Slashdot Mirror


User: argumentsockpuppet

argumentsockpuppet's activity in the archive.

Stories: 0 · Comments: 157

Comments · 157

  1. Re:Law Enforcement Backdoors on Justice Department To Be More Aggressive In Seeking Encrypted Data From Tech Companies (wsj.com) · · Score: 2

    I think you didn't read the link: The Golden Key Fallacy, because what you argue first is exactly the fallacy I pointed out there. You go on to make the same argument I made immediately below that link: It Wouldn't Accomplish the Goal, namely that encryption exists independently of whatever rules or laws might be made. It looks like you're ignoring the issues I was trying to raise for discussion.

    So, first off, it is possible to keep a key secure. Apple has such a key and they've apparently kept it secure (paranoid speculation aside.) To make it absolutely clear, Apple has the ability to make breaking encryption trivial any time they decide to, whether by creating the software update that would do it themselves or by providing that key to someone in law enforcement. You can call that a backdoor or not, but the result is the same: Anytime Apple decides to, they can break your encryption or allow law enforcement to do the same. The only thing that keeps that from happening is Apple's desire to market privacy. (The same goes for Google, Samsung, HTC, LG, etc.)

    The bigger issues are that most people don't care and most criminals don't plan that well. You and I, even most /. readers, understand what encryption is and why protecting it is important. Great. If you ask ten people on the street whether law enforcement should be able to access encrypted data with a warrant, you'll get at least nine people saying they should. The only thing preventing it from happening is that the ten percent who do understand the issue are vocal and have math on their side. If Congress decides they need to be "tough on crime" in order to get re-elected, then you can expect laws mandating phone manufacturers have a way to provide access to encrypted data. Then there is the biggest and most dangerous issue. It will work.

    The first six months of government mandated decrypt capability will result in hundreds of criminals being successfully prosecuted. Every one of those will be a headline that trumpets the success of the laws. Public opinion will strongly support it. It won't catch smart criminals, but those are rare and won't make headlines when the laws fail. Government will strengthen its hold on the ability to spy on its citizens at will.

    To quote my website, since most people won't read it:
     

    When lawmakers consult sympathetic technology and security experts, guess what they'll hear:

    * Golden keys are already in place to secure phones
    * Golden keys aren't necessary to accomplish the goal

    The golden key fallacy hurts our case. Stop using it. We need better arguments. Help me find them.

  2. Re:Hopefully the public votes this down on California DMV Changes Rules To Allow Testing and Use of Fully Autonomous Vehicles (techcrunch.com) · · Score: 1

    The thought of a 3000+ pound hunk of steel hurtling mere feet away from people on sidewalks while a human is at the controls is insanity!!

    FTFY.

    At least computers are predictable. Software is guaranteed to have bugs. Humans are too. At least with computers, you can fix the bugs when you find them.

  3. Re:Law Enforcement Backdoors on Justice Department To Be More Aggressive In Seeking Encrypted Data From Tech Companies (wsj.com) · · Score: 1

    Somebody who gets it.

    Let's go down a slightly different rabbit hole. Maybe what we've been told isn't true. Maybe Apple hasn't kept the private signing key secret from our government. Before I expound on that, I want to point out that Apple's key doesn't decrypt the data on the phone. Apple's key signs the software that the phone automatically downloads which is used to prompt for a password and use that password to decrypt the actual key which is in turn used to decrypt the actual data. This means that Apple's key could be used to create software which would allow a computer to run brute force guesses until it successfully gets the decryption key. It doesn't need to be that way. The phone doesn't need to automatically download software updates without first requiring a password. Why does it do that?

    Is there any reason to believe that Apple hasn't been forced by a secret order to use a method which is intentionally corruptible? It doesn't have to mean that Apple has already been forced to provide a copy of its private key to the NSA. But it could. It could mean that the NSA has software ready to load on any phone that they decide needs accessed. Software that appears identical to what was previously on the phone but now records the password for retrieval. Software that records keystrokes or passes screenshots to NSA servers. That'd be handy, wouldn't it? Is there any reason to believe it hasn't been done?

