iPhone or Android, you're talking about getting your phone basically free on contract
If you buy your phone on contract, you're getting it 'free' in the sense that you're getting a loan at 50-100% APR. I buy my phones myself and it would take me 2-3 years to spend as much on calls / data / SMS as even a mid-range phone.
Not sure why this is a troll. I have an Android phone that I bought in 2013 (new, shortly after that model was launched). It still gets occasional security updates, but the last one was about 8 months after the exploit was seen in the wild and it hasn't received updates for the latest string of vulnerabilities. If I wanted to use my phone as a vaguely trusted device, I would need to replace it. Add to that, it was a cheap low-end phone: there's no iOS equivalent, so no one wanting to buy a cheap disposable phone will get an iPhone (or, at least, not a new one).
The big difference between iOS and Android is that with iOS the hardware manufacturer gets a cut of all sales from the default app store, on Android they don't. This means that Apple has a financial incentive to ensure that everyone who bought an iPhone can run the latest apps. If an Android handset manufacturer does the same thing, they just make it easier for Google to make money and decrease the probability that the user will buy a new phone, which is a net loss for them.
Sure, they've improved a lot of mitigations, though PIE on 32-bit platforms is largely a waste of time as they end up with only 8 bits of entropy in their ASLR implementation, which is why it was trivial to bypass for StageFright (a JavaScript program could try the attack 128 times in a tiny fraction of a second and have a 50% chance of succeeding before the user has even finished reading the headline). The SELinux stuff is also an improvement, though iOS has been using the MAC framework for sandbox enforcement since day one, so the main reaction to that was 'they're only just doing this now!?'.
My main take-away wasn't that they're using FORTIFY_SOURCE, it's that they don't integrate static analysis into their normal development cycle. For anything vaguely security related, if your CI system isn't doing static analysis and guided fuzzing in 2016 then you're not even passing the low bar. Mitigation techniques should be a last resort when everything else has failed, not your first line of defence.
It's not trusted by my browser. I removed Comodo from my list of trusted CAs after their last breach. I'm astonished that they're still in business. Someone seriously suggesting trusting Comodo over StartCom is really showing how broken the CA system is.
The other poster's already mentioned client certs. Not so relevant for browsers, but I use a StartSSL cert for S/MIME in email. The other issue with Let's Encrypt is the thing last week where a bunch of security experts pointed out problems with the fact that they don't require revalidation and make it possible for a brief compromise to allow a third party to get valid certs for your domain for up to two years and the people running Let's Encrypt are claiming that this is not a problem. Coincidentally, the big backers of Let's Encrypt are the ones pushing hardest to remove StartCom's trusted status (ignoring the fact that they still trust a bunch of other CAs, such as the one that's basically owned by the Turkish intelligence agency).
My mom got an iPhone 5 in December of 2012 and it still can be updated to the latest iOS 10. If she had gotten a Nexus 4 offered by Google at the same time, the latest version of Android that Google would officially offer her is Android v5 (Lollipop).
That's not necessarily bad for Android. A more mature codebase receiving security updates isn't necessarily worse than a newer codebase. The problem is not that it's only running Android 5, it's that it's running Android 5 and not getting updates for known vulnerabilities. Remember the thing a year ago when Google said that they couldn't do security back ports, because they don't track which things fix security holes in their revision control system? Not exactly a company I'd place trust in.
We had the head of Google's Android security team come and give a talk about a year ago. He was very proud of the fact that they'd enabled FORTIFY_SOURCE on their code. I was a bit surprised, because I'd yet to have FORTIFY_SOURCE find a single bug that the clang static analyser didn't find - it was great technology 15 years ago, but these days it only lets you catch at run time things that you can find at compile time with free off-the-shelf tools. I asked him if his team had any counterexamples, which might make us reevaluate using it. His answer? Static analysis is not part of their development flow at all. In contrast, when I've asked Apple folks about it, they've told me that it's part of their CI process and changes that introduce new bugs that static analysis catches are reverted.
If your development process doesn't even try to catch the low-hanging fruit, then I find it really hard to take any claims that you make about security seriously. The DRAMMER attack, for example, was only possible because Google implemented a really stupid API in Android (allowing untrusted code to explicitly map uncached memory, which is a bad idea for so many reasons, rather than providing cache flushing APIs for DMA). The API review process for Android is a joke and there's no evidence that they'll ever fix that. Part of it is the internal culture at Google: they have very good refactoring tools that they regularly run on large codebases, so have little incentive to get APIs right the first time.
It's a shame this is at -1, but it's entirely right. If you have a Facebook account and you use it to communicate with people then you are responsible for giving Facebook this power. Don't want Facebook to abuse its power? Don't give it its power in the first place. Boycott Facebook, and more importantly boycott companies that use it to advertise.
while in truth the rulers got their asses handed to them.
