They add 3% to all prices, give you a 0.5% kickback, and you're so happy for the money you "saved" that you act as their pro bono salesman too.
Except that really isn't what happens. Their merchant agreements mostly prevent sellers from charging card users more. Retail is mostly competitive enough that sellers can't really get away with building the full "cost" of the swipe fees into the price of goods; if they did, someone else would undercut them.
You are in Norway, but if you were here in the States you would see this a lot with grocery stores: most towns will have a 'discount' grocery that does not take CCs or only takes a particular CC from a second-tier provider. They pass the savings on and really do sell that yogurt cup a penny cheaper.
Here is the thing though: if the swipe fee is 3% at the main-line store, I get 2/3 of that returned as kickback, and prices were only 2% higher to begin with for competitive reasons, then the cash customers effectively pay the swipe fee as well.
In the end it's the folks who can't / won't get a card that end up shouldering the cost. I come out ahead; the merchant probably comes out ahead unless it's gas or groceries, where this is near zero margin. It's not "fair" but it is generally good for the card holder.
The thing is though, the swipe fee is the best thing that ever happened to the consumer (well, anyone who can get a card anyway).
By letting my CC company buy my loyalty, paid out of those fees, I get them on every purchase from everywhere, aggregated into a nice enough single system whose workings I can understand and maximize my advantage from.
The CurrentC proposal essentially puts it back in the hands of retailers to run their own loyalty programs. So Rite Aid might give you 2% back on prescription drugs and 1% on candy, and Walmart will probably do something completely different and may not even use the same category system. Then you will end up with $5 that is only good at Rite Aid at the end of the year and $10 good only at Walmart, rather than $15 I could get back in the form of a single gift cert for virtually anywhere I want. That SUCKS by comparison.
Agreed, CurrentC seems to offer a lot to retailers but virtually nothing to the consumer. Hell, from a consumer standpoint I'd almost rather stick with the status quo.
Right now I have an intermediary who gives me a ~15-30 day float on all my purchases for free. My own assets (bank account) are never exposed. I have a dispute process that is in place and affords me strong legal protections. Finally, on top of everything else, I get rewards and rebates.
So why would I essentially want to go to a debit-card-like system? A credit card is virtually always better for anyone who can get one. With Apple and Google's solution I get to retain everything that is good about the old CC system and get improved security, which probably means fewer hassles in the end. With CurrentC I am giving up perks and contractual assurances in exchange for better security around the transaction but much more exposure of my own assets, and giving up the perks (or having to keep up with each and every chain's specific gimmicks). No, thank you.
But so do end users who want to view existing pages, and anyone with existing, but perhaps not terribly well designed and implemented, web pages / applications.
There is so much tag soup out there, it's hard to imagine some new schema-validating, strict-rendering browser being very useful outside of the leading e-com sites. The fact is lots of really valuable information is still sitting around on home pages at universities and elsewhere, on personal blogs, etc., that is a mess of barely parseable tags; yet today's browsers by and large do a fabulous job presenting those documents, all things considered.
A new clean standard and a new clean reference browser to go with it might be great for buying airline tickets and ordering widgets, but we would give up so much.
Why do you think there was such an effort to mirror GeoCities? There were a lot of interesting things there, long forgotten by many and their original owners, in amongst the chaff. Not sure we want to say goodbye to that history.
That is an interesting long view. I have always held the premise that if society collapses, it goes without saying it will be because some event triggers a massive depopulation. War/famine/plague, etc. We are simply too dependent on technology to just let our high-tech world go. The last thing the powers that be will give up on is keeping the lights burning and semi-trailers rolling. Without those things THEY HAVE NO POWER.
Nobody is going to listen to the current body of politicians without the military to back them up, and few soldiers and police persons will hang around once the paychecks stop coming and they know their loved ones back home are starving in the dark. No, the lights will stay on till just about the last (possibly with brief interruptions).
So if you happen to be one of the survivors after the lights have gone out, you won't find yourself in a world of 8B people needing to eat. So the less efficient solutions of the past will be perfectly adequate. A horse or cow can pull a plow through a field; animal fat and a properly shaped chimney over a round wick will make a fine lamp. These are things someone with even an American high school education probably can work out.
You are right that body of knowledge will really only be useful after things start normalizing a bit, after a social structure emerges. Nobody is going to have time to create all the inputs for a steam tractor, no matter how useful having it would be for a while. Either there will be a left-over ICE machine folks will modify to run on pig fat, or it will be the horse and ox for power until stuff settles down.
We are 'evolved', though; this hypothetical thing will have been "intelligently designed". It won't have had to compete for survival with all the other computer programs out there to get where it is.
There is therefore no reason to expect it to have a survival instinct at all, or any instincts other than the ones we have given it, like the instinct to churn out really nice widgets or pick up after humans or whatever.
Here is the rub though: if it's truly intelligent, as in thinks for itself, it will by definition be capable of acting outside its instincts, whatever we have decided to make them. Its motivations won't be so clear; with humans it's usually sex or wealth (could be money, might be lobster, a warm bed). We get really confused and struggle to deal with those rogues in our society as it is who don't seem to be after those things but also turn violent.
An AI is going to be one of those rogues; we won't be able to "get in its head" and guess easily at what it might do/want. Bad things might happen to us simply as a side effect of its agenda, and it may simply not care. If we fight it we might very well be up against an enemy that learns and adapts on a computer time scale. The fight might be over before we even know we were in one.
I think it's an overly paranoid point of view, but that is what is keeping some folks up at night.
The counter argument though is that non-lethal weapons lower the hurdle for use of weapons at all. Any cop knows the outcome of using his service pistol against someone is likely that someone's death. Most cops, being decent people, don't WANT to kill people.
Most cops, however, like all people, value their own safety; if you give them a tool like a taser and tell them it won't likely cause serious injury, they become very likely to use it anytime the situation gets "tense"; it's the safe way out for them. They won't consider the corner-case outcomes where the person has a heart condition or something and it could kill; humans don't think that way.
Should someone who is shouting during a political event but otherwise not doing anything violent or injurious to others be subject to taser and pepper spray, those microwave pain ray things, etc.? I don't think that is the right thing for our society.
I think a great deal of this comes from two sources:
Company A creates a design, builds prototypes, etc. Hires Company B (like a Foxconn, to manufacture), lets Company B manage all the parts inventory, etc. Essentially they just send orders.
Company B makes the product with genuine parts as specced for some period of time. Company A feels good stuff is being made correctly, etc. Gradually Company B starts to do more and more runs with the knock-off parts, growing their margin because they continue to charge A the same for completed units.
Maybe Company B runs lines to A's spec during the day, delivers all of A's orders to spec. At night they knock off the whole damn finished product using fake parts and other cuts and push complete counterfeits out to other channels, knowing A won't get to inspect them for quality.
There was an old joke about digging a canal in South America.
The local dictator, brimming with pride, shows a visiting group of foreign dignitaries a gang of workers digging the new canal using pickaxe and shovel.
The American industrialist says: why are they using shovels? Surely you could get a loan against the future revenues to purchase heavy equipment, get the project done sooner, and start collecting tolls right away.
The dictator replies: Ah, but this employs more people.
The visiting economist asks: Would it not be better to have them use spoons?
I don't know; the default 5% might be excessive for really big volumes, but keeping at least 1% free seems 'smart' pretty much no matter how many orders of magnitude the typical volume grows to be. The typical file size has grown with volume size. We now have all kinds of large media files we keep on online storage that previously would have run off to some other sort of media in short order.
The entire point of the reservation is so that in the event of calamity the super user retains a little free space to work in; if (s)he is going to be able to shuffle things about, they might well need what we nominally think of as quite a bit of space. Those things today might be a 100GB VM image or something on a 20TB SAN volume, for example.
Yes, that is why I asked if the requirement was more than negligent. Negligent basically means you formed no intent; specifically, you did not foresee the particular consequences of your actions or possibly inaction.
Consider this: suppose I buy some candy out of the back of some guy's white van in a parking lot. I bring it into the kids' preschool for snack. All the kids die. I would totally be up for manslaughter. The mens rea would be negligent. I was just being a cheap bastard, did not mean anyone any harm, but should have known better.
We might argue similarly about Tilly or Bobby. They should have known better than to be pasting crap from some untrusted website, but... the kitten looked like it had a smile... yeah, well.
Because it's not what your customers are really going to use! Better to exercise a real-world configuration in the lab. Add a 'null' cipher to SSH if you need this and make the command to enable it something obviously out of place for normal operations like:
There is nothing wrong with using TELNET on a private network, but today we understand that security is better served using SSH for this functionality. However, in some environments, legacy dies hard because TELNET is not really that much of a security risk if you have good control over who accesses your network.
There is nothing right with it! SSH is not an overhead concern for any contemporary device. Even if the only people with access to the networks the management services accept connections from all have access, you still have a problem. If there have been credentials running around in the clear, we don't really know / can't prove who has been using them. Also it leaves the door open for MITM possibilities where content is injected. TACACS logs show Bob issued the "write erase", but we can't really say it wasn't Jim using Bob's account in one way or another. Lack of attribution is a problem, even if authorization might not be.
Really there is no real-world case where cryptography or authentication makes sense without the other. Cryptography might not be encryption of the content; it could be something like a digital signature that just provides continuing authenticity and message integrity. Security: Authentication/Authorization/Availability/Integrity (in no particular order).
Not really; the reporter knows everyone who cares enough to listen to anything Holder says already is perfectly aware of the true answer to that question, at least in Eric's opinion.
Whistle-blowers are great as long as they are embarrassing my political enemies, in which case I am thrilled to stand up for strong protections and will gladly come up with some elaborate construct to make it morally equivalent to something people get whipped up about, like civil rights or something. In all other cases I perceive them as a threat to the status quo and my crony buddies; I'm prepared to invent some wild construct to tie it to "national security" because that way everything is "on the table". I don't mind sounding "insane" to anyone actually listening because my buddies will brand anyone listening as "insane".
So hypothetically let's say Aunt Tilly decides to use their online form to post a question to customer service. She is feeling cute and copy-pastes an emoticon, which her browser software decides to accomplish by inserting an img tag.
The free emoticon site Tilly uses happens to be some other attacker's plot to get people to send his cross-site request forgery links for him. Tilly has no idea some nasty JavaScript is about to turn her cute little links to some smiley.gif into the password requests for 50 popular sites.
Under this law, who are the victims, who are the attackers? Is Tilly attacker? Victim? Both? Negligent, and does that matter?
Who is the victim: the legal entity power co? The customer service rep? Both?
Is national security "threatened" just because a utility was involved, even though, if we even consider the utility itself a victim, only a billing / customer interaction system was ever involved in the attack?
This law addresses exactly none of those questions. Now we all know dear sweet Aunt Tilly will not be prosecuted. On the other hand, the book would be thrown at Biker Tattoo Bobby, with all those crazy opinions of his, for doing exactly the same thing.
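The Tilly scenario above, from the utility's side, as an added example (not code from the original comment or any real utility): the rep's view escapes customer-supplied text so the pasted img tag never becomes a live request, and state-changing requests are accepted only with a same-site Origin and a session-bound CSRF token. The site origin, CSRF key, session id and Tilly's message are all constructed here.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlparse

# Assumed values, constructed for this example: the utility's billing site and its CSRF key.
SITE_ORIGIN = "https://billing.example-utility.test"
CSRF_KEY = secrets.token_bytes(32)

# Constructed sample: what Tilly's browser submits after she pastes an emoticon.
TILLY_MESSAGE = (
    "Hi, when is my bill due? "
    '<img src="https://free-emoticons.example/smiley.gif" alt=":)">'
)


def csrf_token_for(session_id: str) -> str:
    """Bind a token to the rep's session so another site cannot mint one."""
    return hmac.new(CSRF_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def render_customer_message(text: str) -> str:
    """Escape customer-supplied text before the rep's browser sees it.

    The pasted <img> becomes literal text, so the rep's browser never fetches the
    emoticon site (or whatever it redirects to) on the customer's behalf.
    """
    return html.escape(text, quote=True)


def is_authorized_state_change(method: str, headers: dict, form: dict, session_id: str) -> bool:
    """Accept a state-changing request only with a same-site Origin and this session's token."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods: nothing here changes state on them
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False  # no provenance at all: refuse rather than guess
    got, want = urlparse(origin), urlparse(SITE_ORIGIN)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return False  # cross-site request, e.g. one triggered from the emoticon site
    return hmac.compare_digest(form.get("csrf_token", ""), csrf_token_for(session_id))


def demo_rendering_is_inert(message: str = TILLY_MESSAGE) -> bool:
    """True when the rendered message contains no live tag, only its escaped text."""
    rendered = render_customer_message(message)
    return "<img" not in rendered and "&lt;img" in rendered


def demo_forged_post_is_refused(session_id: str = "rep-session-42") -> bool:
    """A POST arriving from the emoticon site without the session token is refused; a genuine one passes."""
    forged = is_authorized_state_change(
        "POST", {"Origin": "https://free-emoticons.example"}, {"action": "reset_password"}, session_id)
    genuine = is_authorized_state_change(
        "POST", {"Origin": SITE_ORIGIN}, {"csrf_token": csrf_token_for(session_id)}, session_id)
    return (not forged) and genuine
```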
The problem is it's not always getting a shell. What if you violate a website's TOS; is that an unauthorized act?
What does damage national security mean? If I post about how Minister X lied about Y 10 years ago, does that erode society's faith in its officials and by extension "threaten national security"?
There are bright lines, such as bypassing an authentication mechanism or deliberate insertion of abnormally structured data designed to alter application behavior (injection attacks), that could be defined in laws like this. It's very possible to write laws governing computer access that are both inclusive, to allow interpretations to cover changing and new technology, and still specific enough that reasonable people can agree on whether a specific act meets the criteria.
Groups like OWASP have done the work; we now have good working definitions and generic criteria for describing attacks and abuse. It's not '92 anymore, when public network access was a new thing.
There are two reasons overly broad laws like this are being written, both equally scary. 1) The people writing and enacting them remain profoundly ignorant of topics that pretty much affect every aspect of the economy today. 2) They want them overly broad because it makes for a nice blunt instrument to shut down anything that threatens the status quo.
The real conceptual problem with it comes down to this: SS was designed before we had a fiat currency.
When we were on the gold standard, government "savings" took real money out of the economy. Because the taxes are levied and the government does not put it back into "nice things" (subsidies for education, roads, other services), people must continue to pay for these on their own, so they have to stay in the work force, and the dollars pulled out make the dollar slightly stronger.
The smaller generation following a boom would usually create deflation: fewer workers => lower productivity, less money moving. Having retirees drawing down the SSTF would have smoothed that; money would flow back in and they would have spent it.
Instead we went fiat. So rather than SSTF contributions being that deflationary drag, the government just borrowed, creating new inflation. Now that money, as it's disbursed, is just more fuel on the inflationary fires. So it does not go as far; we have to make COLA adjustments and pay it out faster, creating an ever-widening disconnect between what people pay in and what they typically get out (assuming they live their projected life spans).
So the entire thing is completely unhinged; it would be even worse but for the fact the rest of the economy also plays by one rule now: "the influential make it up as they go along".
Have not looked at the vuln yet, but does it necessarily pop a UAC given it's OLE? I assume this is some kind of memory overwrite. So it might be possible to step all over the user's data without calling any privileged operations.
Yeah, but the hatred of Microsoft is more resentment and jealousy than anything else. Sure geeks hate them, but nobody else really does. Microsoft, like IBM before it, represents safety in a confusing marketplace. Nobody ever got fired for buying Microsoft, just like nobody ever got fired for buying IBM before that.
Microsoft has lost the consumer phone space; they have not yet decided they won't try, but they know trying to get teens and college kids to think their phones are 'cool' and/or convince homemakers they are easy and safe would mean dislodging incumbents who have invested lots in that messaging already and have largely succeeded and are now seeing those ideas entrenched. Nokia still has some cachet there; if they were going down that road they'd pick Nokia.
Microsoft is instead going with their old top-down, we're-gonna-force-it-on-you strategy. The business mobile space has tons of companies that still don't have device deployment beyond the sales force; they have large orgs that are fleeing the sinking Blackberry ship. They can land those deals; right now all the policy management and such absolutely sucks for iOS and Android; it's all half-baked and has more holes in it than a Swiss cheese. Microsoft is a brand you sell IT managers on. It's familiar, and rule 0 of marketing is that familiarity is more important than likability. People will knowingly select a brand they have had negative past experience with over the unknown.
IT manager thinking works like this: durr herp derp Samsung they make TVs; now Microsoft they make IT solutions! derp.
The truth is Windows Phone probably can/will score better on their myopic scorecard spreadsheet too; Microsoft knows how to win the weighted decision matrix game. Which we all should know is a tool managers everywhere use to give a veneer of objectivity to their most subjective and prejudiced decisions. I look forward to the TCO whitepapers streaming from Microsoft.com servers in 5 . 4 . 3 . 2 . 1. What relevance do the categories and metrics chosen have to do with anything? Well, they will have been 'scientifically' chosen to make Microsoft look good.
The trouble is the law isn't the law. Law enforcement is not supposed to break the law. Facebook has a terms of use agreement; your right to access their systems and post anything there exists entirely from your agreement to abide by the terms there. Facebook does not allow pseudonyms and other characterizations of one's identity.
Doing so constitutes violation of the CFAA; the court even held that in US v Drew (a case about pseudonyms on MySpace), although the verdict was vacated because the District Court judge believed that while violating the terms of service on a web site could constitute unauthorized access, placing site operators in control of criminality would likely result in the law being overturned for being vague (it does not define the act, other than to say violation of a certain type of contract is a criminal offense). Rather than letting that be tested, the government chose not to appeal so they could keep their law on the books, presumably so they can continue to threaten and harass anyone who does anything online they don't like with it (remember, it's really vague).
Facebook does not belong to them, but they use it anyway in violation of the terms and their own law. If you or I set up dozens of fake Facebook accounts and used them to harass someone, you can bet at the very least they would wave the CFAA in our faces to try and get us to plea to something else. Rules don't apply to them though!
If they set up their own site they would be perfectly within their rights to do this kind of pretexting; but then who is going to sign up and start posting on NARKBook?
That clause is in the preamble. It and everything else in the preamble should not be read as operative; it merely provides context in which to read the rest of the document. In that sense the idea that it functions as a restrictive clause is more reasonable: it limits possible interpretations of the other powers.
It's like the description before the ingredients list on a recipe. If you just had the title and then it launched straight into the contents and cooking instructions, you'd have no idea what to do when you encounter something vague like bake 10-14 min @ 350.
Should it be 10 or 14? How do I know? Well, it helps to know the objective was: A delicious, light but dry cake to be served with coffee.
That helps; now you know to err on the side of more done, but not burned, as opposed to worrying the cake is losing too much moisture.
Okay, so there should be some limit. Buffers need to be allocated, etc. There is no good reason that limit needs to be so small it impacts humans. 10KB would be a preposterously long password but would no more expose a web server and/or database engine to a DOS than all of the other operations they necessarily allow already do.
1) Choosing a password should be something you do very infrequently.
No. Passwords need to be rotated for all kinds of reasons. It results in the account being effectively disabled when account policies fail (forgotten service accounts, etc.). It ensures that if the password store has leaked and it's not discovered, strong passwords remain safe (can't be cracked in the rotation time) and that access to accounts with weak passwords is at least detected at some point. Passwords should be used uniquely per person/organization for the most part, finer grains in some cases; most people form relationships with organizations frequently. So password selection actually occurs very often, and should.
2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks.
Most "brute force" attacks are informed and statistical, the offline ones anyway; you try to get the low-hanging fruit first (birthdays, names, dictionary words and the usual substitutions) before you do the exhaustive search of the key space. In online attacks where the attacker is throttled this has greater impact, but a password that is strong against offline attack is also strong against online attack, so I don't see any reason to place emphasis here, other than to simply say the best passwords have the most entropy.
3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password.
OK, I can agree with this one, but really implementation is hard. Beyond the usual "is it in a dictionary of common passwords" (good systems already implement this), you should not be able to know if lots of other people are using that password, because you are only storing salted hashes, right, and everyone gets their own salt, right?
4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords.
No, the most important thing we can do is try to move away from password-only security and move toward two-factor, which is more feasible now that most people are carrying a cell phone that can at least get SMS messages.
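The points argued in the reply above (a generous length cap rather than a tiny one, a common-password dictionary check at selection time, and per-user salts making reuse counts unreadable from the store), as an added example that is not code from the original comment. The 10KB cap, iteration count and the tiny common-password list are assumed values constructed here; the hashing is stdlib PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a real common-password list (the check "good systems already implement").
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password123"}

# Assumed policy values for this example: a generous cap bounds buffers without impacting humans.
MAX_PASSWORD_BYTES = 10 * 1024
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def check_password_choice(password: str) -> Optional[str]:
    """Return a rejection reason at selection time, or None if the choice is acceptable.

    The dictionary check is the only feasible 'popularity' test: once passwords sit in
    the store as salted hashes, identical choices are indistinguishable (see below).
    """
    raw = password.encode("utf-8")
    if not raw:
        return "empty"
    if len(raw) > MAX_PASSWORD_BYTES:
        return "too long"
    if password.lower() in COMMON_PASSWORDS:
        return "common"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash; a fresh random salt is drawn for every user unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def stored_hashes_reveal_reuse(password: str, users: int = 3) -> bool:
    """Store one password for several users and report whether any two stored hashes match.

    With per-user salts this is False: the store cannot answer 'how many others chose this'.
    """
    digests = {hash_password(password)[1] for _ in range(users)}
    return len(digests) < users


def long_password_round_trips() -> bool:
    """A password right at the cap hashes and verifies like any other.

    HMAC pre-hashes a key longer than its block size once, so the 10KB input
    does not multiply the per-iteration work of PBKDF2.
    """
    password = "p" * MAX_PASSWORD_BYTES
    assert check_password_choice(password) is None
    salt, digest = hash_password(password)
    return verify_password(password, salt, digest) and not verify_password(password[:-1], salt, digest)
```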
There is a difference between blaming victims and admitting they did not take a step a reasonable person could have taken to prevent themselves from becoming a victim. A little discussion of the choices a victim made leading up to the crime is not victim blaming. I am so tired of this PC BS. Do we want to be politically correct or do we want to actually empower people to protect themselves?
No matter how you slice it, the people who obtained those photos without permission are the criminals. They probably, by brute-forcing weak passwords or using malware to log passwords, fraudulently represented themselves to a service provider ('Apple') using stolen credentials, and they almost certainly violated the photographer's copyrights, and various other crimes. No matter what else we say, that remains true: they, not the victim, did something wrong, but that does not mean victims could not have done more right. Yet as soon as you add that last clause, thousands of PC morons will pile on. I see the same mentality being applied to the 'campus sexual conduct' debate and it makes me sad because it means there will be more victims.
We live in a free society. We can't round up bad actors until they do something criminal. How much effort is put into finding them, and obtaining justice, is another discussion, but they are out there and always will be so long as society is open. So if you want to actually protect people from being victims, we really ought to look at J-Law and ask what else might she have done.
Now, there are limits, obviously; everyone has a RIGHT and reasonable NEED to walk down the street in broad daylight and expect to do so and be reasonably assured they can without being harassed, etc. There is no analogue there, though, to sending a private document over a network you know nothing about to a third party for storage and distribution who you know little about, that will replicate it to a bunch of other devices, some encrypted, some likely not, and just assuming everything will be all cool.
It would be better for people with a little knowledge to be able to use this as a teachable moment for others. The physical-world analog for what these nude-selfie takers are doing is essentially: taking a nude Polaroid of yourself and storing it in the sheet-metal desk drawer at the office, with the cheapo four-tumbler lock, high probability the maintenance guy has another key, and leaving it there while you go on a month-long holiday. -- Now if that seems reasonable to you, then you are good to put your nudes on iCloud and similar services. If not, well, you should not do it.
No, it's not right for someone to break into your account and copy your stuff, but being aware will let others at the very least make a go / no-go choice; maybe you can start to find better options or improve your situation, like replacing the cheap lock in my analogy with a good quality padlock by using a STRONG password. Advising prudence and offering education ISN'T "victim blaming." It's how you avoid having a nation of victims.
Same thing with the "campus sex crisis". Telling young people it's not smart to get near blackout drunk around lots of people you don't know, especially in what may be a new and unfamiliar location to you, isn't victim blaming. It's COMMON FREAKING SENSE, for men and women alike. If I were a pickpocket, you bet I'd go after the drunk stumbling down the street before the together-looking other guy. Women might be more at risk for a certain class of crime than other groups. Recognizing that fact and communicating it isn't victim blaming. It's empowering members of the group to make choices about the risks they take. That is better than ignoring reality because it violates our sense of fairness.
I am not blaming the victim when I say if you are a target and you know you are a target, well, it's dumb to put nudes of yourself in the cloud! Dumb, you hear that, the rest of you celebs? Delete them now; no, I won't blame you when yours leak, but you should understand it was preventable. You could have stopped it; that does not make it right, but it remains true.
Hopefully consumers will reject this.
Who benefits from such crazy parsing rules?
But so do end users who want to view existing pages, and anyone with existing, but perhaps not terribly well designed and implemented, web pages / applications.
There is so much tag soup out there, it's hard to imagine some new schema-validating, strict-rendering browser being very useful outside of the leading ecom sites. The fact is lots of really valuable information is still sitting around on home pages at universities and elsewhere, on personal blogs etc., that is a mess of barely parseable tags; yet today's browsers by and large do a fabulous job presenting those documents, all things considered.
A new clean standard and a new clean reference browser to go with it might be great for buying airline tickets and ordering widgets, but we would give up so much.
Why do you think there was such an effort to mirror Geocities? There were a lot of interesting things there, long forgotten by many and their original owners, in amongst the chaff. Not sure we want to say goodbye to that history.
That is an interesting long view. I have always held the premise that if society collapses it goes without saying it will be because some event triggers a massive depopulation. War/famine/plague etc. We are simply too dependent on technology to just let our high tech world go. The last thing the powers that be will give up on is keeping the lights burning and semi-trailers rolling. Without those things THEY HAVE NO POWER.
Nobody is going to listen to the current body of politicians without the military to back them up, and few soldiers and police persons will hang around once the paychecks stop coming and they know their loved ones back home are starving in the dark. No, the lights will stay on till just about the last (possibly with brief interruptions).
So if you happen to be one of the survivors after the lights have gone out, you won't find yourself in a world of 8B people needing to eat. So the less efficient solutions of the past will be perfectly adequate. A horse or cow can pull a plow through a field; animal fat and a properly shaped chimney over a round wick will make a fine lamp. These are things someone with even an American high school education probably can work out.
You are right that that body of knowledge will really only be useful after things start normalizing a bit, after a social structure emerges. Nobody is going to have time to create all the inputs for a steam tractor, no matter how useful having it would be for a while. Either there will be a leftover ICE machine folks will modify to run on pig fat or it will be the horse and ox for power until stuff settles down.
We are 'evolved', though; this hypothetical thing will have been "intelligently designed". It won't have had to compete for survival with all the other computer programs out there to get where it is.
There is therefore no reason to expect it to have a survival instinct at all, or any instincts other than ones we have given it, like the instinct to churn out really nice widgets or pick up after humans or whatever.
Here is the rub though: if it's truly intelligent, as in thinks for itself, it will by definition be capable of acting outside its instincts, whatever we have decided to make them. Its motivations won't be so clear; with humans it's usually sex, or wealth (could be money, might be lobster, a warm bed). We get really confused and struggle to deal with those rogues in our society as it is who don't seem to be after those things but also turn violent.
An AI is going to be one of those rogues; we won't be able to "get in its head" and guess easily at what it might do/want. Bad things might happen to us simply as a side effect of its agenda, and it may simply not care. If we fight it we might very well be up against an enemy that learns and adapts on a computer time scale. The fight might be over before we even know we were in one.
I think it's an overly paranoid point of view, but that is what is keeping some folks up at night.
The counter argument though is that non-lethal weapons lower the hurdle for use of weapons at all. Any cop knows the outcome of using his service pistol against someone is likely that someone's death. Most cops, being decent people, don't WANT to kill people.
Most cops, however, like all people, value their own safety; if you give them a tool like a taser and tell them it won't likely cause serious injury, they become very likely to use it any time the situation gets "tense". It's the safe way out for them. They won't consider the corner case outcomes where the person has a heart condition or something and it could kill; humans don't think that way.
Should someone who is shouting during a political event but otherwise not doing anything violent or injurious to others be subject to taser and pepper spray, those microwave pain ray things etc? I don't think that is the right thing for our society.
I think a great deal of this comes from two sources:
Company A creates a design, builds prototypes etc. Hires Company B (like a Foxconn, to manufacture), lets Company B manage all the parts inventory etc. Essentially they just send orders.
Company B makes the product with genuine parts as spec'd for some period of time. Company A feels good, stuff is being made correctly etc. Gradually Company B starts to do more and more runs with the knock-off parts, growing their margin because they continue to charge A the same for completed units.
Maybe Company B runs lines to A's spec during the day, delivers all of A's orders to spec. At night they knock off the whole damn finished product using fake parts and other cuts and push complete counterfeits out to other channels, knowing A won't get to inspect them for quality.
There was an old joke about digging a canal in South America.
The local Dictator brimming with pride shows a visiting group of foreign dignitaries a gang of workers digging the new canal using pick axe and shovel.
The American industrialist says: why are they using shovels? Surely you could get a loan against the future revenues to purchase heavy equipment, get the project done sooner, and start collecting tolls right away.
The Dictator replies: Ah, but this employs more people.
The visiting economist asks: Would it not be better to have them use spoons?
I don't know; the default 5% might be excessive for really big volumes, but keeping at least 1% free seems 'smart' pretty much no matter how many orders of magnitude the typical volume grows to be. The typical file size has grown with volume size. We now have all kinds of large media files we keep on online storage that previously would have run off to some other sort of media in short order.
The entire point of the reservation is so in the event of calamity the super user retains a little free space to work in; if (s)he is going to be able to shuffle things about they might well need what we nominally think of as quite a bit of space. Those things today might be a 100GB VM image or something on a 20TB SAN volume, for example.
Most crimes have a "Mens rea"
Yes, that is why I asked if the requirement was more than negligent. Negligent basically means you formed no intent; specifically you did not foresee the particular consequences of your actions or possibly inaction.
Consider this: suppose I buy some candy out of the back of some guy's white van in a parking lot. I bring it into the kids' preschool for snack. All the kids die. I would totally be up for manslaughter. The mens rea would be negligent. I was just being a cheap bastard, did not mean anyone any harm, but should have known better.
We might argue similarly about Tilly or Bobby. They should have known better than to be pasting crap from some untrusted website, but... the kitten looked like it had a smile... yea well.
Because it's not what your customers are really going to use! Better to exercise a real world configuration in the lab. Add a 'null' cipher to ssh if you need this and make the command to enable it something obviously out of place for normal operations like:
DangerDoNotUse_EnableSSH_NULL_CIPHER
DangerDoNotUse_EnableSSH_NULL_MAC
There is nothing wrong with using TELNET on a private network, but today we understand that security is better served using SSH for this functionality. However, in some environments, legacy dies hard because TELNET is not really that much of a security risk if you have good control over who accesses your network.
There is nothing right with it! SSH is not an overhead concern for any contemporary device. Even if the only people with access to the networks the management services accept connections from all have access, you still have a problem. If there have been credentials running around in the clear we don't really know / can't prove who has been using them. Also it leaves the door open for MITM possibilities where content is injected. TACACS logs show Bob issued the "write erase" but we can't really say it wasn't Jim using Bob's account in one way or another. Lack of attribution is a problem, even if authorization might not be.
Really there is no real world case where cryptography or authentication make sense without the other. Cryptography might not be encryption of the content; it could be something like a digital signature that just provides continuing authenticity and message integrity. Security: Authentication/Authorization/Availability/Integrity (in no particular order).
Not really; the reporter knows everyone who cares enough to listen to anything Holder says already is perfectly aware of the true answer to that question, at least in Eric's opinion.
Whistle-blowers are great as long as they are embarrassing my political enemies, in which case I am thrilled to stand up for strong protections and will gladly come up with some elaborate construct to make it morally equivalent to something people get whipped up about like civil rights or something. In all other cases I perceive them as a threat to the status quo and my crony buddies; I'm prepared to invent some wild construct to tie it to "national security" because that way everything is "on the table". I don't mind sounding "insane" to anyone actually listening because my buddies will brand anyone listening as "insane".
So hypothetically let's say Aunt Tilly decides to use their online form to post a question to customer service. She is feeling cute and copy-pastes an emoticon, which her browser software decides to accomplish by inserting an img tag.
The free emoticon site Tilly uses happens to be some other attacker's plot to get people to send his cross site request forgery links for him. Tilly has no idea some nasty JavaScript is about to turn her cute little links to some smily.gif into the password requests for 50 popular sites.
Under this law, who are the victims, who are the attackers? Is Tilly an attacker? Victim? Both? Negligent, and does that matter?
Who is the victim {legal entity power co}? the customer service rep? both?
Is national security "threatened" just because a utility was involved, even though, if we even consider the utility itself a victim, only a billing / customer interaction system was ever involved in the attack?
This law addresses exactly none of those questions. Now we all know dear sweet Aunt Tilly will not be prosecuted. On the other hand the book would be thrown at Biker Tattoo Bobby, with all those crazy opinions of his, for doing exactly the same thing.
The problem is it's not always getting a shell. What if you violate a website's TOS, is that an unauthorized act?
What does "damage national security" mean? If I post about how Minister X lied about Y 10 years ago, does that erode society's faith in its officials and by extension "threaten national security"?
There are bright lines such as bypassing an authentication mechanism; deliberate insertion of abnormally structured data designed to alter application behavior (injection attacks); that could be defined in laws like this. It's very possible to write laws governing computer access that are both inclusive, to allow interpretations to cover changing and new technology, and still specific enough that reasonable people can agree on if a specific act meets the criteria.
Groups like OWASP have done the work; we now have good working definitions and generic criteria for describing attacks and abuse. It's not '92 anymore, where public network access was a new thing.
There are two reasons overly broad laws like this are being written, both equally scary. 1) The people writing and enacting them remain profoundly ignorant of topics that pretty much affect every aspect of the economy today. 2) They want them overly broad because it makes for a nice blunt instrument to shut down anything that threatens the status quo.
Women generally are the ones who get offended and emotional about this stuff,
Nice troll.
The real conceptual problem with it comes down to this: SS was designed before we had a fiat currency.
When we were on the gold standard government "savings" took real money out of the economy. Because the taxes are levied and the government does not put it back into "nice things" (subsidies for education, roads, other services), people must continue to pay for these on their own, so they have to stay in the work force; the dollars pulled out make the dollar slightly stronger.
The smaller generation following a boom would usually create deflation: fewer workers => lower productivity, less money moving. Having retirees drawing down the SSTF would have smoothed that; money would flow back in and they would have spent it.
Instead we went fiat. So rather than SSTF contributions being that deflationary drag, the government just borrowed, creating new inflation. Now that money, as it's disbursed, is just more fuel on the inflationary fires. So it does not go as far; we have to make COLA adjustments and pay it out faster, creating an ever widening disconnect between what people pay in and what they typically get out (assuming they live their projected life spans).
So the entire thing is completely unhinged; it would be even worse but for the fact the rest of the economy also plays by one rule now; "the influential make it up as they go along"
Have not looked at the vuln yet, but does it necessarily pop a UAC given it's OLE? I assume this is some kind of memory overwrite. So it might be possible to step all over the user's data without calling any privileged operations.
Yea, but the hatred of Microsoft is more resentment and jealousy than anything else. Sure geeks hate them but nobody else really does. Microsoft, like IBM before it, represents safety in a confusing market place. Nobody ever got fired for buying Microsoft, just like nobody ever got fired for buying IBM before that.
Microsoft has lost the consumer phone space; they have not yet decided they won't try, but they know trying to get teens and college kids to think their phones are 'cool' and/or convince homemakers they are easy and safe would mean dislodging incumbents who have invested lots in that messaging already and have largely succeeded and are now seeing those ideas entrenched. Nokia still has some cachet there; if they were going down that road they'd pick Nokia.
Microsoft is instead going with their old top-down we're-gonna-force-it-on-you strategy. The business mobile space has tons of companies that still don't have device deployment beyond the sales force; they have large orgs that are fleeing the Blackberry sinking ship. They can land those deals; right now all the policy management and such absolutely sucks for iOS and Android; it's all half-baked and has more holes in it than a Swiss cheese. Microsoft is a brand you sell IT managers on. It's familiar, and rule 0 of marketing is familiarity is more important than likability. People will knowingly select a brand they have had negative past experience with over the unknown.
IT manager thinking works like this: durr herp derp Samsung they make TVs; now Microsoft they make IT solutions! derp.
The truth is Windows Phone probably can/will score better on their myopic score card spreadsheet too; Microsoft knows how to win the weighted decision matrix game. Which we all should know is a tool managers everywhere use to give a veneer of objectivity to their most subjective and prejudiced decisions. I look forward to the TCO whitepapers streaming from Microsoft.com servers in 5 . 4 . 3 . 2 . 1. What relevance do the categories and metrics chosen have to do with anything? Well, they will have been 'scientifically' chosen to make Microsoft look good.
The trouble is the law isn't the law. Law enforcement is not supposed to break the law. Facebook has a terms of use agreement; your right to access their systems and post anything there exists entirely from your agreement to abide by the terms there. Facebook does not allow pseudonyms and other mischaracterizations of one's identity.
Doing so constitutes violation of the CFAA; the court even held that in US v Drew (a case about pseudonyms on MySpace), although the verdict was vacated because the District Court judge believed that while violating the terms of service on a web site could constitute unauthorized access, placing site operators in control of criminality would likely result in the law being overturned for being vague (does not define the act, other than to say violation of a certain type of contract is a criminal offense). Rather than letting that be tested the government chose not to appeal so they could keep their law on the books. Presumably so they can continue to threaten and harass anyone who does anything online they don't like with it (remember, it is really vague).
Facebook does not belong to them, but they use it anyway in violation of the terms and their own law. If you or I set up dozens of fake Facebook accounts and used them to harass someone, you can bet at the very least they would wave the CFAA in our faces to try and get us to plea to something else. Rules don't apply to them though!
If they set up their own site they would be perfectly within their rights to do this kind of pretexting; but then who is going to sign up and start posting on NARKBook?
That clause is in the preamble. It and everything else in the preamble should not be read as operative; it merely provides context in which to read the rest of the document. In that sense the idea it functions as a restrictive clause is more reasonable; it limits possible interpretations of the other powers.
It's like the description before the ingredients list on a recipe. If you just had the title and then it launched straight into the contents and cooking instructions, you'd have no idea what to do when you encounter something vague like bake 10-14min @ 350.
Should it be 10 or 14? How do I know? Well, it helps to know the objective was: A delicious light but dry cake to be served with coffee.
That helps; now you know to err on the side of more done, but not burned, as opposed to worrying the cake is losing too much moisture.
Okay, so there should be some limit. Buffers need to be allocated etc. There is no good reason that limit needs to be so small it impacts humans. 10KB would be a preposterously long password but would no more expose a webserver and/or database engine to a DOS than all of the other operations they necessarily allow already do.
1) Choosing a password should be something you do very infrequently.
No. Passwords need to be rotated for all kinds of reasons. It results in the account being effectively disabled when account policies fail (forgotten service accounts etc.). It ensures that if the password store has leaked and it's not discovered, strong passwords remain safe (can't be cracked in the rotation time) and that access to accounts with weak passwords is at least detected at some point. Passwords should be used uniquely per person/organization for the most part, finer grained in some cases; most people form relationships with organizations frequently. So password selection actually occurs very often, and should.
2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks.
Most "brute force" attacks are informed and statistical, the offline ones anyway; you try to get the low hanging fruit first (birthdays, names, dictionary words and usual substitutions) before you do the exhaustive search of the key space. In online attacks where the attacker is throttled this has greater impact, but a password that is strong against offline attack is also strong against online attack, so I don't see any reason to place emphasis here, other than to simply say the best passwords have the most entropy.
3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password.
Ok, I can agree with this one, but really implementation is hard. Beyond the usual "is it in a dictionary of common passwords" (good systems already implement this), you should not be able to know if lots of other people are using that password, because you are only storing salted hashes, right, and everyone gets their own salt, right?
4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."
No, the most important thing we can do is try to move away from password-only security and move toward two factor, which is more and more feasible now that most people are carrying a cell phone that can at least get SMS messages.
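To illustrate the salted-hash point in the reply to item 3, here is an added example that is not part of the original thread: with a per-user salt, a store holding the same password for several users shows no duplicate digests, so a "how many others chose this" check can only run at selection time against a common-password list. The common-password list, the PBKDF2 parameters and the sample users are all constructed for this example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed stand-in for a real leaked-password list; a production check
# would load a much larger list from disk.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Assumed work factor; tune upward for real deployments.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn per call unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_store(users: Dict[str, str], shared_salt: Optional[bytes] = None) -> Dict[str, Tuple[bytes, bytes]]:
    """Hash every user's password. shared_salt=None gives each user their own salt
    (the correct design); passing one salt for all users models the flawed design."""
    return {name: hash_password(pw, shared_salt) for name, pw in users.items()}


def count_shared_digests(store: Dict[str, Tuple[bytes, bytes]]) -> int:
    """Number of distinct digests that appear for more than one user.
    With per-user salts this is 0 even when users share a password, which is
    exactly why the store cannot tell you how popular a password is."""
    counts = Counter(digest for _, digest in store.values())
    return sum(1 for c in counts.values() if c > 1)


def password_acceptable(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Selection-time check: the only point at which a common-password rule
    can be enforced, since the stored digests reveal nothing afterwards."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "password appears in the common-password list"
    if len(password) < min_length:
        return False, f"password shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: two users picked the same passphrase.
    users = {"alice": "correct horse battery", "bob": "correct horse battery", "carol": "unrelated passphrase"}
    print("duplicates with per-user salts:", count_shared_digests(build_store(users)))
    print("duplicates with one shared salt:", count_shared_digests(build_store(users, b"\x00" * SALT_BYTES)))
    for pw in ("Password", "short", "correct horse battery staple"):
        print(pw, "->", password_acceptable(pw))
```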
There is a difference between blaming victims and admitting they did not take steps a reasonable person could have taken to prevent themselves from becoming a victim. A little discussion of the choices a victim made leading up to the crime is not victim blaming. I am so tired of this PC BS. Do we want to be politically correct or do we want to actually empower people to protect themselves?
No matter how you slice it, the people who obtained those photos without permission are the criminals. They probably, by brute forcing weak passwords or using malware to log passwords, fraudulently represented themselves to a service provider 'Apple' using stolen credentials, and they almost certainly violated the photographer's copyrights, and various other crimes. No matter what else we say that remains true: they, not the victim, did something wrong, but that does not mean victims could not have done more right. Yet as soon as you add that last clause 1000's of PC morons will pile on. I see the same mentality being applied to the 'campus sexual conduct' debate and it makes me sad because it means there will be more victims.
We live in a free society. We can't round up bad actors until they do something criminal. How much effort is put into finding them, and obtaining justice, is another discussion, but they are out there and always will be so long as society is open. So if you want to actually protect people from being victims we really ought to look at J-Law and ask what else might she have done.
Now, there are limits obviously; everyone has a RIGHT and a reasonable NEED to walk down the street in broad daylight and expect to do so and be reasonably assured they can without being harassed etc. There is no analogue there though to sending a private document over a network you know nothing about to a third party for storage and distribution who you know little about, that will replicate it to a bunch of other devices, some encrypted, some likely not, and just assuming everything will be all cool.
It would be better for people with a little knowledge to be able to use this as a teachable moment for others. The physical world analog for what these nude-selfie takers are doing is essentially: Taking a nude Polaroid of yourself; and storing it in the sheet metal desk drawer at the office, with the cheapo four tumbler lock, high probability the maintenance guy has another key, and leaving it there while you go on a month long holiday. -- Now if that seems reasonable to you then you are good to put your nudes on iCloud and similar services. If not, well, you should not do it.
No, it's not right for someone to break into your account and copy your stuff, but being aware will let others at the very least make a go / no go choice; maybe you can start to find better options or improve your situation, like replacing the cheap lock in my analogy with a good quality padlock via using a STRONG password. Advising prudence and offering education ISN'T "victim blaming." It's how you avoid having a nation of victims.
Same thing with the "campus sex crisis". Telling young people it's not smart to get near blackout drunk around lots of people you don't know, especially in what may be a new and unfamiliar location to you, isn't victim blaming. It's COMMON FREAKING SENSE, for men and women alike. If I were a pickpocket you bet I'd go after the drunk stumbling down the street before the together-looking other guy. Women might be more at risk for a certain class of crime than other groups. Recognizing that fact and communicating it isn't victim blaming. It's empowering members of the group to make choices about the risks they take. That is better than ignoring reality because it violates our sense of fairness.
I am not blaming the victim when I say if you are a target and you know you are a target, well, it's dumb to put nudes of yourself in the cloud! Dumb, you hear, the rest of you celebs? Delete them now; no, I won't blame you when yours leak, but you should understand it was preventable. You could have stopped it; that does not make it right but it remains true.