The original question was how does a Tor-running geek prepare for a computer seizure by authorities. One answer is to back up your data to the cloud, so even after they have your computers, you can at least go buy a new beige box and keep working. That's what the GP was getting at.
Actually, the question had to do with running a Tor Exit Node...essentially, how to protect yourself in this situation.
"What backup plan, if any, should the average nerd have for something like this?"
...for an article about getting busted for running an exit node. And you can't have one, really. From a procedural perspective, that's the point. Half the intent of this kind of enforcement action is to utterly cripple the activity they suspect of taking place. If you're dealing in child porn, as was the trigger for this, they WANT to leave you without a backup plan. They deliberately do everything in their considerable power to leave you unable to send/receive/view/photoshop/make monopoly money out of the images/video/whatever. And they've had practice at it. They will take any computer you have, and demand access to any external storage you have as well. It's just like a physical search and seizure for physical evidence; the warrant covers all storage you own or have rights to, including your home, and even if you have a storage container they know about. And you can be absolutely sure that they will have watched your communications for a little while before raiding you, and would see if you're running backups to an external site. And the guy had dozens of storage devices...HP servers. Good luck backing that up to the cloud without it being incredibly obvious.
The other technical problem is this: your node will be seen as the point of origination for any traffic that goes to the Internet. You don't control that traffic, and don't have any insight into it before it arrives where you are. You're giving up control of your network, to some degree, to parties unknown with reason to hide. In some cases they have reason to hide because other people are bad, and in some cases they themselves are bad, which is why they want to hide. But you can't tell the difference without actually inspecting the content...all of it. (And if you have a way to do that reliably in a situation with no context please do let me know. I know a few VCs who will gladly fund you, because that level of automated content classification on-the-fly on a network is the holy grail of several aspects of information security.) There is no easy way to detect with any level of certainty that you are not actually involved in the activity you're facilitating without seizing your computers and validating that you're not actually running the software behind the traffic or storing the data that was sent to/from your node.
But you know what? None of that matters...because the problem is about running the exit node, not being the one with something to hide. It's not your traffic that got their attention, just the fact that you're the only person they could find who was associated with it. So your options are to take the risk, or don't be an exit node. And again, this is something the article pretty much states outright, so if you've read it, you'd know that.
Yeah, but if you RTFA, you'll see that he was pushing terabytes of data doing this. It's not a little thing, running an exit node. Yes, running one helps many people, some good, some bad. So what? It's still nowhere near something an "average" anything would do.
They have it wrong. It's on a tabletop. The goal of NetWars is to have a predefined and cheap proving ground for doing cyber war games, essentially. It doesn't require a literal city. And the tabletop thing is for the "ooh and ahhh" factor with brass.
From the recent SANS NewsBite entry about it:
The Air Force's NetWars cyber simulator won the 2011 National Cybersecurity Innovation Award presented by Howard Schmidt, then White House cyber advisor. CyberCity is the next generation of NetWars. Low cost cybersecurity flight simulators have been the "holy grail" in advanced cybersecurity training for the military, banks and the most advanced consulting firms for more than a decade. Ed Skoudis' team and the Air Force created the first affordable cyber range.
The ironic thing is that this can be easily addressed.
All modern ARM chips have the ability to run multiple "worlds", one secure, one insecure. It would be nice to have the ability to have a secure world just for credit card payments, having it use two forms of authentication on that app (face, fingerprint, and/or PIN.) Then, the other world would have the usual phone apps. This way, even if a thief gets the phone and it is unlocked, the critical banking stuff is protected at a low level, and too many guesses at the PIN will result in the partition with the Square or PayPal app getting erased.
On a more general level, it would allow a device to have one partition for work stuff, one for home.
This isn't actually so easy, it turns out. You're describing what's called MLS, or Multi-Level Security. The NSA has tried this on servers, on workstations, and most recently on phones. It's incredibly hard and the underlying system ends up either having security flaws or major usability issues, and either situation costs a fortune. They've ended up giving up on doing it for mobile devices; what they ended up with weighed over a pound and cost thousands of dollars per device. There are some features it has that wouldn't apply here...but the MLS challenge still has yet to be solved in a way that satisfies, on any platform. This "partition" you talk about has to be done in the OS, not the chip.
Separating things in the chip isn't even half the battle. What, do you run two instances of the OS? Have two separate storage areas? iOS has sandboxing of applications built in, but half the point of solutions like Square is that they can run on multiple types of devices...what if it's Android? It's not just a matter of telling the chip, "oh, this is that OTHER reality..." and walking away proud. If there's not a sandbox around access...in storage, transmission (remember, devices like Square use the audio jack) or in temporary processing in memory, then you don't have separation.
Israelis are direct, and they can certainly be brutal, but they aren't idiots. They aren't going to send in teams to bust doors over a bunch of hacked public sites.
