OK, I looked it up. Found this, I'm liking what I see. Their manifesto needs some conciseness, though. Indeed, if security isn't a part of the product from the beginning, it can't be added later.
Which part exactly do you disagree with?
I imagine the more reputable (i.e. common) ad networks will/already prohibit such specific targeting.
No. I've worked in ad-tech, and I can tell you the answer is no. There is absolutely no motivation for ad companies to even think about this problem beyond a token effort.
Ad companies have every motivation, indeed they have people paying them to give them as much information about a person as possible. This isn't even a new thing: decades ago you could buy mailing lists with names, addresses, gender, and income.
Google has some really good programmers, and so does Microsoft. In the past they were even more impressive.
But both of them are now process driven companies, primarily focused on not overturning the boat, and the result is code that follows process. As long as process is followed, you don't have to worry about whether you did a good job or not. Just go home at the end of the day. That is the mentality of the vast majority of mediocre programmers at both companies.
Oh yeah, I forgot about that credit card thing. FUBAR.
It's not just Tim Cook. After the iPhone was released, a lot of people who had been at Apple from the NeXT days began to retire. The average quality of libraries at the code level began to suffer first, then it became more and more noticeable (Xcode? What monstrosity of Agility got inflicted on that?) Now there are strange things like the touch bar. The drop in quality is obvious because good people left and they got infected by process.
I recently switched back to Linux. I couldn't be happier. As a bonus, GNU Radio is easier to set up on Linux.
Such technologies -- from fingerprint scans to facial and retinal scans -- promise more secure and reliable factors than alphanumeric passwords, the executives agreed.
No, no no, my god, no. Something that can be acquired just by looking at you is not secure. Using as authentication something that can only be changed by destructive surgery is not sane.
I haven't signed my credit card for the last decade (if I lose my card, do I really want to give them my signature too?), and in that time only one person has asked to see my signature.
This blunts the hypothesis that Mensa is a dating service for smart guys.
I can't say I've ever heard that hypothesis...
The other half is planning on leaving and hope they get severance pay.
Incidentally, there has been some good work on improving the quality of fuzzing. In the future we may have fuzzing tools that use genetic algorithms to modify the input and get as deep into the program as they can. I don't know of any tools that have incorporated this yet, but it's an area worth paying attention to.
The answer is lots and lots of random input. If you just start injecting random data into a field, you'll find a lot.
The difficult part is that you want the random data to get past the initial sanity checks. To do that, you need to have relatively deep knowledge of the thing you are fuzzing. That is why automated fuzzing tools tend to be a bit frustrating.
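The two comments above (lots of random input, versus needing format knowledge to get past the initial sanity checks) are easy to show side by side. The following is an added example, not code from the thread: the target parser, its planted bug, the seed record and the `trace` labels standing in for real coverage instrumentation are all constructed here. The `guided_fuzz` loop is the selection step of a genetic search (keep any mutant that reaches a new label, mutate the keepers further), which is how AFL-style coverage-guided fuzzers work in practice; `fix_framing` is the hook where the format knowledge goes.

```python
"""Blind random fuzzing vs. coverage-guided mutation with a format-aware fixup.

Added example; the target, its bug and the instrumentation are constructed.
"""
import random
from typing import List, Optional, Set, Tuple

MAGIC = b"REC"


def parse_record(data: bytes, trace: Set[str]) -> int:
    """Constructed target: MAGIC, one length byte, body, one checksum byte.

    Each sanity check that is passed adds a label to `trace` (a stand-in for
    edge coverage). Clean rejections return -1; anything raised is a crash.
    """
    trace.add("entry")
    if len(data) < 5 or data[:3] != MAGIC:
        return -1
    trace.add("magic")
    length = data[3]
    body = data[4:4 + length]
    if len(body) != length or len(data) != 4 + length + 1:
        return -1
    trace.add("length")
    if data[-1] != sum(body) & 0xFF:
        return -1
    trace.add("checksum")
    # Planted bug: an "extended" body (first byte 0xFF) is assumed to carry a
    # 3-byte value after the marker, but the length is never re-checked.
    if body and body[0] == 0xFF:
        trace.add("extended")
        return (body[1] << 16) | (body[2] << 8) | body[3]  # IndexError if short
    return sum(body)


def fix_framing(data: bytes) -> bytes:
    """Format knowledge: rewrite length and checksum so a mutated body is
    actually parsed instead of dying at the first check. Real fuzzers do this
    with a post-processing hook or a custom mutator."""
    if len(data) < 5 or data[:3] != MAGIC or len(data) - 5 > 255:
        return data
    body = data[4:-1]
    return MAGIC + bytes([len(body)]) + body + bytes([sum(body) & 0xFF])


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)  # boundary values, as in AFL


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One generic, format-agnostic mutation."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:                       # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                     # overwrite with a random byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and buf:                     # overwrite with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 3:                             # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 4 and len(buf) > 1:            # delete a byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def run(data: bytes) -> Tuple[Set[str], Optional[BaseException]]:
    """Execute the target once; return (labels reached, exception or None)."""
    trace: Set[str] = set()
    try:
        parse_record(data, trace)
    except Exception as exc:
        return trace, exc
    return trace, None


def random_fuzz(trials: int, seed: int = 1) -> Set[str]:
    """Blind fuzzing: fresh random bytes each time. Returns all labels seen."""
    rng = random.Random(seed)
    seen: Set[str] = set()
    for _ in range(trials):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
        seen |= run(data)[0]
    return seen


def guided_fuzz(seed_input: bytes, budget: int, use_fixup: bool = True,
                seed: int = 1) -> Tuple[Optional[bytes], int, Set[str]]:
    """Keep any mutant that reaches a new label and mutate the keepers further.
    Returns (crashing input or None, iterations used, labels reached)."""
    rng = random.Random(seed)
    corpus: List[bytes] = [seed_input]
    seen = run(seed_input)[0]
    for i in range(1, budget + 1):
        child = rng.choice(corpus)
        for _ in range(rng.randrange(1, 4)):  # stack 1-3 mutations
            child = mutate(child, rng)
        if use_fixup:
            child = fix_framing(child)
        trace, crash = run(child)
        if crash is not None:
            return child, i, seen | trace
        if not trace <= seen:                 # new coverage: keep as a parent
            seen |= trace
            corpus.append(child)
    return None, budget, seen


# Constructed seed: a valid 4-byte record (checksum 1+2+3+4 = 10).
SEED = MAGIC + bytes([4]) + b"\x01\x02\x03\x04" + bytes([10])

if __name__ == "__main__":
    print("blind random reached:", sorted(random_fuzz(5000)))
    crash, n, cov = guided_fuzz(SEED, 20000)
    print(f"guided: crash after {n} iterations on {crash!r}; reached {sorted(cov)}")
```

Blind random input never gets past the magic check (three specific bytes is a 1-in-16-million shot per trial), while the guided loop with the framing fixup first finds an input that reaches the "extended" branch, keeps it, and then shortens it until the indexing bug fires. Rerun with `use_fixup=False` and the checksum becomes the wall the second comment describes: the body byte and the checksum byte have to change consistently in the same step, which generic mutations rarely manage.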
Thanks. Mainly I was wondering if he had particular exploits in mind, or if he was just going on some vague hunch. If he had some particulars in mind, I was interested in seeing them.
But if you pull out the lawyerish CYA language it works a lot better:
"Dear Bossman, In my considered professional opinion proposal X will be severely detrimental to the security of our systems. By going ahead with X, we are exposing both the company and our customers to unnecessary and potentially disastrous risk. Having notified you of this unacceptable risk, I disclaim any and all personal responsibility for any adverse effects that may result."
That is a nice trick, I am definitely adding it to my toolkit.
The purpose and intent of DevSecOps is to build on the mindset that "everyone is responsible for security"
You might as well ask me to stop using Windows.
Yes please. It would make the world a better place.
What percentage of people eligible to join MENSA actually do join MENSA?
Measuring only people from MENSA is one hell of a confounding factor. They are a self-selected group by definition.
The answer is no, and provably so, because it is not Turing complete.
Nice links.
Nice link, good find.
Oh, I dunno... Maybe... mining?
If that's literally the worst exploit out there, then Javascript is the most secure platform and VM ever invented. The only antivirus we'll ever need is "close the browser window."
Javascript is not only a theoretical security problem, it's one that's very commonly exploited.
What exploits are you talking about here?
We are just a few short steps from asm.js becoming a reality, and all the benefits that will flow from there.
WebAssembly is here NOW and available in all major browsers. The major drawback right now is that it can't access the DOM, but that will change in the future.
The point (which you seemed to have missed) is that any vaguely legitimate website will be able to make more money selling ads than they will by mining bitcoin on their visitor's computers. (Note that as Bitcoin value increases, the effort required to mine increases as well.)
Since you can make more money by selling ads than mining bitcoin in Javascript, the only ones who will do it are those who don't have the ability to sell ads.