performance nor the need to do so. They're coded in C++, which means that they can use microprocessor architectures that cost a few dollars instead of dozens of dollars or more.
The simplicity of lower-powered embedded systems benefits you when you have to deal with environmental problems like heat and vibration; you can pot a low-powered system and not worry about it overheating, but if you try to do that with something more sophisticated you run into major issues. And then there are those applications that simply require that things be tiny...not small, but tiny. All of these obviate things like JVMs and interpreted code.
The president of Dice.com says "Right now, Java and Python are really hot. In five years they may not be... jobs are changing all the time, and that's a real pain point for tech professionals."
I think back to situations like steel workers or coal miners whose jobs disappear...and to the combination of where these people live, the lack of variety of the local economy, and the difficulty translating their skills to other industries. These things combine to make it nearly impossible for them to maintain their livelihoods. Conversely, in the tech field, that constant rate of change makes it not only relatively easy to change specialties, it eliminates any stigma that comes from having done so.
Yes, this means that fields and skills sometimes go out of favor...but at least you're not stranded when they do. You have options. Whether or not you exercise those options...that's another thing. I'd rather have options, and have it left up to me whether I fail or succeed.
This is the same HP that hasn't come up with a hit since the bubble jet printer, people. The same HP that pushed a cloud computing solution that was so pig-fucking awful that The Onion mocked them about it. I worked at HP at the time, and I really have to think that The Onion had someone on the inside...because their parody was unbelievably on target. "We have 4G, 5G, 6G...we have all the Gs. We have app." That's literally as bad as what some of the people at HP were about it...it defied belief. This is the same HP that came up with a small microchip that could hold information and push it to your phone...but alas, as good as it sounded to have them talk about it, the phone's receiver had to stay within an inch of the thing, and the data transfer rate was literally as bad as a modem from the late 80s. This is the same HP that couldn't come within billions of dollars of precision as they tried to evaluate the price of another company they bought...and then effectively sued themselves when they realized that they fucked up on the offer they'd made, had accepted, and consummated. HP had to state on their SEC filings that flight of talented people had become a major impediment to their achieving their business goals...starting several years ago. And it hasn't gotten better since. These are stupid motherfucking people.
Oh, in more recent news, this is the same HP whose business-grade laptops (since we're talking HPE here, really) had a keylogger built into the audio driver.
So yeah...I doubt that this "machine" is all that. I'm curious...have they ever actually managed to CONNECT it to 160 terabytes of RAM at once, or is this a theoretical capability? Because they lie like a rug about this kind of silly detail. I can't help but notice that those 160 TB all have to be in a "single bank of memory." Wow, that must be one long-ass DIMM!
Regardless of who her husband is, she achieved a degree of commercial success prior to this change, which means that she has managed to build enough audience to make transitioning to crowdfunding easier. Obviously being a signed act isn't the only way to build that audience, but it certainly has its advantages.
I'm not sure how much success constitutes a "degree" to you, but I've never heard of her any my tastes in music range pretty far and wide. And as for ease of transitioning to crowdfunding...if she's terrible and can't keep a record deal, then trading on the coattails of her husband in a crowdfunding model (instead of having to demonstrate her own talents to a record company) would be a lot easier, indeed.
Read any tutorial on Bayes theorem. Chances are most of the positive results will be false positives, but neither patients/consumers nor their doctors understand that, they hear "97 percent accuracy" and "You tested positive".
This is a crucial point.
When I see things like "97% accurate" with respect to a diagnostic function, I have to wonder about the definition of "success." Is that just a 3% false-negative rate? If so, what's the false-positive rate...because if it turns out that the watch is wrong half the time when it signals an abnormality, that's bad too. If a diagnostic function cries wolf too often, it gets ignored and becomes useless.
If, on the other hand, the 97% accuracy rate covers both false positives and false negatives...then all of a sudden you have a really useful diagnostic tool that would be free for the millions of people who have this watch, and an approach which can probably be applied to a lot of other wearable devices on the market today as well.
so now you have two coders looking at every line of code?
Yeah...because this is how it's done when it's done professionally. You have one coder...the guy who wrote the change...and then another coder...the one who tests it.
This happens in non-code places too, like journalism. One person writes the article, and another proofreads it. (Due to the acceleration of the news cycle, this has been going away...with predictably-bad results.) Consulting? Yes, you have quality control (another person reading and checking the deliverable..every line of it) before it goes to the client. Engineering? One engineer builds the spec, and another has to approve it; this is actually mandated by law for a lot of things, in fact, where permitting is involved (like construction).
Fundamentally, the question is "how to you keep code from being pushed to the public before it's tested." You seemed to miss that in your reply, because the very point of the question requires two people...people who must understand what their reading (and thus, are coders)...to look at the code. Also, your reply seems to imply that a code change requires reading ALL of the code, not just the new or changed code, and this is simply not true.
