Slashdot Mirror


User: IamTheRealMike

IamTheRealMike's activity in the archive.

Stories: 0 · Comments: 5,855

Comments · 5,855

  1. Re: Java 6 on Mac on Oracle Promises Patches Next Week For 36 Exploits In Latest Java · · Score: 2

    Mac browsers (Chrome, Safari, Firefox) don't run Java applets automatically anyway, so it doesn't matter what version of Java you have installed. Remember these exploits are all getting in because you run malicious code inside a sandbox and the sandbox fails. Don't download and run malicious code and you're OK.

  2. Re:Why doubt something better would exist? on Oracle Promises Patches Next Week For 36 Exploits In Latest Java · · Score: 5, Insightful

    Sun did that for years, that's hardly something new Oracle brought in. It's because Sun, despite their excellent engineering reputation, never figured out how to make money off Java. Lots of other companies did but Sun didn't. So they ended up resorting to pushing crapware through the Windows installer in a desperate attempt to monetize. Oracle merely continued that awful tradition.

    The good news is that ever since Java has been open source, distributing it in other ways is possible and with Java 8 they're changing the license on the Oracle packagings of it so you can cut it down to size for your specific app. It's getting a lot closer to just being a big runtime library than an entire parallel OS which it was trying to be in previous years.

    As to whether Java is secure or not, I don't think we should be too hard on the Oracle/Sun developers here. Every attempt to do mobile code has turned into a security nightmare. Not just Java, ActiveX and Flash, but web browsers routinely patch exploits in their core rendering or JavaScript engines, and that's HTML5 - a vastly simpler and more crippled platform than even the most basic core Java system provides. In fact browser developers have given up trying to make renderers secure which is why they're all heavily sandboxed, it's inevitable people will find ways to exploit the mobile code aspects of the rendering engines. Even then, Chrome sandbox escapes still get found from time to time.

    I don't think we should read these stories as "Java sucks". Programs written in Java or any other modern managed language are still much more secure than code written in C++. There are no stack or heap overflows to worry about, no double frees. These stories are not about how easy it is to write secure code in any given language or platform. Instead we should understand these stories as "sandboxing malicious code is incredibly hard". Java hurts from it more because Java was a lot more ambitious than other attempts.

  3. Re:Clever? on AT&T Introduces "Sponsored Data" Allowing Services to Bypass 4G Data Caps · · Score: 2, Insightful

    You never actually had unlimited transfer quota, at the prices they were charging you it was physically impossible just due to the way spectrum works. What changed is that perhaps truth in advertising became more important (hah), or perhaps people's understanding of what a gigabyte is got better so it became easier to tell it like it is.

  4. Solution on NSA Trying To Build Quantum Computer · · Score: 1

    Switch to ring learning-with-errors, which was proven by Regev to reduce in the average case to the hardness of some worst case integer lattice problems. Crypto systems built in this way are believed to not be affected by quantum computers and research is proceeding fast as a result. The fact that the NSA is no further ahead than anyone else is reassuring - we know how to build post-quantum crypto systems, the work that remains is largely in the "maturing" phase rather than the "wtf do we do now" phase.

  5. Re:Speculation will never go down on Congressman Accepts BitCoin For His US Senate Run · · Score: 1

    It is useless for transactions that don't involve a computer to facilitate trade - i.e. cash transactions.

    It's 2014. People carry computers around in their pockets these days, heck even my mother does. Even when you pay with cash, very likely that cash is placed immediately inside a computer controlled cash register. Of all the criticisms of Bitcoin I've seen over the years, this one has to be the strangest.

    By the way, perhaps you aren't aware of how horrifically broken existing payment systems are. I've talked with all kinds of people at software companies both huge and tiny over the past few years. Ex PayPal executives to startup founders. Every single one has said the same thing: "payments is broken". The fact that money moves electronically at all never ceases to amaze me given the huge fraud levels, woeful lack of security (see: Target), huge fees, general dysfunctionality of the banks (wire transfers can "go missing" because someone has to sit in an office at each bank in the chain retyping details from one system into another). It's just amazing. Yes, Bitcoin is very young and has all kinds of issues. But the existing payment networks are all very old and have all kinds of other issues.

    It might become less volatile (though I doubt it) but every single currency gets heavily speculated against. The Dollar, the Euro, etc. Every one.

    Bitcoin will get less volatile over time as it becomes boring and mainstream. It's volatile today because lots of people are learning about it for the first time, and governments are still figuring out their initial positions on it. Give it 10 years and everyone will have made up their mind about it, things won't be changing so fast and assuming it's been able to continue growing, it'll probably be fairly stable. Just like it is when out of the public eye (go look at long term price charts and you will see long spans of time where the price was not particularly unstable even with much thinner markets than today, like when it was at $5).

  6. Re:Damn, the movies have been right all along on Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog · · Score: 1

    NSA doesn't but the CIA does.

