Slashdot Mirror


User: Wrath0fb0b

Wrath0fb0b's activity in the archive.

Stories: 0
Comments: 1,558

Comments · 1,558

  1. Re:Very interesting. on Text Message Scammer Gets Five Years in Prison (reuters.com) · · Score: 2

    Yeah, because nearly everyone recovers to 100% from a paper cut, somewhat fewer recover from being stabbed (physically and psychologically) and history has only one very dubious record of a man recovering after being stabbed to death.

    Maybe I should rephrase. The amount of economic damage done by murdering or crippling an individual is not just the act itself, it's the loss of that person's entire life after that point, and the loss of their children and their children's children. That's not the same as "the disutility of feeling a paperclip".

  2. Re:Turn on your damn chip reader on Following Other Credit Cards, Visa Will Also Stop Requiring Signatures (siliconbeat.com) · · Score: 1

    Yup, we're pretty much there in the States, just a few years late to the party.

  3. Re:PIN no need for chip on Following Other Credit Cards, Visa Will Also Stop Requiring Signatures (siliconbeat.com) · · Score: 2

    The PIN is typically verified on the card itself, not transmitted to the back end. The card has protection such that N={3 or 5} incorrect PIN entries will lock the chip, and it will not vend a signature over the transaction until it sees the correct PIN. That protection is implemented in the card software itself.

    [ Well, actually, there are both online-PIN and offline-PIN scenarios. But most of Europe is offline-PIN. US Debit transactions are online PIN, but that has its own issues.]

    Develop a PIN for use online and watch fraud drop tremendously there, too.

    Either that or the first compromised site would get both your PIN and your card # in one go. How do you think they harvest CC #s anyway? And how would recurring payments work, would the cable company have to persist my PIN into their $0.05 SQL database so they can enter the monthly charge?

  4. Re:Turn on your damn chip reader on Following Other Credit Cards, Visa Will Also Stop Requiring Signatures (siliconbeat.com) · · Score: 1

    The merchants that won't turn on their chip readers are already penalized (since 2015) by being liable for in-person fraud against their terminals, if the card used was chip-capable. In other words, both issuers and acquirers are incentivized to adopt chip-card.

    For some merchants, however, the cost of a chip rollout might be more than the cost of eating the liability. The example that comes to mind is gas stations -- they have lots of readers, which are built directly into the pumps and not modular in any meaningful sense. I can imagine them being quoted astronomical costs to update them. And it's not that they are against chip card, because every terminal I see in the gas station is enabled.

    Another example that comes to mind is automated parking machines. No one designed those things to be modular, and so who knows if there's even an upgrade path for them. For a small operator -- for example a mid-sized airport or a mall -- the cost could be truly out of proportion to just sucking it up.

    The way I see it, this is a perfectly good bargain now (even a Coasian one) because they have both the cost and the liability. Let them figure out whether it's worth it for them.

  5. Brand new frameworks have brand new questions? on Stack Overflow Stats Reveal 'the Brutal Lifecycle of JavaScript Frameworks' (stackoverflow.blog) · · Score: 1

    The measurement is done based on new questions and that measuring usage by "activity" is kind of ridiculous. New frameworks seem much more likely to generate SO questions. Questions about an older framework can be answered by looking at an existing project, from a blog post, tutorial or from (shock) already-written SO answers. While the data aren't conclusive either way, I think it's more plausible to believe that much of the sharp decline is due to saturation of answers to many obvious questions.

    There's also the question of how to measure 'usage' of a framework or language: is it number of new projects, number of new lines of code or amount of traffic served?

    Finally, it seems like actually the number of SO questions might have some negative component correlated to usage. Wouldn't we imagine (?) that the frameworks/languages that are intuitive and that have excellent documentation would both be preferred by developers (I sure do) and would lead to fewer SO questions. Again, this is speculation, but it goes to the question of what in the world the SO trends are actually measuring.

    TLDR: Their measurement methodology is (poorly defined and) bad and they should feel bad.

  6. Re:Abolish gerrymandering by using computers on Ask Slashdot: How Would You Use Computers To Make Elections Better? · · Score: 1

    The people who are actually in charge are the hired bureaucrats ... ...the current head of the CRTC at the behest of Bell, Rogers, and Telus tried to reclassify "last mile" for TPIA's(third party companies that lease the last mile from them), and up the amount that those TPIA's would have to pay. ... It basically came down to a staring contest between the CRTC and Parliament. With the PMO's office openly stating that if the CRTC did increase those rates, they'd introduce new laws and regulations stripping the CRTC of regulatory power. The CRTC blinked first, rules remain unchanged, etc, etc.

    I mean, first, that sounds to me like the "right" outcome in the sense that I would prefer it politically (i.e. if I were the CRTC I would not want to do the reclassification).

    Second, it sounds like the CRTC is absolutely not "in charge" because as soon as they tried to do something that Parliament didn't like, they smacked them down.

    That is, I'm not sure how this works as an example of agency independence when you've actually shown that they have no will they can impose against the political branches.