Burger King's ad campaigns have been the laughing stock of the advertising world forever. I was studying marketing back in the 80s, in college, and had a subscription to Advertising Age (the leading trade publication of the industry). At that time, Burger King's campaign revolved around the phrase, "Burger King. Sometimes you just gotta break the rules." It was considered so ridiculous that Advertising Age held a contest to see if anyone could come up with anything even more insane. Finalists in the top-5 included "Long John Silver's, for the seafood lover that is Allah"...and, of course because someone submitted it, "Burger King. Sometimes you just gotta break the rules." This was about three decades ago.
Then there was their whole "chicken fries" campaign, back in the...was that the 90s? I have no idea what the fuck that was all about, though the "band" that was prominently featured there openly admitted that they did the ads because they realized they weren't going to make it as real musicians so they may as well sell out. And this admission wasn't on some interview or a website off to the side...it was featured front-and-center on the official website that Burger King stood up for the ad campaign.
So, at least Burger King is keeping up with the times, finding new and innovative ways to blow dead goats with their ad campaigns.
In real production code you pretty much have to check the type "manually" of every argument to every function. And document the type in the comments. This is much more work that just using a strongly typed language in the first place. Python's a fine scripting language, a tier above the likes of Perl and PHP. But it's not for real code.
Yes, of course...because we all know that in "real" production code, the comments are ubiquitous, diligent, and comprehensive:)
You know, it only seems to take one line in a Slashdot post, out of context, to drive people batty here. I'm seeing a long stream of posts that seem to believe that GM just took all of these robots and plugged them directly into a cablemodem without any firewalling or other security, making it effortless for some dork to simply go fuck with the production lines.
Okay. So, there's "connected to the Internet" as in you have a connection to the Internet...like I am using to post this. I'm behind a firewall, with both ingress and egress filtering. But if I weren't connected, I wouldn't be able to send/receive email, I wouldn't be able to browse the web...you get the picture. I am connected, but it doesn't mean that people can just lay into my computer with wild abandon and hack me. Then there's "CONNECTED to tha' motherfucking INTERNET," without security, without security monitoring, etc. That's bad...and yes, if GM had done that then all kinds of bad things would happen because few automation systems are particularly robust from a security perspective. But that's not what GM has done. Connected securely or connected insecurely...both are actually a state of being 'connected to the Internet.'
They can't override criminal law, but they can certainly put language in like "DRM providers SHALL give a written statement to not sue as precondition for inclusion". Or like the letsencrypt API require agreement via the API itself. The people behind letsencrypt are not lawmakers either. I don't know of any country where criminal copyright charges are brought without someone asking that to happen, so contracts are quite efficient at that.
The protections needed are more than just civil in nature.
So, let's look at it this way...overlook the fact that W3C has no power to enforce a contract simply with a standard, or that someone can use most of the standard and leave a few bits out so as to avoid being bound by your proposed language. (While you're at it, overlook the fact that this would cause massive fracturing of exactly the sort that W3C is really trying to reverse, not make worse.)
So now you have no option for anyone to sue security researchers over copyright infringement when all they are doing is security testing. Okay. What will happen is that large industry groups will instead push for criminal law to come to bear instead, and you'll get what happened in Germany years ago. Under that situation, not only will security researchers testing DRM come under fire...ALL security research becomes dangerous to do without the express permission of the organization whose solution is being tested.
When you have an angry neanderthal waving a medium-sized stick around at you, and you break his stick...he picks up a bigger one. He doesn't just sit down and call it a day, and he doesn't reach for a twig.
Actual quote: "We believe this is a devastating blow to manatees," Patrick Rose, Executive Director for Save the Manatee Club, said in a statement. "A federal reclassification at this time will seriously undermine the chances of securing the manatee's long- term survival."
Translated for clarity and accuracy: "We believe this is a devastating blow to my career," Patrick Rose, Executive Director for Save the Manatee Club, said in a statement. "A federal reclassification at this time will seriously undermine my chances of maintaining long-term employment."
Seriously, he's not a god. He can't stop Google and so on pushing DRM if they want to (which they did, regardless of whether he accepted that he was powerless in this case).
I really don't understand the FSF anymore. "Let's go after the symptoms instead of the disease! Let's divide our own supporters! Let's act like if we just pretend that if DRM isn't an official web-spec, it won't still be a de-facto web-spec!" What difference will any of that make, really? It's a pathetic waste of everyone's time and donation money.
An excellent point, and there's another one as well that relates to the limits of what he can do.
What W3C is working on are "technical standards," which is within their realm. The OP speaks of "protection" for security researchers...this is a legal matter, not a technical one. The reason that W3C isn't putting any kind of protection in place for people who find vulnerabilities is that they have no power to do so. You can't say "by using http version 4, you legally agree to not prosecute security researchers," for a whole lot of different reasons...the most basic of which is that laws simply don't work that way in most countries. Then there's the fact that W3C has literally zero authority to promulgate policy of law in any nation on Earth...and I could keep going, but that would just open up the door for someone to nitpick on the details of a minor reason while ignoring any of the other deal-breakers for such a proposition.
