I tried several web sites, and went to lunch with dozens of women. eHarmony was the worst of the bunch, in my experience. Mate1 was my favorite.
eHarmony always wanted to match me with women a thousand miles away.
I went out with a lot of women because I was looking for a very special lady, a one-in-a-million. I did end up finding the love of my life, on mate1.
This is somewhat off-topic, perhaps, but it made me smile the other day when my three-year-old daughter started using multiplication and subtraction in her daily play recently.
Meanwhile, liberals like this guy figure ($86M + $10M) X 10 years + $42M = $50 million total.
I guess it's your business if you decided to ditch school and smoke pot all day, but please stay out of public policy. You only manage to completely fuck yourself when you try to make economic policy decisions without the ability to do basic arithmetic.
The company has been working on this for ten years. I looked at a breakdown of the R&D numbers for one of those ten years and found they spent $86 million on internal R&D and $20 million on external. So figure the total R&D cost alone to find and develop this treatment and move it through approvals is maybe $800 million. That doesn't include the carrying cost of the $800 million over ten years, administrative costs, etc.
If 1,000 patients get it, the treatment brings in $850 million retail minus roughly $80 million in corporate subsidies they've announced, minus distribution so maybe $750 million or so. They'll lose roughly $100 million on the US market, but hopefully make that up in Europe. It depends on how many of the 2,000 or so Europeans affected by the disease get the treatment.
The company may well lose money. The $86 million internal R&D was for 2016 only. They've been working on this treatment for ten years. I know they also had $10 million external R&D for this treatment in 2016; I don't exactly know how much of the $86 million was for this, but it looks like they had four "promising" ones that would account for most of it. So maybe $25 million internal and $10 million external on this treatment in 2016.
How much was spent on *this* one doesn't much matter, though, because most medications aren't approved. They need to R&D many in order to find one that works well, is safe, and gets approved. If they spend $100 million looking at 8 possible treatments and one of those gets approved and generates $80 million revenue, they've lost $20 million overall.
Overall, large pharmaceutical companies made an average 3.7% return on their R&D investment in 2016 and 3.2% in 2017 (Deloitte). Small firms do better on average, but also have a higher chance of bankruptcy if they don't score a hit.
You'd be guessing wrong, more or less. The company has been developing this drug since October 2007, ten years ago. Their 2016 annual report shows they spend about $86 million / year on internal R&D, mostly for this drug in recent years. That's "e.g. all the hard work".
They also booked $10 million in external R&D for this drug in 2016, but that number is going to get bigger. External R&D is the company paying the university (Penn) for the research the school did over ten years ago. Now that the drug has been approved and it's going on the market, the company will have to pay the school another $3.8 million plus about 5% royalty on all sales. 1,000 patients at $850,000 is $850 million. 5% of that is $42 million. So the school will get about $42 million royalty, plus the $3.8 million base, plus the millions they've already received. Figure the school may have spent $200,000-$500,000 on the initial research; they are doing extremely well. Something like $300K spent on research will net the school about $60 million.
http://ir.sparktx.com/static-f...
Last I checked, Microsoft's battery claim is for sitting there watching a video, without the browser actually doing anything at all.
> even though he could illegally keep them in place
FTFY
A better analogy is probably that it's like they decide to go to the hobby shop, then they get on Google maps to find the exact route to take.
They decided they don't have the legal authority to enforce the 2015 regulations, then studied what they *can* legally do and decided on a general approach. Now they are finishing up the details of what their regulations will be under the current law, while awaiting Congress passing a NN law (or not).
> We still need real net neutrality in law, not a regulation that three people can overturn
I commend you for having the courage to say that here, to agree completely with exactly what chairman Pai has been saying.
Thanks. As I mentioned, we have noticed one machine makes far more errors than another. It sounds like you've been using reliable machines that are properly cleaned and aligned or whatever. Some variable(s) have your machine, and one of ours, working fairly well.
Do you give the student back the Scantron sheet, with each question marked according to what the machine read as their answer? That would be needed in order to see where the Scantron machine got it wrong.
At my last job exam scores were calculated with Scantron machines. Though the Scantron was faster than grading by hand, it is unreliable, so every sheet had to be double-checked by a human. The people had to correct the Scantron results rather often.
One Scantron machine was noticeably less reliable than another; perhaps some maintenance, aligning and cleaning it, makes a big difference.
Nobody said users should decide. People running web sites decide whether to use TLS or not, and if so which direction(s) the certificate authentication should go. If you have a login or payment form hosted on the site, it should probably use TLS.
I had a web site that provided information for webmasters of small sites, tutorials and such, as well as product reviews. There was no login, no payment form, no PII of any kind. There is little reason to use TLS on such a site. TLS does provide a degree of integrity, but there are tradeoffs for that, a cost in security.
> So... your argument is that it's so important that they be able to scan incoming traffic for malware that HTTPS shouldn't be used... but they shouldn't be able to scan HTTPS traffic for malware?
My argument is that intelligent defense requires considering different threats, the likelihood of each threat and the damage it causes. When I'm reading Instructables, perhaps getting ideas for how to mount the camera on my quadcopter, the main threat is malware on the page. Sending that through the ASA is a good idea. When I'm logging into my Scottrade account, the primary risk is exposing Scottrade credentials. End-to-end encryption is the best defense.
> I work with many other people who collectively have millennia of experience... and all agree that the security of the web is best-served by 100% TLS penetration.
You might be surprised. If you *asked* them, rather than assuming that everyone must always agree with you, you might find that most of them recognize the value of considering which threats apply in a given situation, involving a given asset, and applying defenses which best mitigate the relevant threats. Doing any one thing all the time, treating everything exactly the same, might not be as popular as you think it is.
I understand the thinking behind that. I've also seen it backfire over and over. The core WordPress team suffered from that for years. They'd kinda sorta hide stuff that wasn't really security sensitive, except well maybe. For example user IDs were hidden, except when they weren't. Some people saw that user IDs were not displayed and treated them as secrets, as secure, or secure-ish. But they were readily visible in WordPress forums. Several different WordPress security vulnerabilities were caused by failing to be clear about what is secret, what is secured, and what is not.
We've all seen the mess caused by treating social security numbers as if they were secret authenticators, while also handing them out to many organizations to treat as identifiers. Based on these types of experiences, my rule is to be very clear about what's secure and what's not. I don't waste time and energy making something seem secure if it isn't secure or doesn't need to be. I'm very clear about exactly what needs to be secure and what elements of security it has.
As you said, TLS doesn't stop anyone from knowing which site you are accessing. Therefore encrypting the non-sensitive sites you read in no way obscures your connection to sensitive sites.
> By definition Slashdot readers are wildly atypical.
That's probably true. Yet, I often read the articles and find that the headline and summary posted here are very misleading clickbait. In the last several weeks many articles from the Verge have been posted here. Most are very misleading, but nobody here questions them.
I do know what corp sec is doing. I know which products they use, and many of them are in-house, so I have the source code. (We're a security company, and eat our own dog food.)
Anyone reasonably competent can see if their employer has pushed a trusted cert that allows them to mitm all TLS connections. My last two employers have not.
The integrity aspect of TLS is important, that's a good point. In many cases where there isn't PII involved it doesn't matter much - the RC drone page where I'm reading about quadcopters is more likely to be hacked or have malicious code / ads than it is to be MITM, but it's something worth considering. The question is "which is a more likely threat, a mitm or a hacked WordPress?" I can tell you a hacked WordPress plugin occurs thousands of times more often than a malicious mitm, so content inspection will improve security better than TLS will, for sites people *read* rather than log in and do stuff. Both are *theoretical* risks; hacked WordPress plugins are truly a constant daily occurrence in the real world.
Mitm by Corp sec is an option. If corporate administers the computers, they can install a cert onto every computer which lets them (and anyone who gets their key) mitm ALL otherwise secure connections. Meaning NO connection is secure. Corpsec then sees your personal email, your banking password, etc - as does anyone who gets the corporate cert. That's an important cost to consider.
Personally, that seems to me a high cost to pay. My preference is that my employer's firewall can keep an eye out for malware added to public sites, but they don't mitm my secure connections and see the content of my personal Gmail, or my banking passwords.
> Your professional judgement is wrong,
You are normally smart enough to have interesting conversations in which you recognize that other people, people with decades of experience in their field, can see something differently than the way you see it. Typically you recognize that 20 years of practical experience, of dealing with attacks every day, might allow someone to learn something that didn't immediately come to mind.
That is an option. If corporate administers the computers, they can install a cert onto every computer which lets them (and anyone who gets their key) mitm ALL otherwise secure connections. Meaning NO connection is secure.
Personally, that seems to me a high cost to pay. My preference is that my employer's firewall can keep an eye out for malware added to public sites, but they don't mitm my secure connections and see the content of my personal Gmail, or my banking passwords.
I prefer to apply rules appropriate for different kinds of sites - news sites and banking and email are different. I'd like my secure connections to be secure, so nobody can snoop on them. I'd like malware protection for sites where encryption is pointless.
The Kansas legislature listed which felonies are "inherently dangerous" for the purpose of this statute and I don't see it listed.
K.S.A. 21-3436
https://law.justia.com/codes/k...
However, the law says "these felonies are inherently dangerous", it does NOT say "no other felonies are inherently dangerous". One could argue that the list isn't exhaustive, and swatting could also fall under the felony-murder rule.
In my professional judgement, there is little benefit to https for many sites, which simply present publicly available information. This is based on my 20+ years of internet security work throughout my career. Payment pages where people enter credit card information obviously need encryption, but in my opinion most sites see little to no benefit.
Https means it can't be loaded from your ISP or company's cache, making popular sites slower. It also prevents corporate security or your own router / firewall from seeing the malware or whatever that some hacker added to the page, and generally keeping an eye out for security problems. For public sites where you don't log in, I think https is a net reduction of security.
There *is* the argument that it makes it harder for governments to know which pages you're viewing on a site, but they still see which sites you connect to.
The felony murder rule is:
When a person commits a felony, and as a result someone dies, it's murder.
A classic example would be a robbery. John and Rob plan to rob a convenience store. Rob shoots the clerk. John claims "I didn't mean for anyone to get shot - I was just doing an armed robbery". John is guilty of felony murder because a) he was committing a felony and b) it resulted in death. There is a presumption that you know felonies are dangerous, and that you shouldn't commit felonies. So although John didn't WANT someone to die, he was criminally reckless by committing armed robbery, which he knew *could* result in death.
Another, perhaps more interesting example:
John and Rob plan an armed robbery of a convenience store. When they pull out their guns, an armed civilian behind them shoots Rob, who later dies. John is once again guilty of felony murder. He didn't plan for Rob to die, but he did know that committing armed robbery could get someone killed.
> I'll also need it to run pretty fast due to my desired complexity for the game. Therefore, a scripting language like Python probably isn't the best choice
The language has little impact on the speed. When using "a scripting language like Python", the few operations that take up most of the time should generally be done in the interpreter / library anyway. For example, sorting is a slow operation - a shell script can sort just about as fast as any language, because the actual sort is done by the "sort" program.
Profile your program to find out the two or three functions that need to run faster. Refactor them to be just a few lines, then profile to see which *lines* of code are slow. If those lines are being called thousands or millions of times, fix the algorithm. Then figure out how to leverage a thorough understanding of the language to make the few problem bits much faster. That may well involve figuring out how to have that bit done by the interpreter / library, which is written in a fast language like C. As an example, though "write quicksort" is a common interview question, you should almost never write sorting code. Every high-level language already *has* a fast sort provided. Use it.
It's also not uncommon that the slow operations can be entirely removed by using a faster algorithm or pattern.
Several things can make a big impact on execution speed. Language choice isn't near the top of that list.
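As an added example (not from the original comment), the profile-then-use-the-library workflow described above, run on a constructed leaderboard; the function and sample names are assumptions of mine, not anything from the thread:

```python
"""Profile first, then hand the hot loop to the library.

cProfile finds the one function that eats the time (a hand-written sort),
and replacing it with CPython's C-implemented sorted() removes the hot spot
without changing language. The leaderboard data is constructed for the demo.
"""
import cProfile
import pstats
import random
import time

# Constructed sample input: (player, score) pairs, as a game leaderboard might hold.
random.seed(7)
SCORES = [(f"player{i}", random.randint(0, 10_000)) for i in range(2_000)]


def insertion_sort_by_score(pairs):
    """Hand-written O(n^2) sort in pure Python, the kind of code that ends up
    at the top of a profile. Stable (strict '>'), so its output matches sorted()."""
    out = list(pairs)
    for i in range(1, len(out)):
        key = out[i]
        j = i - 1
        while j >= 0 and out[j][1] > key[1]:
            out[j + 1] = out[j]
            j -= 1
        out[j + 1] = key
    return out


def library_sort_by_score(pairs):
    """Same result, but the comparison loop runs inside CPython's C
    implementation of sorted(); only the tiny key function is Python."""
    return sorted(pairs, key=lambda p: p[1])


def hottest_functions(fn, *args, top=3):
    """Run fn(*args) under cProfile and return the names of the `top` functions
    ranked by own (exclusive) time, most expensive first. This is the
    'find the two or three functions that need to run faster' step."""
    prof = cProfile.Profile()
    prof.runcall(fn, *args)
    stats = pstats.Stats(prof)
    # stats.stats maps (file, line, name) -> (ncalls, nprim, tottime, cumtime, callers)
    ranked = sorted(stats.stats.items(), key=lambda kv: kv[1][2], reverse=True)
    return [func[2] for func, _ in ranked[:top]]


def compare(pairs=SCORES):
    """Time both versions on the same input and return the wall-clock speedup
    of the library sort over the pure-Python loop."""
    t0 = time.perf_counter()
    slow = insertion_sort_by_score(pairs)
    t1 = time.perf_counter()
    fast = library_sort_by_score(pairs)
    t2 = time.perf_counter()
    assert slow == fast, "both sorts must agree before comparing speed"
    return {
        "python_loop_s": t1 - t0,
        "library_s": t2 - t1,
        "speedup": (t1 - t0) / max(t2 - t1, 1e-9),
    }


if __name__ == "__main__":
    print("hot spots, hand-written:", hottest_functions(insertion_sort_by_score, SCORES))
    print("hot spots, library:     ", hottest_functions(library_sort_by_score, SCORES))
    print(compare())
```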
That's great