  4. Re:Law Enforcement Backdoors on Justice Department To Be More Aggressive In Seeking Encrypted Data From Tech Companies (wsj.com) · · Score: 1

    My initial reaction is also one of outrage and frustration. I started to formulate a response to express that when I realized that most of the other commenters would be doing the same.

    (Does it need to be said? Does it need to be said now? Does it need to be said by me?) I answered "no" to the last one.

    Having read through the comments, it appears to me that there are zero supporters of mandating government access to encrypted files. I haven't seen anything new added to the discussion either, which makes this whole comment section less useful than a poll. Let's change that. You're a writer, an effective communicator, someone who can think through alternate possibilities. I'd like you to tell me why giving government access to encrypted files, with a warrant, is bad IF it doesn't involve a back door. (I've written about this before. You'll read my arguments against access there but I'm looking for new and better ones.)

    Justice is important to our society and we should be outraged when it isn't served. Sometimes that means that it is necessary to invade the security or privacy of someone who has committed a criminal act. That's what warrants are for. Abuses can happen, and we should be outraged when they do, but addressing those abuses when they happen is the correct response. It isn't good for society to instead decide to prevent law enforcement from being able to do their jobs.

  5. Re: Revoke their corporate charters. on AT&T Seeks Supreme Court Review On Net Neutrality Rule (bloomberg.com) · · Score: 0

    I know, I know, don't feed the trolls. But that's why it works, I can't resist.

    Under the control of the consumer? If I want to Binge On a website that my ISP hasn't made an agreement with, how's that under my control? I want to Binge On wimp.com for example, how do I, as a consumer, turn that on? Surely you won't tell me that I can't control what sites are available when I want to Binge On. That'd be like saying some parts of the internet get favored by the ISP instead of the consumer.

    Let's say some small new site is offering really cool videos with awesome stand up comedy making fun of my ISP, so long as I can Binge On that new site that my ISP dislikes, I'll grant you it's '100% under the control of the consumer.'

    On the other hand, what if I as a consumer can't pick the sites I want to Binge On? Who does choose that? Who holds the power to decide what sites succeed and what sites fail? If it's not the consumer, it's the ISP. That doesn't sound neutral to me.

  6. Re: Revoke their corporate charters. on AT&T Seeks Supreme Court Review On Net Neutrality Rule (bloomberg.com) · · Score: 2, Interesting

    This right here is the reason Net Neutrality is going to fail folks.

    Any time you get a bonus, that's someone else deciding what parts of the internet get priority. Try telling someone "Binge On is setting up a system where some sites are billed for and others are not." What they hear is "free" and nothing you can do will change their mind.

  7. Re:EEE on Microsoft and Canonical Make Custom Linux Kernel (neowin.net) · · Score: 1

    Pinky and the Brain? For a minute, I thought you meant Yarp.

  8. Personal experience as someone willing to pay on Ask Slashdot: What's the Best Business Model for An Open Source Developer? · · Score: 4, Interesting

    The company I worked for was starting to look for a replacement for Lync, and I was in the position to choose OpenFire. I wanted to find a host, someone that would offer configuration services and a host for it. I reached out to the various listed supporting companies at the time and got nowhere. I would have been happy to pay someone for a dozen hours' worth of configuration support. Instead I ended up setting it up and working through all the issues myself, but that was my least preferred option. There would have been potential for ongoing reconfiguration assistance. Eventually we switched back to Office 365's (renamed) Lync system. That's thousands of dollars I would have been happy to redirect to an open source support company if I'd been able to find one.

    If there's a lesson to be learned there, it's that there is money to be had if you can find the demand.

    What software you develop will determine what service you can offer for it. What I want to see more of is:

    * Open source software for free
    * Configuration support for a fee
    * A hosted server with support as a service.

