Some places do. My former employer, which shall remain nameless, used swipe cards for access. There was talk of switching to RFID cards, but it was just about the time that the first vulnerability reports came out (little more than a year ago), and they apparently had someone who listened and decided that the system worked well enough as it was currently, and better not to mess with it. Either that, or the budget money evaporated. Choose whichever explanation you prefer.
But I think they're still using swipe cards, combined with actual human security guards, and a lot of cameras.
What does ImmuneID get you, that taking a conventional RFID card and putting it into a metallic badge holder wouldn't?
It seems like it's major feature is a 'safety' that keeps it from broadcasting or receiving, unless activated by skin contact. In other words, an on/off switch. Not a bad idea, but you could just as easily take a regular passive card, and put it into a metal case, and then take it out when it needs to be used.
Many people keep their cards in carrier-cases anyway (because they need to be removed to access magnetic strips that are also on them, or SmartCard contact pads, or because they want to put the card on a keychain or neck strap and can't punch holes in it), so all that needs to happen is these cases need to be made RF-tight.
Some other RFID devices -- like the EZ-Pass transponders used on highways -- come to the customer inside conductive, anti-static plastic bags. I'm not sure if they're effective enough to prevent 'subway cloning,' but it seems like a suitable conductive plastic could be developed pretty quickly if they're not.
Sure, you could make this a lot more secure, but it's not any worse than regular locks. It's basically the same as regular locks but with easy revocation.
And with a huge false sense of security. Oh, and it costs a lot more.
So, exactly what's the benefit again? Aside from the fact that employees can act all cool, by waving their badges at a sensor instead of sticking a metal piece in the door?
For the dollar value of the contracts they're working on, their profit margins are generally lower, overall, than similar outfits in the private-sector world. (That is, if you could really find an equivalent private sector company.) But they do a lot of work, and they basically know that the work's always going to be there.
Basically, it's just that 3% on a few billion a year is a lot better than 10% on a few million. They're not starving.
And not all government contracts are cost-plus. Most agencies won't let you work cost-plus or even time-and-materials for very long; they'll only run a short contract like that, and then switch it to firm-fixed-price.
In general, I have always found the USG to be niggardly about its cash, to the point of being penny-wise and pound-foolish; they hate spending money, and when they do spend it, it's generally on the wrong thing anyway.
I wasn't implying that it's all doom and gloom, what my point was, generally, was that if you don't like what corporations are doing, don't rail at the corporations, just change the profit structure to make the undesirable activity less profitable.
If you don't like people dumping toxic waste, make it riskier to do so (through increased enforcement), and make the loss greater in the event that you are caught (stiffer penalties). That's going to directly affect the economic decision to dump or not dump.
Rather than arguing about morality or ethics, I think it's more useful to just assume that all large organizations are going to be run by sociopaths, and build the laws to cope with it. If every once in a while, it turns out that one of them isn't, then all the better.
I couldn't find that, but you might find the statistics here interesting, they have a breakdown of coffee consumption in kg per year per capita, in various countries. The USA isn't anywhere near the top of the list. Those Northern Europeans are way ahead of us.
I suspect that their advertising budgets aren't as high, because in general coffee and other caffeine-based beverages don't have the image or PR problems that alcohol does. I doubt that alcohol producers spent much money on advertising, when anyone could buy their products, regardless of age, and there was no social stigma associated with drinking them at any time. A lot of alcohol advertising isn't necessarily the promotion of one product specifically (or isn't just the promotion of one brand or product) but is the promotion of the product in general. E.g. the Sam Adams commercial where a young guy and a few flunkies are at a business lunch with the big boss, and the young guy orders a beer, the flunkies order non-alcoholic drinks, and then the big boss decides to get a beer, too. In addition to just promoting the brand (Sam Adams), they're also promoting the whole concept of drinking beer in the middle of the day, in a business situation, which might or might not be thought of as appropriate. You don't run into that a lot with coffee. Nobody's going to get judgemental on you for drinking caffeine at any time of the day or night (well, although they might wonder about your sanity if it's 2AM). Coffee advertising is mostly about the promotion of one brand over another; it's internecine.
That doesn't really help or solve anything. The problem is that most of the right-of-ways are owned by the public (they run alongside roads or highways, etc.) or are actually on private property, which the government allows private companies to use, regardless of what the property owner thinks of it (e.g. the telephone company can put a pole or interface box on your lawn if it wants, and in most states there isn't shit you can do about it).
We don't want people going and digging stuff up all the time, and we also want to encourage the buildout of new networks, and also to make sure there's competition on the service level, so that one company doesn't monopolize. In order to have effective competition, the barriers to entry need to be as low as possible. Which would mean letting anyone who wants start laying fiber. But we don't want our roads dug up all the time, so the best solution anyone has come up with so far, is telling the first person who wants to lay fiber "okay, we'll let you use the right of ways, but you have to share the fiber you lay, either with us (the municipality) or another competitor that we designate." That allows another company that shows up later to compete, without having to re-dig everything.
Just mandating that they share the trenches isn't helpful, because then you've basically fixed the number of firms that are going to be in the market, as the firms that were around whenever the first one was ready to dig. If you're a smaller startup, later on, you're screwed. The trenches are all dug and filled in by then. At that point, you're just making it a first-takes-all game, where if you can get ready to lay fiber before your competitors have the capital raised, then you can corner the market in a particular area; that doesn't help the customers there any.
I think the suggestions of public funding for infrastructure construction are probably getting more and more appropriate. I wouldn't ever want to use a government-run ISP, because let's face it, as a service provider, the government sucks balls. But managing the construction of new infrastructure is a traditional role of government. Back in the last century, the government funded the construction of canals, and the economic benefit to the states they served, and to the country in general, was enormous. Recently, government funded the Interstate Highway system. I don't think that there's any reason why some sort of flexible, upgradable network for high speed data, wouldn't be the canals or interstates of the 21st century. The key is to get government to do the rough building, and then get them the hell out and get somebody (preferably multiple somebodys) in there to actually provide service, and pay rent back to the government until the investment is paid off.
Trying to mandate cooperation between companies that are naturally in competition with each other just seems doomed to failure; the solution seems to be to create someone else to build the infrastructure itself, and not let any of them control it.
Lucky little bastards. In my day, we had to buy our own drugs, at great risk and expense! Nowadays it's all Mommy and Daddy and the health insurance. Bah.