  7. Re:Abolish gerrymandering by using computers on Ask Slashdot: How Would You Use Computers To Make Elections Better? · · Score: 2

    Not Australian, forgive my ignorance, but as far as I can see from Wikipedia, the AEC is answerable to parliament and run by a minister of the government. I don't get how it's reasonable to call it an 'independent body', when presumably the government (with support of parliament) can have it do whatever they please.

    It might be run non-partisanly as a matter of tradition, I suppose.

  8. Re: Political tax on NYC Sues Oil Companies Over Climate Change (theguardian.com) · · Score: 1

    Doesn't that make it even more amazing that they are the top taxpayer in the US even though they allegedly have all these great breaks?

  9. Re:Search Warrants exist for a reason. on Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com) · · Score: 1

    First, it's not clear to me that any evidence was destroyed. That's a claim that needs to be supported.

    Second, I'm not sure what 'idea' you are thinking that I'm concluding here? I just wanted to make it clear there was a tactical decision that police made, that they make it often and that it comes with both benefits (surprise, access to incidental disclosure, contemporaneous statements, PR) and downsides (no duty to assist in any way, need to do your own forensics, you only get what you catch). I'm not advocating that police are not permitted to use both, at their discretion, when the law permits.

    [ By the way, for the civil liberties minded: in the US a warrant requires probable cause whereas a subpoena doesn't. So in some sense the subpoena is a superior tool because it has a lower burden of proof associated to its issuance. ]

  10. I mean, if you say "it's not open to interpretation" then I guess that's the final word and we can't have this discussion anymore.

    But here's a parting thought anyway: a manager on site typically has no idea who their uninvited visitors are or why they are there. In the case of a compromise of physical security, it's not rational to start asking questions or inspecting credentials/documents -- by that point it's too late. The proper security posture is to assume the worst and then revise your estimates "upwards" if necessary because it is impossible to revise downwards.

  11. Re:Pretty common police 'tactic' for digital evide on Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com) · · Score: 1

    So the choice of search warrant and subpoena in the case of a company like Uber depends on your estimate of their willingness to risk defying the law.

    Indeed. Fully agree. Your choice should also depend on your estimate of your ability to actually secure the records that you are after by serving a warrant.

    Uber isn't the only technology company that sees the physical seizure of digital records (not necessarily even by the police, mind you -- and once built an 'unexpected visitor' system is as effective against a thief as it is against a warrant) as a risk. The more they build against it, the more it suggests that working a subpoena through the courts is the way to go.

    The best investigators are patient. Sadly their management sometimes doesn't appreciate the merits of a detailed investigation.

  12. Re:Pretty common police 'tactic' for digital evide on Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com) · · Score: 1

    The point was, if you go in with a warrant, you take your chances on whether the objects of your search are there. You don't get the active help of the target to preserve/collect/deliver anything.

    In other words, it's a practical choice. Do you want to retain the element of surprise? Fine, that method works like this. Do you want to compel the target to provide you with all responsive documents under pain of sanctions, fine, that method works like this.

  13. Re:Pretty common police 'tactic' for digital evide on Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com) · · Score: 1

    Subpoenas have time limits associated with them. Judges can hand out sanctions for raising frivolous challenges or not responding in a timely manner.

    Remember that whatever rules you empower for the government to go after Uber, they can use to go after anyone else. That's the purpose of the quote from Bolt.

  14. Pretty common police 'tactic' for digital evidence on Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com) · · Score: 5, Informative

    Normally if police want records, they have to subpoena them and the company has a chance to contest the subpoena in front of a neutral judge. The judge can sustain the subpoena, quash it entirely or tweak just parts of it depending on their view of what is relevant to the ongoing investigation and any other claim of privilege. Most importantly, after any challenges are made and ruled on, the subpoena requires the positive action of the company to produce the responsive documents. The judge overseeing the case can penalize the company and the principals for not producing the records fast enough, for withholding responsive documents. This includes fines to induce compliance (usually a per-day fine) and contempt proceedings for gross misconduct.

    Increasingly, the police see all this judicial process as an impediment rather than part of working in a country that respects rule of law. So instead they get a warrant and try to seize all the records they want that way. A warrant is usually pretty broad ("any electronic devices capable of holding evidence" really means anything with a circuit board) and lets them sift through at their leisure. It's also something they can do and execute without notifying the company until it happens and litigate after the fact. But importantly, warrants (generally) do not require the company to actively assist anything. And if the police miss something relevant, that's on them, whereas in the subpoena case it's the company's responsibility to ensure that all responsive records are found.

    So there are tradeoffs: the warrant is quicker but doesn't guarantee that you'll get anything meaningful -- it just entitles the police to search/seize whatever they find. The subpoena can drag on in court, but once upheld requires the company to do the heavy lifting and deliver the responsive records directly to the police.

    [ And before we get all up about "Uber is evil" and so .., I'll just leave this here ]

  15. Re:Political tax on NYC Sues Oil Companies Over Climate Change (theguardian.com) · · Score: 1

    In no way do I think Rockefeller or anyone else are "not guilty". I just think the most productive and promising way to fight them is to come up with better alternatives so as to reduce the demand for their products. In the long run, those crimes they commit don't do them any good if it doesn't get them access to a product that people want.

