If he had been a regular cab driver, he might have done the same, and an official taxi would have been even better camouflage. If he had been a stock trader, he might have continued to do trades. If he was selling crap on Ebay, he might have continued doing that too. How is his driving for Uber at all relevant?
One thing I'd point out is that her apartment isn't in San Francisco, it's about 30 miles out.
Yes, but she was complaining about her long commute, suggesting that she really thought she deserved an SF apartment.
That said, Yelp might want to consider whether... It might also be smart to move a customer service call center somewhere else
Indeed, I think Yelp is mismanaged and doomed, like most tech companies that choose to locate themselves in SF. But that makes her choice of thinking about a career with them even dumber.
I wouldn't even care that much about any of this if all this bullshit wasn't likely to be eventually a burden on tax payers outside of SF.
You know it used to be that most families could support themselves with only a single income. My how times have changed.
True, and that was also a time in which women were working their fingers to the bone doing household chores, when single parenthood was socially unacceptable, and when people waited with getting married and starting a family until the husband was reasonably certain he could provide for a wife and kids. Are you saying you want to return to that?
Im not saying you are wrong, im saying you are an asshole
I'm a gay man who has wanted to live in SF for a couple of decades but never could afford it; that is, I could actually have paid for it out of my salary, but it would have cut sharply into my retirement savings, so I didn't do it. SF has been an expensive place for many decades, and you either have to be rich or foolish to live there.
The "assholes" are people like you and her who think that someone fresh out of college, with no marketable skills, somehow deserves their own apartment in San Francisco without roommates. Screw you and your selfish greed.
It's a warning to other young would-be Yelp workers to steer clear lest they suffer too. That's the only way these soulless corporations will ever feel the sting and be forced to raise wages.
I agree completely: people should think clearly about cost of living and desired standard of living relative to salaries when choosing where to work. Then, when corporations can't hire the workers they want at the salary they are offering, they will increase their salary offers. Talia's problem is that she obviously didn't do that.
No the problem is that her former EMPLOYER wants her to work in the most expensive city in the US
Her employer doesn't want her to do anything, they are offering her a job and a salary. She has to decide whether she can make ends meet. If she got roommates and lived frugally, it would be easy for her to live on that salary even in the Bay Area. If she wants her own apartment and her own car, the salary isn't enough and the job isn't for her.
and gives no fucks about how she makes that happen
Correct. And they shouldn't give a fuck how she makes that happen because her bad financial decisions are not the employer's problem.
She is fresh out of college with a worthless degree, moves to one of the most expensive areas in the country, rents an apartment by herself without roommates, buys a car, runs up debt, and she is wondering why she is running out of money?
Talia Jane, I have news for you: even people with far more worthwhile skills than you have, or will ever have, get roommates after college, don't buy cars right away, and live frugally. And if you keep doing the kind of stupid things you're doing, you will indeed end up bankrupt and homeless. You have nobody but yourself to blame.
Hypothetical: Before this happened, pretend someone asked that question here. Wouldn't security folks and Apple fanboys have told you it was impossible?
Of course it's not "impossible"; hardware and software can always have errors. But if that's what happened, Cook could simply have said "the 5c had weak security, but it's going to get fixed on the next iPhone".
What Cook actually has been saying is that "building a backdoor" to access the data on this particular iPhone 5c would result in backdoors in all of Apple's devices, compromise data security of future iPhones and would "undermine decades of security advancements", and that just doesn't make sense.
You said It [the data] is encrypted, but with a very short key length: It's a four-digit pin, only 10,000 possible keys.. That's not "keeping it brief", it's simply wrong. The data is not encrypted with a very short key length. The data is encrypted with a 256 bit key.
It's more a usability limitation: Do you want to have to enter a fifteen-character alpha-numer-symbolic passcode every time you want to use your phone?
No, that's not how it works. The PIN is not the encryption key, it is simply an identifier the user uses to identify himself to the device. The actual encryption key is a 256 bit key that you never see and that's inaccessible and inside the hardware.
PINs are secure as long as the hardware strictly enforces a limit on the number of authentication attempts; after that number of attempts, the system either needs to erase the keyring (and/or device), or it needs to switch to PUK or pass phrase authentication. Some hardware does this (e.g., SIM cards), but on Apple hardware, the limit can apparently be circumvented.
That's a shame, given how much Apple seems to have invested in special hardware to support encryption on their devices. http://www.darthnull.org/2014/...