I think part of the reason for this (besides the obvious penis-length contest, which is definitely true -- IIRC what's important isn't what's printed on the cards so much as the color, e.g. white for USG employees, pink for contractors, etc.) is because you're told in security training to always keep the cards on your person, and not put them in a laptop bag / briefcase / purse. So people keep them hanging near their keys at home and put them on as they're leaving.
You really wouldn't want to encourage people to put them away, because they'd probably put them in purses or briefcases, and lose them, or put them in wallets and get them stolen (or read just as easily), and it would also defeat the physical-security purpose of the cards, which is to act as an ID badge when you're in a secure facility.
I think the solution is just to issue everyone a metallic container, which slips over the card and covers the portion of it that contains the antenna. Maybe you could even design one that would reveal (through a clear front) the name and picture of the bearer, but cover the back of the card and keep it from being read.
Most people keep their access cards in little clear-plastic holders anyway (because the new USG computer systems require you to jack the card into the keyboard in order to log in), so stepping up to some sort of metal one wouldn't be that big a deal, and it would prevent a lot of card-cloning/warscanning attacks.
Actually no, we didn't. Obeying the law is not a requirement for any corporation as the "fines" levied from breaking any laws is simply the cost of doing business. If the profit gained by an action outweighs the consequences of legal action, then any legal punishment in the form of fines is the cost of doing business and "good for the shareholders".
Bingo. I don't know why people get their panties in so much of a bunch over what corporations do. They're almost always utterly predictable. The only times when they aren't predictable, is when they're dominated by a particular personality, and then they tend to take on the irrationalisms (for better or worse) of the controlling person.
But most major corporations, run by boards of directors and their appointees, will do whatever is profitable based on the information and best-guess assessments that they have available. They will do this without regard to Law or really to Ethics, except insofar as those feed into the risk/benefit decisions.
I have no doubt that if the enforcement of laws against organ harvesting was lax enough, to the point where a person could expect to get away with it, corporations would probably get into that business, too. It's a straightforward calculation: what is the risk of getting caught, times the consequences of getting caught, and is that greater or less than the chances of succeeding, times the possible payout. If the latter exceeds the former, and it's greater than the opportunity cost, then the corporation does it. (And if they don't, someone else will. There's no such thing as universal ethics; you can always find somebody who'll "go there" regardless of how repugnant the opportunity for profit might be.)
You can look at an illegal act in the same way that an insurance company might approach a significant new risk: what are the odds of the insured-against action happening, and what would we have to pay out if that happened, so what should we charge in premiums? Except in the acting-illegally case, the "premiums" are what you'd need to expect you'd be able to get out of doing the illegal act, in order to make it, on average, worth doing.
So when you see a corporation dumping toxic waste, don't bother being surprised. Somebody, somewhere, did a calculation (either literally or figuratively), and decided that the potential gain of the dumping, even when the risk of getting caught was factored into it, was profitable.
As corporations get bigger and bigger, this is only going to become more apparent. If a major multinational corporation breaks some laws, it's probably not going to end the company. In the future, it could get to a point where they're so much bigger than governments, that no amount of illegal action would ever be 'fatal,' and thus they would follow the risk/benefit calculations even more closely, because they'd be able to more easily afford getting caught every once in a while (in the same way that a larger insurance company can sometimes offer lower premiums, because they're bigger and can absorb more risk).
Or by high priced did you mean things closer to the Apache than a Cadillac?
I meant more on the Apache end of the spectrum. Though I've worked with some robotics and industrial equipment from that timeframe that was more Cadillac-like in its cost, that came with detailed manuals. I'm trying to think of some specific examples that would have been mass produced... I think some HP/Tektronix (guessing here; could be wrong on the brands) test equipment might have. And going further back than the 70s and 80s, I have seen a lot of pre-IC test equipment that used to have detailed schematics of the entire device, usually in the repair manuals, which is sort of the analog analog (sorry, I had to say it) of source code. (Heck, if you go back far enough you used to get consumer electronics, radios and TVs, with full schematics and circuit diagrams.)
I think the difference has to do with the perceived capabilities of the end users. Where the users are people without a whole lot of technical background and equipment (average folks, most mechanics), there never was any thought given to source code or full schematics. But where the users were scientists and engineers, who might have the capability of digging in and modifying or repairing something at that individual part / microcode level, the information was provided. Today, there seems to be the assumption made now, that nobody would ever want to mess with the software at that level (which of course is provably false, as lots of consumer-hardware-hacking has demonstrated). Unfortunately, it's a self-fulfilling prophesy: when you don't give the users that low-level information, it's much tougher to modify gear, and in time people forget that they ever could.
I haven't bought any big-ticket test equipment, or really used any, that was manufactured recently, so I don't know what the policy is now. I've heard that Tektronix in particular has fairly relaxed stances on users republishing/copying their manuals, but I don't know if even the repair/service manuals contain the same sort of information that they used to. I highly doubt it.
Most sound effects / recordings of gunshots aren't accurate representations of the sound (aka, air pressure waves) produced when a gun actually goes off. They're more of an artists' interpretation of what the human mind thinks that a gun sounds like, based on what we remember them sounding like after we've heard one.
Most speakers can't accurately reproduce a gunshot, because they can't move enough air at one time to create the pressure wave. They play something that's more of a "boom," when in reality a gunshot is a sharp "crack" (followed by reverberations / reflections from the room or surrounding objects). Not being able to play the initial 'crack' very well, they over-emphasize the reverberations.
A 'gunshot sensor' would probably be a microphone or microphone-like device that was purposely de-sensitized so that it only received particularly loud, sharp sounds. You might be able to fool it with something explosive (like dry ice and water in a soda bottle), or where there was a significant release of pressure (car backfire), but most sound-reproduction systems wouldn't cut it -- they don't move that much air at once. Even with things like backfiring and explosions, you could probably filter them out if you wanted to, because I doubt they're the same when you really look at the waveforms (I suspect that the high pressure escaping from the small aperture of a gun's muzzle makes a very distinct sound from a car backfiring through the 1-2" muffler), even though they sound the same to a person, because we're not good at discriminating very loud, sharp sounds.
OT: I wonder what a nearby lightning strike "sounds" like to a microphone with the capacity to accurately measure the maximum amplitude of the sound?
The value provided in a hypothetical P2P service offered by the movie theaters is greater than just the content that it provides.
Should read: The value provided in a hypothetical P2P service offered by the movie studios is greater than just the content that it provides.
The theaters obviously don't own the back-catalog, so their ability to offer such a service would be minimal. (Although, some theaters are owned by studios, but that's not what I was getting at.)
