I guess it's time to start punishing those who are unable or unwilling to keep their computers secure.
But as most people just use the tools they're given and can't control how secure those tools are, in practice that would mean punishing computer programmers.
If you want the usage of C and C++ to be considered equivalent to suicide then this would be a great policy to bring about such a world.
He said universal basic income, which is certainly not high enough to allow anyone to buy anything they want. There would still be a divide between rich and poor with such a policy.
BTW I don't think basic income has ever been tried. Certainly massive nationalisation of all industries a la Soviet communism is not it.
At the cost of ensuring any attempt to enforce the law results in a massive and relatively even firefight that is likely to result in a whole lot more blood spilled?
Generally, sane countries want police to have a systematic advantage over criminals when it comes to basic things like weaponry and ability to drive fast. The UK is able to have a mostly disarmed police force because the population is also mostly disarmed. So you can solve it in both directions.
It's been well established that the long term fall in violent crime is primarily (or totally?) due to the removal of lead from petrol, not due to changes in any policing policies. Also, the UK has extremely strict and well enforced gun prohibition which makes it very hard to engage in violent crime; gun crimes have been falling for the last 15 years or so.
No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.
Alright. What do you propose?
Fundamentally, encrypting all traffic all the time requires a public key infrastructure and the only way we know how to build one that works is to have trusted third parties. You trust your browser, for example. Your browser maker outsources ID verification of websites to CAs.
Ultimately SSL cannot survive being explicitly banned or subverted by the state. It just can't. They can force browser makers to give them a back door. No system can survive explicitly being banned by the state. Luckily this has not (yet) happened - strong SSL is not illegal and there are no documents in Snowden's archive that discuss compromises of CAs, probably because when armed with a bunch of zero days you don't need to exploit a CA to strip SSL, you just infect the target. Much more stealthy.
What's more, Google is pushing certificate transparency forward quite hard. CT is a system that requires certificates to be published to an audit log for a browser to accept them. It should make it much harder for a CA to issue certificates in secret. The audit logs can be data mined to look for bogus certs, e.g. certs that are issued but never show up in production usage, either by big well known targets like Google or by third parties. So far it's the best proposal that exists for how to raise the security of SSL. All others are busts.
The libertarian view is that everyone should check that the vehicle is safe and the driver competent before making a contract to be transported with them.
Hardly. The anti-Uber-banning view (call it libertarian if you like) is that governments already require driver's licenses to check for competent drivers and road vehicle licensing to ensure safe vehicles, which is why most people are totally OK with getting into the car of a random friend or relative. But we're expected to believe that once you pay someone for a trip, suddenly all those existing licenses become irrelevant and we need extra new (invariably very expensive) licenses to provide safety and competency.
Here's a thought. Maybe if someone trusts Uber to do a better job of policing their drivers than their local government, they should be allowed to test that theory out? So far I haven't actually encountered anyone who has had a bad experience with Uber. I'm sure they exist, but people with bad experiences of regular licensed taxis are a dime a dozen. It's not like paying a big fat fee to your local city magically makes people awesome.
Unless you're the person in the lane next to the Uber car when its high-mileage, improperly-maintained components break, or the person crossing the road in front when the Uber driver falls asleep, and then you get to be in the accident too.
So I guess travelling salesmen have to get special licenses too, or anyone who has an especially long commute? I guess this government licensing regime applies to anyone who drives more than a certain number of hours per day? No? They apply only to people who are paid to take passengers around and thus have money to squeeze? Hmm.
Regulations on commercial drivers exist for a reason, and it's not just for the benefit of the passengers inside a commercial vehicle.
The entire Uber hullaballoo is happening exactly because nobody seems able to clearly articulate the value that this giant pile of red tape brings to the table. People handwave and say "of course regulations make things safer", but why Uber can't achieve the same outcomes better is not exactly clear. I don't think a government license magically makes people less likely to fall asleep at the wheel, for example - rules around how long any driver can drive would do that, but that's not what taxi licensing achieves.
It seems pretty clear that technology can solve some of the problems that historically have been achieved through government licensing. Governments are NEVER going to decide that some laws can be replaced with new technology, their history of doing this is non-existent because the people who pass laws are not technologists. So conflicts like Uber vs taxi licensing regimes are inevitable. But that doesn't make Uber automatically in the wrong. It's just a sad reflection on the lack of software ability at the top of our society's power structures.
The first airplane was created by Orville and Wilbur Wright, American brothers. No other craft was capable of flying prior to this. This is undisputed.
Interestingly, after inventing the airplane they then filed patents on it and their company stagnated, technologically. Meanwhile planes were being invented at around the same time in Europe, and they weren't protected in the same way, so by the time World War 1 started the Americans had to fly in European made planes because the US ones weren't good enough. Eventually of course the patents expired and US aircraft caught up pretty fast.
The purpose of securities regulations is primarily to ensure people know what they're investing in, and secondarily to stop people investing in ways that are likely to lead to them losing their shirts.
Twitter shares are now a publicly traded investment. That means it's reasonable that people should understand what they're investing in when they buy those shares. As Twitter is the only source of reliable information on Twitter, securities regulations compel them to list risks investors should be aware of. A significant percentage of their users not actually being human is absolutely information that could affect the ROI of buying Twitter.
I can't honestly say I love red-tape laden financial regulations but the spirit of these ones is at least reasonable, even if the implementation might leave a lot to be desired. Listing risks to your company is not the most burdensome part of issuing publicly traded stocks.
Google, if you set up a white listed email system, my friends and family will happily sign up.
They already happily sign up. Gmail is the largest email provider in the world.
BTW the Gmail spam filter, like any good one, does have per-user whitelists. If you reply to mail or mark mail from a sender as not spam, the filter will leave mail from those senders alone (modulo caveats like the sender properly authenticating). Thus the filter spends almost all of its effort on email from senders you haven't interacted with, like, for example, the password reset mail from the website you used 3 years ago and forgot how to log in. You wouldn't want to lose those, would you?
That's not "getting ignored". What did she expect? That she'd show up and immediately have people begging to work with her, just because she was blonde?
If you're a dude and you turn up to a CS class, then you make an effort to initiate conversations if you want to work with people, or make friends. You don't just sit around looking pretty. That's a basic social norm and everyone does it.
My own experience of this is that there's a huge work/expectations gap. It's not just CS that suffers low female enrollment. It's any subject that involves lots of maths and hard work. My own CS class had zero female students in it right from the start - that's rare, but obviously the women weren't deciding not to study it because they got harassed in class. I had plenty of female friends at university and one of them studied maths, one of them studied physics, and the rest all did subjects like history, archaeology or English. I was kind of blown away by how little work these subjects entailed compared to my own.
Although I know only a little about CPU design, this sounds like one of the most revolutionary design changes in many years. The question in my mind is how well it will work. The CPU can use information at runtime that a static analyser running on a separate core might not have ahead of time, most obviously branch prediction information. OOO CPUs can speculatively execute multiple branches at once and then discard the version that didn't happen, they can re-order code depending on what it's actually doing including things like self-modifying code and code that's generated on the fly by JITCs. On the other hand, if the external optimiser CPU can do a good job, it stands to reason that the resulting CPU should be faster and use way less power. Very interesting research, even if it doesn't pan out.
No, you don't understand FATCA at all. Go and read how the law works and then come back. Actually don't bother - I already explained to you how the recursive "pass thru provisions" work and you ignored me, instead insisting that the law works differently to how it actually does.
Additionally, the idea that borders stopped changing after 1948 (do you mean 1945?) is ridiculous. What do you think happened after the fall of the Soviet Union? What do you think happened in Iraq when America invaded it?
By every definition of Imperialism I've ever seen the Russians are doing a lot more of it than the US. Putin is trying to increase his sphere of influence with the Eurasian Union, eat bits of neighbors who rock his boat, refusing to give up control of a region that included a major military base, etc.
Hardly. If you buy the western line that the rebels in east Ukraine are all reporting directly to Putin then yes, but nobody with any knowledge does buy that line, it's clearly nonsense. Putin told them not to have a referendum, they ignored him. The rebels asked Russia to annex east Ukraine, Putin ignored them. He certainly did not order anyone to shoot down a civilian airliner.
Meanwhile, in the last few years the USA has formally established the global American empire for the first time. Yes, before 2010 it was largely a matter of pressure and the belief by world leaders that America would engage in economic warfare against anyone, including so called "allies", who defied it. But then America passed a law called FATCA that turns every bank or financial institution in the world into an arm of the IRS recursively. Not just institutions that trade with America, but all of them, every last one, with institutions exposed to the US economy punished unless they in turn enforce Washington's will upon their trading partners and so on. America has also started passing recursive trade sanctions, sanctions that say "you're either with us or against us and if you're against us, you get sanctioned in exactly the same way". They did this for Iran, for example.
Now tell me. What is a country that can tax anyone it likes, anywhere in the world, and punish anyone it likes, anywhere in the world, and force anyone to take part in their economic wars, anywhere in the world, regardless of what those people actually want? The ability to tax and the ability to draft into an army is the defining characteristic of an empire. Russia can't do shit to me here in western Europe but America can and will ruin me if I get on the wrong side of them. That makes me an unwilling citizen of the American empire.
They're not making technology for the sake of making better technology, they're doing it purely to monetize it and make money -- for example, Oracle's insistence on keeping that stupid ask.com toolbar in the Java installer.
Yes, that really sucks, but it's probably the only direct way Java makes money. Otherwise it's basically a charity, right?
Fortunately the last installer at least will not try and reinstall this crap on upgrades. So you get asked once. More importantly if you're wanting to distribute desktop apps, you don't have to request that the user installs Java anymore, it can be bundled. And the crapware was only ever a Windows thing. Mac and Linux users don't suffer from it.
My gut sense is that the Java team at Oracle know this is horrible and are doing their best to chip away at it, but can't go to management and ask them to give up the only direct revenue stream the entire project has.
I think the problem is Oracle isn't innovating, isn't advancing the technology, some aspects of it are essentially dead, the Java Community Process is largely ignored...
Eh, this wasn't my experience so far.
There are many things that suck about Oracle, but so far what I've seen is that they've increased investment in Java, they're resolving a lot of basic, everyday problems people face when writing regular apps and overall Java is getting a lot better. There sure was a time when Java stagnated.... when Sun owned it. Now? Well, Java 8 resolves a lot of the more irritating problems with the language (lambdas make a huge difference, even though they're just syntax sugar), but more importantly the Java team have accepted that the real language innovation will happen with other languages that target the JVM and they've got serious about making the JVM a multi-language runtime. For example, in Java 7 they did a lot of work to support dynamic languages and in Java 8 they built on that work to make a fast Javascript implementation on the JVM. It's not as fast as V8 at the moment but it's certainly a respectable showing. Meanwhile Scala, Clojure, Kotlin etc are busy creating the next-gen languages that the Java team is too conservative to tackle.
With respect to community involvement, I don't personally give a shit about some "community process". What I care about is: can I check the sources out of version control, email the developers with a question and get a response the same day? Can I file bugs and have them be fixed? My experience with the JavaFX component of the OpenJDK is yes yes and yes. In fact I've kind of been blown away by how responsive the JFX team are. Right now I'd say they've got a great UI toolkit (easily as good as Cocoa), but it only got good in the last couple of years, so they're relatively unknown and as a result you get fantastic service - for free!
Most importantly the JavaFX team aren't trying to create some uber-platform that replaces the operating system. They've built a tool that bundles the JVM and creates native installers/DMGs/packages for each platform. Finally you can use Java as if it were just a big library. No applets, no Web Start, no fucking about - just make an app that looks normal to your users, but shares 99.9% of the code across platforms. Which is what it always promised.
None of the leaked documents from Snowden appear to mention compromised CAs, or at least no kind of compromise at scale. This is most likely because (1) CAs are not the weakest link, the browser security is and (2) they need to find their target's traffic streams before they can do the MITM attack, which would mean doing MITM on all SSL connections which would be detected almost immediately. A compromised CA would be useful only if they were unable to exploit the target's computer, and they needed to view SSLd traffic anyway, which does not appear to be a common situation for them circa 2013.
Google has only one way to know if a CA is trustworthy: running its own.
No. They can develop a system that involves every certificate produced by every CA being published in public audit logs, and then make Chrome verify that any given cert is in those public audit logs, thus allowing savvy site operators to find fake certs issued in their name (also useful for old fashioned phishing). And in fact that's exactly what they are doing.
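The two checks described in this comment and in the earlier one on certificate transparency, as an added example that is not code from the original comments or from any real CT log: a toy RFC 6962-style Merkle log, the inclusion-proof verification a browser would run before accepting a cert, and the monitor a site operator would run to find certs issued in its name by a CA it never used. Log entries are constructed strings of the form domain|issuer|serial.

```python
"""Toy certificate transparency log (RFC 6962 hashing) with a browser-side
inclusion check and an operator-side monitor.  Added example; the log entries
are constructed, not real certificates."""
import hashlib


def _sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 domain separation: leaves are hashed with a 0x00 prefix ...
    return _sha(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf cannot masquerade as a node.
    return _sha(b"\x01" + left + right)


def _split_point(n: int) -> int:
    # Largest power of two strictly less than n, which fixes the tree shape.
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(hashes):
    """Merkle tree hash over the leaf hashes; the log signs this as its head."""
    if not hashes:
        return _sha(b"")
    if len(hashes) == 1:
        return hashes[0]
    k = _split_point(len(hashes))
    return node_hash(tree_head(hashes[:k]), tree_head(hashes[k:]))


def inclusion_proof(hashes, m):
    """Audit path for leaf m: the sibling hashes from the leaf up to the root.
    This is what the log hands to a client that asks 'is entry m in the tree?'"""
    if len(hashes) <= 1:
        return []
    k = _split_point(len(hashes))
    if m < k:
        return inclusion_proof(hashes[:k], m) + [tree_head(hashes[k:])]
    return inclusion_proof(hashes[k:], m - k) + [tree_head(hashes[:k])]


def verify_inclusion(leaf, m, n, proof, root):
    """Browser-side check: rebuild the root from the leaf and its audit path
    (the RFC 6962 / RFC 9162 algorithm) instead of taking the log's word for it.
    Returns True only if the recomputed root equals the signed tree head."""
    if m >= n:
        return False
    fn, sn, r = m, n - 1, leaf
    for p in proof:
        if sn == 0:
            return False  # path is longer than the tree is deep
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # our subtree is the right child of p's parent
            if not fn & 1:
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # our subtree is the left child
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def monitor(log_entries, my_domains, my_issuers):
    """Operator-side data mining of the public log: any logged cert for one of
    my domains from a CA I do not use is a candidate fake cert."""
    suspicious = []
    for entry in log_entries:
        domain, issuer, serial = entry.decode().split("|")
        if domain in my_domains and issuer not in my_issuers:
            suspicious.append((domain, issuer, serial))
    return suspicious


# Constructed sample log: three legitimate certs and one mis-issued one.
SAMPLE_LOG = [
    b"example.com|Trusted CA A|1001",
    b"mail.example.net|Trusted CA B|42",
    b"example.com|Trusted CA A|1002",
    b"example.com|Rogue CA|7",  # never ordered by example.com's operator
]
```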
SSL DNS certs are not expensive. You can get them for free (as pointed out) or for perhaps $20 per year. Your hosting costs are almost certainly higher than that.
Yes, for news and such it doesn't make that much sense. Still, HTTPS would at least prevent your ISP from monitoring your browsing activity.
It's actually a lot more than that. HTTPS isn't just about protecting passwords anymore, not post Snowden.
Let us recall one of the more interesting things we learned about SSL via the NSA leaks: the Five Eyes countries apparently have not broken SSL yet despite the fact that the internet is still not capable of stopping them. The reason is a system they've built called QUANTUM.
QUANTUM is a series of systems that work together. Imagine it like being a giant set of guard towers on the internet backbone. QUANTUM is called that because it's based on deep packet inspection and insertion. The first part is a massive set of DPI devices that trawl unencrypted internet traffic passing through intercept points. These DPI devices can be configured by NSA/GCHQ analysts to look for selectors - personal identifiers like email addresses, IP addresses, cookies and so on. QUANTUM does not run on every internet link and cannot see through encrypted traffic, but that doesn't matter: it's like a searchlight crawling the grounds of a prison at night. It doesn't matter that it can't light up everywhere simultaneously - once tasked it will keep searching until it finds you. Given enough time and good selectors, it will always find you, simply because the average internet user makes many different unencrypted connections to many different websites.
Once QUANTUM locates an un-SSLd traffic stream that matches your selectors, the next step begins; this is called QUANTUM INSERT. You see, these DPI devices are not only capable of reading traffic but also injecting packets directly onto the backbone as well. This allows them to race legitimate answers from the real servers, and redirect the victim to an entirely different server (this is probably based on racing DNS lookups although I think the leaked docs were fuzzy on this aspect). These races are called "shots" and interestingly, they don't always succeed - sometimes the NSA is slower than the real server. But QUANTUM keeps trying and eventually you end up connected to this new FOXACID server, which then proceeds to act as an HTTP proxy for the real request and injects an exploit kit. That then pwns your system such that the NSA can now see all your encrypted traffic, along with turning on your microphone and so on.
An observant reader will notice something very important about the above description. The longer you can stay in the SSLd web, the longer it will take for QUANTUM to hack you. That means you directly benefit from a website being SSLd even if all it contains is cat pictures and you don't even log in. Once QUANTUM has figured out your IP address, any non-SSLd HTTP connection is a useful foothold.
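A defender-side heuristic for the packet race described above, as an added example that is not from the original comment: whether the injected answer wins or loses the race, both it and the real server's answer reach the client's side of the network, so a passive sensor sees two TCP segments on the same connection with the same sequence number but different payloads. The segments below are constructed dicts standing in for captured packets, not real traffic.

```python
"""Flag TCP segments that collide on (connection, sequence number) but carry
different bytes, which is what a response-injection race leaves on the wire.
Added example with constructed segments; a real deployment would feed this
from a packet capture."""
from collections import defaultdict


def find_duplicate_segments(segments):
    """Group segments by 4-tuple plus TCP sequence number and flag any group
    whose payloads differ.  Ordinary retransmissions repeat identical bytes and
    are not flagged.  A differing IP TTL is reported as a second hint that the
    two copies were emitted from different network positions."""
    seen = defaultdict(list)
    for s in segments:
        key = (s["src"], s["sport"], s["dst"], s["dport"], s["seq"])
        seen[key].append(s)
    alerts = []
    for key, group in seen.items():
        payloads = {g["payload"] for g in group}
        if len(payloads) > 1:
            alerts.append({
                "flow": key,
                "variants": len(payloads),
                "ttls": sorted({g["ttl"] for g in group}),
            })
    return alerts


def _seg(dport, seq, ttl, payload):
    # Helper to build a constructed server-to-client segment (RFC 5737 addresses).
    return {"src": "203.0.113.10", "sport": 80, "dst": "198.51.100.5",
            "dport": dport, "seq": seq, "ttl": ttl, "payload": payload}


# Constructed capture: connection 51000 receives two different answers for the
# same sequence number (a race), connection 51001 only a plain retransmission.
SAMPLE_SEGMENTS = [
    _seg(51000, 1000, 54, b"HTTP/1.1 200 OK\r\n\r\n<html>cats</html>"),
    _seg(51000, 1000, 61, b"HTTP/1.1 302 Found\r\nLocation: http://other.invalid/\r\n\r\n"),
    _seg(51001, 5000, 54, b"HTTP/1.1 200 OK\r\n\r\nok"),
    _seg(51001, 5000, 54, b"HTTP/1.1 200 OK\r\n\r\nok"),  # retransmission, same bytes
]
```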
I didn't make a false claim. You quoted me saying we stopped bulk stolen password based attacks like the ones I described, and then proceeded to argue with a statement I never made (that we stopped all attacks).
To clarify, the attacks I'm talking about are ones where the attacker has a large list of passwords (in the order of hundreds of thousands of passwords or more) and tries the password to see if it matches. If it does they log in, if it doesn't they give up and try the next one. Government sponsored attacks tend to care an awful lot about a small set of targets which is the exact opposite.
Google was able to stop these attacks so effectively the people behind them gave up, and there was a large but not infinite number of people who were carrying out such attacks, so eventually they became no longer a real issue for the userbase. Note that our competitors (with the notable exception of Facebook) were NOT able to do this, so if a small ISP struggles to do it too, that would not be very surprising.
More than 1B credentials does not sound implausible to me, though it's on the high end. You may be wondering why my opinion on this is more relevant than anyone else's, so let me explain.
Although I left the company in January, for about 7.5 years I worked at Google and for ~3 of those years I worked on security and anti-spam related matters. Starting around April 2010 we started to see absolutely enormous numbers of compromised accounts sending spam to their contacts. This was not a problem that grew slowly. It went from zero to one gang compromising on the order of 100,000 accounts per day and that happened in the space of, it seemed, a few weeks. We learned about this problem through user complaints and by watching the flow of spam mails being reported to us via the "Report spam" button. We quickly realised this wasn't a Gmail specific problem but was simultaneously impacting Hotmail and Yahoo. Further investigation revealed that although this gang was capable of compromising ~100,000 accounts per day (more than one per second) this was the result of a 10-15% success rate for more like a million attempts per day: most account/password pairs they tried did not work. The reason was they were reversing password hashes stolen from third party websites using GPUs, and it turns out that people who use the same password everywhere make up (surprisingly) only about 10-15% of the user population. People suck less at security than you might imagine.
When this problem first started we believed that such an enormous supply of credentials must surely be some kind of freak one off, the result of compromising an unusually large site. I mean, one million credentials every fucking day was an unimaginably vast pool of stolen passwords. But as the user complaints of being hacked failed to dry up we came to accept the horrible truth - this was not some freak one off but the result of some kind of production line of passwords. Most likely a combination of automated web crawls to discover vulnerable sites, semi-automated popping of those sites, farms of GPUs reversing the passwords and the resulting packages being sold on the black market to spammers who then abused them for bypassing spam filters (mail from contacts is whitelisted by any good spam filter). We only got occasional snapshots of this market, for example we were able to find adverts on Russian blackhat forums by people advertising lists of "washed" vs "unwashed" account/password lists for hotmail, gmail etc, but mostly it was opaque.
Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away. But the underlying supply of passwords is still out there, and should those defences fall the problem would come back.
I gave a talk about this and various other webmail abuse related topics at the RIPE 64 conference in Ljubljana (video link) in case anyone is interested in this. The slides are also available though lots of info from the talk is missing from them.
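A small detector for the login pattern these two comments describe, as an added example that is neither Google's risk analysis system nor code from the original comments: a stolen third-party credential list is replayed roughly once per account and only 10-15% of attempts succeed, so a replay source fails on many distinct accounts, whereas a user who forgot a password fails a few times on one account. The log lines are constructed, in a made-up "timestamp source account result" format; the thresholds are illustrative.

```python
"""Per-source login risk scoring for bulk stolen-password replay.
Added example with a constructed login log and illustrative thresholds."""
from collections import defaultdict


def parse_login_log(lines):
    """Constructed format: '<timestamp> <source-ip> <account> ok|fail'."""
    events = []
    for line in lines:
        ts, src, account, result = line.split()
        events.append({"ts": ts, "src": src, "account": account,
                       "ok": result == "ok"})
    return events


def score_sources(events, min_accounts=20, max_success_rate=0.25):
    """Flag sources that touch many distinct accounts with a low hit rate.
    A legitimate client mostly logs into one account; a credential replay
    walks a list and succeeds only where the password was reused."""
    tried = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for e in events:
        tried[e["src"]].add(e["account"])
        attempts[e["src"]] += 1
        if e["ok"]:
            successes[e["src"]] += 1
    flagged = {}
    for src in attempts:
        rate = successes[src] / attempts[src]
        if len(tried[src]) >= min_accounts and rate <= max_success_rate:
            flagged[src] = {"accounts": len(tried[src]),
                            "attempts": attempts[src],
                            "success_rate": rate}
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts a flagged source actually got into: their passwords are known
    to be reused on a breached site, so killing the session is not enough and
    the password itself must be changed."""
    return sorted({e["account"] for e in events
                   if e["src"] in flagged and e["ok"]})


def make_sample_log():
    """Constructed sample: one user who forgets a password, one normal login,
    and one source replaying 40 accounts with a 15% hit rate."""
    lines = [
        "2014-09-01T08:00:01 10.0.0.5 alice fail",
        "2014-09-01T08:00:09 10.0.0.5 alice fail",
        "2014-09-01T08:00:20 10.0.0.5 alice ok",
        "2014-09-01T08:01:00 10.0.0.6 bob ok",
    ]
    for i in range(40):
        result = "ok" if i % 7 == 0 else "fail"
        lines.append(f"2014-09-01T08:02:{i % 60:02d} 198.51.100.77 user{i:02d} {result}")
    return lines


SAMPLE_LOG = make_sample_log()
```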
Based on the indictments it's hard to know how he was found. The indictment certainly gives a plausible explanation for how it happened - he was sloppy about linkage of his personal and alter-ego accounts online, but as noted in the articles, there are certain gaps and inconsistencies in the story and parts of it may have been filled out retroactively (the notorious "parallel construction"). Apparently what his lawyer is hoping is that they get a judge who feels like putting the FBI in their place with respect to such issues, and it turns out that they found the Silk Road servers via some NSA related trickery then worked backwards to find Ulbricht, then worked out a plausible but untrue alternative explanation for how he was located. Such a thing, if found to have happened, could plausibly throw a spanner in the entire prosecution.
You think anyone who does not conform to your moral standard is "sick" and needs help? You're arrogant, egocentric and intrinsically extremely manipulative.
He is either well informed or (more likely) simply able to point out the obvious in a world where most don't dare. It is proven beyond doubt that brain tumours can cause paedophilia. That article is a summary of one well known and notorious case, but note that he checked himself into the hospital just one day before he was going to prison. The chances are great that there are more people like him rotting inside the prison system.
Given that the sex drive is an inherently biological thing that evolution has given tremendous influence over people's behaviour, the fact that a malfunctioning sex drive might have a biological root cause should not surprise anyone. And yes, it's absolutely a malfunction and obviously so - the purpose of sex is to reproduce and create offspring that survive to adulthood. The chances of having a child that grows up to be a strong adult by having sex with another child is massively reduced or close to zero, so from an evolutionary perspective it makes little sense.
You condescendingly show "sympathy", but you have absolutely no respect. You say child molesters suffer from a mental illness? Strange, isn't that what some people are saying about gays?
Yes, some people do say that, and for all we know they might be right. Homosexuality is another biological dead end that doesn't lead to offspring. However this kind of deviation from the sexual norm is something most enlightened societies have got over because it doesn't harm anyone. OK, those people will not have kids. So be it. They aren't hurting anyone so it's unreasonable and unjustified to cause them problems.
Child abuse is a more complicated area. People tend to think of the "we know it when we see it" type cases, you know, 40 year old men trying to have sex with 8 year olds. Unfortunately the laws are badly written enough that all kinds of other basically harmless behaviour gets tangled up with it. For example, I know for a fact that the NCMEC database contains cartoons. Having a racy cartoon in your Gmail account is now enough to get busted by the police. Other cases of idiocy around these laws include the UK where the legal age of consent is 16 but the age to be considered not child porn is 18, meaning two people can legally have sex but can go to jail if they take a photo of themselves doing it. Cases where two teenagers have a relationship and the older one ends up being busted for child abuse have been reported in the USA. The harm in these cases is hard to see but it all gets dumped into the same bucket, legally.
But as most people just use the tools they're given and can't control how secure those tools are, in practice that would mean punishing computer programmers.
If you want the usage of C and C++ to be considered equivalent to suicide then this would be a great policy to bring about such a world.
He said universal basic income, which is certainly not high enough to allow anyone to buy anything they want. There would still be a divide between rich and poor with such a policy.
BTW I don't think basic income has ever been tried. Certainly massive nationalisation of all industries a la Soviet communism is not it.
At the cost of ensuring any attempt to enforce the law results in a massive and relatively even firefight that is likely to result in a whole lot more blood spilled?
Generally, sane countries want police to have a systematic advantage over criminals when it comes to basic things like weaponry and ability to drive fast. The UK is able to have a mostly disarmed police force because the population is also mostly disarmed. So you can solve it in both directions.
It's been well established that the long term fall in violent crime is primarily (or totally?) due to the removal of lead from petrol, not due to changes in any policing policies. Also, the UK has extremely strict and well enforced gun prohibition which makes it very hard to engage in violent crime, gun crimes have been falling for the last 15 years or so.
Alright. What do you propose?
Fundamentally, encrypting all traffic all the time requires a public key infrastructure and the only way we know how to build one that works is to have trusted third parties. You trust your browser, for example. Your browser maker outsources ID verification of websites to CA's.
Ultimately SSL cannot survive being explicitly banned or subverted by the state. It just can't. They can force browser makers to give them a back door. No system can survive explicitly being banned by the state. Luckily this has not (yet) happened - strong SSL is not illegal and there are no documents in Snowden's archive that discuss compromises of CA's, probably because when armed with a bunch of zero days you don't need to exploit a CA to strip SSL, you just infect the target. Much more stealthy.
What's more, Google is pushing certificate transparency forward quite hard. CT is a system that requires certificates to be published to an audit log for a browser to accept them. It should make it much harder for a CA to issue certificates in secret. The audit logs can be data mined to look for bogus certs, e.g. certs that are issued but never show up in production usage, either by big well known targets like Google or by third parties. So far it's the best proposal that exists for how to raise the security of SSL. All others are busts.
Hardly. The anti-Uber-banning view (call it libertarian if you like) is that governments already require drivers licenses to check for competent drivers and road vehicle licensing to ensure safe vehicles, which is why most people are totally OK with getting into the car of a random friend or relative. But we're expected to believe that once you pay someone for a trip, suddenly all those existing licenses become irrelevant and we need extra new (invariably very expensive) licenses to provide safety and competency.
Here's a thought. Maybe if someone trusts Uber to do a better job of policing their drivers than their local government, they should be allowed to test that theory out? So far I haven't actually encountered anyone who has had a bad experience with Uber. I'm sure they exist, but people with bad experiences of regular licensed taxis are a dime a dozen. It's not like paying a big fat fee to your local city magically makes people awesome.
So I guess travelling salesmen have to get special licenses too, or anyone who has an especially long commute? I guess this government licensing regime applies to anyone who drives more than a certain number of hours per day? No? They apply only to people who are paid to take passengers around and thus have money to squeeze? Hmm.
The entire Uber hullaballoo is happening exactly because nobody seems able to clearly articulate the value that this giant pile of red tape brings to the table. People handwave and say "of course regulations make things safer", but why Uber can't achieve the same outcomes better is not exactly clear. I don't think a government license magically makes people less likely to fall asleep at the wheel, for example - rules around how long any driver can drive would do that, but that's not what taxi licensing achieves.
It seems pretty clear that technology can solve some of the problems that historically have been achieved through government licensing. Governments are NEVER going to decide that some laws can be replaced with new technology, their history of doing this is non-existent because the people who pass laws are not technologists. So conflicts like Uber vs taxi licensing regimes are inevitable. But that doesn't make Uber automatically in the wrong. It's just a sad reflection on the lack of software ability at the top of our society's power structures.
Interestingly, after inventing the airplane they then filed patents on it and their company stagnated, technologically. Meanwhile planes were being invented at around the same time in Europe, and they weren't protected in the same way, so by the time World War 1 started the Americans had to fly in European-made planes because the US ones weren't good enough. Eventually of course the patents expired and US aircraft caught up pretty fast.
The purpose of securities regulations is primarily to ensure people know what they're investing in, and secondarily to stop people investing in ways that are likely to lead to them losing their shirts.
Twitter shares are now a publicly traded investment. That means it's reasonable that people should understand what they're investing in when they buy those shares. As Twitter is the only source of reliable information on Twitter, securities regulations compel them to list risks investors should be aware of. A significant percentage of their users not actually being human is absolutely information that could affect the ROI of buying Twitter.
I can't honestly say I love red-tape-laden financial regulations but the spirit of these ones is at least reasonable, even if the implementation might leave a lot to be desired. Listing risks to your company is not the most burdensome part of issuing publicly traded stocks.
They already happily sign up. Gmail is the largest email provider in the world.
BTW the Gmail spam filter, like any good one, does have per-user whitelists. If you reply to mail or mark mail from a sender as not spam, the filter will leave mail from those senders alone (modulo caveats like the sender properly authenticating). Thus the filter spends almost all of its effort on email from senders you haven't interacted with, like, for example, the password reset mail from the website you used 3 years ago and forgot how to log in. You wouldn't want to lose those, would you?
That's not "getting ignored". What did she expect? That she'd show up and immediately have people begging to work with her, just because she was blonde?
If you're a dude and you turn up to a CS class, then you make an effort to initiate conversations if you want to work with people, or make friends. You don't just sit around looking pretty. That's a basic social norm and everyone does it.
My own experience of this is that there's a huge work/expectations gap. It's not just CS that suffers low female enrollment. It's any subject that involves lots of maths and hard work. My own CS class had zero female students in it right from the start - that's rare, but obviously the women weren't deciding not to study it because they got harassed in class. I had plenty of female friends at university and one of them studied maths, one of them studied physics, and the rest all did subjects like history, archaeology or English. I was kind of blown away by how little work these subjects entailed compared to my own.
Although I know only a little about CPU design, this sounds like one of the most revolutionary design changes in many years. The question in my mind is how well it will work. The CPU can use information at runtime that a static analyser running on a separate core might not have ahead of time, most obviously branch prediction information. OOO CPUs can speculatively execute multiple branches at once and then discard the version that didn't happen, they can re-order code depending on what it's actually doing including things like self-modifying code and code that's generated on the fly by JITCs. On the other hand, if the external optimiser CPU can do a good job, it stands to reason that the resulting CPU should be faster and use way less power. Very interesting research, even if it doesn't pan out.
Try asking the US Post Office to print stamps with the flag of jihad and see what happens.
No, you don't understand FATCA at all. Go and read how the law works and then come back. Actually don't bother - I already explained to you how the recursive "pass thru provisions" work and you ignored me, instead insisting that the law works differently to how it actually does.
Additionally, the idea that borders stopped changing after 1948 (do you mean 1945?) is ridiculous. What do you think happened after the fall of the Soviet Union? What do you think happened in Iraq when America invaded it?
Hardly. If you buy the western line that the rebels in east Ukraine are all reporting directly to Putin then yes, but nobody with any knowledge does buy that line, it's clearly nonsense. Putin told them not to have a referendum, they ignored him. The rebels asked Russia to annex east Ukraine, Putin ignored them. He certainly did not order anyone to shoot down a civilian airliner.
Meanwhile, in the last few years the USA has formally established the global American empire for the first time. Yes, before 2010 it was largely a matter of pressure and the belief by world leaders that America would engage in economic warfare against anyone, including so called "allies", who defied it. But then America passed a law called FATCA that turns every bank or financial institution in the world into an arm of the IRS recursively. Not just institutions that trade with America, but all of them, every last one, with institutions exposed to the US economy punished unless they in turn enforce Washington's will upon their trading partners and so on. America has also started passing recursive trade sanctions, sanctions that say "you're either with us or against us and if you're against us, you get sanctioned in exactly the same way". They did this for Iran, for example.
Now tell me. What is a country that can tax anyone it likes, anywhere in the world, and punish anyone it likes, anywhere in the world, and force anyone to take part in their economic wars, anywhere in the world, regardless of what those people actually want? The ability to tax and the ability to draft into an army is the defining characteristic of an empire. Russia can't do shit to me here in western Europe but America can and will ruin me if I get on the wrong side of them. That makes me an unwilling citizen of the American empire.
Yes, that really sucks, but it's probably the only direct way Java makes money. Otherwise it's basically a charity, right?
Fortunately the last installer at least will not try and reinstall this crap on upgrades. So you get asked once. More importantly if you're wanting to distribute desktop apps, you don't have to request that the user installs Java anymore, it can be bundled. And the crapware was only ever a Windows thing. Mac and Linux users don't suffer from it.
My gut sense is that the Java team at Oracle know this is horrible and are doing their best to chip away at it, but can't go to management and ask them to give up the only direct revenue stream the entire project has.
Eh, this wasn't my experience so far.
There are many things that suck about Oracle, but so far what I've seen is that they've increased investment in Java, they're resolving a lot of basic, everyday problems people face when writing regular apps and overall Java is getting a lot better. There sure was a time when Java stagnated... when Sun owned it. Now? Well, Java 8 resolves a lot of the more irritating problems with the language (lambdas make a huge difference, even though they're just syntax sugar), but more importantly the Java team have accepted that the real language innovation will happen with other languages that target the JVM and they've got serious about making the JVM a multi-language runtime. For example, in Java 7 they did a lot of work to support dynamic languages and in Java 8 they built on that work to make a fast Javascript implementation on the JVM. It's not as fast as V8 at the moment but it's certainly a respectable showing. Meanwhile Scala, Clojure, Kotlin etc. are busy creating the next-gen languages that the Java team is too conservative to tackle.
With respect to community involvement, I don't personally give a shit about some "community process". What I care about is: can I check the sources out of version control, email the developers with a question and get a response the same day? Can I file bugs and have them be fixed? My experience with the JavaFX component of the OpenJDK is yes yes and yes. In fact I've kind of been blown away by how responsive the JFX team are. Right now I'd say they've got a great UI toolkit (easily as good as Cocoa), but it only got good in the last couple of years, so they're relatively unknown and as a result you get fantastic service - for free!
Most importantly the JavaFX team aren't trying to create some uber-platform that replaces the operating system. They've built a tool that bundles the JVM and creates native installers/DMGs/packages for each platform. Finally you can use Java as if it were just a big library. No applets, no Web Start, no fucking about - just make an app that looks normal to your users, but shares 99.9% of the code across platforms. Which is what it always promised.
That's not quite true actually. VirusBulletin is a third party spam filtering company that made a blog post stating that based on their own measurements, Gmail was indeed dramatically better at stopping hijackings than other providers.
None of the leaked documents from Snowden appear to mention compromised CAs, or at least no kind of compromise at scale. This is most likely because (1) CAs are not the weakest link, the browser security is and (2) they need to find their target's traffic streams before they can do the MITM attack, which would mean doing MITM on all SSL connections which would be detected almost immediately. A compromised CA would be useful only if they were unable to exploit the target's computer, and they needed to view SSLd traffic anyway, which does not appear to be a common situation for them circa 2013.
No. They can develop a system that involves every certificate produced by every CA being published in public audit logs, and then make Chrome verify that any given cert is in those public audit logs, thus allowing savvy site operators to find fake certs issued in their name (also useful for old fashioned phishing). And in fact that's exactly what they are doing.
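The CT-based check described in both comments above (an operator data-mining the public audit logs for certs issued in their name), as an added example that is not part of the original posts or of any real CT tooling; the log entries, issuer names and fingerprints are constructed, and the "seen in production" flag is assumed to come from the operator's own scanning:

```python
"""Added example: scan certificate-transparency-style log records for
certificates that name a monitored domain but that the operator never
issued. Every entry, issuer name and fingerprint here is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    """Minimal view of a CT log entry (constructed, not a real log format)."""
    fingerprint: str          # hex SHA-256 of the certificate (placeholder value)
    issuer: str               # issuing CA as recorded in the log
    names: tuple              # subject alternative names on the certificate
    seen_in_production: bool  # whether the operator's own scans ever saw it served


def touches_domain(cert_name: str, monitored: str) -> bool:
    """True if a certificate name covers `monitored` or one of its subdomains.
    A wildcard '*.example.com' is treated as covering example.com's subtree."""
    name = cert_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    monitored = monitored.lower().rstrip(".")
    return name == monitored or name.endswith("." + monitored)


def find_unexpected_certs(entries, monitored_domains, expected_fingerprints):
    """Return (fingerprint, issuer, matching names, reason) for every log entry
    that names a monitored domain but is absent from the operator's own
    issuance records. Certs that also never appeared in production are the
    'issued but never used' pattern worth looking at first."""
    findings = []
    for entry in entries:
        hits = tuple(n for n in entry.names
                     if any(touches_domain(n, d) for d in monitored_domains))
        if not hits or entry.fingerprint in expected_fingerprints:
            continue
        reason = "not in issuance records"
        if not entry.seen_in_production:
            reason += "; never observed in production"
        findings.append((entry.fingerprint, entry.issuer, hits, reason))
    return findings


# Constructed sample log: one legitimate cert, one rogue cert for a login
# subdomain, one look-alike name that must not match, one unexpected wildcard.
SAMPLE_LOG = (
    LogEntry("aa01", "Expected CA", ("example.com", "www.example.com"), True),
    LogEntry("bb02", "Some Other CA", ("login.example.com",), False),
    LogEntry("cc03", "Expected CA", ("example.com.evil.test",), True),
    LogEntry("dd04", "Expected CA", ("*.example.com",), True),
    LogEntry("ee05", "Expected CA", ("unrelated.test",), True),
)
MONITORED = ("example.com",)
EXPECTED = {"aa01"}  # fingerprints the operator knows it requested


def scan_sample():
    return find_unexpected_certs(SAMPLE_LOG, MONITORED, EXPECTED)


if __name__ == "__main__":
    for fp, issuer, names, reason in scan_sample():
        print(f"{fp} from {issuer} for {names}: {reason}")
```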
SSL DNS certs are not expensive. You can get them for free (as pointed out) or for perhaps $20 per year. Your hosting costs are almost certainly higher than that.
It's actually a lot more than that. HTTPS isn't just about protecting passwords anymore, not post Snowden.
Let us recall one of the more interesting things we learned about SSL via the NSA leaks: the Five Eyes countries apparently have not broken SSL yet, despite the internet still not being capable of stopping them. The reason is a system they've built called QUANTUM.
QUANTUM is a series of systems that work together. Imagine it like being a giant set of guard towers on the internet backbone. QUANTUM is called that because it's based on deep packet inspection and insertion. The first part is a massive set of DPI devices that trawl unencrypted internet traffic passing through intercept points. These DPI devices can be configured by NSA/GCHQ analysts to look for selectors - personal identifiers like email addresses, IP addresses, cookies and so on. QUANTUM does not run on every internet link and cannot see through encrypted traffic, but that doesn't matter: it's like a searchlight crawling the grounds of a prison at night. It doesn't matter that it can't light up everywhere simultaneously - once tasked it will keep searching until it finds you. Given enough time and good selectors, it will always find you, simply because the average internet user makes many different unencrypted connections to many different websites.
Once QUANTUM locates an un-SSLd traffic stream that matches your selectors, the next step begins; this is called QUANTUM INSERT. You see, these DPI devices are not only capable of reading traffic but also injecting packets directly onto the backbone as well. This allows them to race legitimate answers from the real servers, and redirect the victim to an entirely different server (this is probably based on racing DNS lookups although I think the leaked docs were fuzzy on this aspect). These races are called "shots" and interestingly, they don't always succeed - sometimes the NSA is slower than the real server. But QUANTUM keeps trying and eventually you end up connected to this new FOXACID server, which then proceeds to act as an HTTP proxy for the real request and injects an exploit kit. That then pwns your system such that the NSA can now see all your encrypted traffic, along with turning on your microphone and so on.
An observant reader will notice something very important about the above description. The longer you can stay in the SSLd web, the longer it will take for QUANTUM to hack you. That means you directly benefit from a website being SSLd even if all it contains is cat pictures and you don't even log in. Once QUANTUM has figured out your IP address, any non-SSLd HTTP connection is a useful foothold.
I didn't make a false claim. You quoted me saying we stopped bulk stolen password based attacks like the ones I described, and then proceeded to argue with a statement I never made (that we stopped all attacks).
To clarify, the attacks I'm talking about are ones where the attacker has a large list of passwords (in the order of hundreds of thousands of passwords or more) and tries each password to see if it matches. If it does, they log in; if it doesn't, they give up and try the next one. Government sponsored attacks tend to care an awful lot about a small set of targets which is the exact opposite.
Google was able to stop these attacks so effectively the people behind them gave up, and there was a large but not infinite number of people who were carrying out such attacks, so eventually they became no longer a real issue for the userbase. Note that our competitors (with the notable exception of Facebook) were NOT able to do this, so if a small ISP struggles to do it too, that would not be very surprising.
More than 1B credentials does not sound implausible to me, though it's on the high end. You may be wondering why my opinion on this is more relevant than anyone else's, so let me explain.
Although I left the company in January, for about 7.5 years I worked at Google and for ~3 of those years I worked on security and anti-spam related matters. Starting around April 2010 we started to see absolutely enormous numbers of compromised accounts sending spam to their contacts. This was not a problem that grew slowly. It went from zero to one gang compromising on the order of 100,000 accounts per day and that happened in the space of, it seemed, a few weeks. We learned about this problem through user complaints and by watching the flow of spam mails being reported to us via the "Report spam" button. We quickly realised this wasn't a Gmail specific problem but was simultaneously impacting Hotmail and Yahoo. Further investigation revealed that although this gang was capable of compromising ~100,000 accounts per day (more than one per second) this was the result of a 10-15% success rate for more like a million attempts per day: most account/password pairs they tried did not work. The reason was they were reversing password hashes stolen from third party websites using GPUs, and it turns out that people who use the same password everywhere make up (surprisingly) only about 10-15% of the user population. People suck less at security than you might imagine.
When this problem first started we believed that such an enormous supply of credentials must surely be some kind of freak one-off, the result of compromising an unusually large site. I mean, one million credentials every fucking day was an unimaginably vast pool of stolen passwords. But as the user complaints of being hacked failed to dry up we came to accept the horrible truth - this was not some freak one-off but the result of some kind of production line of passwords. Most likely a combination of automated web crawls to discover vulnerable sites, semi-automated popping of those sites, farms of GPUs reversing the passwords and the resulting packages being sold on the black market to spammers who then abused them for bypassing spam filters (mail from contacts is whitelisted by any good spam filter). We only got occasional snapshots of this market, for example we were able to find adverts on Russian blackhat forums by people advertising lists of "washed" vs "unwashed" account/password lists for hotmail, gmail etc, but mostly it was opaque.
Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away. But the underlying supply of passwords is still out there, and should those defences fall the problem would come back.
I gave a talk about this and various other webmail abuse related topics at the RIPE 64 conference in Ljubljana (video link) in case anyone is interested in this. The slides are also available though lots of info from the talk is missing from them.
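The login pattern the comments above describe (one stolen password tried once per account across huge numbers of accounts, with only the 10-15% of password re-users succeeding), as an added detection example that is neither the poster's nor Google's system; the attempts, addresses and thresholds are constructed for illustration:

```python
"""Added example: flag login sources that match the bulk stolen-password
pattern: one try per account across many accounts, few successes.
All attempts below are constructed sample data, not real logs."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int        # seconds since epoch (constructed)
    source: str    # client address (constructed documentation-range values)
    account: str
    success: bool


def profile_sources(attempts, window_start, window_end):
    """Aggregate attempts per source address inside the time window."""
    profiles = defaultdict(lambda: {"attempts": 0, "successes": 0, "accounts": set()})
    for a in attempts:
        if window_start <= a.ts <= window_end:
            p = profiles[a.source]
            p["attempts"] += 1
            p["successes"] += int(a.success)
            p["accounts"].add(a.account)
    return profiles


def bulk_credential_sources(profiles, min_accounts=20, max_success_rate=0.5):
    """Many distinct accounts tried about once each with a low success rate
    looks like stolen-password testing, unlike a mail client (one account,
    all successes) or a brute force (one account, all failures).
    Thresholds are illustrative assumptions, not tuned values."""
    flagged = {}
    for src, p in profiles.items():
        n_accounts = len(p["accounts"])
        if n_accounts < min_accounts:
            continue
        tries_per_account = p["attempts"] / n_accounts
        rate = p["successes"] / p["attempts"]
        if tries_per_account <= 1.5 and rate <= max_success_rate:
            flagged[src] = {"accounts": n_accounts, "success_rate": round(rate, 3)}
    return flagged


def login_decision(attempt, flagged):
    """Per-login risk step: a correct password from a flagged source earns a
    second-factor challenge rather than a session."""
    if attempt.success and attempt.source in flagged:
        return "challenge"
    return "allow" if attempt.success else "deny"


def build_sample():
    """Constructed hour of traffic: 100 accounts tested once each from one
    address with a 12% hit rate, a mail client polling one account, and a
    single-account brute force."""
    sample = [Attempt(i * 30, "198.51.100.7", f"user{i}", i % 25 < 3)
              for i in range(100)]
    sample += [Attempt(i * 120, "192.0.2.10", "alice", True) for i in range(30)]
    sample += [Attempt(i * 60, "203.0.113.5", "bob", False) for i in range(40)]
    return sample


def flag_sample():
    return bulk_credential_sources(profile_sources(build_sample(), 0, 3600))
```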
Based on the indictments it's hard to know how he was found. The indictment certainly gives a plausible explanation for how it happened - he was sloppy about linkage of his personal and alter-ego accounts online, but as noted in the articles, there are certain gaps and inconsistencies in the story and parts of it may have been filled out retroactively (the notorious "parallel construction"). Apparently what his lawyer is hoping is that they get a judge who feels like putting the FBI in their place with respect to such issues, and it turns out that they found the Silk Road servers via some NSA related trickery then worked backwards to find Ulbricht, then worked out a plausible but untrue alternative explanation for how he was located. Such a thing, if found to have happened, could plausibly throw a spanner in the entire prosecution.
However, it seems a long shot.
He is either well informed or (more likely) simply able to point out the obvious in a world where most don't dare. It is proven beyond doubt that brain tumours can cause paedophilia. That article is a summary of one well known and notorious case, but note that he checked himself into the hospital just one day before he was going to prison. The chances are great that there are more people like him rotting inside the prison system.
Given that the sex drive is an inherently biological thing that evolution has given tremendous influence over people's behaviour, the fact that a malfunctioning sex drive might have a biological root cause should not surprise anyone. And yes, it's absolutely a malfunction and obviously so - the purpose of sex is to reproduce and create offspring that survive to adulthood. The chances of having a child that grows up to be a strong adult by having sex with another child is massively reduced or close to zero, so from an evolutionary perspective it makes little sense.
Yes, some people do say that, and for all we know they might be right. Homosexuality is another biological dead end that doesn't lead to offspring. However this kind of deviation from the sexual norm is something most enlightened societies have got over because it doesn't harm anyone. OK, those people will not have kids. So be it. They aren't hurting anyone so it's unreasonable and unjustified to cause them problems.
Child abuse is a more complicated area. People tend to think of the "we know it when we see it" type cases, you know, 40 year old men trying to have sex with 8 year olds. Unfortunately the laws are badly written enough that all kinds of other basically harmless behaviour gets tangled up with it. For example, I know for a fact that the NCMEC database contains cartoons. Having a racy cartoon in your Gmail account is now enough to get busted by the police. Other cases of idiocy around these laws include the UK where the legal age of consent is 16 but the age to be considered not child porn is 18, meaning two people can legally have sex but can go to jail if they take a photo of themselves doing it. Cases where two teenagers have a relationship and the older one ends up being busted for child abuse have been reported in the USA. The harm in these cases is hard to see but it all gets dumped into the same bucket, legally.