A back door is something that bypasses the cryptographic requirements of encrypted data.
A "back door" can be many things: it can be a weakness in the cryptographic algorithms, but it can also be a weakness in they keyring or even just failing to clear memory somewhere. Apple's devices appear to have a weak keyring.
And if general relativity breaks down, it would throw everything upside down, because it would no longer have any predictive power -- it could no longer be considered as a standalone theory to explain the universe."
This is hardly a shocker, since general relativity and quantum mechanics have not been successfully unified, and since general relativity simply cannot work at the quantum level as it is.
I don't think you've thought this through. If pin checking is implemented in the silicon, not the software, it cannot be changed by the user, unless you include the ability to flash the firmware, and then we are back to the current situation.
This isn't something I "need to think through"; SIM cards and smart cards have been around for decades. All GSM SIMs provide the PIN/PUK system, which does exactly what I say. If you don't understand how that works or why it is secure, I suggest you read up on it before making a fool of yourself.
No. The pin code can be brute forced, period. It is an inherent limitation of using them
Well, I'm sure the same ignorance and stupidity is why Apple is in this mess in the first place. Try brute forcing the PIN on your SIM card some time and see how far you get.
No, the real problem, that is not Apple's, is that the pin passcodes are trivially brute-forceable. If you really care about security, you have to guard against brute-force attacks, which you do by using a long alphanumeric password, not a pin code.
Properly implemented PIN codes can't be brute forced, because you only get a small, limited number of tries.
Apple has done a great thing by trying to mitigate the brute-force vulnerability with their software lockout policy, but there is only so much they can do. There are only three ways out of Apple's current situation: 2) make the brute-force limiting rules in hardware instead of software, but then they wouldn't be configurable by the user,
This is the correct solution, and it is easy to do on phones. You can either use the SIM card itself, or you can put an extra secure element on the phone; either of them is capable of holding passwords securely and rigidly enforcing a small number of attempts at the PIN before switching to a longer password or self-destructing.
The limit rules are still configurable by the user, they simply can't be changed until you have successfully unlocked the hardware.
They just need to make it clear that security is not guaranteed with a pin passcode.
But security should be guaranteed with a PIN. That is, if I configure my phone for three trials and use a 4 digit code, then I should be certain that the risk of someone unlocking the phone by trial and error is no more than 3:10000, short of someone actually modifying the innards of a secure processor.
The FBI is trying to get Apple to push a special version of iOS software to JUST that phone that would allow them to have unlimited attempts at guessing the pin code and allow them to do it programmatically.
Yes, and I'm saying: that should be impossible to do. The fact that this is possible on iPhones is a design flaw of iPhones and iOS.
The user data is encrypted with a key that is, itself, encrypted with a couple of unique pieces of data, one of which is the pin code to unlock the phone
PINs need to be implemented in some form of secure hardware, either a special chip or the SIM card itself (that's what it's designed to do). If what you describe is what the iPhone does, then that's the problem: that is not a secure way of implementing PINs.
http://nelenkov.blogspot.com/2...
I pray to every god known to mankind that Apple fights this until the DOJ gives up or is bitch slapped back into place by someone with the power and the intelligence to see how overreaching and dangerous this step would be.
The fact that the FBI can demand this from Apple and that we are even talking about it is a technical deficiency in Apple products; that's not going to get fixed by winning legal cases. Manufacturers like Apple need to fix their products, not engage in legal posturing.
The only fundamental flaw with an iPhone here is anyone thinking that a 4 digit PIN might protect the data on it.
Properly implemented, a 4 digit PIN is perfectly reasonable. The PIN is used to retrieve the actual encryption key from secure storage. If you give an attacker 3 tries, it means they get a 1:3000 chance of unlocking the phone, that's it. That's a reasonable risk. After that, the phone needs to disable the pin authentication method irrevocably and require a much longer password.
The problem is that for that to work, you need to guarantee that an attacker only gets three tries. That requires careful hardware and software design, but this is such a common problem that there are lots of secure, embedded processors that do this. Every modern phone has at least one of those processors inside a SIM card; Apple could use that. Alternatively, they could put a separate secure processor into their phones for this purpose; they are dirt cheap.
Key management isn't vulnerable at all. Only the user's choices make it vulnerable. Just like if I run an SSH server with all the best encryption but the login is "root" and the password is "password", the underlying process isn't weak at all, only the user inputs are.