Sure, but even if a release group grabbed all the content, it would be difficult for them to duplicate the service.
The value provided in a hypothetical P2P service offered by the movie theaters is greater than just the content that it provides. It's about having all that content right there, waiting for you, with a predictable quality, all nicely sorted and reviewed, perhaps recommended to you by a nice Amazon or NetFlix-like smart system.
The value is in the service, in the aggregation, organization, and presentation of the data, not in the data itself.
Think of it like a newsfeed or wire service. You can get most of the same information elsewhere, but what you pay for is the constant feed of new information, that's tailored to your needs, in a consistent format and with some guarantee (hopefully) of minimum quality.
The movie studios are sitting on top of a gold mine in their back catalogs. Even though the value of each movie in the catalog might be low, and might not get many downloads, they would be able to advertise to customers that they'd have access to a vast repository of movies (anyone remember that commercial for one of the big telcos -- I think it was Lucent -- where a guy is standing in a seedy hotel talking to the clerk, and asks what they have on cable, and the clerk says 'every movie ever made'?) without screwing around with shady overseas sites or downloading a film only to find out afterwards that it's a shitty screener, or has foreign subtitles, etc. That service would have value, which people would pay to subscribe to, particularly if the movies themselves didn't have DRM and there wasn't an obvious lock-in. People would pay, and keep paying, for the same reason they pay for NetFlix and the Internet in general -- once you've drunk from a really fat pipe and seen what it's like to have instant access to vast amounts of info, it's tough to ever go back.
Absolutely it does. Which probably made the Apache a poor example, although if you go back into the 70s and 80s, it wasn't considered that strange to get a big book or binder of source code when you bought (high priced) items with embedded programming. The expectation that a company would sell you stuff with programming inside, and that you're expected not to wonder what it's doing, is fairly new. Getting the source code would make me feel a little better, but you're still depending on the object code on the chip being the same as the source code that you have in the binder, and that the code in the binder does what it appears to do (and isn't obfuscated as to its actual purpose). And if only a limited number of outside parties have ever had access to the code, the chances that it's really been audited well are low.
As you pile together more and more code, and perhaps more importantly, as you aggregate disparate systems together into uber-systems that aren't tasked with a single specific purpose, they become harder to test and verify. Even if you could get the source code, going line-by-line through Windows (or any other major closed-source OS) wouldn't be practical. In a dedicated engine management unit, it might be practical to step through the microcode (although depending on the complexity of the implementation that's not guaranteed). The increased complexity of integrated systems brings danger and increased opportunities for what effectively represents sabotage. Also, the number of sensors and inputs that the system interfaces with is a direct part of it's risk, since each sensor that it interfaces with at a low level (without being passed through a trusted system, e.g. 'bare metal') would be a possible vector for a killswitch command.
Since several people have brought up Iran, I think the important point there isn't that they're failing to keep their fighter fleet operational now, years after the U.S. cut them off, but that they have managed to keep it operational for as long as they have, through cannibalization and reverse-engineering. I'm sure the CIA would prefer if they hadn't been able to get any of them off the ground at all, once the Revolution happened; or better yet, if they had all power-dived into the desert at a few hundred miles an hour the first time they'd tried. With a potential "next generation" (well, maybe like 3 or 4 generations) fighter, where everything was computerized and managed by a single master system that interfaced with everything, from engine management to avionics to ECW to weapons, they never would have been able to do what they did. The system could just refuse to use spare parts taken from any other aircraft, or just brick itself on receiving some special command from a US satellite (received through, say, the targeting radar's receiver, rather than a specialized one, so it would be difficult to remove or disable). While this would be preferable for the US, any country buying any type of military system ought to put itself in the shoes of Iran, and consider how long it could keep things going if relations soured. Their current assumptions -- namely that systems would function until rendered unoperable due to lack of spares; a fairly simple logistics-management calculation -- might be pretty far from the truth.
Yes, but what I'm saying is that there's an assumption there, that Windows won't be worse, which seems backed up by scant evidence. The fact that the systems currently in place do strange things doesn't say anything about how Windows (or anything else) is going to work in its place. It's just being assumed that Windows will suck less, and having seen how much Windows-based custom systems can suck, I find this assumption to be suspicious at best.
There are a lot of ways that a compromised OS kernel could cause problems. It's never in complete isolation from the outside world.
Specific vulnerabilities would depend on function, but if you're designing a backdoor, you can certainly find a way to trigger it that doesn't depend on a network connection. Particularly if you have access to the device drivers and stuff at the same time, you could figure out a way to trigger the backdoor through a device that's not normally assumed to be a security threat.
It's just not the sort of thing you'd want to bet on; you're letting somebody else, presumably untrustworthy, write and compile the kernel code that runs on the bare metal. From that point onwards, you can't trust anything that the computer does. Unless you're keeping it inside a walled VM and inspecting every bit of data that it gets passed, you're vulnerable (and even then, you're just pitting yourself against the people trying to pass it some specially-crafted data to trigger the exploit).
Given Britain exports a lot of defence technology, use of foreign machenary is not that big a problem to many nations
Buying machinery is one thing; software is quite another. With a machine, even a fairly complicated one, you can with enough effort, understand what's going on inside it.
Say you have an Apache helicopter. When you buy that helicopter, you also buy training. Not only do you send the pilots in for training, but you also send all of the maintenance people, pad crews, etc. They learn how to service it, tear-down the engines, etc. So what you get back is far from just the machine, you get a machine, and a crew who (ought to) basically understands it. And if you really want to understand it, if you're any country worth discussing, you ought to have at least a few engineers who could spend a few weeks figuring out key parts.
But with software, you're buying a true black box. You're being handed something (which, if every line of code was the size of a watch-gear, would probably be as big as a trailer truck) that you cannot have any significant insight into the workings of. You have no idea how it really works, or what it's truly programmed to do.
With a machine, you can tear the thing apart on receipt and make sure there's nothing suspect in there; no bombs or homing beacons, etc. You really can't do that with a large piece of precompiled software. You are totally at the mercy of the people who built it; you're taking them at their word that they haven't backdoored it.
And for what it's worth, if I were the CIA in the U.S., you'd bet I'd be leaning on Microsoft to seriously backdoor every piece of software that it sold for military purposes abroad. To them, it's a perfect way to prevent resale to folks that we don't like (or later decide we don't like). Sure, we're friends with the British, but what if the British in 10 years sell a destroyer to the South Africans, who sell it to the Egyptians, who sell it to the Iranians? Suddenly, a way of making it go dead in the water would come in handy. You'd better bet that the folks in Langley, who are paid to be paranoid, have thought about this, too.
