Slashdot Mirror


User: raymorris

raymorris's activity in the archive.

Stories: 0 · Comments: 10,114

Comments · 10,114

  1. Which is precisely what franchising gives consumer on Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com) · · Score: 1

    > If I am booking Hilton I expect to be staying at Hilton

    Which is precisely the benefit of franchising.

    With franchising, when you travel to a new city you'll see these options in hotels and food:
    Hilton
    Super 8
    McDonald's
    Wendy's

    Though you've never been to that city before, you can make a reasonable choice because you know what to expect from a Hilton, from a Super 8, and from a McDonald's.

    Without franchising, when you visited a new city you'd see these choices:
    Bob's Hotel
    Hotel Mary
    Frank's Burgers
    Jeff's burgers

    Which hotel is better? Which burger place will also have baked potatoes? No telling.

    The franchise system means you, the consumer, can know more or less what you're going to get, by looking at the sign, though you've never been to that person's restaurant or hotel before. You know a McDonald's, any McDonald's, is going to offer certain menu choices, at a certain level of quality. You know what to expect from any hotel with a "Hilton" sign, without needing to know the particular owner ahead of time.

     

  2. CRA is how related to this how? on Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com) · · Score: 1

    I'm looking over the CRA/FCA handbook and I don't immediately see anything relevant to this discussion. Perhaps you can point out what you're talking about?
    https://www.handbook.fca.org.u...

    I see if a company criminally defrauds the government, the people involved in perpetrating that crime can (of course) be held criminally liable.

    I don't see anything about "all the executives go to prison if a sysadmin doesn't do a good job patching a server, or any other security mistake". Can you help me find that?

  3. That's precisely what any smart person would do on Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com) · · Score: 2

    > get a job like the rest of us.

    That's precisely what any intelligent person would do if any mistakes by any of the thousands of employees at the company could cause the executives to go to prison. Only stupid or extremely ignorant people would accept an executive title. A company could either hire morons to actually run the company, meaning your job and your 401k would soon be gone, or have a string of puppets, where the moron who holds the title of CEO is controlled by people whose involvement is well hidden. The really stupid and desperate person, probably a crack head who had recently been homeless, would have the title "CEO". A crooked and easily influenced person, called the DWS, would relay orders to them from the person actually in control.

  4. It is publicly owned, less 100, doesn't own the ho on Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com) · · Score: 1

    > After 100 years. In a similar fashion businesses that are a 100 years old should also become public domain. That means the Hilton Hotel is now a public domain business.

    Uhm, Hilton is less than 100 years old.

    It is, however, publicly owned
    https://finance.yahoo.com/quot...

    > So feel free to book a free Hilton hotel room for yourself, friends and family.

    You realize most hotels with a Hilton sign aren't owned by Hilton, right? Individual hotel owners pay the brands a monthly fee to use the sign and get booking referrals from hilton.com.

  5. If it's not clear, it's bad by definition on The Fourth US Navy Collision of the Year Was Ultimately Caused By UI Confusion (arstechnica.com) · · Score: 4, Insightful

    > The helmsman sent all control (not just throttle) to the other station.

    And neither he nor anyone else looking at the situation realized all control had been sent away, because the UI didn't gray out the inactive controls or anything. Two people looked at it and couldn't tell it had been inactivated. Guess which controls are disabled here:

    https://upload.wikimedia.org/w...

    > The second helmsman throttled down only one engine.

    When he too couldn't tell that a) he had control of steering or that b) the engines weren't ganged. Again, try to figure out which controls are ganged and which aren't:

    http://3.bp.blogspot.com/_IOWi...

    It's not hard to make it obvious.

  6. Interesting thought, but factually false on NASA Wants Private Company To Take Over Spitzer Space Telescope (spacenews.com) · · Score: 2

    > A trivial thought experiment is the comparison between research and distribution of a vaccine which can eliminate a crippling and/or fatal disease entirely (similar to the Polio vaccine) and research for a treatment that allows people to live with said disease. In the hypothetical case where both were known to be possible, private industry would quite obviously pick the latter, as it would have the best projected profit margin.

    That's an interesting thought, but factually FAR more money has been made selling billions of doses of the vaccine, including boosters, than could ever be made selling treatment. The fact is, because vaccines sell $55 billion every year, Merck did invest over a billion dollars in vaccine R&D before bringing the meningitis and HPV vaccine to market.

    You're simply wrong on the facts.

  7. Original Unibus PDP-11 4MB, IBM 3081 had 32MB on Student Charged By FBI For Hacking His Grades More Than 90 times (sophos.com) · · Score: 1

    In the late 1970s, Ken Thompson added paging support to Multics so it could use the full 4MB of memory available in the first generation PDP-11 machines with the original Unibus. 4MB is 250 times as much memory as the 16KB PC.

    By the time DOS was released, multi-user systems like the IBM System/370 3081 had 32MB, or two thousand times as much memory as the PC.

  8. That's what PC stands for on Student Charged By FBI For Hacking His Grades More Than 90 times (sophos.com) · · Score: 2

    > The PC is notoriously poorly designed as if it were meant to be run disconnected from the internet and in a room hidden away from intruders.

    Which, for those who don't know, is exactly the case. Prior to PCs (PERSONAL computers) running DISK Operating System, there were time-sharing computers running NETWORK operating systems. Computers prior to the PC each had many users, hundreds of users for each computer. They often used it over a network, using terminals. Security was of course important - you didn't want one authorized user to mess things up for another user.

    Then technology advanced to the point that it was feasible for a single person to have their own personal computer, with several KBs of RAM. What OS would run in just a few kilobytes of RAM, though? Just the security-related stuff was a couple KBs. But wait, a *personal* computer with only one user, running from local disk and not attached to a network didn't NEED security. So to fit the OS in 16KB, the smart thing to do was to make a minimal OS without any of that security or networking stuff. It worked great. Then the internet happened and the manufacturer of Disk Operating System shit bricks.

  9. Such as: is it for video or random read? on Seagate's New 'SkyHawk AI' Disk Drive Is Just a Slightly Higher Speced Version of Its Predecessor (theregister.co.uk) · · Score: 1

    The summary says the marketers claimed "excellent random read performance to quickly locate and deliver video". Which is it, random read or video? Because video is about throughput. Random read is data that fits in a few blocks - a few 512 byte or 4K blocks. Once you get into hundreds of megabytes or gigabytes, a million consecutive blocks, that's not random.

  10. Nope on Why Do Web Developers Keep Making The Same Mistakes? (hpe.com) · · Score: 1

    It does not violate the same-origin policy.

    The same-origin policy is mostly about frames/iframes and cookies. It says that scripts from one origin may not read the contents from a different origin except:
    Scripts from another origin (predates the policy)
    Websockets

    A script from a.com may not read a cookie or a response body from b.com.

    Scripts MAY create tags which will then load resources from another origin. So a script from a.com may create an img element that loads an image from b.com. As a special case, it may NOT load an image from b.com into an HTML canvas object, because that would allow it to read the contents.

  11. Click the paperclip icon to go the "real" page on The Meaning of AMP (adactio.com) · · Score: 1

    I got so annoyed with that too. Then I decided to try clicking the paperclip-looking icon at the top of AMP pages. Clicking that displays the source url (to share it), clicking the URL loads the original origin page.

  12. It is not a browser bug. Scripts can add elements on Why Do Web Developers Keep Making The Same Mistakes? (hpe.com) · · Score: 1

    That is not a browser bug. Scripts can add elements, including images and other scripts, to a page, and those elements may be sourced from another origin. See jsonp, for example.

    The bug is that the server-side script allows the attacker to add elements to the page by echoing the request variable directly, rather than HTML encoding it.

  13. ob_end_flush, X-Send-File, basename() on Google To Remove Public Key Pinning (PKP) Support In Chrome (bleepingcomputer.com) · · Score: 1

    Following my own advice, I'll give you solutions instead of problems.

    Use basename() rather than writing your own code to avoid filesystem traversal.

    Call ob_end_flush() before sending the file.

    Use X-Send-File on Apache or lighttpd. If X-Send-File isn't available on your server, use readfile() rather than reading the file byte by agonizing byte.
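One way to put those three points together in a download handler, as an added example (not the poster's code): it assumes the files live under an assumed DOWNLOAD_DIR path and that, when SEND_VIA_XSENDFILE is enabled, the web server honours an X-Sendfile header (Apache mod_xsendfile; lighttpd's header name differs by version).

```php
<?php
// Added example, not from the original comment. Demonstrates basename()
// against traversal, ob_end_flush() before sending, and X-Sendfile with a
// readfile() fallback.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/downloads';   // assumed location
const SEND_VIA_XSENDFILE = false;            // true only if the module is installed

// basename() drops any directory part, so a request for "../../etc/passwd"
// collapses to "passwd" and cannot leave DOWNLOAD_DIR. realpath() then
// confirms the file (symlinks included) really resolves inside that directory.
function resolve_download(string $requested): ?string
{
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $name);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function send_download(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');

    // Flush and close every output buffer so the file is streamed to the
    // client rather than accumulated in memory first.
    while (ob_get_level() > 0) {
        ob_end_flush();
    }

    if (SEND_VIA_XSENDFILE) {
        // Hand the path to the web server; PHP never reads the file itself.
        header('X-Sendfile: ' . $path);
        return;
    }
    // Otherwise let PHP stream the whole file in one call.
    readfile($path);
}

$path = resolve_download($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
send_download($path);
```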

  14. Darn Slashdot (vulnerable to XSS) on Why Do Web Developers Keep Making The Same Mistakes? (hpe.com) · · Score: 1

    Slashdot's failure to have correct defense against XSS mangled my post. The point is, if the script echoes the input, and the input contains JavaScript, it'll echo the JavaScript - which will then run in the context of the victim site. That allows attackers to steal session cookies or whatever.

    The general solution is to html encode the output, so if someone enters a character such as the less than sign (which starts a new tag), the script outputs & gt ; which causes the browser to DISPLAY the specified character, rather than treating it as the beginning of a script.

  15. Re:True. We teach problems instead of solutions on Why Do Web Developers Keep Making The Same Mistakes? (hpe.com) · · Score: 1

    Cross site scripting is normally an issue in a web application.
    A browser can also have bugs in its same-origin restrictions, but issues in web applications are far more common. Here's a very simple cross site scripting attack. Consider the following server-side code:

    echo "hello {$_GET['name']}";   // raw query value echoed straight into the HTML

    If you call script.lng?name=Bob the displayed page will say "hello Bob".

    Consider if the user follows this link:
    http://site.com/script.lng?nam...body.innerhtml='

    The script would then output:

    Hello body.innerhtml='

    The JavaScript runs under site.com, so it would have access to the session cookie for site.com. Which it then sends to hacker.com. Now the hacker can be logged in as the victim.

    Your basic, essential defense looks something like this:

    echo "hello " . htmlspecialchars($_GET['name']);   // htmlencode() in PHP is htmlspecialchars()

    That way instead of sending JavaScript back to the browser, the server side script will encode it as &lt; so it'll just display the character, not interpret it as a script tag.

  16. True. We teach problems instead of solutions on Why Do Web Developers Keep Making The Same Mistakes? (hpe.com) · · Score: 2

    My experience is the same, most (but not all) experienced people are people who have been doing the same stupid shit for a long time. Some people put in the effort to learn something new and improve every week. Most people don't.

    For those who DO try to constantly learn and improve, the security community has made a mistake in how we try to help them. The OWASP top 10 list was mentioned. I'm a member of OWASP. The list, which we promote, is basically a list of how bad guys can exploit vulnerabilities. We say "SQL injection". What does that mean to a developer? What is the developer supposed to do or not do with that? Perhaps it would be more useful to publish a list of SOLUTIONS, best practices, things developers should do.

    Instead of saying "SQL injection" it might be more useful to list "parameterize SQL statements". That's something developers can do.

    Instead of "cross site scripting", how about putting "htmlencode all output strings" on the list. A developer can call htmlencode(). They know how to do that. They don't know how to "don't allow cross-site scripting". The proof of that is in 90% of code that TRIES to prevent cross-site scripting; it doesn't work. Most attempts at stopping cross site scripting are easily defeated. Even when they try it doesn't work, so why should they bother to try? If we tell them "use htmlencode()" that will work, and it's easy for them to do.
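The vulnerable echo from the reply above and the htmlencode() call this comment recommends, side by side as an added example (not the poster's code). PHP's built-in for htmlencode() is htmlspecialchars(), and the sample name value is constructed.

```php
<?php
// Added example, not from the original comments: the unencoded greeting
// beside the encoded one, written as functions so the two outputs can be
// compared for the same input.
declare(strict_types=1);

// What echo "hello {$_GET['name']}" does: the raw query value becomes HTML.
function greet_unsafe(string $name): string
{
    return "hello " . $name;
}

// The htmlencode() the comment asks developers to call. ENT_QUOTES also
// encodes ' and " so the result is safe inside attribute values, and the
// explicit charset keeps multibyte input from being mis-encoded.
function htmlencode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function greet_safe(string $name): string
{
    return "hello " . htmlencode($name);
}

// Constructed sample input standing in for ?name=... ; a script tag is used
// because that is the case the comments discuss.
$name = $_GET['name'] ?? "Bob<script>/* constructed sample */</script>";

// In the unencoded version the browser would execute the injected tag.
echo greet_unsafe($name), "\n";

// In the encoded version < and > become &lt; and &gt;, so the browser
// displays the text of the tag instead of running it.
echo greet_safe($name), "\n";
```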

  17. A) How can it break? B) Seek my suggestions on Google To Remove Public Key Pinning (PKP) Support In Chrome (bleepingcomputer.com) · · Score: 1

    I have two top things. When developing software for a disk-based operating system where everything happens on the local computer, it made sense to think in terms of "how can I make this work?" Programmers thought in terms of starting with (valid) input and ending up with usable output.

    When your software is exposed to the internet, it will be attacked hundreds or thousands of times a day, so the question isn't so much "how can it work?" but "how can someone break it?". Your web page has a "name" field in a form. What happens if they enter several megabytes in that field? What if they enter SQL code there? How can things break? Perhaps your software retrieves something over the internet. What happens if that retrieval stops half way through? What if the short text you meant to retrieve is instead several megabytes? What if it's JavaScript? How can things break?

    The other thing is please have a ten minute conversation with me about your design, and a ten minute conversation about the implementation. After 20 years, I know the common problems, so I pretty much know where your main vulnerabilities will probably be as soon as you mention certain keywords. When you say "user downloads the file", or "download.php" or other similar words, there are three vulnerabilities that immediately spring to mind. You'll probably have two of the three in your application, unless you consult with a security person.

    I can do a lot of good in making your application more secure not only in terms of confidentiality but also in terms of reliability if we have three short discussions:

    Review your overall design / architecture up front
    About 25% into the project, review more detailed implementation decisions (such as which hash is being used)
    Near the end of the project, let me browse your source code and run a static analysis that looks for constructs such as "exec" and "system", and other red flags.

  18. Agreed on low-fees, index (mutual or etf) on Bill Gates Is No Longer The World's Richest Person After Amazon Stock Surge (cnn.com) · · Score: 1

    Certainly you should pay attention to the expenses. As you said, those with higher expenses don't consistently best the indexes, so generally you're better off buying an index fund with very low expenses.

    I own both index mutual funds and index ETFs. You can, of course, get higher risk ETFs. A leveraged gold ETF is more risky than just buying gold, which is more risky than almost any mutual fund.

    Now I'm considering investing a part of my investment opposite my job prospects, so if my industry goes to shit my investments will do well, counter-balancing the weaker job prospects. In particular, I'll have an opportunity to buy my employer's stock pre-ipo. That SHOULD make a nice gain after the lock-out period. However, if things don't go well for the company I could end up losing both my investment and my job. It therefore seems prudent to consider counter-balancing that risk with investment which will likely do well if my company doesn't.

  19. Yeah no copyright on data in the US on Open Source Data Sets? Linux Foundation Introduces 'Community Data License Agreements' (linuxinsider.com) · · Score: 1

    That's absolutely right, in the US, at least, there is no copyright on a collection of facts. I don't know if any other countries might allow it on a specific compilation of data. Obviously copyright on a single, discrete fact wouldn't make any sense.

    In the US, a copyright could apply to a creative arrangement and formatting of facts. (Much as there is no copyright on musical notes, but there can be on a specific, creative arrangement of specific notes, a song).

    So under copyright, you can take someone's dataset and distribute it without asking, but in some cases you can't just redistribute their data FILE. You'd need to produce your own arrangement and formatting of the data, if their work is creative.

    There are, however, potentially other considerations other than copyright - trade secrets, unfair competition, etc. Granting permission under the license would estop the producer from filing suit under these other theories, providing users (and those who redistribute) some assurance that they can do so safely.

    It also explicitly disclaims any right under copyright, that *probably* doesn't apply anyway in *most* cases. "We definitely have explicit written permission" is better than "we probably don't need permission".

  20. Interesting concept, but in practice plugins get h on Google To Remove Public Key Pinning (PKP) Support In Chrome (bleepingcomputer.com) · · Score: 1

    That's an interesting idea, and I see why you say that. IPSec (mostly used for VPNs) is an example of this done fairly well. IPSec and ISAKMP don't specify any specific ciphers, different types of authentication can be dropped in, etc.

    On the other hand, plugins are very frequently the source of security problems. Third-party plugins have a MUCH worse security record than major software such as Chrome. As a career security professional, I'd prefer that essential security functions be designed in, and baked in.

  21. Mutual funds (1780) on Bill Gates Is No Longer The World's Richest Person After Amazon Stock Surge (cnn.com) · · Score: 4, Informative

    You're right that investing a lot in a single stock is certainly risky, especially over the short term (it's reasonable to think General Mills or Walmart will make money in the LONG term).

    The risk is greatly reduced by mutual funds, which allow small investors to easily diversify - they are investing in a hundred different companies, along with many other investors. Because they hold so many different companies, mutual funds, especially index funds, are pretty predictable. Some of their holdings will do very well, some won't, so the fund as a whole will return about 7% over inflation over a period of years.

    Where you're slightly off is the timing. Mutual funds, or investment funds as they were called, were created around 1780 by Abraham van Ketwich. So you're absolutely right on the concepts, just 200 years off on the timing.

    401(k) is a TAX rule. It says investment profits will be taxed when you take the money out to spend it, if you don't spend it before retirement age. It has nothing whatever to do with the risks of the investments people can make. You can apply the 401(k) tax rule to extremely safe investments like US Treasury bonds, or to risky investments like startup companies or oil futures.

  22. Gamification to charity on Bill Gates Is No Longer The World's Richest Person After Amazon Stock Surge (cnn.com) · · Score: 1

    > Should that even be a desired title - richest person of the world? Gates (and dozens of other billionaires) is giving away much of his fortune to charity

    I'll leave the "should" to others and just point out a couple factual things. As you said, people who get mega rich typically give away most of it to charitable causes. Also, they tend to get that rich partially because they do want the high score; a drive to be "the richest" motivates them to build things like Amazon and US Steel. Carnegie didn't amass billions (which were used to build libraries) because he needed the money to pay bills, he was winning the game. They go so big because they're trying to get the high score in a very interesting game, American business. Once you have a billion, another billion is just for fun and to "win" compared to the other guy (Musk etc).

    Thinking about that, btw, is one way to understand Trump's personality - he very much enjoys being the biggest, richest, flashiest. Winning the game. And he knows that APPEARING big, and looking rich, helps get press, which helps get actual wealth.

  23. "you'll probably survive the first one" on Scientists Find a Better Way To Wash Pesticides Off Your Apples (cnet.com) · · Score: 1

    > if you weigh only 90lb and eat an apple smothered with half an ounce of Pyrethrum you still have a 50% chance of surviving.

    Yes you'll probably *survive* after eating organic produce. Is that the standard you use for choosing the best foods, "it probably won't outright kill me the first time"?

    The simple fact is, the regulations for organic labeling are that to be labeled "organic" they are not allowed to use the less toxic pesticides; they must use more toxic ones which are extracted rather than synthesised. So the GP's idea of "get (organic) produce that doesn't have Poison on it" is exactly backwards. The organic label means it uses the *more* toxic pesticides.

    You probably won't die the first time you drink natural, unprocessed water from a lake, either - so I guess that's what you do? I prefer the more pure, processed water because it's safer. Personally, I prefer pure and safe rather than natural. In nature, primates have a MAXIMUM life span of about 20-30 years, and an average of about 7 years. No thanks.

  24. Good point, but traitors support the enemy on Catalonia Declares Independence; Spain Approves Central Takeover Of Region (npr.org) · · Score: 1

    > Spain kind of has a responsibility to the citizens of the region who DON'T want to go

    Good point.

    > they don't have a lot of responsibility for those who are at least technically traitors

    It seems to me traitors support the enemy. Separating isn't treason, I don't think. If during World War II some people in California were trying to have California join the Axis, acting in unlawful ways to make that happen, they would be traitors. I don't know that voting to separate into two friendly nations is treason.

  25. Don't assume the secret stuff is that good either on UK's NHS Could Have Avoided WannaCry Hack With 'Basic IT Security', Says Report (theguardian.com) · · Score: 2

    > it seems like the only government-run places where you'll see even halfway decently managed IT is in agencies that handle state secrets relating to subjects like defense and diplomacy.

    You might be surprised at the crap you see at those agencies too. "Defense and diplomacy" you say, so for example the State Department. Can you imagine if the top-level head of the State Department, the Secretary of State, was handling "subjects like defense and diplomacy" by using an out-of-date, unpatched mail server set up in her house by some idiot whose education in the field consisted of asking basic questions on Reddit, a guy who apparently couldn't even be bothered to read the manual? Yeah, that's the IT security we get for " state secrets relating to subjects like defense and diplomacy".