  7. Re:Security on Cracking Atlanta Subway's Poorly-Encrypted RFID Smart Cards Is a Breeze · · Score: 1

    Oyster cards upgraded past the broken old MIFARE Classic chips some time ago, I believe. NXP make several generations of cards of which the Classic is the oldest and most broken. The more modern/expensive cards, not so trivial to crack.

  8. Re:Why are they storing this data anyway? on Encrypted PIN Data Taken In Target Breach · · Score: 1

    As for the 3des part, it just doesn't make any sense. As other people have already said, 3des is symmetrical, so saying they don't have the key is impossible.

    The key for decrypting card PINs (on pre-EMV magstripe cards) is stored inside secure hardware inside the keypad inside ATMs. It's all based on old IBM secure hardware chips, the kind that are designed to self destruct if someone tries to open them. All this stuff dates from the 70's of course, the USA has never upgraded past that era, so the lack of asymmetric crypto is really no surprise. EMV chip cards do use asymmetric crypto and in those the PIN never leaves the card itself (except of course, if you enter a new one at an ATM).

  9. Re: Time to ask the bank a new debit card and P on Encrypted PIN Data Taken In Target Breach · · Score: 1

    Yes, they do try that; however, in practice it's very rare for a genuine dispute to happen, partly because the system is pretty secure. You simply don't get Target style bulk thefts. If money gets mysteriously withdrawn and the PIN was entered, you might be on the sharp end of a new zero-day breach against EMV, but much more likely, someone who knows you managed to figure out your PIN (or you told them) and turned out to not be quite as trustworthy as you thought they were.

  10. Re:First Shot on Battlefield 4 Banned In China · · Score: 3, Insightful

    You didn't read the request, did you? He said "that takes place in our time". The first game is a civil war re-enactment. The second linked game also does not take place in the modern world.

    What he's asking for is a game where large numbers of players are tasked with a mission to, for example, successfully capture the White House and take the President as prisoner, killing lots of US soldiers along the way. That's much harder to find, though I think in some of the Call of Duty games you can play the part of the Russians and attack the US. That's not the default mode though.

  11. Re:Robbed over TV on India Cautions Users On Risks Associated With Virtual Currencies · · Score: 1

    It's no different to buying a gift card, scratching the code and then showing it on live TV. Doesn't say much about Bitcoin or indeed anything. The TV host thought it was funny.

  12. Re:It's happened before. on Could an Erasable Internet Kill Google? · · Score: 1

    If a court was dumb enough to regard spam filtering and ad targeting as "wiretapping" then what it would mean is that Gmail users would suddenly get (a) flooded with spam (but there would be no better place to go to) and (b) become expected to pay for their accounts, which means handing over credit card details, which include things like your full name and billing address. Be careful what you wish for!

  13. Re:From Italy, yes, otherwise... on Italy Approves 'Google Tax' On Internet Companies · · Score: 1

    No loopholes have been closed because (a) the system is working as designed and (b) this Italian rule is incompatible with all the treaties they signed and won't be enforced by the courts.

  14. Re:Loophole closed on Italy Approves 'Google Tax' On Internet Companies · · Score: 1

    The first link provides no details. The second is about something else - look on that page for "Member States would maintain their full sovereign right to set their own corporate tax rate". I don't think it says what you think it says.

  15. Re:IANAL on Italy Approves 'Google Tax' On Internet Companies · · Score: 1

    The law is written to stop Italian companies from buying services from foreign companies, which will seriously hurt Italian companies. Even if Google goes along with this and routes payments via Italy and pays Italian tax, lots of other ad networks won't and it's a competitive business.

  16. Re:states dont want to compete. on Italy Approves 'Google Tax' On Internet Companies · · Score: 1

    Being taxed where you are headquartered is not a scam, it's how the system is designed to work.

  17. Re:that doesn't seem too unreasonable on Italy Approves 'Google Tax' On Internet Companies · · Score: 1

    It doesn't just seem onerous, it was onerous, which is why the EU single market was forged at great diplomatic difficulty and cost - exactly to avoid the crippling paperwork and bureaucracy that was involved with expanding companies.

    Governments everywhere are passing stupid laws that try to tax foreign entities in a desperate attempt to fix their finances without impacting voters. Trying to tax people who are selling to their voters is a popular idea because it's harder for people to perceive a lack of goods and services being offered to them than a tax directly on their income. The USA is the worst - it's actually taking over the entire banking system so it can tax US persons (citizens, green card holders, ex green card holders, etc) wherever they are in the world regardless of whether they actually live in the USA or not.

    I think this seems to be just a generic, structural problem with governments as we have them today. They are incentivised to grow as big as possible, become overloaded with debt and then try to throw their weight around to extract payments from people all over the world. International taxation with national voting can never lead to a healthy outcome.

  18. Re:Surprised this didn't happen sooner on Italy Approves 'Google Tax' On Internet Companies · · Score: 3, Informative

    In some countries (like Ireland), yes it was the banks.