Software is inherently different than physical machinery, because while physical devices can be taken apart and investigated, and follow basically well-understood rules (physics, chemistry, etc.), software does not. A large binary blob is as close to indecipherable as a functional object can get, and there's really no way to secure it. It is an inherent risk, and one that I'm not sure many established militaries are putting enough thought into.
You'd know that Win2k, however bad, is far better than what they have now.
I find this hard to believe. This sounds like something that you'd hear from someone who had already decided to upgrade.
Their current system works; therefore, it is inherently superior to any new, unproven, new system. There should be a huge barrier to upgrading with anything, because you're replacing a devil you know with a devil you don't. The new system should have to have demonstrated credentials in other similar situations, proving that it's at least as capable as what it's replacing. Things like ease-of-use and training should all fall under the system's core purpose.
I've seen companies replace "legacy" systems because some manager walked out onto the production floor / cube-pit and was horrified to see green-screen terminals sitting around. To them, terminals = old, old = bad, end of discussion. So they would come up with reasons to upgrade, and say things like 'well, it couldn't be worse than what we have!' with complete neglect for the fact that the old systems, by virtue of having been there for a long time, clearly did their job.
And, bottom line, it's a lot easier to train someone on a complicated green-screen system that always works, than on an unpredictable new system, where you have a ton of gotchas and error modes. Generally, once you get everything worked out, and people know what things they just can't do because it'll crash the system, you haven't really simplified anything. I have personally seen tens of millions of dollars wasted on 'upgrades' like this, where the result was so much worse than the beginning, that it immediately rolled into a new cycle of upgrades -- the executives believing, like deranged poker players, that as long as they had tossed that many millions into the pot, that they would surely solve it with a few million more.
This sounds like the same thing is happening; someone freaked because the equipment and software is old, but didn't realize that there's no logical reason why something that's old is necessarily bad, if it's still doing it's job. "Anything is better than this" is always false if what you have right now gets you through the day and does its job. Unless the system you're implementing has a strong track record of doing the same job elsewhere, you have nothing besides a salesman's promise that it's going to be better. And remember: at the end of the job, that salesman is going to disappear, and you're going to be stuck using whatever is left.
Realistically, how else do you propose to sell stuff over a P2P network?
This comes up every time there's a thread about the new "legit" BitTorrent service. I don't think it's possible. If this service attracts enough attention, the DRM is going to be bypassed. I doubt it's even going to be that hard, because the nature of P2P services makes end-to-end DRM impossible. So not only do you have the inherent flaws in the DRM system you choose, but you also have an inherent incompatibility between the DRM (which makes every user's file different) and P2P distribution, which depends on many users wanting files that are bit-for-bit identical with each other.
There's no good way to do both. They can layer on the encryption but it's nothing but turd polish; the data that's coming down the wire from the other clients has to be encrypted on a non-per-user basis (perhaps a per-file basis), and then the application of the per-user DRM needs to be done in the client. Which means the layer of encryption that presumably protected it in transit needs to be removed. So if you can play spot-the-key, and grab the per-file key as the client program decrypts it in preparation for applying the per-user DRM encryption, you can get a key that lets everyone decrypt the file.
In short, you cannot sell content via a service like this. Not going to happen in the long run, I think. What you probably could do, is sell access to the network, where the value is in the subscription to the content and not in the content itself per se. (Of course the movie studios would hate that, since they want to think of each movie "copy" sold as a revenue source.)
Looking forward, the future of services is to market the services and the access, rather than the content. Digitization and the resulting ease of copying makes it nearly impossible to sell pieces of information as distinct products, like aspirin tablets, in the same way that the content producers have grown used to. The game is up, it's just not going to work any more; they're fighting against inherent problems with DRM, inherent problems with P2P distribution, and inherent problems with the nonconservative nature of information.
However, what you can sell, is the access to a large repository or service which lets you access a lot of information in an organized and reliable manner. That represents a value to the customer, above and beyond just getting ahold of the movies/books/articles/whatever themselves. If a customer just wants to watch a single movie, say Pirates of the Caribbean, they can just go download a pirated copy. They are always going to be able to go and download a pirated copy. As long as the studios and "legit" alternatives mess around with DRM, it is always going to be easier for them to go download a pirated copy. However, what the studios could sell, would be instantaneous access to all the films ever made by Hollywood in the past century. Doing that -- putting together the database, organizing everything, providing a method of distribution, etc. -- is a value that's separate from the movies themselves, and the organization and logistics aren't readily copied. That wouldn't even require DRM; it wouldn't be practical for an end-user to copy more than a tiny fraction of the available material, so there's no risk. It's like a cable company and your VCR: the amount of content you can tape is never going to compete with the amount of content that's being pushed down to you all the time (I'd need to have 600+ VCRs running continuously in order to capture what Comcast pushes to me). Without DRM, you can use P2P to distribute without layers of useless encryption. To monetize it, you sell access to the network (the network is managed by a central server that tells clients where seeds and other clients are -- you don't pay, it doesn't tell you).
People don't want to buy content, they want to buy access to streams of content; they don't want to buy data, they want access to repositories of data that contain more stuff than t
Re:Could this be avoided?
on
Tor Open To Attack
·
· Score: 3, Interesting
Well, if they knew the access point you were using (based on the IP address, which they'd then take to the ISP and demand to know the customer address), they'd just go down there and sniff packets for your MAC address. It's fairly trivial at that point to determine the direction that the radio signals are coming from. (There are guys that do it as a hobby.)
Probably your best bet would be to use a spoofed MAC address, and change both the AP you connect to, the MAC address you report, and the PC's physical location, on a regular and frequent basis. That would make it difficult to determine whether you were a single location that's moving a lot and using different MAC addresses, or were multiple computers each just using the AP periodically.
Still, there's no foolproof way to avoid discovery against an omnipotent adversary.
The military and secretive NSA operations do not care about you or your open source proxy software. Stop trying to make yourself feel special by writing convoluted conspiracy theories.
No, but the Chinese equivalent of the FBI probably cares a lot about what its citizens are doing on the net, and the ability of users living under hostile regimes to get unfettered network access is one of the goals of projects like Tor.