  9. Can we make a deal with the devil? on Every Major Advertising Group Is Blasting Apple for Blocking Cookies in the Safari Browser (adweek.com) · · Score: 1

    In the past, I was willing to allow ads to show up on the webpages I visited. I knew how to block them, but I was sympathetic to the idea that most of the pages I visit are funded by advertisers, so it seemed fair. Then Facebook decided I desperately needed a Russian bride. That was the final straw and so from then on, I've blocked them.

    However, I still feel like it is reasonable to support the websites that I want to visit. I'd be willing to pay a pittance, but until Google (because it'd have to be built into Chrome) decides to handle micro-transactions, it doesn't really work. Now that they're going to start doing a built in ad-blocker on Chrome, perhaps the time has come to suggest a Faustian compromise.

    Dear Google: Step up your game and I will help you advertise to me. You already have huge amounts of data about me, so I'm willing to trust that you can handle my advertising preferences as well. I will give you permission to see my purchase history with my credit card companies and with my banking companies. You already have my search and email info, but I'll check a box that says you can use it so you can make the EU regulators happy. Give me the button on Chrome that says "Only ads from Google" and I will let you be the middle man on every online ad that I see. I will even do the same for my phone. Surely that's appealing?

    In return, I ask four things:
    1) Keep my data secure.
    2) Let me unsubscribe from the ads that I find distasteful. I want to uncheck the "lots of skin" preference and know that no ad that I see will be of a scantily clad model. I want to uncheck the "wine and spirits" and uncheck the "marital aid" and uncheck the "boner pills" boxes. And please, please let me uncheck the "find a date (if you know what we mean)" box.
    3) Make it super easy for websites to use your advertising to make money. If this doesn't work out better for the sites that want to be supported by advertising, then this will never be a winnable war.
    4) Do not fail. I visit one site multiple times each day. I cannot get uBlock to consistently block their stupid video advertisement boxes. I'm never going to do business of any kind with that company and don't need to see them. Somehow, that website has so many hooks into them that uBlock can't seem to keep a consistent grip on the problem. I end up having to block them at the DNS level and that's a stupidly manual approach to the problem. If you do a good enough job of ensuring that I don't see irritating advertisements, I will not only accept advertising again, I will actively help you do it well.

  10. Re: Transaction fees on Here's Why People Don't Buy Things With Bitcoin (vice.com) · · Score: 1

    Good question. If I want to cash out, I guess I'll have to figure it out.

  11. Re: Transaction fees on Here's Why People Don't Buy Things With Bitcoin (vice.com) · · Score: 1

    Yes. I am getting both the best and the worst of both worlds. I'm paying for convenience several times over. (Though I prefer to think of it as paying for entertainment.) I have the ability to do things that are interesting, but very little need to. As a result of my curiosity, I have the ability to pay to have dollars converted into bitcoin and pay more money to convert them to ethereum or back into dollars again. In theory I might be able to partake in exchanges that are inconvenient with dollars or more expensive to do with dollars, but in practice it just means I'm throwing a couple bucks worth of bitcoin as applause to a couple people whose work online I appreciate. Oh, and I have yet another Visa card I never use.

  12. Re: Transaction fees on Here's Why People Don't Buy Things With Bitcoin (vice.com) · · Score: 1

    I can receive payments in bitcoin or other crypto currencies and spend it just like I would with my other cards. By having some bitcoin/other on hand I also have the ability to pay someone who can't take payments from my regular cards or via cash.

    The convenience of being able to pull from my bitcoin wallet with a Visa is handy if I need to do that. It was a small one time fee to set up and it's a novelty unless I need those funds suddenly for some reason. (Here's the tip of the day kids: Never put money you need into cryptocurrency.)

  13. Re: Transaction fees on Here's Why People Don't Buy Things With Bitcoin (vice.com) · · Score: 4, Interesting

    It all depends on the systems you use. I have a debit card with a Visa logo. Anywhere they take Visa, I can use it to spend money. In this particular card's case, it withdraws bitcoin from my coinbase account when I use it. I pay the price in whatever currency the merchant is using. McDonalds gets USD from Visa. Visa gets USD from coinbase. Coinbase gets bitcoin from my wallet.