    We aren't going to make a better future by dragging them down, we are going to make a better future by making them obsolete.

  16. Re: Political tax on NYC Sues Oil Companies Over Climate Change (theguardian.com) · · Score: 4, Interesting

    You know oil companies pay 30-40% royalties on oil leases, on top of corporate taxes. 3 of the top 10 taxpayers are oil firms.

    Even if they underpaid royalties (I doubt it), that doesn't help them without a robust demand for their product.

  17. Re:Political tax on NYC Sues Oil Companies Over Climate Change (theguardian.com) · · Score: 1

    To be fair, the oil companies are rich because people want to continue buying their oil to drive their cars and heat their houses. They use that money to buy political influence, suppress research and do other evil things to continue supplying that demand. That doesn't morally excuse their evil deeds or mean we can't go after them, but it's the continued demand for their product that enables them to fight back so hard and effectively.

    In other words, the morality of what they do and the conditions that enable them to do it are two separate topics. I don't know how to fix people to be more moral (at least not any ethical ways ...), but I do think we can better fight them by following Elon's example and making a better product at a lower price that people actually prefer.

  18. (1) Everyone refers to jQuery at the official URL

    (2) There are not 15,000 versions of jQuery. It's pretty strictly maintained and versioned. You source it explicitly by version, meaning that you don't get updated versions until you decide.

    (3) If you are really worried about Google hosted libraries going down, then you must have no real problems to solve. On the scale of possibilities, it's so far remote.

  19. Everything you said was right except the 'huge JS framework part'. Those are all cached on the client and so the entirety of loading them is reading the HTTP headers and comparing the 'Last-Modified' field. Total query is one round trip and 50 bytes, plus the rare occasion where the contents have changed and you have to load the entire thing.

  20. Want to make it sound more impressive? Microsoft currently has 45 supported variants of Windows. They shipped patches for 41 of those versions.

    Of course, it's crazy to support so many different variants. At the same time it's crazy to support Windows 7 for years after 10 comes out, but people will complain mightily if you EOL it and don't provide security patches.

    And it's even more crazy that none of this was Microsoft's fault to begin with.

  21. Re:Complexity unfortunately means Holes. on Microsoft Details Performance Impact of Spectre and Meltdown Mitigations on Windows Systems (microsoft.com) · · Score: 1

    You could make it fully compatible with x86, no problem. That's not the issue at all.

    The cost would be much more than 10% of performance. OOO and speculative execution would probably cost at least 50% of the performance (and, for mobile, this is perf/watt, which translates directly into usable battery life).

    Think about it this way: the CPU hits a plain old branch. The branch has a condition variable that's in L3 or main memory. In your "brute force" model, the processor sits idle for 200-300 instructions while the operand is fetched. In the speculative execution model, it uses that (otherwise idle) time to precompute one of the branches. If it's wrong, the cost is a rollback to the branch point (10-16 instructions), if it's right, the win is 200-300 instructions (time that would have been idling around waiting). It's a huge improvement.

  22. Re:Free speed upgrades for Appdoze 10! on Microsoft Details Performance Impact of Spectre and Meltdown Mitigations on Windows Systems (microsoft.com) · · Score: 2

    Dude, they agreed with this conclusion and moved font rendering out of the kernel.

    I can't imagine being your coworker if every time someone admits they made a mistake and corrects it, you harp about how wrong they were in the first place. We get that you are Very Smart and were in fact right all along, being ungracious about it is not making you seem smarter, it's making you seem just as smart but more of a jerk.

  23. Spectre is actually applicable to Intel, AMD, and the various ARMs (Samsung, Qualcomm, ...)

    You're thinking of Meltdown, that's Intel specific.

  24. You know they fixed that and now fonts are no longer rendered in the kernel. Or you would know that, if you RTFA.

  25. Re:AM2+ cpus are quite old even intel system from on Microsoft's Meltdown and Spectre Patch Is Bricking Some AMD PCs (betanews.com) · · Score: 1

    Sorry, I should have been more clear. I'm assuming (and I think it's a very safe assumption) that Microsoft will fix the issue and restore support in short order. If that does not come to pass, then I will gracefully concede the entire point.

    But any way you look at it, users who are affected by this are being forced into a pain in the ass situation.

    Yes. But that would be just as true if Microsoft corrupted the OS of newer machines as well. The PITA situation is that there is a machine-wrecking bug.

    It doesn't matter if they did it intentionally or through incompetence. They are still causing the issue.

    Sure. They caused the issue. I assume they will fix it forthwith.

    And, at least to me, it matters that they caused the issue while fixing a critical time-sensitive issue of global proportion. If they had incompetently broken your machine while installing a new Solitaire, we'd be having a different conversation.

    being told that something is obsolete and I should go buy a new one

    Which is just not what is happening here. The hardware is old, Microsoft regrettably missed testing it in a fairly catastrophic way and they will fix it. No one needs to suggest you buy a new computer over it.