Slashdot Mirror
Some places do. My former employer, which shall remain nameless, used swipe cards for access. There was talk of switching to RFID cards, but it was just about the time that the first vulnerability reports came out (little more than a year ago), and they apparently had someone who listened and decided that the system worked well enough as it was currently, and better not to mess with it. Either that, or the budget money evaporated. Choose whichever explanation you prefer.
But I think they're still using swipe cards, combined with actual human security guards, and a lot of cameras.
What does ImmuneID get you, that taking a conventional RFID card and putting it into a metallic badge holder wouldn't?
It seems like it's major feature is a 'safety' that keeps it from broadcasting or receiving, unless activated by skin contact. In other words, an on/off switch. Not a bad idea, but you could just as easily take a regular passive card, and put it into a metal case, and then take it out when it needs to be used.
Many people keep their cards in carrier-cases anyway (because they need to be removed to access magnetic strips that are also on them, or SmartCard contact pads, or because they want to put the card on a keychain or neck strap and can't punch holes in it), so all that needs to happen is these cases need to be made RF-tight.
Some other RFID devices -- like the EZ-Pass transponders used on highways -- come to the customer inside conductive, anti-static plastic bags. I'm not sure if they're effective enough to prevent 'subway cloning,' but it seems like a suitable conductive plastic could be developed pretty quickly if they're not.
What does it say about our current lifestyle when even the bees are over stressed?
That we need to make smaller Prozac pills?
Sure, you could make this a lot more secure, but it's not any worse than regular locks. It's basically the same as regular locks but with easy revocation.
And with a huge false sense of security. Oh, and it costs a lot more.
So, exactly what's the benefit again? Aside from the fact that employees can act all cool, by waving their badges at a sensor instead of sticking a metal piece in the door?
For the dollar value of the contracts they're working on, their profit margins are generally lower, overall, than similar outfits in the private-sector world. (That is, if you could really find an equivalent private sector company.) But they do a lot of work, and they basically know that the work's always going to be there.
Basically, it's just that 3% on a few billion a year is a lot better than 10% on a few million. They're not starving.
And not all government contracts are cost-plus. Most agencies won't let you work cost-plus or even time-and-materials for very long; they'll only run a short contract like that, and then switch it to firm-fixed-price.
In general, I have always found the USG to be niggardly about its cash, to the point of being penny-wise and pound-foolish; they hate spending money, and when they do spend it, it's generally on the wrong thing anyway.
I wasn't implying that it's all doom and gloom, what my point was, generally, was that if you don't like what corporations are doing, don't rail at the corporations, just change the profit structure to make the undesirable activity less profitable.
If you don't like people dumping toxic waste, make it riskier to do so (through increased enforcement), and make the loss greater in the event that you are caught (stiffer penalties). That's going to directly affect the economic decision to dump or not dump.
Rather than arguing about morality or ethics, I think it's more useful to just assume that all large organizations are going to be run by sociopaths, and build the laws to cope with it. If every once in a while, it turns out that one of them isn't, then all the better.
I couldn't find that, but you might find the statistics here interesting, they have a breakdown of coffee consumption in kg per year per capita, in various countries. The USA isn't anywhere near the top of the list. Those Northern Europeans are way ahead of us.
h tm
http://www.coffeeresearch.org/market/consumption.
I suspect that their advertising budgets aren't as high, because in general coffee and other caffeine-based beverages don't have the image or PR problems that alcohol does. I doubt that alcohol producers spent much money on advertising, when anyone could buy their products, regardless of age, and there was no social stigma associated with drinking them at any time. A lot of alcohol advertising isn't necessarily the promotion of one product specifically (or isn't just the promotion of one brand or product) but is the promotion of the product in general. E.g. the Sam Adams commercial where a young guy and a few flunkies are at a business lunch with the big boss, and the young guy orders a beer, the flunkies order non-alcoholic drinks, and then the big boss decides to get a beer, too. In addition to just promoting the brand (Sam Adams), they're also promoting the whole concept of drinking beer in the middle of the day, in a business situation, which might or might not be thought of as appropriate. You don't run into that a lot with coffee. Nobody's going to get judgemental on you for drinking caffeine at any time of the day or night (well, although they might wonder about your sanity if it's 2AM). Coffee advertising is mostly about the promotion of one brand over another; it's internecine.
That doesn't really help or solve anything. The problem is that most of the right-of-ways are owned by the public (they run alongside roads or highways, etc.) or are actually on private property, which the government allows private companies to use, regardless of what the property owner thinks of it (e.g. the telephone company can put a pole or interface box on your lawn if it wants, and in most states there isn't shit you can do about it).
We don't want people going and digging stuff up all the time, and we also want to encourage the buildout of new networks, and also to make sure there's competition on the service level, so that one company doesn't monopolize. In order to have effective competition, the barriers to entry need to be as low as possible. Which would mean letting anyone who wants start laying fiber. But we don't want our roads dug up all the time, so the best solution anyone has come up with so far, is telling the first person who wants to lay fiber "okay, we'll let you use the right of ways, but you have to share the fiber you lay, either with us (the municipality) or another competitor that we designate." That allows another company that shows up later to compete, without having to re-dig everything.
Just mandating that they share the trenches isn't helpful, because then you've basically fixed the number of firms that are going to be in the market, as the firms that were around whenever the first one was ready to dig. If you're a smaller startup, later on, you're screwed. The trenches are all dug and filled in by then. At that point, you're just making it a first-takes-all game, where if you can get ready to lay fiber before your competitors have the capital raised, then you can corner the market in a particular area; that doesn't help the customers there any.
I think the suggestions of public funding for infrastructure construction are probably getting more and more appropriate. I wouldn't ever want to use a government-run ISP, because let's face it, as a service provider, the government sucks balls. But managing the construction of new infrastructure is a traditional role of government. Back in the last century, the government funded the construction of canals, and the economic benefit to the states they served, and to the country in general, was enormous. Recently, government funded the Interstate Highway system. I don't think that there's any reason why some sort of flexible, upgradable network for high speed data, wouldn't be the canals or interstates of the 21st century. The key is to get government to do the rough building, and then get them the hell out and get somebody (preferably multiple somebodys) in there to actually provide service, and pay rent back to the government until the investment is paid off.
Trying to mandate cooperation between companies that are naturally in competition with each other just seems doomed to failure; the solution seems to be to create someone else to build the infrastructure itself, and not let any of them control it.
If we are going to talk about drugs that are mass marketed, we might as well go for the big one.
Caffeine?