TL;DR: W3C are engineers producing technical standards, not legislators, so they can't override criminal law as it stands in nations to protect vulnerability researchers.
Some kill-crazy sonofabitch off the chain and looking for body count.
How does one PROJECT this sort of thing without actually getting lost in it?
In essence, making the other dumb sonofabitch crap themselves for their country and not want to actually fight and die?
Scary naming conventions.
I don't know that I'd assign government-wide significance to this. At most, it was a small handful of people who gave it the name...it's not like the name went before Congress for ratification, after all. And as far as the "violence" aspect...for fuck's sake, it's a grenade launcher. It's a pretty violent device to begin with.:)
I think of it a bit more humorously, like this:
Maria Hill: What does S.H.I.E.L.D. stand for, Agent Ward?
Grant Ward: Strategic Homeland Intervention, Enforcement and Logistics Division.
Hill: And what does that mean to you?
Ward: It means someone really wanted our initials to spell out "shield."
"Decentralization" is the idea that a database works like a network "that's shared with everybody in the world, where anyone and anything can connect to it," writes Vinay Gupta for Harvard Business Review. "Decentralization offers the promise of nearly friction-free cooperation between members of complex networks that can add value to each other by enabling collaboration without central authorities and middle men."
And this wonderful decentralization, where anyone and anything can connect to "the database," is why Bitcoin transactions take hours to confirm, the network is only capable of supporting a handful of transactions per second, etc. Don't even get me started on the laughs involved if "everybody in the world, anyone and anything" is keeping local copies of "the database," or enough of it to verify transactional integrity to a level necessary for shit like inventory management at Wal-Mart scale.
I can see it...it's happened before, on a smaller level and with the removal of a different choke point that required centralization of a different kind.
Anyone here remember "The Sharper Image"? They were stores...and a catalog...of incredibly cool stuff. This was before there was public access to the Internet or such a thing as a.com TLD; back then, you had to go to stores or catalogs to find things. As a result, for lack of a better way to put it, it was "harder to find stuff."
Today, if I wanted to buy...gird your loins...a "Slave Leia outfit in purple, size X-large," I would have to do research just to find out what kind of a store might carry something like that, and then find one such store within my physical reach. If I was really stretching, I could make a phone call to some other place and perhaps get them to ship it to me...sight unseen. (And hopefully, something like a Slave Leia outfit in size X-large would forever remain sight unseen, but I digress.)
Now, I simply go to Google, or some other search engine, and...gah! But yeah, I found it, in less time than it would have taken me to go grab my copy of the Yellow Pages.
As a result, The Sharper Image found themselves as a solution for which the problem no longer existed. Their shelves drew customers because it was the best way to get introduced to clever, interesting, or quirky high-end items that solved interesting problems or had unique appeal for some other reason. Before you could got into a Target and buy a Dyson vacuum cleaner (and before you could buy one online), they carried them, for example. They had the capital, business model and logistics to do this. But then, websites popped up (like ThinkGeek) which did what they did, but at an even more targeted scale...which was made possible because you no longer needed physical stores or a catalog to be accessible to your customers. The mass which made them successful was now a pair of cement shoes as they sank in the ocean of options.
So what exists now, as far as centralization? Amazon comes to mind. But note that Amazon is about logistics as much as anything else; hell, they don't even make sure that half of their "Apple" products actually came from Apple. And the hardest part of that logistics value proposition is payment handling. A lot of their products aren't shipped or handled by them, they just do the payment processing for the vendor. Anyone can go to a FedEx or UPS to ship something; heck, if you have a return to Amazon, that's what you end up doing. The main thing that Amazon, as a vendor, provides is the payment processing.
And yes, AWS is a real thing...I get that. But it's separate, and can exist outside of this concept of where the value proposition lies today vs. where it would lie in a blockchain-based economy. Indeed, it is the infrastructure that supports their payment processing, their shipping, their logistics, inventory, etc. But you could open up a blockchain-based vendor that competes with them...and run it on AWS, too. Amazon's main nemesis in the video content streaming space, for example, runs on AWS. It's called Netflix.:)
Evidence please? And not "it's been used 160,000 times".
Also if you think the asylum process is as simple as appealing a parking fine, you're fucking high. This guy appears to have more hubris than experience, and it reminds me of the $1 laptop programmes where somehow people without shelter and electricity and maintenance shops were somehow going to benefit from Wikipedia to tell them how to re-build the civilisation that the same cultures that delivered their laptop had destroyed.
While I agree that evidence of the claim would be useful, I also see no evidence of the implied accusation that his system has been unhelpful to anyone.
I can absolutely imagine how this kind of system would be useful to an asylum seeker. Some of the biggest challenges aren't about nuance of law or understanding of precedent. Imagine showing up in an industrialized country, not able to speak the language very well (or at all). You don't know what government agencies you're about to interact with, nor do you know what their roles and responsibilities are. You don't know what processes you're expected to follow, what they are called, what they do, or how they work. You don't know what you're going to be asked to do, produce as evidence, or answer as questions. The specifics of what you'll need to know vary based upon things like where you're from, what kind of danger you're worried about, and whether you are alone or with a family. The process is long and byzantine (despite what Trump thinks) and when you throw in the cultural and language differences in combination with simply just being scared about the future...yeah, wow.