    Basically, I can spend my bitcoin anywhere that takes Visa. Or, I can sell bitcoin and get USD deposited to my credit union account. As a bonus, I can send bitcoin to people or organizations. If I ever need to pay someone who doesn't have a bank account, or need to pay a (cheap, cause I don't have much) crypto malware ransom, I can do that with bitcoins or ethereum. In theory, I could buy things on a black market with my crypto-currency holdings, but honestly I haven't looked into it because I don't want to connect myself to that world.

  14. Re:bitcoin isn't real, either on Here's Why People Don't Buy Things With Bitcoin (vice.com) · · Score: 2

    With my current coinbase sell limits, it would take me ten weeks. That could be improved apparently, but I can't imagine how I could get to the point where that would matter. Alternatively, there are probably other major organizations that could absorb that level of transaction.

  15. Re:His big mistake on Iowa Computer Programmer Gets 25 Years For Lottery Scam (desmoinesregister.com) · · Score: 1

    Okay, good point. Related, how does this not get audited and caught before it gets implemented? Shouldn't there be more checks than one guy could bypass?

  16. Re:Security through obscurity doesn't work. on How Security Pros Look at Encryption Backdoors (helpnetsecurity.com) · · Score: 1

    As long as we're talking about concepts we don't advocate, let me add some reason for paranoia.

    First, consider that any software with automatic updating can be compromised by the company providing the updates. If you get updates that you don't personally compile and test, then you can't prevent the entity with control of the updates from pushing something that would give access to your encrypted information.

    Second, consider that almost all at rest data is encrypted with symmetric encryption which means that there is necessarily a key that could be used, without needing your password, for decryption. It may be stored locally in a file someone else has the key to decrypt, or it may be uploaded without your knowledge to a company or government server.

    In almost every discussion about "backdoors" people describe the idea of a single key to unlock encrypted data from multiple targets. That's stupid. (Maybe not too stupid for government to demand.) If there were to be backdoor keys, there would be one unique key per device sold, held by the selling company or uploaded to a government server. The consumer would never even know there was such a key. If it's held by the software or hardware manufacturer, the key would be obtained by the government at request or subpoena.

    You don't have any way with closed source software to know those scenarios haven't already happened. Even with open source software, in many instances it's practically impossible to prove that your encrypted information doesn't already contain a government accessible back door.

    Right now with iOS, Android or Windows, you're probably already getting automatic updates. One of those updates you received may have already included a government mandated unique secret key.

    Your device manufacturer may have included the unique secret key that your phone uses to encrypt your data. Your password is only used to decrypt that key which is then used to encrypt your data.

    Right now, without any law changes, given sufficient leverage, time, and authority; I could gain access to 99.99% of the data that people think is encrypted without a "backdoor." Granted, I don't think that's happened, because I mostly trust the companies and people responsible for the hardware and software I use. However, that trust only goes so far as assuming I don't present a target worthy of attention from someone with scary level leverage to come after me.

    I keep thinking back to the San Bernardino iPhone FBI vs Apple case. The FBI said they could do the decryption by using the auto-update system with a copy of Apple's signing key. They absolutely could have, though they rightly assumed Apple would resist that idea. The question I have is whether the FBI would have gone to court if it weren't for the attempt to set precedent. If a couple engineers from Apple got late night visits from men in black with badges and guns, do you really think the key could have been kept secure? It gets worse. Imagine you're one of the managers who is responsible for keeping the key secure. You go into your office and you have an unexpected meeting with someone who has a badge and letters explaining how you're going to keep quiet about the copying of your signing key that already happened. On the one hand, you could risk your career and all the good parts of your life to invalidate a key that has already been compromised, resulting in a requirement for every iPhone user to come to physically turn in their phone for an upgrade in order to accept new valid keys. On the other hand, you could just keep your mouth shut. Which do you think most people would do? What makes you think that hasn't already happened? What makes you think the same thing didn't happen at Microsoft, Google and your favorite Linux distributors?