Lucky little bastards. In my day, we had to buy our own drugs, at great risk and expense! Nowadays it's all Mommy and Daddy and the health insurance. Bah.
I think part of the reason for this (besides the obvious penis-length contest, which is definitely true -- IIRC what's important isn't what's printed on the cards so much as the color, e.g. white for USG employees, pink for contractors, etc.) is because you're told in security training to always keep the cards on your person, and not put them in a laptop bag / briefcase / purse. So people keep them hanging near their keys at home and put them on as they're leaving.
You really wouldn't want to encourage people to put them away, because they'd probably put them in purses or briefcases, and lose them, or put them in wallets and get them stolen (or read just as easily), and it would also defeat the physical-security purpose of the cards, which is to act as an ID badge when you're in a secure facility.
I think the solution is just to issue everyone a metallic container, which slips over the card and covers the portion of it that contains the antenna. Maybe you could even design one that would reveal (through a clear front) the name and picture of the bearer, but cover the back of the card and keep it from being read.
Most people keep their access cards in little clear-plastic holders anyway (because the new USG computer systems require you to jack the card into the keyboard in order to log in), so stepping up to some sort of metal one wouldn't be that big a deal, and it would prevent a lot of card-cloning/warscanning attacks.
Actually no, we didn't. Obeying the law is not a requirement for any corporation as the "fines" levied from breaking any laws is simply the cost of doing business. If the profit gained by an action outweighs the consequences of legal action, then any legal punishment in the form of fines is the cost of doing business and "good for the shareholders".
Bingo. I don't know why people get their panties in so much of a bunch over what corporations do. They're almost always utterly predictable. The only times when they aren't predictable, is when they're dominated by a particular personality, and then they tend to take on the irrationalisms (for better or worse) of the controlling person.
But most major corporations, run by boards of directors and their appointees, will do whatever is profitable based on the information and best-guess assessments that they have available. They will do this without regard to Law or really to Ethics, except insofar as those feed into the risk/benefit decisions.
I have no doubt that if the enforcement of laws against organ harvesting was lax enough, to the point where a person could expect to get away with it, corporations would probably get into that business, too. It's a straightforward calculation: what is the risk of getting caught, times the consequences of getting caught, and is that greater or less than the chances of succeeding, times the possible payout. If the latter exceeds the former, and it's greater than the opportunity cost, then the corporation does it. (And if they don't, someone else will. There's no such thing as universal ethics; you can always find somebody who'll "go there" regardless of how repugnant the opportunity for profit might be.)
You can look at an illegal act in the same way that an insurance company might approach a significant new risk: what are the odds of the insured-against action happening, and what would we have to pay out if that happened, so what should we charge in premiums? Except in the acting-illegally case, the "premiums" are what you'd need to expect you'd be able to get out of doing the illegal act, in order to make it, on average, worth doing.
So when you see a corporation dumping toxic waste, don't bother being surprised. Somebody, somewhere, did a calculation (either literally or figuratively), and decided that the potential gain of the dumping, even when the risk of getting caught was factored into it, was profitable.
As corporations get bigger and bigger, this is only going to become more apparent. If a major multinational corporation breaks some laws, it's probably not going to end the company. In the future, it could get to a point where they're so much bigger than governments, that no amount of illegal action would ever be 'fatal,' and thus they would follow the risk/benefit calculations even more closely, because they'd be able to more easily afford getting caught every once in a while (in the same way that a larger insurance company can sometimes offer lower premiums, because they're bigger and can absorb more risk).
Or by high priced did you mean things closer to the Apache than a Cadillac?
... I think some HP/Tektronix (guessing here; could be wrong on the brands) test equipment might have. And going further back than the 70s and 80s, I have seen a lot of pre-IC test equipment that used to have detailed schematics of the entire device, usually in the repair manuals, which is sort of the analog analog (sorry, I had to say it) of source code. (Heck, if you go back far enough you used to get consumer electronics, radios and TVs, with full schematics and circuit diagrams.)
I meant more on the Apache end of the spectrum. Though I've worked with some robotics and industrial equipment from that timeframe that was more Cadillac-like in its cost, that came with detailed manuals. I'm trying to think of some specific examples that would have been mass produced
I think the difference has to do with the perceived capabilities of the end users. Where the users are people without a whole lot of technical background and equipment (average folks, most mechanics), there never was any thought given to source code or full schematics. But where the users were scientists and engineers, who might have the capability of digging in and modifying or repairing something at that individual part / microcode level, the information was provided. Today, there seems to be the assumption made now, that nobody would ever want to mess with the software at that level (which of course is provably false, as lots of consumer-hardware-hacking has demonstrated). Unfortunately, it's a self-fulfilling prophesy: when you don't give the users that low-level information, it's much tougher to modify gear, and in time people forget that they ever could.
I haven't bought any big-ticket test equipment, or really used any, that was manufactured recently, so I don't know what the policy is now. I've heard that Tektronix in particular has fairly relaxed stances on users republishing/copying their manuals, but I don't know if even the repair/service manuals contain the same sort of information that they used to. I highly doubt it.
Most sound effects / recordings of gunshots aren't accurate representations of the sound (aka, air pressure waves) produced when a gun actually goes off. They're more of an artists' interpretation of what the human mind thinks that a gun sounds like, based on what we remember them sounding like after we've heard one.
Most speakers can't accurately reproduce a gunshot, because they can't move enough air at one time to create the pressure wave. They play something that's more of a "boom," when in reality a gunshot is a sharp "crack" (followed by reverberations / reflections from the room or surrounding objects). Not being able to play the initial 'crack' very well, they over-emphasize the reverberations.
A 'gunshot sensor' would probably be a microphone or microphone-like device that was purposely de-sensitized so that it only received particularly loud, sharp sounds. You might be able to fool it with something explosive (like dry ice and water in a soda bottle), or where there was a significant release of pressure (car backfire), but most sound-reproduction systems wouldn't cut it -- they don't move that much air at once. Even with things like backfiring and explosions, you could probably filter them out if you wanted to, because I doubt they're the same when you really look at the waveforms (I suspect that the high pressure escaping from the small aperture of a gun's muzzle makes a very distinct sound from a car backfiring through the 1-2" muffler), even though they sound the same to a person, because we're not good at discriminating very loud, sharp sounds.
OT: I wonder what a nearby lightning strike "sounds" like to a microphone with the capacity to accurately measure the maximum amplitude of the sound?
The value provided in a hypothetical P2P service offered by the movie studios is greater than just the content that it provides.