True. But Anonymous doesn't stop at just "a bunch of hacked sites." They go as big as they can, and if they are successful at that with the Israelis, they'll find themselves looking at the other side of that coin. That's the real problem. They've claimed success at hacking the FBI (which was debunked) and actually had success at hacking an Infragard chapter. If they have any real success at penetrating Shin Bet, for example, they will find themselves in a very nasty place. It's probably unlikely, but still something to consider.
(Love your Slashdot name, by the way...just wanted to add that too...)
I don't think it's falsified...I think the issue is that Anonymous is not a singular, totally cohesive group. I absolutely think there are parts of Anonymous who are that reckless that they'd poke at Israel over this. For their sake, I hope they don't accomplish much; Israel has exactly *no* sense of humor when it comes to their own national security. There comes a time when a cyber action can provoke a kinetic response, and the Israelis won't be hampered by the need for search warrants, due process, etc.
"The author of the article seems to believe that birth via artificial wombs could become the new norm, but is it really feasible, desirable or even affordable for the majority of Earth's population?"
This isn't something for the majority of Earth's population...it's a solution for women who are having trouble conceiving. IVF, while popular, is far from universally successful; often the problem is implantation and it's not uncommon to have a couple try as many as four or five times before successfully conceiving. An artificial uterus, on the other hand, would be free from such troubles. To that, add women who have had to undergo a hysterectomy for any number of reasons (like cervical or uterine cancer) who wish to have another child.
For the majority of Earth's population, the good old-fashioned way is plenty effective, more fun, and totally free...so it'll work for them. But there are those for whom this would be the best viable option for having a child.
Wow, it's nice to see Gabon is in a great economic position, has eliminated all poverty, improved education, public healthcare, great mass transit systems, and can afford the luxury to turn down an offer to host what's sure to become one of the most popular websites on Earth, which will generate millions in ad revenue.
Holding the TLD of the domain name and hosting the site have nothing to do with each other. First of all, the site was to be cloud-based, so as not to have a single hosting location that can easily be taken down. Second of all, absolutely no cloud services vendors have hosting facilities in Gabon. Gabon would gain nothing from hosting me.ga except diplomatic and economic pressure from North American and European countries, and I'm quite sure that such pressure is what led them to take this action. If they had anything to gain at all, that'd be one thing, but they had a lot to lose, and nothing to gain whatsoever.
This goes to Kim Dotcom's problem...that no matter how he scatters and fuzzes his infrastructure, he will still have to contend with single points of failure that can be attacked through procedural means. I don't know how to deal with it, frankly...all completely decentralized systems for content distribution and sharing that I know of (like Freenet) are somewhat awkward and a real pain in the ass. If you need to use a domain name, you've got a point of vulnerability where the powers that be have an undue procedural advantage. This doesn't even take into account the other challenges of payment processing, financial basis (gotta pay your bills from an account somewhere), hiring of personnel (what if the operation is deemed a criminal activity, and they go after the employees under RICO or an equivalent law?), and other things I probably haven't even thought of.
Must they report to investors and the SEC every time a building is physically broken into?
Of course not.
You could convince me, though, that they should be reported to the local gendarmes who should then forward it on to the FBI where it must be made public.
Actually, it depends. Is the building in question a guard shack, where some rent-a-cop's iPhone got stolen? No. Is the building Nakatomi Plaza, and the break-in resulted in $640,000,000 worth of bearer bonds being burned, stolen and/or spread to the winds? Then yes...the company very much has a requirement to disclose. The rule isn't based around the action, but the impact. VeriSign, for example, would be required to disclose a major physical security breach at their Mountain View site which houses the root CA they operate. Why? Because the trust around that site is a material component of their intrinsic value as a corporation, and they are publicly traded. (Disregard for a moment the fact that they suck...let's just leave that aside for the time being.)
If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.
Actually, when it has any basis on stock value (in other words, if the breach has any material effect on a company's true worth, either via direct or indirect losses), they do have that obligation with regard to "over-the-net" attacks. Shortly after this rule went into effect by the SEC, Nortel was forced to disclose not only that they had suffered a major breach, but that the attackers had been in their systems for nearly a decade, and that Nortel even knew about it.
The change is simple, and exactly what you propose; cyber security incidents are not explicitly lumped in with other actions that would negatively affect the value of a company, and thus the true value of its stock.
You can't quite reverse engineer machinery with your bare hands. Sure, you can take the thing apart (for the most part) and examine how the parts are shaped and how they fit together. But the metallurgy alone is a whooole other ball game.