  17. Re:Password Changes on Ask Slashdot: What Are Some 'Best Practices' IT Should Avoid At All Costs? (cio.com) · · Score: 1

    People are always, always, the weakest link.

    If you let people choose passwords, they'll choose very bad ones. If you force them to change them regularly, they'll choose bad passwords with easily predictable permutations. If you force them to use generated good passwords, they'll write them on sticky notes and put them in email.

    I used to work with a guy who specialized in information security. He would run cracking programs against our systems and report any bad passwords to the appropriate manager. One of my own staff had a bad password, obviously thought nobody would know, so I had to confront them after a couple denials by telling them the bad password that had been uncovered. This was a professional who had been educated on how and why good passwords were required.

    On the one hand, you think education and testing will give your employees the understanding and tools they need to handle business securely. On the other hand, they're just there for a paycheck until they can get the better job they're really after. No amount of education can convince people to do what they should do if they really don't care.

    My solution is to annually bring each employee into a room where there are two computers, one that displays a randomly generated complex password when they click start. The other computer requires them to type it correctly two hundred times in a row before they can leave the room. Before we start, I explain that every computer has keylogging software which will alert HR if they ever type that password except into their password database or primary login screen, resulting in immediate termination. I also explain that every workstation will be randomly inspected, sometimes daily, sometimes weekly and if that password, or a variation is ever found written down, they'll be immediately terminated. The password database generates complex passwords that must be used with copy/paste tools, never typed, for every other system they need to log into.

    "This is your password this year. Keeping this password in your head is the key to not getting fired." I give this speech to every employee, once a year.

    Other than getting stabbed regularly, shot three times, having my house burned down once, and still not knowing who kidnapped my cat, the system works great!

    No, of course I don't do that, and our CEO would probably be one of the people who'd stab me if I did. Not that I don't think about it sometimes, but I don't think there is any good solution to the password problem. Multi-factor is a part of the solution, and in the future I hope that AI can make passwords a distant humorous memory. In the meantime, I try to encourage good tools, good education and just a tiny bit of fear for our employees.

  18. Re: Avoid directory service, aka AD on Ask Slashdot: What Are Some 'Best Practices' IT Should Avoid At All Costs? (cio.com) · · Score: 1

    I believe you're right, but there is a tipping point. As with many things, working well small does not equal working well large.

    An office of three people may be better off without trying to manage AD where every OU has to be customized for one person. At three hundred, that same management style will break down in a never-ending cycle of fixing dozens of issues every day that could have been avoided with group policy.

    The trick is knowing when a system will save you work vs when it will cost you more. Our office is definitely better off for AD, but we're just large enough to sometimes benefit from a print server and just small enough that managing it sometimes costs us more time than it would take to manage printer resources on an individual basis.

  19. "The insurance business is completely screwy now.
    You know they've reintroduced the death penalty for insurance company directors?"
    "Really?" said Arthur. "No, I didn't. For what offense?"
    Trillian frowned.
    "What do you mean, offense?"
    "I see."

    We've gone off the rails and nobody wants to accept the pain necessary to fix it.

    Governments recognize the need to incentivize intellectual achievement. We want inventors and creators to have sufficient incentive to create the things we all benefit from. The problem is that not all intellectual property creations benefit the public equally. Lawmakers are rightfully wary of creating a mess by valuing them on a case by case basis. As a result, we give the same value to a company's patent on an ink cartridge design necessary to work in the company's printer as we do to a replacement for a carburetor that cuts fuel cost and emissions.

    If I own a printer company and I design a novel ink cartridge that I can get a patent on and I make all of the printers I create require said design of printer cartridge, I've given myself a monopoly. That's not really a bad thing in itself, because that cartridge design really is novel. The problem is that the public only benefits from maybe five years of protection on that patent, but we give twenty because we don't want the hassle of determining which inventions are worth protecting for twenty years and which are worth protecting for one year.