You appear to labor under the misconception that the pin you use to access the phone is the password or key used for encrypting the data; it is not. Pins (or fingerprints) are merely identifiers you can use to identify yourself a small number of times to a secure piece of hardware; that secure piece of hardware holds the real key that's used for encrypting and decrypting your data. If you fail to identify yourself within a small number of tries with your pin, unlocking with pins needs to be disabled and the system needs to switch to a longer password-based or token-based decryption method that cannot be brute forced.
That "secure hardware" can either be the entire phone, or it can be a secure embedded processors. Most phones actually have a secure, embedded processor just for this purpose in their SIM card. And SIM card authentication works this way: you get a small number of trials with a PIN, and if you fail to enter that correctly three times, it switches to a longer PUK. Assuming the SIM card doesn't have hardware or software back doors, that's also secure against hardware attacks.
You have to reboot for an iOS update as well. However, the update would let you try all 10,000 pin combinations if the FBI had their way.
The issue isn't whether you have to reboot the phone, but whether you have to unlock it for the upgrade and how they implement the unlock count. This is complicated because there are many different ways of implementing it. But whichever way you look at it, a secure system must guarantee that no matter what an external user does, you get to try your pin combinations only 10 times before the system requires a full password.
If he had been a regular cab driver, he might have done the same, and an official taxi would have been even better camouflage. If he had been a stock trader, he might have continued to do trades. If he was selling crap on Ebay, he might have continued doing that too. How is his driving for Uber at all relevant?
You say that as if it's a bad thing.
You're imagining things. The bill of rights says that the government can't deprive you of life without due process, nothing more.
Yes, but she was complaining about her long commute, suggesting that she really thought she deserved an SF apartment.
Indeed, I think Yelp is mismanaged and doomed, like most tech companies that choose to locate themselves in SF. But that makes her choice of thinking about a career with them even dumber.
I wouldn't even care that much about any of this if all this bullshit wasn't likely to be eventually a burden on tax payers outside of SF.
True, and that was also a time in which women were working their fingers to the bone doing household chores, when single parenthood was socially unacceptable, and when people waited with getting married and starting a family until the husband was reasonably certain he could provide for a wife and kids. Are you saying you want to return to that?
I'm a gay man who has wanted to live in SF for a couple of decades but never could afford it; that is, I could actually have paid for it out of my salary, but it would have cut sharply into my retirement savings, so I didn't do it. SF has been an expensive place for many decades, and you either have to be rich or foolish to live there.
The "assholes" are people like you and her who think that someone fresh out of college, with no marketable skills, somehow deserves their own apartment in San Francisco without roommates. Screw you and your selfish greed.
I agree completely: people should think clearly about cost of living and desired standard of living relative to salaries when choosing where to work. Then, when corporations can't hire the workers they want at the salary they are offering, they will increase their salary offers. Talia's problem is that she obviously didn't do that.
She could live just fine on this salary if she got roommates or if she was part of a two income family.
Her employer doesn't want her to do anything, they are offering her a job and a salary. She has to decide whether she can make ends meet. If she got roommates and lived frugally, it would be easy for her to live on that salary even in the Bay Area. If she wants her own apartment and her own car, the salary isn't enough and the job isn't for her.
Correct. And they shouldn't give a fuck how she makes that happen because her bad financial decisions are not the employer's problem.
Talia Jane, I have news for you: even people with far more worthwhile skills than you have, or will ever have, get roommates after college, don't buy cars right away, and live frugally. And if you keep doing the kind of stupid things you're doing, you will indeed end up bankrupt and homeless. You have nobody but yourself to blame.
Of course it's not "impossible"; hardware and software can always have errors. But if that's what happened, Cook could simply have said "the 5c had weak security, but it's going to get fixed on the next iPhone".
What Cook actually has been saying is that "building a backdoor" to access the data on this particular iPhone 5c would result in backdoors in all of Apple's devices, compromise data security of future iPhones and would "undermine decades of security advancements", and that just doesn't make sense.
It has everything to do with key management, according to the very article you point to. Are you illiterate?
You said It [the data] is encrypted, but with a very short key length: It's a four-digit pin, only 10,000 possible keys.. That's not "keeping it brief", it's simply wrong. The data is not encrypted with a very short key length. The data is encrypted with a 256 bit key.
No, that's not how it works. The PIN is not the encryption key, it is simply an identifier the user uses to identify himself to the device. The actual encryption key is a 256 bit key that you never see and that's inaccessible and inside the hardware.
