What sane person would use a debit card that mandates irreversible transactions
Anyone otherwise willing to use cash I guess.
if you are cheated by a merchant, makes you liable for all fraudulent use of the card
You are not liable, or no more liable than you are with cash; getting your bitcoin back will be at least as difficult as getting your cash back would be. You will have to file some kind of civil claim and convince a judge, or possibly a jury, that the other party did not honor their part of the transaction contract and that you require some kind of redress.
and takes several minutes for a purchase to be validated?
Well yeah, that is the trade-off. I could easily carry a USB stick or whatever with the equivalent of $250K in BTC and go buy a house or something. It's inconvenient to walk around with that much cash. Still, several minutes is much faster than the several days a check would require to clear.
Because that's basically what Bitcoin is. It's like stepping 50 years into the past, into a world without consumer protection laws.
You'd better get used to it. Between the changes with chip-and-pin and ideas like CurrentC, the powers that be are pretty determined to strip those protections away from you anyway.
Netflix spokesperson saying that there was no change in their policy on VPNs.
Might very well be true, but that statement says nothing about the frequency of enforcement, which might have changed.
Agreed.
Even if we assume the DPRK is responsible, sanctions against autocracies and oligarchies are mostly stupid. As you say, it's not like they hurt the person(s) who are really the bad actors.
What we have done with Russia is partly correct, in that some effort was made to go after the assets of heads of state, etc., rather than just imposing blanket trade embargo rules on the entire nation. It probably isn't a big enough lever though.
In the case of these smaller dictatorships the only ethical responses are incapacitation, destroying their war-making assets (this may have some collateral damage on the people, and I think that is allowable when it's especially effective and the collateral damage is minimal). The real response though should be a PERSONAL attack on the leadership. We should target their estates, their person, their families, etc., and leave the rest of the nation the hell alone as much as possible.
This would put the hurt where it's deserved. It might actually change their behavior if they come to understand that it will be things and people near and dear to them, or their own life, that will be lost rather than just causing some of their slaves to suffer a little more greatly. It would cost us lots less in blood and treasure to hit a few sites with conventional low-yield warheads on ICBMs than to go invading half the planet.
Two words: Trade War
You can only sanction an economy that has a mostly one-way trade relationship with you. Otherwise you tend to hurt yourself as much as or more than you hurt them.
No it isn't. Flying is probably among the most carbon-intensive things you could possibly do. I have heard that from multiple sources.
This (I don't know how great a source it is) says:
"Flying from San Francisco to Boston, for example, would generate some 1,300 kilograms of greenhouse gases per passenger each way, while driving would account for only 930 kilograms per vehicle."
That is comparing a flight on an airline to a passenger car. My guess is you can get the per-person carbon down much lower than that if you use loaded buses.
The fact is all the pols screaming for us all to slit our throats to cut carbon, while they jet all over the place for this summit and that, are the worst hypocrites of them all. If they really gave a damn they'd just have a conference call.
The simple fact is Globalism is bad for the globe.
In the end it really does not matter what you are moving: the people, the goods, or both. It does not much matter how you are moving it: planes, trains, autos, freighters, or sailboats.
Fundamentally, transportation is overhead. If your goal is to maximize the sustainable population (and I am not sure that actually is a noble pursuit) then the solution will always be to find ways people can get the things they need without having to move, created out of local resources. Which does not mean you start growing rice in the desert; it means you find a substitute for rice that can be produced efficiently locally.
Okay, fine, you want to play word games, have fun. Linus was obviously speaking in the context of the von Neumann computers most of us are familiar with.
I suspect if you asked him, "does your quote apply to radically different architectural paradigms," he'd say "no".
Programming is still a really fancy version of "IF A THEN B". "for X in GROUP do Z". "X = Y"
Yes it is. I don't care what language you are using; for all the computing machines in common use, at some point a series of fairly limited branch, jump, add, subtract, multiply, and move-like instructions has to be generated. This may even hold true for the basic units of computation that participate in whatever system is ultimately able to handle very arbitrary requests like "please rough me out a flyer for our yard sale on Saturday."
I say you are the one moving the goalposts. Linus and *most* of the other people working on parallelism solutions are working/speaking in the context of computers like the ones we know today; you are the guy trying to apply what they say to *any* computer. Linus will probably be proved correct there. Past n cores the fundamental architecture in use today will not scale, except for niche cases.
You are correct, a parallel algorithm is going to be more complex, requiring more total operations. In a world of frictionless pulleys and perfectly spherical cattle you are sure to be right.
We don't live in that world though. In practice higher clock speeds usually require higher voltages for circuits to stabilize. Higher voltage means more current is going to flow, and the battery will be drained quicker.
It's likely the case that manufacturing and materials constraints are such that we can economically build a 1.5GHz part that uses fewer watt-hours per operation than a 3GHz part; if the overhead of parallelism is kept to a minimum, it's entirely possible two 1.5GHz parts could do the same work as a single 3GHz part in nearly the same amount of time using less power.
The problem will always be, and has always been, people. The trouble is somebody somewhere is malicious and lots of people all over the place are rubes. That is it in a nutshell. We don't see the big drive-by malware and worms of the past very often anymore. The fact is most of the time someone has to run a trojan, and often someone has to run a trojan with privileges.
Your real options are:
1) Take general-use, user-programmable computers away from most folks and give them iPad-like devices that only run signed code from approved vendors who never sign anything that is itself a programming environment, interpreter, emulator, spreadsheet with macro support, etc.
2) Start treating the Internet like a public resource, and set some rules of the road that must be followed. Make individuals responsible for the impact their machines have on the network, even when they've been p3wd. Make people pass a basic exam about how IP (at the highest level) and computer security practices work to get an Internet license. No license, no Internet connection. Let others use your connection, your liability. Liability needs to follow a negligence standard: if someone gets p3wd by a zero-day and used in a botnet, they get some protection; if they get owned and a patch had been available for three weeks, they may be held responsible for the damage their machine caused.
^This^ There ain't nothing like having a mountain of cash with which to reinvent yourself. People thought Nintendo was doomed right up until the Wii was released too, and that was a huge success.
They just need to hit their stride again. They probably can too, they have plenty of talent, and all that money buys lots of time.
Why, what is the worst that could happen to your out-of-warranty non-functional part?
I suppose there is some risk to the cookie sheet!
That is how we got the F'ed up pricing structure in the first place; it's legacy. There was a mortal fear among the pols that if certain parts of the country did not receive good airline service they would basically die.
A 737 on up can go point-to-point pretty much anywhere in the lower 48. The airlines make their money two ways: charging a premium for non-stops on popular routes like JFK->LAX etc., and second, selling higher-priced tickets for things like JFK->DTW while at the same time filling most of that bird with JFK->DTW->{someplace more popular} passengers.
I suspect if the airline industry had been left to develop without government intervention in the first place, routes to smaller destinations on the majors would never have been implemented.
That is very good to know! Sounds like Sony did a better job than I was giving them credit for.
I don't have a current-generation system yet, so I am legitimately curious. Were you able to unbox the PS4 without a connection?
I know things will keep working, but can a newly out-of-cardboard unit be made functional without calling home at least once?
Please understand none of my observations were intended to be supportive of Lizard Squad's actions.
I think what they did really sucks. I just think it also sucks Sony and Microsoft put them in a position to do it.
You mean to say there were problems with radically altering the release plans for a major motion picture at the last moment!
Trying to do a for-rent feature on kernel, which, correct me if I am wrong, normally just provides users with some code to redeem their movie on some other VOD provider's site, on short notice meant software issues and implementation holes; no surprise there.
Now if Sony had been planning from the beginning to make The Interview the first major direct-to-VOD feature release, we might have a story. All we have here is "there were problems with a rush job".
Honestly I think the fact that most people seem to be able to pay their money and watch the film issue-free speaks pretty highly of the folks that put it all together so quickly.
It's a little surprising that they risked doing a seetheinterview.com and actually "screening" the movie there rather than just having a bunch of pointers to YouTube, Amazon Prime, Xbox Live, PlayStation Network; in other words the folks that have been doing this for a while.
This is true, but the issue is that that is dumb! You really should be able to unbox a toy on Christmas morning and have it work without going out to the Internet and connecting to some account.
Maybe not all the functionality can be there, but functions that don't naturally require network access should not require network access.
I think at least some blame does need to be laid at the feet of Sony and Microsoft here, not because of 'network security' but rather for creating the risk in the first place where there does not need to be one.
This was basically a DDoS attack. By and large those are difficult to defend against, and the usual defense is just having overwhelming resources. Should everyone just go and 90% under-subscribe systems just to make them DDoS-proof? I don't know; it does not seem practical.
Why do these systems need network access to play a game bought on a disc? That is the bigger question. Sure, I can understand only supporting multiplayer through a centralized service; my issue is with the activation and phone-home crap. There is no "good" reason someone should not be able to use these things without network access for single-player experiences.
Customers ought to realize that the system is brittle because Sony and Microsoft created a hard dependency where there never needed to be one. It might not be their fault they are attacked, but they do know, or should have known, they are targets. Hopefully the lesson they take away from this is that basic functionality should be there if you have the system and game disc fresh out of the box. Maybe you can't update, download new content, or do multiplayer, but folks ought to be able to at least play with it even if the network is down.
That way the scope of these little disasters would be limited.
Maybe with like an Eric Fischl style watercolor filter; that would make it tasteful.
On the other hand there is only so much wireless spectrum available that is set aside for 802.11x. Ever been to a big event in a hotel where everybody and their brother has the hotspot function enabled on their phones, is carrying around those mobile hotspot things, folks are running classes in conference rooms with their own wireless AP set up for their students, etc.?
Wireless gets pretty unusable for everyone pretty fast. I can understand how the hotel, which has just charged 100s of their other guests $14 for WiFi in their rooms, does not want to hear all the complaints about how they are constantly getting disconnected and everything is dirt slow.
I don't know what the right answer is exactly, but for any hotel hosting a large event, the status quo isn't working so well.
That and Cisco sells blocking of APs that are not your own as a feature of their WLC and Aironet equipment. If the FCC changes the rules I imagine they would not be able to release new firmware and ISO images with the feature intact. A situation certain to irritate some customers who bought a lot of extra AP devices so they could support that functionality, and to create a situation where people won't apply updates and fixes as a result.
Well, sure, if someone finds an RCE all bets are off. It's also, as you say, true that at the network layer in many (probably most) cases the authentication is the same. Two-factor on Windows networks is a great example; it does little to stop pass-the-hash attacks, for example. Internal threats will always be a problem because they have access to lots of intelligence about the target and they have access to a large attack surface.
On the other hand two-factor is a very strong control against external threats. Most orgs, even large ones nowadays, can get their attack surface down to handfuls of web servers and VPN devices. It's mostly true that web servers themselves are relatively well hardened nowadays. While Apache still provides us with the DoS attack vector of the week, I have not seen an Apache-specific RCE in a long time; ditto for IIS, although it looks like one *might* have been possible before the recent SChannel patches. So that leaves all the vulns in the application frameworks and applications themselves to exploit.
Basic advice:
Separate your DMZs: one for your home page public information. Rule 0 of your firewall policy separating your internal organization from those hosts is to allow only inbound {inside} -> {dmz} connections for content pushes / management. Never allow those hosts to open a socket to the inside themselves, ever. Rule 1 is the inside is only allowed to connect on a handful of specific ports that you IPS/IDS the hell out of.
Your next DMZ is where you handle accounts, shopping carts, etc. That one obviously is going to have to have some well-defined communication with the inside, but rule 0 here is none of the external services are unauthenticated. The only thing anyone should be able to get here without authenticating is the authentication prompt. If you can manage to code up a login page / prompt without introducing a major vulnerability you'll probably be okay; or if you are 0wned post-authentication you know who you can sue.
Seems the State Department could just get various friendlies to start announcing the DPRK's prefixes from all over the place in BGP and pretty much nullify their ability to use the Internet.
Also, given the attack did not originate from the DPRK but is simply suspected of being sponsored by the DPRK, this does not seem like it would be an effective response.
The protocol needs to start over clear voice, but then you do the equivalent of "STARTTLS" and see if the remote end answers. If it does, you disable squelch and start applying the cipher to the payload in the audio packets as you build them, leaving the container format in place: headers, sync bytes, etc.
As far as the network is concerned it will still look like parametrized G.729 audio. It will just decode as noise unless you possess the cipher. Which will be much more economical for most wireless customers until the carriers wise up and realize they ought to be metering the jitter-controlled, packet-loss-intolerant voice traffic on their networks and selling best-effort data as all-you-can-eat, rather than the other way around.
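Editor's worked example for the comment above (added here; not code from the commenter or any real product). It models the scheme described: the call starts as clear RTP carrying G.729 (payload type 18), an in-band probe is sent, and only if the far end answers does the sender start ciphering the payload bytes, leaving the 12-byte RTP header untouched so the stream still parses as ordinary G.729 on the wire. This is essentially what SRTP does; here the keystream is HMAC-SHA256 in counter mode, bound to the cleartext SSRC and sequence number so lost or reordered packets do not break decryption. The probe answer string, key, SSRC and audio frame are all constructed for the demo.

```python
import hashlib
import hmac
import struct

RTP_VERSION = 2
PT_G729 = 18                   # static RTP payload type for G.729 (RFC 3551)
SAMPLES_PER_FRAME = 80         # 10 ms of 8 kHz audio per G.729 frame
UPGRADE_OK = b"STARTCIPHER-OK" # hypothetical in-band answer to the upgrade probe

# Constructed demo values; a real key comes from a key exchange, never a constant.
DEMO_KEY = bytes(range(32))
DEMO_SSRC = 0x1234ABCD
DEMO_FRAME = bytes([0x3A, 0x1F, 0x00, 0xC7, 0x55, 0x10, 0x8E, 0x02, 0xD4, 0x71])  # one 10-byte frame


def build_rtp_header(seq, timestamp, ssrc, pt=PT_G729, marker=0):
    """12-byte fixed RTP header: V=2, no padding, no extension, no CSRCs."""
    byte0 = RTP_VERSION << 6
    byte1 = (marker << 7) | pt
    return struct.pack("!BBHII", byte0, byte1, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc)


def parse_rtp_header(pkt):
    byte0, byte1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    return {"version": byte0 >> 6, "marker": byte1 >> 7, "pt": byte1 & 0x7F,
            "seq": seq, "timestamp": ts, "ssrc": ssrc, "payload": pkt[12:]}


def keystream(key, ssrc, seq, length):
    """Keystream bound to (ssrc, seq). The receiver rebuilds it from the cleartext
    header, so lost or reordered packets do not desynchronise the cipher.
    HMAC-SHA256 in counter mode stands in for a real stream cipher here."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IHI", ssrc, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_payload(key, pkt):
    """Cipher only bytes 12.. of the packet; the header stays readable."""
    h = parse_rtp_header(pkt)
    return pkt[:12] + _xor(h["payload"], keystream(key, h["ssrc"], h["seq"], len(h["payload"])))


decrypt_payload = encrypt_payload   # XOR with the same keystream undoes it


class VoicePath:
    """One direction of a call. Starts in the clear; flips to ciphered payloads
    only once the far end answers the upgrade probe, STARTTLS-style."""

    def __init__(self, key, ssrc):
        self.key, self.ssrc = key, ssrc
        self.seq, self.ts = 0, 0
        self.ciphered = False

    def upgrade(self, remote_answer):
        # A peer that does not understand the probe never answers correctly;
        # the call then simply continues as ordinary clear G.729.
        self.ciphered = remote_answer == UPGRADE_OK
        return self.ciphered

    def send(self, frame):
        pkt = build_rtp_header(self.seq, self.ts, self.ssrc) + frame
        self.seq += 1
        self.ts += SAMPLES_PER_FRAME
        return encrypt_payload(self.key, pkt) if self.ciphered else pkt


if __name__ == "__main__":
    path = VoicePath(DEMO_KEY, DEMO_SSRC)
    path.send(DEMO_FRAME)                  # clear packet, seq 0
    path.upgrade(UPGRADE_OK)
    enc = path.send(DEMO_FRAME)            # ciphered packet, seq 1
    print(parse_rtp_header(enc))           # header fields intact, payload is noise
    print(parse_rtp_header(decrypt_payload(DEMO_KEY, enc))["payload"] == DEMO_FRAME)
```

Two things the toy deliberately keeps from the real protocol: the header is not encrypted (a middlebox can still do jitter buffering and payload-type policy on it), and the keystream is derived per packet from header fields rather than from a running cipher state, which is what makes the scheme survive the packet loss that voice tolerates. What it omits, and what SRTP adds, is an authentication tag on each packet; XOR-only ciphering lets an on-path attacker flip payload bits undetected.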
I don't even bother "compromising" an initial host on many engagements when the engagement has me go on site. It's trivially easy to tailgate your way onto most corporate campuses and set yourself up in an empty conference room.
Then you wait for LLMNR or NetBIOS/TCP messages on your subnet, which nobody disables, ever. Then you just collect the hashes for a while. No need even to mess around with PTH half the time; more often than not hashcat can crack at least one before you finish your first soda and you have your foothold.
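Editor's worked example for the comment above (added here; not the commenter's tooling). The check a defender wants before the pentester's soda is finished is simply: which hosts on this subnet are still broadcasting LLMNR (UDP 5355, DNS wire format) and NBT-NS (UDP 137) name queries? Those are exactly the hosts a poisoner in the conference room would answer. The code parses both query formats, including the NetBIOS first-level name encoding, and audits a list of datagrams; the datagrams and IP addresses are constructed here, not captured, and the host names in them are made up.

```python
import struct

LLMNR_PORT = 5355   # LLMNR, DNS wire format over UDP
NBNS_PORT = 137     # NetBIOS Name Service over UDP


def _read_dns_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), off


def parse_llmnr_query(payload):
    """Return the queried name for an LLMNR query datagram, None for anything else."""
    if len(payload) < 12:
        return None
    tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:      # QR set means a response, not a query
        return None
    name, off = _read_dns_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"proto": "LLMNR", "id": tid, "name": name, "qtype": qtype}


def _decode_nbns_name(encoded):
    """NetBIOS first-level encoding: every nibble is stored as 'A' + nibble, so a
    16-byte padded name becomes 32 ASCII chars; byte 16 is the service suffix."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15]


def parse_nbns_query(payload):
    if len(payload) < 46:
        return None
    tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1 or payload[12] != 0x20:
        return None
    name, suffix = _decode_nbns_name(payload[13:45])
    return {"proto": "NBT-NS", "id": tid, "name": name, "suffix": suffix}


def classify(dst_port, payload):
    if dst_port == LLMNR_PORT:
        return parse_llmnr_query(payload)
    if dst_port == NBNS_PORT:
        return parse_nbns_query(payload)
    return None


def audit(datagrams):
    """datagrams: iterable of (src_ip, dst_port, payload). Returns the hosts
    still emitting LLMNR/NBT-NS queries, i.e. the ones a poisoner would answer."""
    exposed = {}
    for src, port, payload in datagrams:
        q = classify(port, payload)
        if q:
            exposed.setdefault(src, set()).add(q["proto"])
    return {ip: sorted(protos) for ip, protos in exposed.items()}


# --- constructed sample traffic (built here, not captured) ---------------------
def build_llmnr_query(tid, name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_nbns_query(tid, name, suffix=0x20):
    padded = name.upper().encode().ljust(15, b" ") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in padded)
    # flags 0x0110 = query, recursion desired, broadcast; QTYPE NB (0x20), QCLASS IN
    return (struct.pack("!HHHHHH", tid, 0x0110, 1, 0, 0, 0)
            + b"\x20" + enc + b"\x00" + struct.pack("!HH", 0x20, 1))


SAMPLE_DATAGRAMS = [
    ("10.0.5.21", LLMNR_PORT, build_llmnr_query(0x1A2B, "fileserv01")),
    ("10.0.5.21", NBNS_PORT, build_nbns_query(0x9C01, "fileserv01")),
    ("10.0.5.37", NBNS_PORT, build_nbns_query(0x7F10, "printsrv")),
    ("10.0.5.99", LLMNR_PORT, struct.pack("!HHHHHH", 0x1A2B, 0x8000, 1, 1, 0, 0)),  # a response
    ("10.0.5.50", 53, build_llmnr_query(1, "corp.example")),                            # plain DNS
]

if __name__ == "__main__":
    for ip, protos in sorted(audit(SAMPLE_DATAGRAMS).items()):
        print(ip, "still speaks", ", ".join(protos))
```

Feed it real datagrams from a packet capture on the same broadcast domain and the output is the remediation list: LLMNR is turned off with the "Turn off multicast name resolution" group policy, and NBT-NS per adapter in the WINS tab of the TCP/IP properties (or via DHCP option 1 on Microsoft DHCP servers). A host that keeps showing up after that has a local override worth looking at.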