Look at it from another perspective related to something that has to be about one one-hundredth as scary and intense. Say you're going to the DMV for the first time to take a driving test and get a license, and have never had any aspect of the process explained to you before. What would be easier...a sheet of paper explaining all the different things at the DMV and how they work, or a person that you could interactively ask questions of, so that you can find out what you, specifically, need to know and need to do?
From what I understand of the current asylum interview process, the key question is "is your life in danger" followed by variations on "prove it." (Sometimes the proof is as simple as pointing to death threats on Facebook.) Does anyone know if coaching this process is what this bot is doing?
Yes...but using that reductive approach, you can say that this is how almost any compliance/vetting process works.
PCI DSS: "Do you handle payment card information securely," followed by variations on "prove it." Yet, accomplishing this is expensive and challenging.
Tax audit: "Have you paid what you owe for taxes," followed by variations on "prove it." The visceral reaction of anyone who has been through a tax audit makes my point here.
Security clearance interview: "Can we trust you with state secrets," followed by variation on "prove it." This gets even more interesting if you get a polygraph exam...which is essentially nothing more than a twisted, mind-fucky variation of the same.
The trick is in the "prove it" part...or more specifically, the overlap between what actual means are feasible for providing proof combined with what the questioning entity defines as acceptable proof. In different situations, this overlap may be subject to negotiation as well (or not), and that is its own area of expertise unto itself in some cases. Almost all of these processes also involve setting legal precedents during their early days as well.
In short: sure, you can use a verbal metaphor to represent the process in an oversimplified manner. But that doesn't make the actual process...as required by anyone who engages with it...simple or easy.
Slashdot Mirror
They aren't a regulatory body, but they also aren't a regulated body either - this is the equivalent of going to a chinese medicine doctor instead of a sexual health clinic when your john thomas is oozing green puss.
Yes, but the day is coming when that will change. And they know it. If you were in their shoes, what would you want those regulations to look like? They'll be crafted to deal with what happens before they are written.
As discussed here Cyber extortion - legality of ransom payments and the approach of businesses and insurers it shows under international law, cyber extortion payments arent illegal unless they are terrorism related.
I dont believe Coinbase should be denying access to legitimate funds, that arent terrorism related, unless they want to get regulated... this would be the first step to ruining their little monopoly.
They aren't worried about "international law" (which, incidentally, is barely a thing unless you are a war criminal or something else so egregious that most of the world is willing to support a method around prosecuting you.) They're worried about local laws, which are a lot more real. The absence of relevant criminal statutes under international law will not protect you against regulatory or criminal proceedings in nations where you operate.
They're worried about being blamed for money laundering, so they're being proactive and trying to catch anything in their system that they can possibly tie to criminal activity. Unfortunately for everyone, not too many options for doing this exist outside of going after ransomware payments...so that's what they've gone after. I can sort of understand it...bitcoin isn't exactly transparent, and the day is coming when regulators will be deciding who is good and who is bad here. It does make good business sense to demonstrate a "best effort" to steer clear of being designated as "bad," or at least "bad-friendly." I think it's a dick move, but I do understand the motivation behind it.
Security companies should not be allowed to act as front companies for cybercriminals anymore than they should be allowed to assassinate people for pay. Let's hope there's a criminal investigation as well. Perhaps this one was even directly involved in the original crimes, not only encouraging them...
You're not paying attention.
The security company wasn't accepting payment on behalf of ransomware actors. They were facilitating the payment TO ransomware actors on behalf of companies that aren't familiar with bitcoin and have no accounting methodology to make such a payment before the ransomware runs out. They were a front for the victims, not the criminals.
It's akin, in a rough way, to what K&R companies like Control Risk do when it comes to ransoms in the real world. There are right ways and wrong ways to pay a ransom, and they are intimately familiar with the difference. As a result, they step in when one of their clients has a kidnapping situation and manage the whole thing to help get the person back safely. And yes, this usually does involve paying the ransom.
The real motive by Coinbase is probably a fear that they'll be accused of helping facilitate criminal activity. Bitcoin exchanges are on the narrow edge of falling under regulation, but it could also go another way (*cough*Liberty Reserve*cough*) for any particular exchange if the regulators in their country feel that they are guilty of money laundering. As a result, Coinbase is taking proactive measures to be able to prove that they, well, proactively avoid facilitating crime. I don't necessarily agree with it, but I can at least see where it came from.
The App Store is a marketplace. First and foremost, that is its purpose.