    There is a fix, and it's simple. The problem is that it will piss off a lot of companies that sway public opinion and thus re-electability of politicians. If you're the politician who removes the profit from a thousand successful companies, your time in office is suddenly curtailed. Still, if we can elect enough politicians who care more about doing public good than getting reelected, they should make patents and copyrights default to one year, with a special hearing needed to extend it to five years and another to ten and a final one to extend it to the max of twenty (with grandfathering to ensure the economy doesn't flip out immediately.) Ditto for copyright and other forms of intellectual property protection.

    And while we're on the subject of electability, it seems that every commenter I've seen in recent times agrees that getting money for a campaign determines who gets elected, but that's confusing causality with correlation. (If you're one of them, you've probably already stopped reading and are getting your angry rant and insults keyboard plugged in, but read on so you can insult my arguments properly.) Popular politicians win elections and popular politicians get campaign money. It's not one because of the other, it's a correlation. I doubt most people who believe money buys elections will bother to learn more, but there is some good info and links at http://freakonomics.com/2012/0... .

    If Mr. Adams were writing the line today, I suspect it would be patent lawyers instead.

  20. Re:Stupidly not filing in West Texas... on Judge: eBay Can't Be Sued Over Seller Accused of Patent Infringement (arstechnica.com) · · Score: 1

    I don't know if that's original or not, but that's beautiful.

    I spent a month in an Amarillo motel room one stormy night

    If you didn't catch it, and I didn't at first glance, then re-read it.

  21. Re:Yeah, the bubble will pop long before that on In 18 Years, A College Degree Could Cost About $500,000 (buzzfeed.com) · · Score: 1

    I did this. Before I understood reality, I thought a college educated person could "downgrade" to a trade. There was a man who came to my high school and tried to tell us what a person who excelled at a trade could do versus someone who was ill equipped to attempt a college degree. He tried to tell us that somebody practiced and educated with a trade could be more successful than someone who attempted something diverging from their talent. I didn't understand then. I'm a little more mature now.

    If you're good at something, do that. Don't let society tell you it's not the right choice; do what you love and excel at it.

  22. Re:Am I my brother's eater? on Most People Would Give Lab-Grown Meat a Try, New Survey Reveals (sciencealert.com) · · Score: 1

    You'll want something that people don't have any allergies to. Something that tastes familiar.

    I recall reading a story once, something I can't entirely recall, but there was a pertinent part. Imagine you're an alien race in possession of a human who needs complex food. There is an obvious solution, grow meat that you know will be safe for consumption. Simply clone some tissue, tweak it a little for stem cells, grow differentiating tissues, massage mechanically, and voilà, human edible, human, meat.

    Yeah, I know, rings of Futurama, but that's not the story I'm thinking of.

  23. Re:... uh on Uber Ex-engineer Who Alleged Sexism Retains Lawyer (usatoday.com) · · Score: 1, Flamebait

    Makes you wonder exactly who has mod points today.

  24. Re:Only difficult because computer users are idiot on Encrypted Email Is Still a Pain in 2017 (incoherency.co.uk) · · Score: 1

    We're getting close.

    Username-password management is pretty much acknowledged as a broken system. I trust LastPass so I turn most of my password management over to it. Where I don't turn it over to them, I use KeePass. I back up my credentials in backups encrypted with two systems. (I trust three so I actually do combinations of each so that even if one is broken, the other backs it up.)

    We're getting close to a solution. I predict that not far in the future, we'll have simple encrypted email. Not because people understand how to do it, but rather because we can't manage passwords ourselves and we're getting tools to do it for us. We won't do it because we desire to learn how, but rather because we're finally reaching a tipping point where everybody needs a tool that can manage it for us.

  25. Re:...and the benefits would be...what exactly? on Elon Musk: Humans Need To Merge With Machines Else They Will Become Irrelevant in AI Age (cnbc.com) · · Score: 1

    I expect to work until I'm physically incapable of working anymore. I'm good with that. I enjoy maybe 50% of my job and I think that's better than most. I'm not retirement age, but if I do the job I'm doing right now until the day I die, I'll be happy with my life.

    The 50% of my job I don't like could be automated. I wish it already was.