Hanging out in a library reading and posting on Slashdot is probably a hell of a lot more fun than sitting on a park bench in the rain.
Yup, and a lot more fun than what I'll be doing for the next 8 hours... Your point?
I guess you did not see that part about jobs and education.
There are people who are born with mental and physical disabilities such that it would be impossible to train them to perform any job whatsoever. There are also people who become this way later in life. Between them and yourself is a continuum where you'll find an example of somebody at virtually every possible level of performance (with or without training).
Some of them simply won't be able to get a job. As automation replaces many menial tasks, we basically raise the bar steadily making more and more of the population unemployable. In the more distant future there is no reason to think that machines won't be able to outperform people in every possible way, and at that point everybody will be unemployed (they might do makework of some kind, but they wouldn't be doing economically efficient work).
This is a good thing, actually, as long as you don't punish people who are unable to find work. We're a ways off from the point where we have 100% unemployment, but simply sending somebody to some classes isn't going to make them employable.
I've come to enjoy the Japanese system. It has a fundamental thread of responsibility that resonates with me and a strong sense of EVERYONE pays something.
You're talking about the country where people literally work themselves to death. Their healthcare system is fairly distinctive, though there are so many cultural differences in Japan I'm not sure how much of their health stems from their healthcare system and how much stems from everything else.
It's not nearly as likely, though it is possible if the application is crap and relies on libraries no longer present in modern distros, or relies on specific versions of them which are obsolete, etc. Usually, though, proprietary stuff is all statically-linked and includes all the libraries it needs, so it shouldn't be much of a problem.
Windows stuff has this problem all the time, and they all bundle their own DLLs. It doesn't seem likely that this would change if people switched from making $2k/user proprietary software for Windows to $2k/user proprietary software for Linux. I'm not talking about LibreOffice here, or even MS Office. I'm talking about WidgetWare v7, now with long filename support, just buy a new $100k widgetmaker and you can upgrade to our new software and get off of Windows XP! For the most part big companies don't tend to run this stuff on Linux.
My employer is still running XP on thousands of computers, because they're attached to widgetmakers and they don't want to upgrade all of those for $50-500k per machine just to get security updates. So, they firewall them all 14 ways and cross their fingers. Could you imagine proposing that they do all that starting at 5 years from introduction instead of 10 years from obsolescence?
Why not? It'll just appear that the user is using too much data. They'll either run out of data, get charged more or the user will figure out that their data/battery is acting unusually and sort it themselves. However you look at it, the problem will take care of itself!
If one user runs up a $10k bill MAYBE the phone company will get something out of it. When ALL their customers run up $50k bills and phone service stops working, then they'll be lucky if they just end up giving everybody a refund for the month. If they tried to collect on those bills the lawyers would have them for lunch.
If that were true RHEL and Ubuntu Server wouldn't have 5-year support on LTS. I do tend to agree that long life matters less on servers than desktops, since there tends to not be as much software running on any single server. However, it certainly isn't true that a Linux upgrade can't break things, especially proprietary stuff.
One is it maintains your privacy and that's good for you.
This is asserted without historical proof. The open ballot worked fine in the US for 100 years. It's John Hancock, not Anonymous. It only changed when the country was in a civil war. In a stable country, open voting is better.
Isn't that a bit like saying that slavery worked fine for 100 years? The US was hardly problem-free for the first century of its existence. Considering how many people couldn't vote at all, it was barely a democracy by today's standards.
So the employer can demand your token, and you give it up. Would you give up your personal email password? Facebook password? The actions of the employer are illegal. Why aren't you reporting him?
It would be your word against theirs. How would you prove that they asked for your ID? It isn't like anybody with half a brain would fire you on the spot if you refused. They'd just wait for you to make a mistake, or decide they don't need your services in six months.
Today, nearly all absentee voting will allow voting outside the view of poll employees. So the employer can fill out ballots for all employees, have them come in and sign them. Then the employer sends them in. Oh, and on election day, everyone has a double-shift with no breaks (no time to vote). At best, the voter can send in a second, spoiling one (or both) votes, but I've not seen any absentee system used in the US that would allow the voter to control his own vote in that situation. If the employer is so aggressive about ensuring votes for his preferred candidate, why aren't more doing this already?
They're too cheap to have 100% of their employee population standing around for two shifts with nothing to do on election day?
If you're going to make people fill out absentee ballots and then chain them in a dungeon, sure, you can abuse the current system. However, it is MUCH harder to do it today than in a system where people take home receipts. It is also unnecessary.
Just collect electronic votes with human-readable/machine-readable audit trails. The electronic tally can be used to provide instant results. The paper audit trail can be audited using random sampling to verify the integrity of the electronic tally. The paper trail would be printed behind a window so that the voter could see that it was recorded correctly, but it would not be modifiable or removable by the voter. Then you can use all the usual controls to prevent tampering with the paper.
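The sampling audit this comment describes, as an added example that is not part of the original post: a handful of constructed ballot records (not real election data), a function that picks a uniform random sample of paper records from a public seed and compares each one with its electronic counterpart, and the standard calculation of how many records have to be pulled to catch at least one mismatch with a chosen confidence if a given fraction of the electronic records has been altered. The record format, candidate labels and seed handling are assumptions for the illustration.

```python
import math
import random

# Constructed sample data: one electronic record and one paper record per
# ballot position, candidate "A" or "B". Positions 4 and 10 are deliberately
# made to disagree, simulating two votes moved from A to B in the electronic
# tally after the paper record was printed.
ELECTRONIC = ["A", "B", "A", "A", "B", "A", "B", "A", "A", "A",
              "B", "A", "B", "A", "A", "B", "A", "A", "B", "A"]
PAPER = list(ELECTRONIC)
PAPER[4] = "A"   # electronic says B, paper (what the voter saw) says A
PAPER[10] = "A"  # electronic says B, paper says A


def tally(records):
    """Count votes per candidate; this is the 'instant result' side."""
    counts = {}
    for r in records:
        counts[r] = counts.get(r, 0) + 1
    return counts


def sample_size(discrepancy_fraction, confidence=0.95):
    """Smallest uniform sample that contains at least one mismatch with the
    given confidence, assuming at least discrepancy_fraction of all records
    differ between paper and electronic copies. Solves
    (1 - f)^n <= 1 - confidence for n."""
    if not 0 < discrepancy_fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) /
                     math.log(1 - discrepancy_fraction))


def audit(electronic, paper, n, seed):
    """Pick n distinct ballot positions from a seed that would be generated in
    public (e.g. dice rolled after the electronic tally is published), compare
    the paper record to the electronic one, and return mismatching positions.
    Returning an empty list means the sample did not contradict the tally."""
    if len(electronic) != len(paper):
        raise ValueError("electronic and paper record counts differ")
    rng = random.Random(seed)
    positions = rng.sample(range(len(electronic)), n)
    return sorted(i for i in positions if electronic[i] != paper[i])


if __name__ == "__main__":
    print("electronic tally:", tally(ELECTRONIC))
    print("paper tally:     ", tally(PAPER))
    # A 10% discrepancy rate needs 29 samples for 95% confidence.
    n = sample_size(0.10)
    print("sample size for 10% at 95%:", n)
    # With only 20 ballots the full set is audited; both altered positions show.
    print("mismatches:", audit(ELECTRONIC, PAPER, len(ELECTRONIC), seed=7))
```

The seed has to be chosen after the electronic results are fixed, otherwise whoever controls the tally knows which records will never be inspected. The sample-size formula is the usual one for detecting at least one bad record; it says nothing about whether the discrepancies found are enough to change the outcome, which is a separate calculation.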
How is that any different from your employer demanding your Facebook password or your private email history? If you can be fired for refusing either of those demands then sure, they could fire you for refusing to give them your voting ID. But I'd say that's a completely different issue, wouldn't you?
All of those are egregious to be sure, but at least the integrity of the democratic process doesn't rely on your email history or facebook password.
Print the code on the paper and fold it in half so that the code is not visible. The employee shows the card but the employer can not read the code. Problem solved. If the employer goes any further it is an invasion of privacy.
Do you really think that would deter anybody? They'll just ask you in private to show them everything. If you refuse they'll wait six months and fire you on some pretense. Good luck proving that the incident ever happened, let alone that it was the cause of your dismissal.
I'm sorry, but are people actually under the impression that their phones are secure?
Well, presumably the carriers would prefer to not have some worm flood their networks with terabytes of traffic. If that happens you might start to see this sort of thing taken seriously.
And then when google moves more stuff from the base system to play services, everyone is crying bloody murder for taking stuff away from AOSP and not open sourcing anything.
There is no winning, is there
Well, nothing prevents Google from open-sourcing that stuff all the same, or splitting Google Play Services into a component that actually pertains to Google Play and another to core OS functionality and open-sourcing the latter.
Well, I doubt the contracts are public, but it probably works out like this:
1. Carrier gets to approve/control the updates.
2. If carrier doesn't do #1 on time, they don't get to sell new iThings, and there might be other penalties.
So, the carrier probably gets to do their testing, and Apple probably has to fix serious issues. However, if the carrier doesn't get it done on time, they will pay the price.
I had a G1 and that definitely quit receiving updates before the 2-year contract ended.
The G1 and ADP stopped receiving updates before they even stopped selling them. They didn't even get Eclair (officially), despite the ADP being the official Google developer phone up until the Nexus One came out. Fortunately none of the Nexus devices suffered that fate, though many were only supported for 1.5 years.
Agree on everything but I think one area where longer support makes a big difference is the enterprise. Big companies with thousands of applications don't like to retest/redeploy those applications every few years.
You certainly didn't hear it from me. I'm sure I've posted here before that iOS's update policies are far better than Android's. I still prefer Android and I only buy devices that I know I can keep up-to-date myself if necessary, but I won't make excuses for a security policy that would have seemed backwards in 1995.
I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all. Phones can have security vulnerabilities like anything else - it is just a matter of time before we start seeing exploits.
They're doing a better job with ChromeOS, with a 5 year support pledge. Ironically that still isn't as good as Windows (10yrs from obsolescence vs 5yrs from introduction). If you want to see big companies taking Linux seriously vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.
You really need both. You can't fly an airliner like a Cessna, but you also can't just depend on your ability to dial in an ILS and hit the approach button.
What you really need is good simulator training on top of general piloting skills. If you've been in a situation 10 times already, then the 11th won't be as much of a problem. Of course no two disasters are identical, but from what I've read the AAF situation was one that had a procedure. Obviously if the procedure isn't working you need to improvise, but if there is a procedure it is because a bunch of engineers/pilots/etc studied the situation and determined that it was the solution with the best likelihood of success.
The problem with that is that there are certain thoughts and concepts that can't be expressed in English.
Are you suggesting that one of the most promiscuous languages on the planet wouldn't just add a butchered version of the original word if that were truly the case? Words mean whatever we want them to mean - they're arbitrary combinations of symbols, kind of like Unicode. :)
Pay indeed... The only thing you need to pay for is somebody to QA your app who can read the foreign language. And maybe for half a clue about learning this stuff, because apparently you're too lazy to read all the free material on the web that explains this stuff.
I imagine the problem for many software companies is that localization is probably an afterthought unless they start out in Asia, and even then Thai is probably not a priority for them so while they'll certainly handle Unicode, they might not handle all of it.
I do disagree it's impossible.
I never claimed that it was. I just think that it is completely impractical for consumer use. I'm not even sure what the point of it would be for consumer use - when was the last time you bought a device for personal use via a controlled supply chain (ie you had a high level of assurance that from manufacture to your hands that it couldn't have been tampered with)?
Chinese New Year, everyone older gives presents to everyone younger. Best deal is to be the youngest.
Yup, assuming you're young enough to have living relatives up to grandparents having 6 people buying gifts for you almost exclusively a few times a year has to do wonders for your personality.
The problem with what you propose is that the only way to prevent cloning of devices is to have a central registry that tracks them. Even that doesn't completely prevent cloning - you could swap out a device with a clone without any issues in such a design - the only thing you couldn't do is add a clone without getting rid of the original.
This is how online copy-protection schemes work - the game phones home with its serial number and the server keeps track of usage.
However, this system requires that any device to be tracked is basically always online, which is a constraint that doesn't always work. It requires establishing a server to keep track of everything. You have to be able to trust the server to do its job, and you also need to trust the server owner with knowledge of all the devices you're using (which might or might not be sensitive - do you really want some VIP's bluetooth keyboard phoning home to some server introducing the possibility of tracking? how about a spy's?).
A corporation might set up its own tracking system for items it procures via controlled sources (still a lot of admin overhead to check in every device, or get your vendors to do it for you). The average consumer or small organization wouldn't benefit from this at all unless the manufacturer ran a central server. Do you really want every peripheral you own phoning home all the time? Oh, and just wait until Apple determines that your audio cable isn't genuine. :)
But, yes, if you're willing to work at it you can certainly authenticate individual devices such that introducing a strange device into your environment requires replacing a legitimate one with a tailored replica. That would be pretty tricky to pull off unless the device is one that won't be noticed if it goes missing for a while (and if you're super-paranoid just having it go missing might be noticed by your central server).
Yikes, don't take it so personally!
Are you uniquely whitelisting devices or not? Right now every Logitech keyboard model 123 on the planet identifies itself in the same way. If you can impersonate one of them, you can impersonate all of them. Your solution to that was to uniquely identify and authenticate each keyboard. I just pointed out that for this to work you now need to keep track of which Logitech keyboard model 123s you're using, and ensure that only one of them works at a time. That means a central server keeping track of who is using which keyboard. That simply can't work at a consumer level. If you don't track who is using which keyboard then sure I might only be able to impersonate one keyboard, but it doesn't matter because every device on your network still trusts that one keyboard and you have no way of knowing that there are now two of them on your network.
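The registry argument made in the two comments above (a central server tracking per-device identities, which catches a clone added next to the original but not a clone that replaces it), as an added example that is not part of the original posts. It simulates the design with a per-device check-in counter that the registry requires to increase on every check-in; the device model, the counter mechanism and the identifier format are assumptions for the illustration, not anything the commenters specified.

```python
class Device:
    """Simulated peripheral with a unique identity and a counter it increments
    on every check-in (assumed design). An attacker who copies the device gets
    the current counter value along with the identity."""

    def __init__(self, device_id, counter=0):
        self.device_id = device_id
        self.counter = counter

    def check_in(self):
        self.counter += 1
        return (self.device_id, self.counter)

    def clone(self):
        return Device(self.device_id, self.counter)


class Registry:
    """Central server that knows which identities were procured and the
    highest counter each has reported so far."""

    def __init__(self, known_ids):
        self.last_seen = {device_id: 0 for device_id in known_ids}
        self.alerts = []

    def record(self, message):
        device_id, counter = message
        if device_id not in self.last_seen:
            self.alerts.append(("unknown-device", device_id, counter))
            return False
        if counter <= self.last_seen[device_id]:
            # A counter that fails to advance means a second physical device
            # is reporting under this identity alongside the first one.
            self.alerts.append(("clone-detected", device_id, counter))
            return False
        self.last_seen[device_id] = counter
        return True


def scenario_add_clone():
    """Clone is used while the original stays in service: the original's next
    check-in replays a counter value the clone already consumed."""
    registry = Registry({"kbd-123-0001"})
    original = Device("kbd-123-0001")
    registry.record(original.check_in())          # counter 1, accepted
    clone = original.clone()                      # copies counter 1
    registry.record(clone.check_in())             # counter 2, accepted
    accepted = registry.record(original.check_in())  # counter 2 again, rejected
    return accepted, list(registry.alerts)


def scenario_swap_clone():
    """Original is removed and the clone takes its place: every check-in
    advances the counter, so the registry has nothing to object to."""
    registry = Registry({"kbd-123-0001"})
    original = Device("kbd-123-0001")
    registry.record(original.check_in())
    clone = original.clone()
    results = [registry.record(clone.check_in()) for _ in range(3)]
    return all(results), list(registry.alerts)


def scenario_unknown_device():
    """A device whose identity was never enrolled is refused outright."""
    registry = Registry({"kbd-123-0001"})
    stranger = Device("kbd-123-0002")
    return registry.record(stranger.check_in()), list(registry.alerts)


if __name__ == "__main__":
    print("added clone:  ", scenario_add_clone())
    print("swapped clone:", scenario_swap_clone())
    print("unknown:      ", scenario_unknown_device())
```

The swap scenario is the limit the comment points at: the registry only ever sees one stream of check-ins per identity, so a replica that fully replaces the original is indistinguishable from the original. Detecting it needs something else, such as noticing the original went missing.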
You might think there is a trivial solution to these problems, but which seems more likely to you? Either you're right and I'm wrong and there is an easy way to secure USB peripherals and collectively every IT organization on the planet is just too lazy to implement it, or I'm right and the reason that it doesn't happen is because the potential solutions to these problems have so much complexity and so many trade-offs that they're just not great candidates for widespread adoption. Only governments have the kinds of money to throw at this problem that you'd need, and the problem there is that their adversaries have just as much money to throw at circumventing their solutions.
And I'm not sure how my reaction is emotional. I merely pointed out that your statement was misleading, even if completely factually true.
It wasn't even misleading if you take it in context.
The same is true of any statement made by any salesman or politician anywhere. That could be used as the definition of misleading - a statement whose common interpretation changes when removed from a fairly detailed context.