The mandate that it be used as an exclusive avenue for applications supports a broader cybersecurity model. Note that it's not a "security" model, which is potentially broader...it's a "cybersecurity" model. It's not a social solution, and won't protect you from apps that are overpriced, poor in functionality, overstated in their benefit, etc. It's not a "Good Housekeeping Seal of Approval" for apps. It's not a mechanism to prevent lies of scams of a sort that are non-technical in nature, either. Yes, Apple will help out as they can, and pull out apps when they see this kind of thing going too far. But even that is a "best effort" kind of thing, and there are no technical measures that work very well at detecting such issues.
The best they can do is mandate and enforce a standard for in-app purchase notifications (which they do) so that you'll be able to see, in normal print, that you're about to pay $99/week for something. If you're enough of a fucking moron to still go forward with it, that's on you.
You know, a few weeks ago there was a post on reviewing code before pushing it to production, and some people seemed appalled by the idea that another person...who would invariably be a coder, lest they be unable to understand what they were looking at...would be in the process flow for committing a change. I pointed out that this was actually an industry best practice in enterprise organizations, and an inherent part of any SDLC. In any large environment, people with access to development environments do not have the rights to push changes to production. This concept was not well-received.
And now, I see an awful lot of people saying that this problem above was the CTO's fault, for giving a developer sufficient access to change the production environment. I agree with that point...but it's amusing to me how a lot of us seem to live in a fantasy world where we must have access to everything, but when we screw up it's someone else's fault for giving it to us. We have to choose one of the other; either we are justified in having full autonomy and accept the consequences of our actions...for good and for bad...or we accept safeguards that protect both us and the organization we support.
Why do you people always single out sports channels and whine about them? I have no problem paying for ESPN, but I want to find a way to avoid paying for BET. It's racist that there's Black Entertainment Television but no White EntertainmentâTelevision. How can I combat this racism and avoid paying for BET while continuing to receive worthwhile channels like ESPN?
Why? Because I also get CourtTV. With that, I get all the coverage of the NFL I need :)
I'm getting a huge kick out of reading all the critiques of this device...considering that nobody who loves or hates it has ever seen one in person.
How about this, guys...let's actually wait until they start selling them to decide how much they rock/suck balls? You know, just an idea...
Well, you have you remember they didn't have much time to get a better name.
When you innovate by chasing ambulances you don't have time to polish the turd..
Come an Apple, don't your cult members deserve better than another me too product to empty their wallets and put them for under your control?
Actually, the name that would have aligned with their naming scheme...which would be "iHome," was already taken by a purveyor of crappy consumer electronics. And the term "ambulance chasing" refers to people trying to profit off the tragedy of others...I don't think this is that.
But I do give you credit for posting on your account, instead of as an AC :)
"People Are Using Technology to Make the World More Unequal; Only People Can Fix This"
There, fixed that for you.
Technology doesn't do anything by itself. It has no animus of it's own (yet). It's a tool...and like any tool, it can be used in good ways, bad ways, stupid ways and ineffective ways. The difference between the choice of ways is, and always has been, a question of people, not of the technology in question. And addressing problems with bad choices remains, as ever, a people problem.
Which makes them quite the Tool.
This doesn't even get into the reality that 70% of all the "computers" are embedded beasties...all those "IoT" processors and the bulk of them are programmed in C or C++. A Node.JS or Python option is available, but neither of those are what you'd call "secure". You might be able to get Go to "go" onto those platforms or Swift- but they're a bit largish and don't really target the small stuff.
The remark about .Net or Java means they're a real Headupassian. No clue whatsoever what they're managing- and it sadly shows.
This is very true, at least for the near future. For some solutions (like infotainment systems in cars) Java ME is heavily in use...but most IoT devices have neither the performance nor the need to do so. They're coded in C++, which means that they can use microprocessor architectures that cost a few dollars instead of dozens of dollars or more.
The simplicity of lower-powered embedded systems benefits you when you have to deal with environmental problems like heat and vibration; you can pot a low-powered system and not worry about it overheating, but if you try to do that with something more sophisticated you run into major issues. And then there are those applications that simply require that things be tiny...not small, but tiny. All of these obviate things like JVMs and interpreted code.
I think back to situations like steel workers or coal miners whose jobs disappear...and to the combination of where these people live, the lack of variety of the local economy, and the difficulty translating their skills to other industries. These things combine to make it nearly impossible for them to maintain their livelihoods. Conversely, in the tech field, that constant rate of change makes it not only relatively easy to change specialties, it eliminates any stigma that comes from having done so.
Yes, this means that fields and skills sometimes go out of favor...but at least you're not stranded when they do. You have options. Whether or not you exercise those options...that's another thing. I'd rather have options, and have it left up to me whether I fail or succeed.