PINs are secure as long as the hardware strictly enforces a limit on the number of authentication attempts; after that number of attempts, the system either needs to erase the keyring (and/or device), or it needs to switch to PUK or pass phrase authentication. Some hardware does this (e.g., SIM cards), but on Apple hardware, the limit can apparently be circumvented.
That's a shame, given how much Apple seems to have invested in special hardware to support encryption on their devices. http://www.darthnull.org/2014/...
A "back door" can be many things: it can be a weakness in the cryptographic algorithms, but it can also be a weakness in they keyring or even just failing to clear memory somewhere. Apple's devices appear to have a weak keyring.
The PIN isn't the encryption key.
This is hardly a shocker, since general relativity and quantum mechanics have not been successfully unified, and since general relativity simply cannot work at the quantum level as it is.
This isn't something I "need to think through"; SIM cards and smart cards have been around for decades. All GSM SIMs provide the PIN/PUK system, which does exactly what I say. If you don't understand how that works or why it is secure, I suggest you read up on it before making a fool of yourself.
Well, I'm sure the same ignorance and stupidity is why Apple is in this mess in the first place. Try brute forcing the PIN on your SIM card some time and see how far you get.
Properly implemented PIN codes can't be brute forced, because you only get a small, limited number of tries.
This is the correct solution, and it is easy to do on phones. You can either use the SIM card itself, or you can put an extra secure element on the phone; either of them is capable of holding passwords securely and rigidly enforcing a small number of attempts at the PIN before switching to a longer password or self-destructing.
The limit rules are still configurable by the user, they simply can't be changed until you have successfully unlocked the hardware.
But security should be guaranteed with a PIN. That is, if I configure my phone for three trials and use a 4 digit code, then I should be certain that the risk of someone unlocking the phone by trial and error is no more than 3:10000, short of someone actually modifying the innards of a secure processor.
Yes, and I'm saying: that should be impossible to do. The fact that this is possible on iPhones is a design flaw of iPhones and iOS.
PINs need to be implemented in some form of secure hardware, either a special chip or the SIM card itself (that's what it's designed to do). If what you describe is what the iPhone does, then that's the problem: that is not a secure way of implementing PINs. http://nelenkov.blogspot.com/2...
The fact that the FBI can demand this from Apple and that we are even talking about it is a technical deficiency in Apple products; that's not going to get fixed by winning legal cases. Manufacturers like Apple need to fix their products, not engage in legal posturing.
Properly implemented, a 4 digit PIN is perfectly reasonable. The PIN is used to retrieve the actual encryption key from secure storage. If you give an attacker 3 tries, it means they get a 1:3000 chance of unlocking the phone, that's it. That's a reasonable risk. After that, the phone needs to disable the pin authentication method irrevocably and require a much longer password.
The problem is that for that to work, you need to guarantee that an attacker only gets three tries. That requires careful hardware and software design, but this is such a common problem that there are lots of secure, embedded processors that do this. Every modern phone has at least one of those processors inside a SIM card; Apple could use that. Alternatively, they could put a separate secure processor into their phones for this purpose; they are dirt cheap.
(By "update" I mean pushing any kind of software into the phone that can be used to decrypt, not just a regular iOS upgrade.)
Every phone with a SIM card has hardware for just this function: the SIM card itself.
You appear to labor under the misconception that the pin you use to access the phone is the password or key used for encrypting the data; it is not. Pins (or fingerprints) are merely identifiers you can use to identify yourself a small number of times to a secure piece of hardware; that secure piece of hardware holds the real key that's used for encrypting and decrypting your data. If you fail to identify yourself within a small number of tries with your pin, unlocking with pins needs to be disabled and the system needs to switch to a longer password-based or token-based decryption method that cannot be brute forced.
That "secure hardware" can either be the entire phone, or it can be a secure embedded processors. Most phones actually have a secure, embedded processor just for this purpose in their SIM card. And SIM card authentication works this way: you get a small number of trials with a PIN, and if you fail to enter that correctly three times, it switches to a longer PUK. Assuming the SIM card doesn't have hardware or software back doors, that's also secure against hardware attacks.
The issue isn't whether you have to reboot the phone, but whether you have to unlock it for the upgrade and how they implement the unlock count. This is complicated because there are many different ways of implementing it. But whichever way you look at it, a secure system must guarantee that no matter what an external user does, you get to try your pin combinations only 10 times before the system requires a full password.