The theaters obviously don't own the back-catalog, so their ability to offer such a service would be minimal. (Although, some theaters are owned by studios, but that's not what I was getting at.)
Sure, but even if a release group grabbed all the content, it would be difficult for them to duplicate the service.
The value provided in a hypothetical P2P service offered by the movie theaters is greater than just the content that it provides. It's about having all that content right there, waiting for you, with a predictable quality, all nicely sorted and reviewed, perhaps recommended to you by a nice Amazon or NetFlix-like smart system.
The value is in the service, in the aggregation, organization, and presentation of the data, not in the data itself.
Think of it like a newsfeed or wire service. You can get most of the same information elsewhere, but what you pay for is the constant feed of new information, that's tailored to your needs, in a consistent format and with some guarantee (hopefully) of minimum quality.
The movie studios are sitting on top of a gold mine in their back catalogs. Even though the value of each movie in the catalog might be low, and might not get many downloads, they would be able to advertise to customers that they'd have access to a vast repository of movies (anyone remember that commercial for one of the big telcos -- I think it was Lucent -- where a guy is standing in a seedy hotel talking to the clerk, and asks what they have on cable, and the clerk says 'every movie ever made'?) without screwing around with shady overseas sites or downloading a film only to find out afterwards that it's a shitty screener, or has foreign subtitles, etc. That service would have value, which people would pay to subscribe to, particularly if the movies themselves didn't have DRM and there wasn't an obvious lock-in. People would pay, and keep paying, for the same reason they pay for NetFlix and the Internet in general -- once you've drunk from a really fat pipe and seen what it's like to have instant access to vast amounts of info, it's tough to ever go back.
Does that software not trouble you at all?
Absolutely it does. Which probably made the Apache a poor example, although if you go back into the 70s and 80s, it wasn't considered that strange to get a big book or binder of source code when you bought (high priced) items with embedded programming. The expectation that a company would sell you stuff with programming inside, and that you're expected not to wonder what it's doing, is fairly new. Getting the source code would make me feel a little better, but you're still depending on the object code on the chip being the same as the source code that you have in the binder, and that the code in the binder does what it appears to do (and isn't obfuscated as to its actual purpose). And if only a limited number of outside parties have ever had access to the code, the chances that it's really been audited well are low.
As you pile together more and more code, and perhaps more importantly, as you aggregate disparate systems together into uber-systems that aren't tasked with a single specific purpose, they become harder to test and verify. Even if you could get the source code, going line-by-line through Windows (or any other major closed-source OS) wouldn't be practical. In a dedicated engine management unit, it might be practical to step through the microcode (although depending on the complexity of the implementation that's not guaranteed). The increased complexity of integrated systems brings danger and increased opportunities for what effectively represents sabotage. Also, the number of sensors and inputs that the system interfaces with is a direct part of it's risk, since each sensor that it interfaces with at a low level (without being passed through a trusted system, e.g. 'bare metal') would be a possible vector for a killswitch command.
Since several people have brought up Iran, I think the important point there isn't that they're failing to keep their fighter fleet operational now, years after the U.S. cut them off, but that they have managed to keep it operational for as long as they have, through cannibalization and reverse-engineering. I'm sure the CIA would prefer if they hadn't been able to get any of them off the ground at all, once the Revolution happened; or better yet, if they had all power-dived into the desert at a few hundred miles an hour the first time they'd tried. With a potential "next generation" (well, maybe like 3 or 4 generations) fighter, where everything was computerized and managed by a single master system that interfaced with everything, from engine management to avionics to ECW to weapons, they never would have been able to do what they did. The system could just refuse to use spare parts taken from any other aircraft, or just brick itself on receiving some special command from a US satellite (received through, say, the targeting radar's receiver, rather than a specialized one, so it would be difficult to remove or disable). While this would be preferable for the US, any country buying any type of military system ought to put itself in the shoes of Iran, and consider how long it could keep things going if relations soured. Their current assumptions -- namely that systems would function until rendered unoperable due to lack of spares; a fairly simple logistics-management calculation -- might be pretty far from the truth.
+1 Priceless.
Yes, but what I'm saying is that there's an assumption there, that Windows won't be worse, which seems backed up by scant evidence. The fact that the systems currently in place do strange things doesn't say anything about how Windows (or anything else) is going to work in its place. It's just being assumed that Windows will suck less, and having seen how much Windows-based custom systems can suck, I find this assumption to be suspicious at best.
There are a lot of ways that a compromised OS kernel could cause problems. It's never in complete isolation from the outside world.
Specific vulnerabilities would depend on function, but if you're designing a backdoor, you can certainly find a way to trigger it that doesn't depend on a network connection. Particularly if you have access to the device drivers and stuff at the same time, you could figure out a way to trigger the backdoor through a device that's not normally assumed to be a security threat.
It's just not the sort of thing you'd want to bet on; you're letting somebody else, presumably untrustworthy, write and compile the kernel code that runs on the bare metal. From that point onwards, you can't trust anything that the computer does. Unless you're keeping it inside a walled VM and inspecting every bit of data that it gets passed, you're vulnerable (and even then, you're just pitting yourself against the people trying to pass it some specially-crafted data to trigger the exploit).
Given Britain exports a lot of defence technology, use of foreign machenary is not that big a problem to many nations
Buying machinery is one thing; software is quite another. With a machine, even a fairly complicated one, you can with enough effort, understand what's going on inside it.
Say you have an Apache helicopter. When you buy that helicopter, you also buy training. Not only do you send the pilots in for training, but you also send all of the maintenance people, pad crews, etc. They learn how to service it, tear-down the engines, etc. So what you get back is far from just the machine, you get a machine, and a crew who (ought to) basically understands it. And if you really want to understand it, if you're any country worth discussing, you ought to have at least a few engineers who could spend a few weeks figuring out key parts.
But with software, you're buying a true black box. You're being handed something (which, if every line of code was the size of a watch-gear, would probably be as big as a trailer truck) that you cannot have any significant insight into the workings of. You have no idea how it really works, or what it's truly programmed to do.
With a machine, you can tear the thing apart on receipt and make sure there's nothing suspect in there; no bombs or homing beacons, etc. You really can't do that with a large piece of precompiled software. You are totally at the mercy of the people who built it; you're taking them at their word that they haven't backdoored it.