Really? So Murdoch didn't make millions and the career politicians didn't just get a license to remove one of the few checks on their power? I must have been in a different UK to you.
You want to spin the brexit as some sort of bad thing
Let's see, we're trying to negotiate trade agreements with 27 countries that all want us to fail. That's not going to go well. Ah well, at least we can still negotiate good deals with the USA and China, after all a large trading bloc like the EU managed to negotiate TTIP, I'm sure the UK at a tenth the size will get far better terms than that abomination. After all, we're in a so much better bargaining position, what with having literally dozens of trained trade negotiators.
Rational choice? Did the people who had been routinely screwed over by the Westminster Parliament for decades make a rational choice to give more power to Westminster and remove one of its most significant checks? Did people close to the poverty line make a rational choice to vote for an increase in food prices (or was it the nice £200m overnight bonus for Rupert Murdoch's brother-in-law's investments that they were making their rational choice for)?
The entire reason that we have a representative democracy is that issues are complex and very few people have the time to be sufficiently well informed to make good choices. We elect people who are supposed to work full time to understand the issues and make the rational choices for us that we would have made if we had time to investigate the issues.
No one in the Brexit referendum made a rational choice because we weren't given two rational options to pick. Remain wasn't too bad: it was a vote for the status quo, which has both good and bad aspects. Leave was a vote for some totally unspecified other thing - is it better, is it worse? No one knew because no one actually stated what the other thing was and even three months later it looks as if we still don't know.
The only sad thing is all of the people who thought they were voting against the establishment when they voted leave.
It's a question of game theory. It doesn't matter too much if one person does it: the corporation offloads some of its taxes onto the employee and avoids things like pension and sick leave obligations, but that may be fine for the individual. That corporation now has a competitive advantage though: they're paying less for staffing because they're cutting corners. Now they are in a position to fire staff and hire them back as contractors and their competitors have to follow suit to remain competitive. Suddenly you're in a world where most of the protections that the labour movement won are gone.
This isn't some hypothetical scenario, by the way: these laws exist in the UK because IBM and a few other big companies were using contractor arrangements to get around various employment laws: they weren't giving statutory leave, paying sick days, paying pension, giving reasonable notice periods and redundancy pay, and so on. The laws were tightened up so that if someone is doing a job that's indistinguishable from being an employee, they have the same rights as an employee.
Yup. I have an Asus TF700 (released 2012). If it weren't for the fact that it stopped getting security updates and then went into a seemingly unrecoverable boot loop (lesson learned: if you buy an Android tablet, unlock the bootloader as soon as you buy it!), it would still be completely fine for everything that I use a tablet for: the hardware is fine, the problems are all software. If I'd bought one with the same specs from a less crappy manufacturer than Asus then I'd still be happy with it now. 2011 iPads just stopped getting software updates, late 2012 and 2013 ones are still getting them. There's little reason to bother upgrading - newer tablets are incremental improvements and we passed 'good enough' a long time ago.
I got a free HP TouchPad from the open source program just before they discontinued them and I'm still sad that WebOS died, but even that tablet would be fine in terms of hardware for a lot of uses (it's a bit bulky, but otherwise it's fine). Again, the software killed them (and, unfortunately, there's no recent CyanogenMod either and the old version doesn't support the latest TLS standard and so breaks with most web sites due to old cyphers and obsolete root certs).
Not sure about racism (though, anecdotally, the people I've met in the UK who are most opposed to immigration are first-generation immigrants), but there have been a couple of studies looking at perceptions of CVs for gender bias that have found that the implicit bias by women against women is stronger than the implicit bias by men against women. Somewhat ironically, this means that if you want to hire more women, you need to have fewer women on your hiring panel and in HR.
Nepotism is what happens when you promote people that you have some non-professional relationship with. Professional networking is what happens when you directly observe competent people and want to keep working with them. You develop a professional network over time without trying if you're competent, because coworkers move on to other companies but remember working with you. If you were annoying to work with, then they'll remember that and not bother to contact you. If you were good to work with then they'll remember that and flag you as a possible new hire when their new employer is looking for someone (or when they start up their own company).
When you go to a new company and your new boss says 'We need to hire three new developers for the project that you're working on. Any recommendations?' then what do you say?
Why? What do you think is a better way of deciding that someone is a good hire:
Read their (probably embellished) CV and ask them somewhat contrived interview questions for an hour or two.
Have someone you trust and have worked with work with them for a few months and see that they're competent.
Work with them for a few months and see that they're competent.
The best way is option 3, though that limits you to a depth of one in your professional network, which is not likely to give you a very large field. The middle option works almost as well: if you work well with someone and are impressed with their work then the people that they work well with and consider to do good work are also probably good hires. The first way is a really poor way of hiring (which is why it often comes with long probationary periods and so on), yet for some reason that's the one that you'd apparently place the most trust in.