This is the same HP that hasn't come up with a hit since the bubble jet printer, people. The same HP that pushed a cloud computing solution that was so pig-fucking awful that The Onion mocked them about it. I worked at HP at the time, and I really have to think that The Onion had someone on the inside...because their parody was unbelievably on target. "We have 4G, 5G, 6G...we have all the Gs. We have app." That's literally as bad as what some of the people at HP were about it...it defied belief. This is the same HP that came up with a small microchip that could hold information and push it to your phone...but alas, as good as it sounded to have them talk about it, the phone's receiver had to stay within an inch of the thing, and the data transfer rate was literally as bad as a modem from the late 80s. This is the same HP that couldn't come within billions of dollars of precision as they tried to evaluate the price of another company they bought...and then effectively sued themselves when they realized that they fucked up on the offer they'd made, had accepted, and consummated. HP had to state on their SEC filings that flight of talented people had become a major impediment to their achieving their business goals...starting several years ago. And it hasn't gotten better since. These are stupid motherfucking people.
Oh, in more recent news, this is the same HP whose business-grade laptops (since we're talking HPE here, really) had a keylogger built into the audio driver.
So yeah...I doubt that this "machine" is all that. I'm curious...have they ever actually managed to CONNECT it to 160 terabytes of RAM at once, or is this a theoretical capability? Because they lie like a rug about this kind of silly detail. I can't help but notice that those 160 TB all have to be in a "single bank of memory." Wow, that must be one long-ass DIMM!
Regardless of who her husband is, she achieved a degree of commercial success prior to this change, which means that she has managed to build enough audience to make transitioning to crowdfunding easier. Obviously being a signed act isn't the only way to build that audience, but it certainly has its advantages.
I'm not sure how much success constitutes a "degree" to you, but I've never heard of her any my tastes in music range pretty far and wide. And as for ease of transitioning to crowdfunding...if she's terrible and can't keep a record deal, then trading on the coattails of her husband in a crowdfunding model (instead of having to demonstrate her own talents to a record company) would be a lot easier, indeed.
Read any tutorial on Bayes theorem. Chances are most of the positive results will be false positives, but neither patients/consumers nor their doctors understand that, they hear "97 percent accuracy" and "You tested positive".
This is a crucial point.
When I see things like "97% accurate" with respect to a diagnostic function, I have to wonder about the definition of "success." Is that just a 3% false-negative rate? If so, what's the false-positive rate...because if it turns out that the watch is wrong half the time when it signals an abnormality, that's bad too. If a diagnostic function cries wolf too often, it gets ignored and becomes useless.
If, on the other hand, the 97% accuracy rate covers both false positives and false negatives...then all of a sudden you have a really useful diagnostic tool that would be free for the millions of people who have this watch, and an approach which can probably be applied to a lot of other wearable devices on the market today as well.
so now you have two coders looking at every line of code?
Yeah...because this is how it's done when it's done professionally. You have one coder...the guy who wrote the change...and then another coder...the one who tests it.
This happens in non-code places too, like journalism. One person writes the article, and another proofreads it. (Due to the acceleration of the news cycle, this has been going away...with predictably-bad results.) Consulting? Yes, you have quality control (another person reading and checking the deliverable..every line of it) before it goes to the client. Engineering? One engineer builds the spec, and another has to approve it; this is actually mandated by law for a lot of things, in fact, where permitting is involved (like construction).
Fundamentally, the question is "how to you keep code from being pushed to the public before it's tested." You seemed to miss that in your reply, because the very point of the question requires two people...people who must understand what their reading (and thus, are coders)...to look at the code. Also, your reply seems to imply that a code change requires reading ALL of the code, not just the new or changed code, and this is simply not true.
Burger King's ad campaigns have been the laughing stock of the advertising world forever. I was studying marketing back in the 80s, in college, and had a subscription to Advertising Age (the leading trade publication of the industry). At that time, Burger King's campaign revolved around the phrase, "Burger King. Sometimes you just gotta break the rules." It was considered so ridiculous that Advertising Age held a contest to see if anyone could come up with anything even more insane. Finalists in the top-5 included "Long John Silver's, for the seafood lover that is Allah"...and, of course because someone submitted it, "Burger King. Sometimes you just gotta break the rules." This was about three decades ago.
Then there was their whole "chicken fries" campaign, back in the...was that the 90s? I have no idea what the fuck that was all about, though the "band" that was prominently featured there openly admitted that they did the ads because they realized they weren't going to make it as real musicians so they may as well sell out. And this admission wasn't on some interview or a website off to the side...it was featured front-and-center on the official website that Burger King stood up for the ad campaign.
So, at least Burger King is keeping up with the times, finding new and innovative ways to blow dead goats with their ad campaigns.
In real production code you pretty much have to check the type "manually" of every argument to every function. And document the type in the comments. This is much more work that just using a strongly typed language in the first place. Python's a fine scripting language, a tier above the likes of Perl and PHP. But it's not for real code.
Yes, of course...because we all know that in "real" production code, the comments are ubiquitous, diligent, and comprehensive :)
You know, it only seems to take one line in a Slashdot post, out of context, to drive people batty here. I'm seeing a long stream of posts that seem to believe that GM just took all of these robots and plugged them directly into a cablemodem without any firewalling or other security, making it effortless for some dork to simply go fuck with the production lines.