And for what it's worth, if I were the CIA in the U.S., you'd bet I'd be leaning on Microsoft to seriously backdoor every piece of software that it sold for military purposes abroad. To them, it's a perfect way to prevent resale to folks that we don't like (or later decide we don't like). Sure, we're friends with the British, but what if the British in 10 years sell a destroyer to the South Africans, who sell it to the Egyptians, who sell it to the Iranians? Suddenly, a way of making it go dead in the water would come in handy. You'd better bet that the folks in Langley, who are paid to be paranoid, have thought about this, too.
Software is inherently different than physical machinery, because while physical devices can be taken apart and investigated, and follow basically well-understood rules (physics, chemistry, etc.), software does not. A large binary blob is as close to indecipherable as a functional object can get, and there's really no way to secure it. It is an inherent risk, and one that I'm not sure many established militaries are putting enough thought into.
You'd know that Win2k, however bad, is far better than what they have now.
I find this hard to believe. This sounds like something that you'd hear from someone who had already decided to upgrade.
Their current system works; therefore, it is inherently superior to any new, unproven, new system. There should be a huge barrier to upgrading with anything, because you're replacing a devil you know with a devil you don't. The new system should have to have demonstrated credentials in other similar situations, proving that it's at least as capable as what it's replacing. Things like ease-of-use and training should all fall under the system's core purpose.
I've seen companies replace "legacy" systems because some manager walked out onto the production floor / cube-pit and was horrified to see green-screen terminals sitting around. To them, terminals = old, old = bad, end of discussion. So they would come up with reasons to upgrade, and say things like 'well, it couldn't be worse than what we have!' with complete neglect for the fact that the old systems, by virtue of having been there for a long time, clearly did their job.
And, bottom line, it's a lot easier to train someone on a complicated green-screen system that always works, than on an unpredictable new system, where you have a ton of gotchas and error modes. Generally, once you get everything worked out, and people know what things they just can't do because it'll crash the system, you haven't really simplified anything. I have personally seen tens of millions of dollars wasted on 'upgrades' like this, where the result was so much worse than the beginning, that it immediately rolled into a new cycle of upgrades -- the executives believing, like deranged poker players, that as long as they had tossed that many millions into the pot, that they would surely solve it with a few million more.
This sounds like the same thing is happening; someone freaked because the equipment and software is old, but didn't realize that there's no logical reason why something that's old is necessarily bad, if it's still doing it's job. "Anything is better than this" is always false if what you have right now gets you through the day and does its job. Unless the system you're implementing has a strong track record of doing the same job elsewhere, you have nothing besides a salesman's promise that it's going to be better. And remember: at the end of the job, that salesman is going to disappear, and you're going to be stuck using whatever is left.
Realistically, how else do you propose to sell stuff over a P2P network?
This comes up every time there's a thread about the new "legit" BitTorrent service. I don't think it's possible. If this service attracts enough attention, the DRM is going to be bypassed. I doubt it's even going to be that hard, because the nature of P2P services makes end-to-end DRM impossible. So not only do you have the inherent flaws in the DRM system you choose, but you also have an inherent incompatibility between the DRM (which makes every user's file different) and P2P distribution, which depends on many users wanting files that are bit-for-bit identical with each other.
There's no good way to do both. They can layer on the encryption but it's nothing but turd polish; the data that's coming down the wire from the other clients has to be encrypted on a non-per-user basis (perhaps a per-file basis), and then the application of the per-user DRM needs to be done in the client. Which means the layer of encryption that presumably protected it in transit needs to be removed. So if you can play spot-the-key, and grab the per-file key as the client program decrypts it in preparation for applying the per-user DRM encryption, you can get a key that lets everyone decrypt the file.
In short, you cannot sell content via a service like this. Not going to happen in the long run, I think. What you probably could do, is sell access to the network, where the value is in the subscription to the content and not in the content itself per se. (Of course the movie studios would hate that, since they want to think of each movie "copy" sold as a revenue source.)
Looking forward, the future of services is to market the services and the access, rather than the content. Digitization and the resulting ease of copying makes it nearly impossible to sell pieces of information as distinct products, like aspirin tablets, in the same way that the content producers have grown used to. The game is up, it's just not going to work any more; they're fighting against inherent problems with DRM, inherent problems with P2P distribution, and inherent problems with the nonconservative nature of information.
However, what you can sell, is the access to a large repository or service which lets you access a lot of information in an organized and reliable manner. That represents a value to the customer, above and beyond just getting ahold of the movies/books/articles/whatever themselves. If a customer just wants to watch a single movie, say Pirates of the Caribbean, they can just go download a pirated copy. They are always going to be able to go and download a pirated copy. As long as the studios and "legit" alternatives mess around with DRM, it is always going to be easier for them to go download a pirated copy. However, what the studios could sell, would be instantaneous access to all the films ever made by Hollywood in the past century. Doing that -- putting together the database, organizing everything, providing a method of distribution, etc. -- is a value that's separate from the movies themselves, and the organization and logistics aren't readily copied. That wouldn't even require DRM; it wouldn't be practical for an end-user to copy more than a tiny fraction of the available material, so there's no risk. It's like a cable company and your VCR: the amount of content you can tape is never going to compete with the amount of content that's being pushed down to you all the time (I'd need to have 600+ VCRs running continuously in order to capture what Comcast pushes to me). Without DRM, you can use P2P to distribute without layers of useless encryption. To monetize it, you sell access to the network (the network is managed by a central server that tells clients where seeds and other clients are -- you don't pay, it doesn't tell you).
People don't want to buy content, they want to buy access to streams of content; they don't want to buy data, they want access to repositories of data that contain more stuff than t
Well, if they knew the access point you were using (based on the IP address, which they'd then take to the ISP and demand to know the customer address), they'd just go down there and sniff packets for your MAC address. It's fairly trivial at that point to determine the direction that the radio signals are coming from. (There are guys that do it as a hobby.)
Probably your best bet would be to use a spoofed MAC address, and change both the AP you connect to, the MAC address you report, and the PC's physical location, on a regular and frequent basis. That would make it difficult to determine whether you were a single location that's moving a lot and using different MAC addresses, or were multiple computers each just using the AP periodically.
Still, there's no foolproof way to avoid discovery against an omnipotent adversary.
The military and secretive NSA operations do not care about you or your open source proxy software. Stop trying to make yourself feel special by writing convoluted conspiracy theories.
No, but the Chinese equivalent of the FBI probably cares a lot about what its citizens are doing on the net, and the ability of users living under hostile regimes to get unfettered network access is one of the goals of projects like Tor.
There are people with resources besides the NSA.