    In countries like Italy, it was largely the governments. In countries like Greece, it was 100% the government.

  19. Re:Loophole closed on Italy Approves 'Google Tax' On Internet Companies · · Score: 2

    You write that as if this "new EU level tax system" is being designed and deployed right now, but I've heard nothing about such a thing and it seems hard to imagine it happening, given that this was the system before the EU Common Market was created and it sucked hard, which is why it was replaced.

    The common market makes everyone richer by massively reducing the paperwork involved in running a company. A small company can set up a one-man shop in Italy and sell to all of Europe pretty much immediately, with minimal or no interaction with the other countries' governments. This is a GOOD THING.

    The system you propose might be something very large and rich companies could swallow, but it'd be a nightmare for everyone else. If you look at the mess the US is getting itself into with state sales taxes you can see what a headache the EU avoids via its current system. Tax levels there can vary not only at the state level but even city or city-block level! In theory, to collect the correct sales tax and remit it would require even tiny companies to invest in hugely complex software and processes which is why they sort of muddle on through without doing it (and the seldom enforced use taxes).

    If the EU was stupid enough to throw away decades of progress in paperwork reduction, purely to try and whack Google/Starbucks, it would be a massive own goal that would hurt an already weak economy: tax revenues from a few big companies would go up a little bit (really: be redistributed), and overall tax revenues would go sharply down as lots of other companies went bust.

  20. Re:From Italy, yes, otherwise... on Italy Approves 'Google Tax' On Internet Companies · · Score: 1, Interesting

    So if eluding 20 € of taxes is a crime, why should eluding 10 billion € be considered fair?

    Gah. Why do so many people not understand the difference between avoidance and evasion? Evasion is what happens when there's a rule, and you break it. Avoidance is what happens when politicians wish there was a rule someone was breaking, but there isn't, and as such tax avoidance is barely a well defined term at all. None of these companies are being accused of tax evasion. That would require someone demonstrate a rule that they were breaking. They are being accused of, well, it's hard to know what they're being accused of exactly ... basically they're being accused of being rich and not giving profligate and indebted governments free money.

  21. Re:Peak Apple 2012 on Apple Forges Agreement With China Mobile · · Score: 1

    It's because iPhones are very visually consistent, so it's easy to quickly spot them. Other phones are much more mixed so they don't tend to stick in your mind so much.

  22. Fail on Asm.js Gets Faster · · Score: 1

    Take a compact binary encoding of a CPU instruction set, convert it to text, run it through gzip, ungzip it, translate it back to binary instructions for a CPU.

    Am I the only one who is wondering what the hell is going on? Distribute a binary already!

  23. Re:A first-hand perspective on white bus symbolism on Protesters Block Apple and Google Buses In California · · Score: 1

    This is the crux of the issue in my mind. The tour buses are a symbol, not just of gentrification, but also of the failure to promote progress.

    Wait, what? You're complaining that these companies don't promote public transport at the same time as complaining that they're already running bus services for their employees? Would you prefer those employees are all using cars? Do you think there is huge pent up demand for commuter bus routes from central SF into the bay area? If the buses were open to the public, either there would not be much additional actual demand beyond the tech industry (in which case nothing would change), or there would be a lot of additional public demand, in which case there'd have to be even more giant buses sitting at the bus stops.

    Public transport in that part of the world is useless, but it's not useless because SF can't afford to invest. California is one of the world's largest economies all by itself and SF is one of America's richest cities. Public transport there is useless because the entire layout of the region creates too little density for working transit, and any attempt to upgrade infrastructure or increase density runs into protests.

    I know lots of Google employees would love to work in the SF office, but they can't because it's not big enough. Why is there not more office space in SF? Well, go see the comments above.

    Here's another example - Google has been trying to build a bridge in a part of Mountain View for its buses for a long time. Surely this is the kind of investment you would like to see. Private corporations paying to build new roads to take some of the pressure off the 101. It got voted down. If Google can't even build a simple bridge in its own back yard, how do you expect these companies to re-build most of San Francisco? Surely that's the government's job anyway?

  24. Re:Hey Google and Apple! on Protesters Block Apple and Google Buses In California · · Score: 1

    If that were the case they'd all live in the valley and not care that it's a staggeringly low density suburban joy-killer for anyone who doesn't have kids. Obviously some of them DON'T spend all their time at the Google HQ otherwise they wouldn't endure the 2 hour commute to live in San Francisco, would they?

  25. Re: Hmm. on Protesters Block Apple and Google Buses In California · · Score: 1

    Many of the tech workers they're protesting are working in places like Mountain View, which is about an hour's commute from SF each way. So when you give a 2+ hour commute as 'unreasonable', consider that these tech workers are already commuting those distances to get to where they work - if they can do it, why is it unreasonable for janitors to do the reverse direction?

    I don't actually live in the US, by the way, but was in SF recently and have been watching this situation with interest. It's easy to understand why these protesters are upset but hard to come up with anything which is actually "wrong" in a logical sense.