Okay. So, there's "connected to the Internet" as in you have a connection to the Internet...like I am using to post this. I'm behind a firewall, with both ingress and egress filtering. But if I weren't connected, I wouldn't be able to send/receive email, I wouldn't be able to browse the web...you get the picture. I am connected, but it doesn't mean that people can just lay into my computer with wild abandon and hack me. Then there's "CONNECTED to tha' motherfucking INTERNET," without security, without security monitoring, etc. That's bad...and yes, if GM had done that then all kinds of bad things would happen because few automation systems are particularly robust from a security perspective. But that's not what GM has done. Connected securely or connected insecurely...both are actually a state of being 'connected to the Internet.'
They can't override criminal law, but they can certainly put language in like "DRM providers SHALL give a written statement to not sue as precondition for inclusion".
Or like the letsencrypt API require agreement via the API itself. The people behind letsencrypt are not lawmakers either.
I don't know of any country where criminal copyright charges are brought without someone asking that to happen, so contracts are quite efficient at that.
The protections needed are more than just civil in nature.
So, let's look at it this way...overlook the fact that W3C has no power to enforce a contract simply with a standard, or that someone can use most of the standard and leave a few bits out so as to avoid being bound by your proposed language. (While you're at it, overlook the fact that this would cause massive fracturing of exactly the sort that W3C is really trying to reverse, not make worse.)
So now you have no option for anyone to sue security researchers over copyright infringement when all they are doing is security testing. Okay. What will happen is that large industry groups will instead push for criminal law to come to bear instead, and you'll get what happened in Germany years ago. Under that situation, not only will security researchers testing DRM come under fire...ALL security research becomes dangerous to do without the express permission of the organization whose solution is being tested.
When you have an angry neanderthal waving a medium-sized stick around at you, and you break his stick...he picks up a bigger one. He doesn't just sit down and call it a day, and he doesn't reach for a twig.
Actual quote:
"We believe this is a devastating blow to manatees," Patrick Rose, Executive Director for Save the Manatee Club, said in a statement. "A federal reclassification at this time will seriously undermine the chances of securing the manatee's long- term survival."
Translated for clarity and accuracy:
"We believe this is a devastating blow to my career," Patrick Rose, Executive Director for Save the Manatee Club, said in a statement. "A federal reclassification at this time will seriously undermine my chances of maintaining long-term employment."
Seriously, he's not a god. He can't stop Google and so on pushing DRM if they want to (which they did, regardless of whether he accepted that he was powerless in this case).
I really don't understand the FSF anymore. "Let's go after the symptoms instead of the disease! Let's divide our own supporters! Let's act like if we just pretend that if DRM isn't an official web-spec, it won't still be a de-facto web-spec!" What difference will any of that make, really? It's a pathetic waste of everyone's time and donation money.
An excellent point, and there's another one as well that relates to the limits of what he can do.
What W3C is working on are "technical standards," which is within their realm. The OP speaks of "protection" for security researchers...this is a legal matter, not a technical one. The reason that W3C isn't putting any kind of protection in place for people who find vulnerabilities is that they have no power to do so. You can't say "by using http version 4, you legally agree to not prosecute security researchers," for a whole lot of different reasons...the most basic of which is that laws simply don't work that way in most countries. Then there's the fact that W3C has literally zero authority to promulgate policy of law in any nation on Earth...and I could keep going, but that would just open up the door for someone to nitpick on the details of a minor reason while ignoring any of the other deal-breakers for such a proposition.
TL;DR: W3C are engineers producing technical standards, not legislators, so they can't override criminal law as it stands in nations to protect vulnerability researchers.
Some kill-crazy sonofabitch off the chain and looking for body count.
How does one PROJECT this sort of thing without actually getting lost in it?
In essence, making the other dumb sonofabitch crap themselves for their country and not want to actually fight and die?
Scary naming conventions.
I don't know that I'd assign government-wide significance to this. At most, it was a small handful of people who gave it the name...it's not like the name went before Congress for ratification, after all. And as far as the "violence" aspect...for fuck's sake, it's a grenade launcher. It's a pretty violent device to begin with. :)
I think of it a bit more humorously, like this:
"Decentralization" is the idea that a database works like a network "that's shared with everybody in the world, where anyone and anything can connect to it," writes Vinay Gupta for Harvard Business Review. "Decentralization offers the promise of nearly friction-free cooperation between members of complex networks that can add value to each other by enabling collaboration without central authorities and middle men."
And this wonderful decentralization, where anyone and anything can connect to "the database," is why Bitcoin transactions take hours to confirm, the network is only capable of supporting a handful of transactions per second, etc. Don't even get me started on the laughs involved if "everybody in the world, anyone and anything" is keeping local copies of "the database," or enough of it to verify transactional integrity to a level necessary for shit like inventory management at Wal-Mart scale.
I can see it...it's happened before, on a smaller level and with the removal of a different choke point that required centralization of a different kind.
Anyone here remember "The Sharper Image"? They were stores...and a catalog...of incredibly cool stuff. This was before there was public access to the Internet or such a thing as a .com TLD; back then, you had to go to stores or catalogs to find things. As a result, for lack of a better way to put it, it was "harder to find stuff."
