The financial regulations that primarily apply to exchanges and trading platforms aren't what you think they are. As far as I'm aware, at least, there are no regulations that require "competence", perhaps because it's so company-specific and difficult to legislate. The regulations that DO apply are primarily about allowing governments to track money flows between identified parties for the purposes of crime fighting and who knows, maybe some general oppression as well;)
It's nice to think that regulators can solve these kinds of problems. Experience of the last few years suggests that it's a much harder thing to solve than you believe. For instance, you say 17 year olds shouldn't be allowed to handle other people's money. So, when he turns 18 he magically becomes competent then? Regulating ownership like this is very hard. In the UK there is a requirement that owners of major media and financial organizations are "fit and proper". This requirement is now causing the Tories to tie themselves in knots trying to explain how Murdoch and News Corp are "fit and proper" despite being at the center of a complex case of hacking and political corruption. It ends up being more about politics and backscratching than any real clear definition of who is competent or not.
This is what happens when you deal with an unregulated currency supply.
Regulation of currency has nothing to do with this. In fact shortly before it closed Bitcoinica was boasting that it had recently come under regulatory supervision. And do you think dollars and euros are immune from incompetence leading to massive losses? If so, where have you been in the last few years?
The underlying problem here is simple, and actually has little to do with Bitcoin itself. The problem is that Bitcoin has grown so extremely fast that almost anyone who sets up a unique financial service, as Bitcoinica and MtGox did, is immediately flooded with users and vast sums of money. These guys are then plunged into the pain of scaling up their operations from zero almost overnight.... setting up customer support, dealing with bugs and new features, figuring out the relevant regulations so they can start to comply with them and attempting to secure their operations.
It does not help that many of these operations started out being run by rank amateurs. MtGox was written in amateurish PHP and had to be almost completely rewritten from scratch by Mark Karpeles, who appears to be fairly competent. Their big security breach came when the previous owner (the amateur) got hacked; he had retained too much access to the business internals. Bitcoinica was, notoriously, set up by a Chinese 17 year old who was able to build a nice UI and working trading platform, but quickly realized he was in over his head with regards to building a rock solid secure operation.
Securing IT systems is hard and Bitcoin as it stands today doesn't do much to help you with it. It's worth noting here that if you just want to sell things for coins (the common merchant case) your server does not need to have the ability to spend the received money at all. You can use a split wallet (also called a "watching wallet") on the server, and then only a totally different secure machine of your choosing can actually move the money. So the difficulty mostly affects companies that need to automatically receive and send large sums of money. The community knows how to make improvements - the protocol allows for money to require multiple signatures to move it, so a framework for having an independent second system that verifies/risk-analyses a transaction stream before signing it would be a good step forward. Using trusted computing platforms like Intel TXT + the TPM chip allows you to secure your wallet in such a way that root level compromise of the machine cannot be used to extract the keys. And the use of "cold storage" wallets is already commonplace. Etc, etc.
The Bitcoin world is going through a period of rapid evolution in which amateur wildcat operations prove demand and are then rapidly replaced by companies designed by highly paranoid people. If you are skilled at computer security and willing to do a lot of paperwork, there's golden opportunities for you right now.
Well, there's certainly some truth to that, but you're assuming that there is a free market at work here. That isn't the case. Markets require property rights - if I can pay you or not pay you for something depending on, basically, whether I give a crap or not, what you have is not a market in the capitalist sense. That is what has happened to music and is happening to other types of creative works due to the failure of the tech industry to implement strong DRM, or to stop file sharing networks. There is no market any more. Only beggars and charitable individuals.
That's not a large exemption any more because the dollar has been sliding in value for a long time now. It's less than the average salary for software engineers in Switzerland, for instance, and that's with an aggressive currency peg to the Euro. If that peg wasn't in place or was weaker, it'd probably start including all kinds of non-professions, just due to exchange rate disparity.
Not really. Just forbid the government from spying on everyone with cameras in public places for any reason. The government doing it and individuals doing it are quite different things, as individuals aren't everywhere at once like the government's cameras.
Perhaps my original post was not clear enough, or you did not read it. There are very few "government cameras". There are a lot of cameras put in places by the owners/operators of that place. E.g. at railway stations it's the station operators who pay for, install and operate the cameras, with the police having no special or unusual access beyond what is allowed via law. Therefore the UK government is already unable to "spy on everyone with government cameras" because there is no legal or technical mechanism for them to do that.
I don't see your point. For there to be a surveillance state, there'd have to be some capability to follow a specific person around across all these cameras, and as already pointed out, that capability does not exist. It's the modern equivalent of having security guards on patrol. Useful for security, not so useful as a method for the state to persecute annoying individuals.
If you aren't concerned about that specific capability of the state then you're making a more general argument which is very different, namely that you want some abstract notion of privacy in public places - moreover, public places that are highly trafficked and historically have been targeted by organizations like the IRA. That more abstract notion of privacy is significantly harder to guarantee (individuals would be unable to take photos or film in public places), so most countries draw the line after "the state can spy on anyone with impunity" but before "videoing people in public places is forbidden".
The idea that the UK is some kind of surveillance state is a myth propagated on Slashdot by people who don't know better. If I recall correctly the "highest density of CCTV" meme comes from an article in the Daily Mail (aka Daily Fail). They counted all CCTV cameras, including all private cameras, in one very small and specific part of London. Despite the fact that these cameras are subject to the data protection act and typically not even connected to a communications network, they then extrapolated that small area of London to the entirety of the UK and asserted everyone was "being watched all the time", which is about as accurate as saying your email is always being read (by automatic spam filters).
Internet censorship proposals keep getting floated every few years by "save the children" types in the UK, whereas the idea is taboo in the USA. That's good for America. Unfortunately, that doesn't mean there's no censorship in the states. US residents and citizens are subject to a comprehensive and effective system of financial censorship instead. For example, when politicians there decided that internet poker was bad, they decided to censor online poker sites. Rather than do it via DNS or IP blocking they commanded banks and payment processors to block financial transactions to those sites instead. The effect was the same - Americans cannot use these sites.
The financial censorship system operates the same as you would expect from an online censorship system. There is a large blocklist of questionable accuracy - it includes companies and people who do not exist and performs matching by name only. There is no right to appeal and no evidence is required to be added to the list. It is subject to political manipulation as we saw with the WikiLeaks blockade. It requires pervasive monitoring, implemented via government access to banks' financial records. Foreign financial transfers are also available to the US government via the "Terrorist Finance Tracking Program", which basically dumps every wire transfer, credit card transaction etc into a giant database that is queried hundreds of times per day - essentially the equivalent of deep packet inspection.
Of course, like any form of censorship, ways around the system are also censored. Whilst attempting to evade online censorship is typically not treated as a serious crime even in places like China, attempting to evade US financial blocklists is considered to be money laundering and can result in imprisonment for up to 20 years. In fact, being used by third parties as a way to evade this type of censorship is also money laundering even if you're simply an unaware middleman! The original formulation of these laws had a "mens rea" requirement, ie, to be guilty you had to actually intend to break the law and have a guilty mind. Virtually all money laundering cases fell because of this, so Congress simply removed the requirement.
Finally, because censorship systems have to be global to be truly effective, the USA has been persistently "harmonizing" this system onto the rest of the world since its inception. It gets tiresome to read posts from Americans trashing the UK for being some kind of censorship crazy surveillance state when the depressing reality is the reverse.
Why do you claim it is "unsafe"? Almost all work done in Objective-C is very "safe", by any measure
Objective C, at least as used on iOS, is not a safe language. I don't see how anyone with serious programming experience could believe that.
Here are some things about it that are unsafe. Firstly, it's not garbage collected (on the phone). Manual memory management has a long history of resulting in memory corruptions, leaks, and even security vulnerabilities. Yes, on MacOS X there is GC available, so Apple clearly recognize this. They appear to believe that it's not OK on a phone.
Secondly, and this is just crazy to my mind, dereferencing a null pointer (ok, rephrase it in terms of sending messages to nil if you like)..... does not terminate the application. It's actually a "defined" operation in the sense that it's defined to return garbage or another nil. Sending a message to nil has no useful purpose so it is guaranteed to reflect a bug in your application, unless (worse) you have some "clever" programmer who decided to rely on this obscure behavior. The nonsense of accessing NULL is why it is defined to result in an application crash on any sane platform - you want to stop the app at that point to avoid possible data corruption. But Objective C apps will happily continue their merry way, overwriting internal state with garbage or more nils until it auto-saves your now hopelessly corrupted data to disk.
This is a specific instance of a more general problem with Objective-C, which is that despite being based on C it turns a lot of failures that would be compile failures in any modern language into runtime failures or heuristically driven compiler warnings. Most research into programming languages for the last 10-15 years has been about how to catch more errors earlier, mostly through better type systems (a lot of functional research is in this direction). Objective-C takes a massive step backwards in this regard, converting errors even C++ compilers can catch ahead of time into issues you may not even notice unless you have extremely thorough testing plans. Example: typos in method names.
Thirdly, Objective-C does not have any kind of real namespacing support. The Cocoa libraries use the convention of an API prefix, but there's no language support for it, meaning "namespaces" such as they are tend to be very short or non-existent. Combined with the way symbols can mishmash together in the same binary, this can lead to awkward to solve linking issues.
There are a lot of problems with Objective-C that make it difficult to consistently write correct code and flatly contradict how modern languages are designed (no surprise, as it's not modern).
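An added example (not from the post above) of the nil-messaging behaviour it describes, in Objective-C. The Account class and the two totalBalance functions are hypothetical and constructed for this illustration; the checked variant shows the explicit nil test a defender would add so the failure surfaces before corrupted state is persisted.

```objc
#import <Foundation/Foundation.h>

// Account is a hypothetical model object constructed for this example.
@interface Account : NSObject
@property (nonatomic, copy) NSString *owner;
@property (nonatomic, strong) NSNumber *balance;   // nil if never set
@end

@implementation Account
@end

// Sums balances the way the post describes Objective-C behaving: a nil
// balance is messaged, the call returns 0.0 on current runtimes (older
// ones could hand back garbage for floating-point results), and the sum
// is quietly wrong. Nothing stops the program.
double totalBalanceSilent(NSArray *accounts) {
    double total = 0.0;
    for (Account *acct in accounts) {
        total += [acct.balance doubleValue];   // [nil doubleValue] -> 0.0
    }
    return total;
}

// Same computation with the nil checked explicitly. The exception fires
// at the point of the bug, not after the bad total has been written out.
double totalBalanceChecked(NSArray *accounts) {
    double total = 0.0;
    for (Account *acct in accounts) {
        if (acct.balance == nil) {
            [NSException raise:NSInternalInconsistencyException
                        format:@"account %@ has no balance", acct.owner];
        }
        total += [acct.balance doubleValue];
    }
    return total;
}

int main(void) {
    @autoreleasepool {
        Account *alice = [Account new];
        alice.owner = @"alice";
        alice.balance = @100;

        Account *bob = [Account new];   // balance never assigned: stays nil
        bob.owner = @"bob";

        Account *missing = nil;         // e.g. the result of a failed lookup

        // Messaging nil: each of these is "defined" and execution continues.
        NSLog(@"owner of missing: %@", [missing owner]);                   // (null)
        NSLog(@"name length: %lu", (unsigned long)[[missing owner] length]); // 0

        // The wrong total is computed and would be persisted as-is.
        NSLog(@"silent total: %.2f", totalBalanceSilent(@[alice, bob]));   // 100.00

        // With the explicit check the same input stops the computation.
        @try {
            totalBalanceChecked(@[alice, bob]);
        } @catch (NSException *e) {
            NSLog(@"checked version stopped: %@", e.reason);
        }
    }
    return 0;
}
```

Build with clang and the Foundation framework (or GNUstep); NSAssert-style macros would do the same job but are compiled out when NS_BLOCK_ASSERTIONS is defined, so the explicit test is used here.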
I ask "where can you buy users' data from Google" and you reply with a bunch of links that make varied and wild assertions, but none of them allow you to buy users' data. So please stop repeating this tiresome FUD. It isn't possible, has never been possible, and almost certainly never will be possible.
This is the same woman who, upon learning that border control was overloaded and relaxing passport checks for low risk cases at peak time, decided to solve the problem by firing the guy in charge and forcing checks to never be relaxed. Result: planes stacking up in the sky because the queues at border control were too long. Prime Minister summons her and gives her a right ass-kicking and now risk-based enforcement is back on the table.
It will be tempting for Slashdot posters to over-generalize from this case to try and make sweeping statements about the entire UK or British people (just as it's tempting to do the same about Americans when the US Govt does something retarded). But the core problem in this case really boils down to one woman and her arbitrary and inconsistent management of the borders.
I've been reading and posting to Slashdot for over 10 years. The stories have always been sensationalist, trolling, or sometimes even deliberately deceptive. Despite that the comments nearly always put it right. If you read Slashdot, and care about understanding the many fascinating and important issues discussed, you need to read the high-modded comments too. That's always been true for as long as the site existed.
I don't know why you keep repeating that John. Have you actually attempted to buy users' information from Google? Where, exactly, can one sign up to buy such information?
The answer is you don't know where, because no such service exists.
// The reason why the Triggs approximation becomes so poor is
// because the curvature correction that it applies to the gauss
// newton hessian goes from being a full rank correction to a rank
// deficient correction making the inversion of the Hessian fraught
// with all sorts of misery and suffering.
Yeah, that's pretty much how maths makes me feel as well...
That sort of argument is unlikely to fly in front of a jury given all the other evidence against him. Bear in mind this wasn't just a random stop-and-search, they already suspected he was an al-Qaeda member. He tried to hide the incriminating files. Probably more that isn't in the story.
Having said that, I think this sort of story just reinforces the general impression that the counter-terrorism apparatus is way too big for the size of the threat it presently faces. If this is the way AQ move sensitive files around, they are clearly unable to recruit members with any technical sophistication. I can easily believe intelligence agencies have got a lot better over time, not to mention ruthless and focused, but it seems that if these guys can pull off a devastating attack then basically anyone can and we may as well give up now. No need for "training in Pakistan" for those guys.
Steganographically hide sensitive information in an innocuous looking video, and then hide it in your underpants thus guaranteeing it will arouse suspicion on discovery. How stupid are these guys??
Except that's garbage (for some reason I often think this about stuff Ross Anderson writes).
That paragraph basically asserts that CAP/EMV doesn't work at all, despite a lot of evidence to the contrary - like a sharp fall in fraud rates after the system's introduction. It also is based on the massive misconception that US banks are liable for fraudulent transactions. That is not the case. Typically in the case of fraudulent wires, US banks will simply reverse the transactions. ACH fraud is a huge problem for businesses that operate in the USA because ACH transfers are so soft. Banks there routinely "take back" transfers which turned out to be triggered by malware or phishing, leaving the recipient of the stolen funds, often a hapless mule, out of pocket. Look at the problems the TradeHill bitcoin exchange had with this, where bad transfers were used to buy Bitcoins and then silently reversed months later by the banks.
The fact that Anderson seems to believe US banks eat the losses caused by their poor security undermines his whole argument. They don't; random victims do. Therefore unsurprisingly they don't invest in better security technology. And - reality check - digitally signing destination account numbers and transaction values with smartcards is better than asking users for an answer to their "secret question". Only somebody way off in academic lala land would believe otherwise. Anderson and his team have published a variety of papers on attacks against these systems, many of them somewhat theoretical or which have been patched later. For him to claim that because often quite obscure flaws have been found in the past, these systems "do not work", I find quite astonishing.
Yes, no serious web mail service can be compromised by brute force attacks and that is not what happened here.
Almost certainly, the password in question has been re-used at some other third party website that then got hacked, its password database dumped and the hashes reversed using video cards.
I work on account security at Google and have spent the last 2.5 years of my life on Gmail anti-hacking. So I'm all too familiar with this type of problem, where spammers mail your contacts with a link to their online stores (or malware). Really feel for the Hotmail team here - it's a hard problem to solve. That said, we've made a lot of progress over time. We've blocked very large numbers of logins to compromised accounts (often between half a million to a million accounts per week). There are still occasional campaigns that get past us but it's getting rarer all the time. It may well be that this guy's password was the same on Gmail (ie, he had one password for everything), and there was an attempt made against his account, but we redirected it to the identity verification quiz and thus it was blocked. It wouldn't be remarkable if so.
I did a public talk at RIPE64 on the topic of signup and login security at Google, for those who are interested. It's about 30 minutes long.
The advisory says that SSL/TLS code is not affected, and only software that parses ASN.1/DER structures from BIO or FILE streams could be impacted. Parsing ASN.1 from memory is also not affected. That would appear to restrict the vulnerable software quite a bit.
Whether you have a remote vulnerability or not would seem to depend very highly on what software you're running.
Er, the problem is exactly that people stopped buying movies and music, they just didn't stop consuming them.
"Revolution" is one way to fix the issue of bills like these. People giving up piracy and paying for what they use would probably also work, as it'd take away the rationale and I think the labels/studios would lose interest in lobbying at that point, given that it's expensive, slow and frustrating for all involved.
Of course most people want to shout "fuck the corporations" and feel radical at the same time as they guzzle down Hollywood movies from TPB. So that solution isn't going to happen.
Bingo. Getting root is useful but not required for viruses, and Windows has had very similar setups for a long time already. It's perfectly possible to make a program that hides itself, resists deletion, spams, steals passwords, logs keys etc all without having root and there are quite a few such viruses out there. MacOS isn't any better defended than Windows against malware, in fact it's significantly worse because so many users don't even have AV software installed (my Mac does, btw).
A lot of the Android "trojans" are little more than apps which declare what they'll do up front and then do them. I'm not sure that counts as exploits.
Well, the summary is written in a highly biased and inflammatory way - not surprising for an article about DRM on Slashdot.
In particular this part is very misleading:
Instead of spending time, money and effort on new DRM measures that get circumvented within a few days of release, the industry would do well to lower the launch price of Blu-rays.
However as far as I know (and the article does not contradict me) there is no way to remove Cinavia from protected titles. The article instead argues that it's useless because people play back the pirated videos using non-updated or non-licensed players.
There are a couple of issues with that line of argument. One is that whilst it's certainly true for certain classes of pirates, it is not true for all - piracy in places like Asia is still heavily based on selling dodgy discs. Another is that it ignores the (imho very likely) possibility that renewable watermark detection will migrate inside TV sets / projectors in future, along with a move by the industry to fully streaming based video distribution. Older TV sets that don't check for the watermarks could perversely become more expensive than newer sets as the pirate market drives up prices. I fully expect the TV market to consolidate over the next generation as Apple/Google/Microsoft start integrating their platforms with them and TV makers adopt such platforms to win a competitive edge in an otherwise saturated market that can't go bigger or thinner. Xbox 720 as part of TV sets? Why not?
Anyway, you don't have any evidence to say that there are no economic justifications and they should just lower prices. That's the kind of thing often assumed by Slashdotters because it'd be convenient for them, no better reason.
If you buy contraband once, you can immediately identify a large number of other wallets guilty of the same purchase, and you can trace each one's transaction history until they interacted with a legitimate business, and then you just subpoena for shipping addresses.
That is possible if the seller only ever uses one address. You could do it that way if you wanted, but it's not the default way the software works, nor is it how it's meant to be used.
Privacy is important dude, and there really is no such thing as anonymous online currency. Even bitcoin (aka "comedy currency") isn't anonymous, in fact the opposite, once you know someone's block address you can easily trace their transactions just by examining the record of the block-chain.
That's not really accurate. You might want to do more research before writing Bitcoin off as a comedy currency. Users of the system don't have just one address, the software will constantly create new addresses for you automatically. The standard way to use it is one address per transaction.
There are a variety of interesting theoretical attacks on Bitcoin's privacy using graph analysis, etc, but so far theoretical is all they are - I don't know of any examples of somebody's identity being discovered from the block chain. This is despite several large thefts that would have strongly incentivized people with the right technical knowledge to try.
There are real and interesting issues with things like Bitcoin around the balance between the need to enforce the law and the need for privacy from overbearing/abusive governments, the need for efficient tax collection, etc. They are topics that are being explored by the research community. But simply writing it off as non-workable isn't a good idea.
The financial regulations that primarily apply to exchanges and trading platforms aren't what you think they are. As far as I'm aware, at least, there are no regulations that require "competence", perhaps because it's so company-specific and difficult to legislate. The regulations that DO apply are primarily about allowing governments to track money flows between identified parties for the purposes of crime fighting and who knows, maybe some general oppression as well ;)
It's nice to think that regulators can solve these kinds of problems. Experience of the last few years suggests that it's a much harder thing to solve than you believe. For instance, you say 17 year olds shouldn't be allowed to handle other peoples money. So, when he turns 18 he magically becomes competent then? Regulating ownership like this is very hard. In the UK there is a requirement that owners of major media and financial organizations are "fit and proper". This requirement is now causing the Tories to tie themselves in knots trying to explain how Murdoch and News Corp are "fit and proper" despite being at the center of a complex case of hacking and political corruption. It ends up being more about politics and backscratching than any real clear definition of who is competent or not.
Regulation of currency has nothing to do with this. In fact shortly before it closed Bitcoinica was boasting that it had recently come under regulatory supervision. And do you think dollars and euros are immune from incompetence leading to massive losses? If so, where have you been in the last few years?
The underlying problem here is simple, and actually has little to do with Bitcoin itself. The problem is that Bitcoin has grown so extremely fast that almost anyone who sets up a unique financial service, as Bitcoinica and MtGox did, is immediately flooded with users and vast sums of money. These guys are then plunged into the pain of scaling up their operations from zero almost overnight .... setting up customer support, dealing with bugs and new features, figuring out the relevant regulations so they can start to comply with them and attempting to secure their operations.
It does not help that many of these operations started out being run by rank amateurs. MtGox was written in amateurish PHP and had to be almost completely rewritten from scratch by Mark Karpeles, who appears to be fairly competent. Their big security breach came when the previous owner (the amateur) got hacked, he had retained too much access to the business internals. Bitcoinica was, notoriously, set up by a Chinese 17 year old who was able to build a nice UI and working trading platform, but quickly realized he was in over his head with regards to building a rock solid secure operation.
Securing IT systems is hard and Bitcoin as it stands today doesn't do much to help you with it. It's worth noting here that if you just want to sell things for coins (the common merchant case) your server does not need to have the ability to spend the received money at all. You can use a split wallet (also called a "watching wallet") on the server, and then only a totally diffferent secure machine of your choosing can actually move the money. So the difficulty mostly affects companies that need to automatically receive and send large sums of money. The community knows how to make improvements - the protocol allows for money to require multiple signatures to move it, so a framework for having an independent second system that verifies/risk-analyses a transaction stream before signing it would be a good step forward. Using trusted computing platforms like Intel TXT + the TPM chip allows you to secure your wallet in such a way that root level compromise of the machine cannot be used to extract the keys. And the use of "cold storage" wallets is already commonplace. Etc, etc.
The Bitcoin world is going through a period of rapid evolution in which amateur wildcat operations prove demand and are then rapidly replaced by companies designed by highly paranoid people. If you are skilled at computer security and willing to do a lot of paperwork, there's golden opportunities for you right now.
Well, there's certainly some truth to that, but you're assuming that there is a free market at work here. That isn't the case. Markets require property rights - if I can pay you or not pay you for something depending on, basically, whether I give a crap or not, what you have is not a market in the capitalist sense. That is what has happened to music and is happening to other types of creative works due to the failure of the tech industry to implement strong DRM, or to stop file sharing networks. There is no market any more. Only beggars and charitable individuals.
That's not a large exemption any more because the dollar has been sliding in value for a long time now. It's less than the average salary for software engineers in Switzerland, for instance, and that's with an aggressive currency peg to the Euro. If that peg wasn't in place or was weaker, it'd probably start including all kinds of non-professions, just due to exchange rate disparity.
Perhaps my original post was not clear enough, or you did not read it. There are very few "government cameras". There are a lot of cameras put in places by the owners/operators of that place. Eg at railway stations it's the station operators who pay for, install and operate the cameras with the police having no special or unusual access beyond what is allowed via law. Therefore the UK government is already unable to "spy on everyone with government cameras" because there is no legal or technical mechanism for them to do that.
I don't see your point. For there to be a surveillance state, there'd have to be some capability to follow a specific person around across all these cameras, and as already pointed out, that capability does not exist. It's the modern equivalent of having security guards on patrol. Useful for security, not so useful as a method for the state to persecute annoying individuals.
If you aren't concerned about that specific capability of the state then you're making a more general argument which is very different, namely that you want some abstract notion of privacy in public places - moreover, public places that are highly trafficked and historically have been targeted by organizations like the IRA. That more abstract notion of privacy is significantly harder to guarantee (individuals would be unable to take photos or film in public places), so most countries draw the line after "the state can spy on anyone with impunity" but before "videoing people in public places is forbidden".
The idea that the UK is some kind of surveillance state is a myth propagated on Slashdot by people who don't know better. If I recall correctly the "highest density of CCTV" meme comes from an article in the Daily Mail (aka Daily Fail). They counted all CCTV cameras, including all private cameras, in one very small and specific part of London. Despite the fact that these cameras are subject to the data protection act and typically not even connected to a communications network, they then extrapolated that small area of London to the entirety of the UK and asserted everyone was "being watched all the time", which is about as accurate as saying your email is always being read (by automatic spam filters).
Internet censorship proposals keep getting floated every few years by "save the children" types in the UK, whereas the idea is taboo in the USA. That's good for America. Unfortunately, that doesn't mean there's no censorship in the states. US residents and citizens are subject to a comprehensive and effective system of financial censorship instead. For example, when politicians there decided that internet poker was bad, they decided to censor online poker sites. Rather than do it via DNS or IP blocking they commanded banks and payment processors to block financial transaction to those sites instead. The effect was the same - Americans cannot use these sites.
The financial censorship system operates the same as you would expect from an online censorship system. There is a large blocklist of questionable accuracy - it includes companies and people who do not exist and performs matching by name only. There is no right to appeal and no evidence is required to be added to the list. It is subject to political manipulation as we saw with the WikiLeaks blockade. It requires pervasive monitoring, implemented via government access to banks' financial records. Foreign financial transfers are also available to the US government via the "Terrorist Finance Tracking Program", which basically dumps every wire transfer, credit card transaction etc. into a giant database that is queried hundreds of times per day - essentially the equivalent of deep packet inspection.
Of course, like any form of censorship, ways around the system are also censored. Whilst attempting to evade online censorship is typically not treated as a serious crime even in places like China, attempting to evade US financial blocklists is considered to be money laundering and can result in imprisonment for up to 20 years. In fact, being used by third parties as a way to evade this type of censorship is also money laundering even if you're simply an unaware middleman! The original formulation of these laws had a "mens rea" requirement, i.e., to be guilty you had to actually intend to break the law and have a guilty mind. Virtually all money laundering cases fell because of this, so Congress simply removed the requirement.
Finally, because censorship systems have to be global to be truly effective, the USA has been persistently "harmonizing" this system onto the rest of the world since its inception. It gets tiresome to read posts from Americans trashing the UK for being some kind of censorship crazy surveillance state when the depressing reality is the reverse.
Objective-C, at least as used on iOS, is not a safe language. I don't see how anyone with serious programming experience could believe that.
Here are some things about it that are unsafe. Firstly, it's not garbage collected (on the phone). Manual memory management has a long history of resulting in memory corruptions, leaks, and even security vulnerabilities. Yes, on Mac OS X there is GC available, so Apple clearly recognize this. They appear to believe that it's not OK on a phone.
Secondly, and this is just crazy to my mind, dereferencing a null pointer (ok, rephrase it in terms of sending messages to nil if you like) ... does not terminate the application. It's actually a "defined" operation in the sense that it's defined to return garbage or another nil. Sending a message to nil has no useful purpose so it is guaranteed to reflect a bug in your application, unless (worse) you have some "clever" programmer who decided to rely on this obscure behavior. The nonsense of accessing NULL is why it is defined to result in an application crash on any sane platform - you want to stop the app at that point to avoid possible data corruption. But Objective-C apps will happily continue their merry way, overwriting internal state with garbage or more nils until it auto-saves your now hopelessly corrupted data to disk.
This is a specific instance of a more general problem with Objective-C, which is that despite being based on C it turns a lot of failures that would be compile failures in any modern language into runtime failures or heuristically driven compiler warnings. Most research into programming languages for the last 10-15 years has been about how to catch more errors earlier, mostly through better type systems (a lot of functional research is in this direction). Objective-C takes a massive step backwards in this regard, converting errors even C++ compilers can catch ahead of time into issues you may not even notice unless you have extremely thorough testing plans. Example: typos in method names.
Thirdly, Objective-C does not have any kind of real namespacing support. The Cocoa libraries use the convention of an API prefix, but there's no language support for it, meaning "namespaces" such as they are tend to be very short or non-existent. Combined with the way symbols can mishmash together in the same binary, this can lead to awkward to solve linking issues.
There are a lot of problems with Objective-C that make it difficult to consistently write correct code and flatly contradict how modern languages are designed (no surprise, as it's not modern).
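The silent nil-messaging behaviour described above, as an added illustration that is not part of the original comment: a missing dictionary key yields a nil receiver, every message to it "succeeds" with a zero value, and the bogus value lands in the object's state. The `Settings` class, its keys and the checked loader are hypothetical names chosen for the example; on current Apple runtimes a message to nil returns 0/nil rather than arbitrary garbage.

```objectivec
#import <Foundation/Foundation.h>

// Hypothetical class for the example: holds one setting read from a config dictionary.
@interface Settings : NSObject
@property (nonatomic, assign) NSUInteger retryLimit;
- (void)loadFrom:(NSDictionary *)config;          // naive: trusts nil receivers
- (void)loadCheckedFrom:(NSDictionary *)config;   // defensive: fails at the broken assumption
@end

@implementation Settings

- (void)loadFrom:(NSDictionary *)config {
    // If "network" is absent, `net` is nil. Subscripting nil and sending
    // -unsignedIntegerValue to the nil result both return 0 silently, so a
    // misconfiguration becomes retryLimit == 0 with no error anywhere.
    NSDictionary *net = config[@"network"];
    self.retryLimit = [net[@"retries"] unsignedIntegerValue];
}

- (void)loadCheckedFrom:(NSDictionary *)config {
    // Same lookup, but the nil cases are turned into an explicit failure before
    // any state is written, which is what a null dereference does on other platforms.
    NSDictionary *net = config[@"network"];
    NSNumber *retries = net[@"retries"];
    if (![net isKindOfClass:[NSDictionary class]] || ![retries isKindOfClass:[NSNumber class]]) {
        [NSException raise:NSInvalidArgumentException
                    format:@"config is missing network.retries"];
    }
    self.retryLimit = [retries unsignedIntegerValue];
}

@end

int main(void) {
    @autoreleasepool {
        Settings *s = [Settings new];
        NSDictionary *broken = @{};                 // constructed input: no "network" key at all

        [s loadFrom:broken];                        // no crash, retryLimit is now 0
        NSLog(@"naive load: retryLimit = %lu", (unsigned long)s.retryLimit);

        @try {
            [s loadCheckedFrom:broken];             // raises instead of storing a zero
        } @catch (NSException *e) {
            NSLog(@"checked load refused: %@", e.reason);
        }
    }
    return 0;
}
```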
I ask "where can you buy users' data from Google" and you reply with a bunch of links that make varied and wild assertions, but none of them allow you to buy users' data. So please stop repeating this tiresome FUD. It isn't possible, has never been possible, and almost certainly never will be possible.
This is the same woman who, upon learning that border control was overloaded and relaxing passport checks for low risk cases at peak time, decided to solve the problem by firing the guy in charge and forcing checks to never be relaxed. Result: planes stacking up in the sky because the queues at border control were too long. Prime Minister summons her and gives her a right ass-kicking and now risk-based enforcement is back on the table.
It will be tempting for Slashdot posters to over-generalize from this case to try and make sweeping statements about the entire UK or British people (just as it's tempting to do the same about Americans when the US Govt does something retarded). But the core problem in this case really boils down to one woman and her arbitrary and inconsistent management of the borders.
I've been reading and posting to Slashdot for over 10 years. The stories have always been sensationalist, trolling, or sometimes even deliberately deceptive. Despite that the comments nearly always put it right. If you read Slashdot, and care about understanding the many fascinating and important issues discussed, you need to read the high-modded comments too. That's always been true for as long as the site existed.
I don't know why you keep repeating that John. Have you actually attempted to buy users' information from Google? Where, exactly, can one sign up to buy such information?
The answer is you don't know where, because no such service exists.
Oh yes, you're right. It sounds like it only impacts people who actually want / need security. So that's OK then.
From the source code:
Yeah, that's pretty much how maths makes me feel as well ...
That sort of argument is unlikely to fly in front of a jury given all the other evidence against him. Bear in mind this wasn't just a random stop-and-search, they already suspected he was an al-Qaeda member. He tried to hide the incriminating files. Probably more that isn't in the story.
Having said that, I think this sort of story just reinforces the general impression that the counter-terrorism apparatus is way too big for the size of the threat it presently faces. If this is the way AQ move sensitive files around, they are clearly unable to recruit members with any technical sophistication. I can easily believe intelligence agencies have got a lot better over time, not to mention ruthless and focused, but it seems that if these guys can pull off a devastating attack then basically anyone can and we may as well give up now. No need for "training in Pakistan" for those guys.
Steganographically hide sensitive information in an innocuous looking video, and then hide it in your underpants thus guaranteeing it will arouse suspicion on discovery. How stupid are these guys??
Except that's garbage (for some reason I often think this about stuff Ross Anderson writes).
That paragraph basically asserts that CAP/EMV doesn't work at all, despite a lot of evidence to the contrary - like a sharp fall in fraud rates after the system's introduction. It also is based on the massive misconception that US banks are liable for fraudulent transactions. That is not the case. Typically in the case of fraudulent wires, US banks will simply reverse the transactions. ACH fraud is a huge problem for businesses that operate in the USA because ACH transfers are so soft. Banks there routinely "take back" transfers which turned out to be triggered by malware or phishing, leaving the recipient of the stolen funds, often a hapless mule, out of pocket. Look at the problems the TradeHill bitcoin exchange had with this, where bad transfers were used to buy Bitcoins and then silently reversed months later by the banks.
The fact that Anderson seems to believe US banks eat the losses caused by their poor security undermines his whole argument. They don't; random victims do. Therefore unsurprisingly they don't invest in better security technology. And - reality check - digitally signing destination account numbers and transaction values with smartcards is better than asking users for an answer to their "secret question". Only somebody way off in academic lala land would believe otherwise. Anderson and his team have published a variety of papers on attacks against these systems, many of them somewhat theoretical or which have been patched later. For him to claim that because often quite obscure flaws have been found in the past, these systems "do not work", I find quite astonishing.
Yes, no serious web mail service can be compromised by brute force attacks and that is not what happened here.
Almost certainly, the password in question has been re-used at some other third party website that then got hacked, its password database dumped and the hashes reversed using video cards.
I work on account security at Google and have spent the last 2.5 years of my life on Gmail anti-hacking. So I'm all too familiar with this type of problem, where spammers mail your contacts with a link to their online stores (or malware). Really feel for the Hotmail team here - it's a hard problem to solve. That said, we've made a lot of progress over time. We've blocked very large numbers of logins to compromised accounts (often between half a million to a million accounts per week). There are still occasional campaigns that get past us but it's getting rarer all the time. It may well be that this guy's password was the same on Gmail (i.e., he had one password for everything), and there was an attempt made against his account, but we redirected it to the identity verification quiz and thus it was blocked. It wouldn't be remarkable if so.
I did a public talk at RIPE64 on the topic of signup and login security at Google, for those who are interested. It's about 30 minutes long.
Are you sure about that?
The advisory says that SSL/TLS code is not affected, and only software that parses ASN.1/DER structures from BIO or FILE streams could be impacted. Parsing ASN.1 from memory is also not affected. That would appear to restrict the vulnerable software quite a bit.
Whether you have a remote vulnerability or not would seem to depend very highly on what software you're running.
Er, the problem is exactly that people stopped buying movies and music, they just didn't stop consuming them.
"Revolution" is one way to fix the issue of bills like these. People giving up piracy and paying for what they use would probably also work, as it'd take away the rationale and I think the labels/studios would lose interest in lobbying at that point, given that it's expensive, slow and frustrating for all involved.
Of course most people want to shout "fuck the corporations" and feel radical at the same time as they guzzle down Hollywood movies from TPB. So that solution isn't going to happen.
Bingo. Getting root is useful but not required for viruses, and Windows has had very similar setups for a long time already. It's perfectly possible to make a program that hides itself, resists deletion, spams, steals passwords, logs keys etc all without having root and there are quite a few such viruses out there. MacOS isn't any better defended than Windows against malware, in fact it's significantly worse because so many users don't even have AV software installed (my Mac does, btw).
A lot of the Android "trojans" are little more than apps which declare what they'll do up front and then do them. I'm not sure that counts as exploits.
Well, the summary is written in a highly biased and inflammatory way - not surprising for an article about DRM on Slashdot.
In particular this part is very misleading:
However as far as I know (and the article does not contradict me) there is no way to remove Cinavia from protected titles. The article instead argues that it's useless because people play back the pirated videos using non-updated or non-licensed players.
There are a couple of issues with that line of argument. One is that whilst it's certainly true for certain classes of pirates, it is not true for all - piracy in places like Asia is still heavily based on selling dodgy discs. Another is that it ignores the (imho very likely) possibility that renewable watermark detection will migrate inside TV sets / projectors in future, along with a move by the industry to fully streaming based video distribution. Older TV sets that don't check for the watermarks could perversely become more expensive than newer sets as the pirate market drives up prices. I fully expect the TV market to consolidate over the next generation as Apple/Google/Microsoft start integrating their platforms with them and TV makers adopt such platforms to win a competitive edge in an otherwise saturated market that can't go bigger or thinner. Xbox 720 as part of TV sets? Why not?
Anyway, you don't have any evidence to say that there are no economic justifications and they should just lower prices. That's the kind of thing often assumed by Slashdotters because it'd be convenient for them, no better reason.
That is possible if the seller only ever uses one address. You could do it that way if you wanted, but it's not the default way the software works, nor is it how it's meant to be used.
That's not really accurate. You might want to do more research before writing Bitcoin off as a comedy currency. Users of the system don't have just one address, the software will constantly create new addresses for you automatically. The standard way to use it is one address per transaction.
There are a variety of interesting theoretical attacks on Bitcoin's privacy using graph analysis, etc, but so far theoretical is all they are - I don't know of any examples of somebody's identity being discovered from the block chain. This is despite several large thefts that would have strongly incentivized people with the right technical knowledge to try.
There are real and interesting issues with things like Bitcoin around the balance between the need to enforce the law and the need for privacy from overbearing/abusive governments, the need for efficient tax collection, etc. They are topics that are being explored by the research community. But simply writing it off as non-workable isn't a good idea.