Here's an example: my espresso machine. Yes, I know, it's not a farm combine, but work with me for a second. It's stainless steel, but if you look carefully at it, you'll see that the body of the machine is a different color metal than the tray at the bottom. And there's a reason for this: the steel of those two sections, while both considered "stainless steel," are different alloys. Why is this? Well, I happen to know that it's for reasons of ductility with regard to the body of the machine, and of stiffness for the tray. But what I don't know is the exact composition of those alloys. I also don't know how to make the dies that produced either component, how to smelt the raw metals that went into the alloys, and so on...
Now, that was just the outside body of a relatively simple device with relatively minimal demands with regards to physical strain or usage. Just a household espresso machine. Take that a step further, onto a device that has waaaaay more moving parts, exerts far more force, and must also be weatherproof. Something that will be exposed to grit, dust, moisture, mud, snow, and rain. Something with hydraulics (good luck reverse-engineering the fluid, by the way) and an internal combustion engine, and an electrical system. Try reverse engineering the metal of the cogs and bearings, the plastic/neoprene of the seals, the wires, the chips inside the microprocessors. And then try to imagine how to build them all.
I'd hang out with the Amish, and cast my lot with them...
Oddly, the government is also pushing (heavily) into using cloud services. Does that mean that for when they use public cloud, we can just go look at their data anytime we want? :)
Totally irrelevant. But just the same, also factually wrong, so I'll reply:
Actually, no he didn't...not even close. You can go back a couple of decades to the Black Chamber, or even further back by centuries to Sir Walsingham. You could argue that Sun Tzu was a forerunner, but if I had to pick a single person to actually start the surveillance of citizens by government, I'd choose Walsingham. And you know what? He stopped a number of plots against Queen Elizabeth I that way, and it's really hard to argue that his methods were unnecessary or heavy-handed.
Yes, but that effect covers casual attackers. When your attacker is well-resourced and determined to hack YOU...then it's not such a good thing, because they're willing to find the specific vulnerabilities in an obscure OS or application. Microsoft Windows gets pretty well wrung-out because of all the attention. For a long time, OSX was full of vulnerabilities until they started to get enough market share to become a good target. Then the flaws started getting detected and patched. But if a nation-state actor or large criminal organization had a reason to hack OSX, they probably would have looked for (and found) some 0-days on their own, then leveraged them.
I like the same big boxes as are used for everything else. NTP server, running on a Mac Mini...really? Get a GPS-driven device that serves the purpose. They run an embedded OS, so they're very low-maintenance and straightforward, and they perform extremely well. As far as uptime/network/performance monitoring functions, these need to be at least as reliable as everything else. And the mainframe interfaces are awfully important...imagine how much good you'd be if you maintained your intellect but became paralyzed, deaf, mute, and blind all at the same time? If those fail, your big iron is a big anchor.
Don't skimp on the support infrastructure of a data center. Those systems impact everything.
I don't think the problem is the lack of hip factor.
Question: What's the motto of a developer who focuses on "hip factor" above market size?
Answer: "Would you like fries with that?"
There are many problems facing a developer writing for Windows Phone 8. Windows CE/Phone 6/Phone 6.5/Phone 7 have always had poor uptake and very upset users. I used to work for HP, and before they bought Palm, every HP smartphone ran Windows Phone, and that's all that was issued to people. To a man, everyone *hated* them with a vengeance. Eventually, we all broke the rules and BYOB'ed iPhones...nobody got in trouble because EVERYONE did it. And I mean, freaking everyone. And this is not news. So Microsoft is at a natural disadvantage, out of the gate, since there's this relatively large base of users who either had a Windows Phone and hated it or know someone who did. Add the talk/rumors about marketplace issues, the fact that it's one more platform to support, on top of iOS and Android, and I don't see why having good dev tools for the platform would be all that great a balancing factor. The tools are great, sure...but so what? The tools have absolutely nothing to do with the demand for the platform the apps would run on.
Buy a Windows Phone, and then tell me that the number of useful apps is equal between the three platforms. Good luck with that...been there, done that, know better.
The smart phone market long ago stopped being about features and now turns on the number of apps.
Smartphones have stopped being basic embedded devices and are full-fledged platforms. The apps *are* the features, and thus the number of apps directly affects the features. Nobody who is even the least bit savvy runs just the applications built into a phone, or even just apps that replace existing features that are built in. The most popular apps are usually either games, or things that provide some unique and clever functionality that nobody else had thought of yet, like Shazam.
He wasn't storing the data in question...do you even know what TOR is? Did you even read the article?
What average nerd runs a TOR exit node?
Corporations do it better than governments ever could.
That's because there are no laws against corporations doing it.
Why does the input air need to be chilled? Does this have something to do with using hydrogen in a turbine engine?
Design considerations. The front of the engine intake is where they keep all the Coors Light.
As a former employee of HP? FUCK YES.
The "Vin Diesel."
The "Chuck Norris."
The "Houseguest."
Windows CE.