Today, if I wanted to buy...gird your loins...a "Slave Leia outfit in purple, size X-large," I would have to do research just to find out what kind of a store might carry something like that, and then find one such store within my physical reach. If I was really stretching, I could make a phone call to some other place and perhaps get them to ship it to me...sight unseen. (And hopefully, something like a Slave Leia outfit in size X-large would forever remain sight unseen, but I digress.)
Now, I simply go to Google, or some other search engine, and...gah! But yeah, I found it, in less time than it would have taken me to go grab my copy of the Yellow Pages.
As a result, The Sharper Image found themselves as a solution for which the problem no longer existed. Their shelves drew customers because it was the best way to get introduced to clever, interesting, or quirky high-end items that solved interesting problems or had unique appeal for some other reason. Before you could got into a Target and buy a Dyson vacuum cleaner (and before you could buy one online), they carried them, for example. They had the capital, business model and logistics to do this. But then, websites popped up (like ThinkGeek) which did what they did, but at an even more targeted scale...which was made possible because you no longer needed physical stores or a catalog to be accessible to your customers. The mass which made them successful was now a pair of cement shoes as they sank in the ocean of options.
So what exists now, as far as centralization? Amazon comes to mind. But note that Amazon is about logistics as much as anything else; hell, they don't even make sure that half of their "Apple" products actually came from Apple. And the hardest part of that logistics value proposition is payment handling. A lot of their products aren't shipped or handled by them, they just do the payment processing for the vendor. Anyone can go to a FedEx or UPS to ship something; heck, if you have a return to Amazon, that's what you end up doing. The main thing that Amazon, as a vendor, provides is the payment processing.
And yes, AWS is a real thing...I get that. But it's separate, and can exist outside of this concept of where the value proposition lies today vs. where it would lie in a blockchain-based economy. Indeed, it is the infrastructure that supports their payment processing, their shipping, their logistics, inventory, etc. But you could open up a blockchain-based vendor that competes with them...and run it on AWS, too. Amazon's main nemesis in the video content streaming space, for example, runs on AWS. It's called Netflix. :)
Evidence please? And not "it's been used 160,000 times".
Also if you think the asylum process is as simple as appealing a parking fine, you're fucking high. This guy appears to have more hubris than experience, and it reminds me of the $1 laptop programmes where somehow people without shelter and electricity and maintenance shops were somehow going to benefit from Wikipedia to tell them how to re-build the civilisation that the same cultures that delivered their laptop had destroyed.
While I agree that evidence of the claim would be useful, I also see no evidence of the implied accusation that his system has been unhelpful to anyone.
I can absolutely imagine how this kind of system would be useful to an asylum seeker. Some of the biggest challenges aren't about nuance of law or understanding of precedent. Imagine showing up in an industrialized country, not able to speak the language very well (or at all). You don't know what government agencies you're about to interact with, nor do you know what their roles and responsibilities are. You don't know what processes you're expected to follow, what they are called, what they do, or how they work. You don't know what you're going to be asked to do, produce as evidence, or answer as questions. The specifics of what you'll need to know vary based upon things like where you're from, what kind of danger you're worried about, and whether you are alone or with a family. The process is long and byzantine (despite what Trump thinks) and when you throw in the cultural and language differences in combination with simply just being scared about the future...yeah, wow.
Look at it from another perspective related to something that has to be about one one-hundredth as scary and intense. Say you're going to the DMV for the first time to take a driving test and get a license, and have never had any aspect of the process explained to you before. What would be easier...a sheet of paper explaining all the different things at the DMV and how they work, or a person that you could interactively ask questions of, so that you can find out what you, specifically, need to know and need to do?
From what I understand of the current asylum interview process, the key question is "is your life in danger" followed by variations on "prove it." (Sometimes the proof is as simple as pointing to death threats on Facebook.) Does anyone know if coaching this process is what this bot is doing?
Yes...but using that reductive approach, you can say that this is how almost any compliance/vetting process works.
PCI DSS: "Do you handle payment card information securely," followed by variations on "prove it." Yet, accomplishing this is expensive and challenging.
Tax audit: "Have you paid what you owe for taxes," followed by variations on "prove it." The visceral reaction of anyone who has been through a tax audit makes my point here.
Security clearance interview: "Can we trust you with state secrets," followed by variation on "prove it." This gets even more interesting if you get a polygraph exam...which is essentially nothing more than a twisted, mind-fucky variation of the same.
The trick is in the "prove it" part...or more specifically, the overlap between what actual means are feasible for providing proof combined with what the questioning entity defines as acceptable proof. In different situations, this overlap may be subject to negotiation as well (or not), and that is its own area of expertise unto itself in some cases. Almost all of these processes also involve setting legal precedents during their early days as well.
In short: sure, you can use a verbal metaphor to represent the process in an oversimplified manner. But that doesn't make the actual process...as required by anyone who engages with it...simple or easy.