I happen to be great at communicating with my team, support, services, sales, customers
And yet, in spite of all of that great communication you're doing with these people, if you were looking for a job you wouldn't contact any of them (current customers of your current employer, former employees of your current employer that you were 'great at communicating' with) and ask them if they had any openings? More tellingly, none of them ever get in contact with you and say 'we're hiring and I remember how great it was working with you. I don't know if you're in the market for a new job, but if you are then let me know?' I find that pretty hard to believe, if you're as good at communicating as you claim.
That said, Amazon didn't make this batter, and makes the third party vendor responsible for the assertions they make about product suitability and safety. Now, if Amazon KNEW that the vendor was lying, and Amazon didn't give them the heave as they do to thousands of vendors, regularly, that's another matter. But Amazon's not responsible for a third party misrepresenting things, just like they're not responsible for a death when a criminal uses a steak knife from Amazon to kill somebody.
Not sure how it works in the USA, but in the EU liability follows the supply chain. If I buy something from Amazon then Amazon is liable to me, the company that supplied it to Amazon is liable to them, and so on. Even if it's a 'marketplace seller', Amazon took the money, Amazon is responsible. If I sued Amazon, they'd probably settle and then immediately turn around and sue the supplier for the settlement amount plus their costs. If Amazon were sensible, then they'd require that their sellers have liability insurance so that they can't just go out of business and leave Amazon in trouble, but these rules exist specifically to protect consumers against fly-by-night wholesalers that produce something dangerous and then go out of business after paying their execs large salaries when the returns start coming in. The consumer is protected in the other case because if the direct seller goes out of business then the liability reverts up the supply chain.
When confronted, the Chinese government's response is "what a shame, we'll do something". The "something" is to rename the company and do it all over again.
In at least one recent case, it's also been to execute senior members of the company. In contrast, when a company in the US does the same the equivalent execs get a multi-million-dollar golden parachute.
What kind of person can't afford home insurance? It's basically impossible to find a mortgage that doesn't require that you have home insurance, so it must be someone who is able to afford to own a house outright, but not able to afford a few dollars a month.
Hiring someone who isn't good at communicating with the team is a good way of ending up with undocumented, unmaintainable code. Are they able to produce something that works? Maybe. Are they able to make something that works efficiently now? Again, maybe. Are they able to produce something that someone else can maintain after 10 years of incremental development? Very unlikely. If you're hiring someone who doesn't have good communication skills, you'll probably need to hire someone else to redo their work in the future.
Networking is a form of communication. If they're not good at this form, what others are they bad at? Code monkeys are cheap and plentiful, people who can communicate their designs, collaborate with others, and work on a team where everyone benefits from the specialist expertise that each individual has are rare. The latter are the ones worth hiring.
Also, it is probably a culture problem, but in Germany it is often impossible to bypass H
Bypassing means different things. If a company wants to hire you, then they'll put out a job ad that has a checklist of things for HR to approve that happen to be exactly the same things that you have on your CV.
My colleagues are not my friends. Regardless of job I had. I never would invite one to my birthday e.g. And for the same reason: I don't see any point to stay in contact with a colleague after he or I leave the company.
Maintaining a professional relationship with someone doesn't mean maintaining a close personal relationship with them. Can you name 10 people that you've worked with in the last decade who you'd want to hire? Most competent people know which of their coworkers are also competent and which aren't. If they're given the choice, they'd rather work with someone competent. If you moved jobs, who would you want to come with you and who would you want to leave behind? If none of the people you've worked with recently seem competent to you then either you're in a job below your ability or you're the incompetent one on the team.
Common sense dictates that copyright should not extend to API
Common sense dictates nothing of the sort. Common sense tells you that it's a difficult legal problem: On the one hand, good APIs are obviously creative works (don't believe me? Try writing code that uses OpenSSL sometime. A bad API is far less valuable than a good API). On the other hand, not allowing clean-room reimplementations of well-defined interfaces makes it very easy for vendor lock-in, which is problematic for a well functioning industry. Striking the balance between these is difficult.
If you are a lower/middle class person in the UK, you are fearful of unchecked immigration as it affects you and your family directly
And yet, in polling, the people who are most opposed to immigration are the ones who live in areas with the least immigration.
Who said anything about talking to non-tech people? Professional networking is about talking to people with similar skill sets to you.
Some people are not good at networking
Networking is a form of communication. If they're not good at this form, what others are they bad at? Code monkeys are cheap and plentiful, people who can communicate their designs, collaborate with others, and work on a team where everyone benefits from the specialist expertise that each individual has are rare. The latter are the ones worth hiring.
If only there were some mechanism by which people in one country could communicate with people in another country.