Slashdot Mirror


User: TheRaven64

TheRaven64's activity in the archive.

Stories: 0 · Comments: 32,964

Comments · 32,964

  1. Re:Nobody cares. on Android Wear Needs More Than a New Name To Fight Apple Watch (cnet.com) · Score: 1

    My laptop is good at being a calculator. It's a two-keystroke combination to bring up something where I can type quick calculations, it has better editing facilities than any stand-alone calculator I've used, and I can copy a simple calculation and stick it into a proper programming language for really complicated things. Most importantly, I'm already using my laptop 99% of the time that I want a calculator, so there's less overhead from using my laptop as one than there is of switching to a separate physical device.

    In contrast, the main use of a watch is convenience. My watch doesn't appear to be made anymore, but this is the closest model. It's a few millimetres thick and so light that I can forget that I'm wearing it and it tells the time accurately enough that I only ever adjust it when I cross time zones. The battery lasts about 4 years (it's about 11 years old now and is on its third battery).

    For a smart watch to be useful, it must provide similar levels of convenience. Everything it does is weighted against reaching into my pocket to get out my phone (or, in my case, wandering to the other side of the room to get my phone, because I don't always have it with me). The same company that made my watch also makes some Android Wear devices, but they're 50% thicker, more than 50% heavier, and have a battery that's rated for 24 hours (I've been that long between being near a convenient place to charge one, and you can bet that it doesn't last 24 hours if you actually use it). And the things where it's more convenient than my phone are quite limited. I could receive SMS there, but replying is hard. I have a friend who finds his convenient for 2 factor authentication, but that's a fairly limited use.

  2. Re:This on Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com) · Score: 1, Informative

    It needs local admin privileges FFS, the big prize for all hacks, root admin, is a pre-requisite for even starting this attack.

    Not necessarily. Imagine this scenario: You have a secured machine, it is using SecureBoot to verify the bootloader and kernel image, signed using your org's keys. When it boots, the user must enter a pass phrase, which is used to decrypt the keys stored in the TPM to decrypt the hard disk. Without the correct pass phrase, entered into the verified boot loader, you have no way of accessing any of the confidential data on the disk. I'm pretty sure Windows supports this configuration out of the box and I believe that you can do the same with Linux / GRUB.

    This setup is incredibly hard to bypass. Except with a vulnerability like this, because now if you have 2 minutes of physical access to the machine, you can reboot into an OS from a USB disk and install persistent malware that can fake the boot attestation, extract the keys when the TPM unlocks them, and access all of the data on the disk. The malware can also establish network connections without the OS being aware of them, so it can exfiltrate the data if there isn't a decent IDS on the network (or it can just let the attacker dump the entire disk contents to a USB drive the next day, or the attacker can take the encrypted disk image the first time and then the malware just needs to transmit the key, which can be hidden as a single HTTPS request and probably not blocked by anything).

    How much confidential data is stored on your organisation's computers? How sure are you that your cleaners would say no if someone offered them $100,000 to stick a USB drive in each of the desktops in an office, reboot, and then remove it a couple of minutes later?
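The measured-boot and sealed-disk-key arrangement the comment above describes, as an added Python example that is not from the page or from any commenter. It models TPM PCR extension and PCR-bound key sealing with plain hashing (a real TPM enforces the PCR policy in hardware); the boot chain, component images, passphrase and disk key are all constructed stand-ins.

```python
import hashlib
import hmac

# Constructed sample boot chain: (component name, bytes of its image).
# Real firmware measures the actual binaries; these are placeholders.
BOOT_CHAIN = [
    ("firmware", b"vendor-firmware-v1"),
    ("bootloader", b"grub-signed-with-org-key"),
    ("kernel", b"vmlinuz-signed-with-org-key"),
]

# Constructed disk encryption key and passphrase for the demonstration.
DISK_KEY = bytes(range(32))
PASSPHRASE = "correct horse battery staple"


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_chain(chain) -> bytes:
    """Measure every component in order; PCRs start at all-zero after reset."""
    pcr = bytes(32)
    for _, image in chain:
        pcr = extend_pcr(pcr, image)
    return pcr


def seal_key(disk_key: bytes, expected_pcr: bytes, passphrase: str) -> dict:
    """Bind the disk key to the expected PCR value and the user's passphrase.

    The key-encryption key is derived from both, so a different boot chain
    or a wrong passphrase yields a different KEK and the unwrap fails.
    """
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), expected_pcr, 100_000)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, kek))
    tag = hmac.new(kek, wrapped, "sha256").digest()
    return {"policy_pcr": expected_pcr, "wrapped": wrapped, "tag": tag}


def unseal_key(blob: dict, current_pcr: bytes, passphrase: str):
    """Return the disk key only if the measured boot matches the sealed policy
    and the passphrase is correct; otherwise None."""
    if not hmac.compare_digest(blob["policy_pcr"], current_pcr):
        return None  # boot chain differs from what the key was sealed to
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), current_pcr, 100_000)
    expected_tag = hmac.new(kek, blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # wrong passphrase
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))


def run_demo() -> dict:
    """Seal once against the trusted chain, then try three unseal scenarios."""
    golden_pcr = measure_chain(BOOT_CHAIN)
    blob = seal_key(DISK_KEY, golden_pcr, PASSPHRASE)

    # Scenario 1: unmodified chain, correct passphrase.
    honest = unseal_key(blob, measure_chain(BOOT_CHAIN), PASSPHRASE)

    # Scenario 2: bootloader image replaced (constructed tampered chain).
    tampered_chain = [
        (name, b"replaced-bootloader" if name == "bootloader" else image)
        for name, image in BOOT_CHAIN
    ]
    tampered = unseal_key(blob, measure_chain(tampered_chain), PASSPHRASE)

    # Scenario 3: honest chain but wrong passphrase.
    wrong_pass = unseal_key(blob, measure_chain(BOOT_CHAIN), "not the passphrase")

    return {
        "honest_unseals": honest == DISK_KEY,
        "tampered_unseals": tampered is not None,
        "wrong_pass_unseals": wrong_pass is not None,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The model makes the comment's point visible: the policy check only protects the key if the component doing the measuring is itself trustworthy. If code running beneath the OS can report the golden PCR value regardless of what actually booted, the comparison in `unseal_key` passes and the key is released, which is why the integrity of the root of trust, and not just the disk encryption, decides whether this configuration holds.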

  3. Re:Don't need exploit if you have admin on Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com) · Score: 1, Flamebait

    Do you want someone with 5 minutes of physical access to the machine (e.g. the minimum wage cleaners provided by an agency) to be able to install malware that the OS can't see, which survives complete reinstalls or even physically replacing the disk, and which can intercept everything that the OS does? If so, I really hope you don't work for a company with any confidential data.

  4. Re:Don't need exploit if you have admin on Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report (zdnet.com) · Score: 1

    Perhaps we should stop taking the rather ignorant approach that even admins should have access to *everything*. Fuck that. It's called need to know.

    Actually, we call it the Principle of Least Privilege and it's been a core idea in computer security for decades.

  5. You know who actually cares about, and values, TPM chips?

    Users of Windows who use it to handle full-disk encryption in such a way that the OS (and therefore, importantly, malware that compromises the OS) can't exfiltrate the keys and it's impossible (or, at least, infeasibly expensive) for anyone to access them if they steal the machine? Cloud users who rely on the TPM for remote attestation that the hypervisor hasn't been compromised?

  6. Just because it appears to work doesn't mean that it's good code. A bubblesort works, but if you're using it on large data then it's a terrible idea. Copied code may contain security vulnerabilities, inefficient algorithms, or subtle bugs that aren't found in cursory inspection or token amounts of testing but which cause data loss in real-world use.

  7. Re:Clarification? on Apple Is Letting Companies Make 3.5mm To Lightning Cables Now (9to5mac.com) · Score: 1

    No, the goal (for a malicious device) is to intercept the sync between iTunes and the iOS device, compromise the key exchange, and exfiltrate credentials (and possibly other sensitive information). The goal for a less malicious device is to do the same interception during a firmware update and allow jailbreaking. Nothing I have written has anything to do with audio.

  8. Re:64 bit OS ? on Raspberry Pi 3 Model B+ Launched (raspberrypi.org) · Score: 4, Interesting

    FreeBSD has 64-bit images for the RPI3; unfortunately I believe that it's still lacking a 64-bit-clean driver for the sound device (the device lets you provide a 32-bit cookie value that's returned back to the kernel when an event completes, but the current driver uses a pointer and this needs to be changed to use an indirection table). The WiFi wasn't working because of a lack of SDIO support: SDIO is now supported, but I don't think the WiFi chip is yet.

  9. If people are using Stack Overflow for copy-paste programming, then that's a testament to the quality and flexibility of the code found there.

    Your implicit assumption is that the people copying and pasting the code are capable of judging the quality of the code. I would hypothesise that people who are most able to judge the quality of code are the least likely to copy and paste code from any source.

  10. Re:Clarification? on Apple Is Letting Companies Make 3.5mm To Lightning Cables Now (9to5mac.com) · Score: 1

    If you're referring to software that intercepts audio for recording

    No, I'm talking about hardware that intercepts the digital signals during sync. Not sure how you'd read what I wrote to talk about intercepting audio.

  11. Re:How does Apple get their cut? on Apple Seems OK With Currency Miners In the Mac App Store · Score: 1

    It's the Mac app store, not the iOS app store. I'm sure both users of the store are going to be very happy with this decision, but I doubt that it will impact Apple's revenue much...

  12. Re:Hang them. on 'Slingshot' Malware That Hid For Six Years Spread Through Routers · Score: 1

    Maybe I'm wrong, but I thought that part of the NSA's obligations is only to protect US infrastructure vital to national security and DoD IT systems, not private infrastructure, individual citizens' home networks or companies in general.

    This is mostly true, though it's all US government infrastructure and not just the DoD; however, there's a lot of private infrastructure that is critical for national security and so they don't make such a hard distinction. It doesn't matter if your air force is still working fine if none of your personnel can make it to the airbase because civilian infrastructure has collapsed. If a vulnerability is discovered in a home router, you'd better be very sure that no one in the chain of command (and no elected officials with national security responsibilities) is using one at home.

  13. If you want a 16:10 22" screen, get a 23-24" screen and configure the display to be vertically letterboxed. Or just don't put things in the edges.

    I understand complaining about the aspect ratio on laptops, because you have to carry the spare bit of screen around with you, but for desktops that's not really an issue.

  14. Re:Clarification? on Apple Is Letting Companies Make 3.5mm To Lightning Cables Now (9to5mac.com) · Score: 4, Interesting

    It sounds as if Apple is worried that malicious devices will attempt to MITM the connections from iTunes to the device. Even if none of the certified devices do this, making iOS users expect other bits of hardware to be on the line in the nominally secure path makes it easier for uncertified devices to find their way into common use. In theory, everything is encrypted, but there may well be timing attacks that work if you can interpose some hardware.

    It also sounds as if they're worried that things won't correctly forward the power control signals or manipulate them to account for the drain of the device on the line and so the iOS device will get more or (more likely) less power than it expects. This is important with regards to the throttling that they do: peak power consumption for an unthrottled iPhone is more than the peak power output of an old battery. This isn't normally a problem on mains power, but it is if the mains power is lower than advertised.

  15. Re:Hang them. on 'Slingshot' Malware That Hid For Six Years Spread Through Routers · Score: 1

    The NSA has a dual mission. They are charged with finding attacks that will work on foreign powers and securing US infrastructure. Any time they find a vulnerability, they have to make a judgement call over whether it's more important to fix it domestically or to have it available to attack other people with. If they didn't publicly disclose something, it means that either:

    1. They made this judgement call that it was worth the risk of other people attacking, or
    2. They didn't find it in the first place

    If there's something widely being used as an attack vector that they didn't find, then that implies incompetence because it's their job to find these things and protect US infrastructure against attacks that other people use. If they did know about it, it's been used to attack US infrastructure, and hasn't been used by the US, then that also implies incompetence because they made the wrong judgement call and left a real vulnerability open for attack in the hope that it would allow a hypothetical future attack on others by them.

  16. Re:TSA has ONE job on ACLU Sues TSA Over Electronic Device Searches (techcrunch.com) · Score: 1

    The original justification for turning on a computer at airport security was that it might just be a bomb in a laptop case. That's far less convincing now that you can buy a cheap single-board computer and put both a bomb and a computer in a typical laptop case.

  17. When the games are defined by simple sets of rules and the way of beating a human is to have a better heuristic for approximating the winning strategy, the GP is exactly right. One of the things I've discovered working with some of the world experts in machine learning is that there is a very clear inverse correlation between understanding of modern AI and belief in the capabilities of AI.

    The current deep neural networks are strictly less expressive than Turing-complete programming languages. They provide an easier programming model (though at the expense of being really computationally expensive) for a category of problems where no one knows how to build an optimal solution, but an approximation is usually good enough. They're not magic.

  18. Re:Tax them as taxis on Bay Area Cities Consider Rideshare Tax On Uber, Lyft (arstechnica.com) · Score: 1

    With most cabs of my past...my main concern was often holding my breath due to odors and trying not to stick to anything for the duration of the ride.

    The fact that this was your main concern and not the dying because the taxi didn't have properly maintained brakes or the driver didn't have a license, or being driven to the middle of nowhere and charged a large fee to be taken back, or just mugged and left on the side of the road, tells me all I need to know: you've benefitted hugely from regulations to the degree that regulated behaviour is so normal to you that you don't notice it.

  19. Re:This is backwards. on Bay Area Cities Consider Rideshare Tax On Uber, Lyft (arstechnica.com) · Score: 1

    Okay, but to give it a level playing field, we have to also charge drivers the real cost of using roads (including externalities for polluting in a populated area).

    Of course, we're not going to do that because one of the few things that all economists agree on is that subsidised efficient transportation infrastructure causes economic growth and if you actually did pass on the costs of transport directly to users then you'd quickly see a recession.

  20. Re: What makes you think taxi drivers are paid mor on Bay Area Cities Consider Rideshare Tax On Uber, Lyft (arstechnica.com) · Score: 1

    Uh, no they didn't, they said that the $3 figure was incorrect and that, when they corrected it, they found that the median profit was $8.55 per hour, rather than $3.37, and only 8% of drivers lose money on on-demand platforms. Using another methodology, he added, the median rises to $10 per hour and only 4% of drivers lose money. Oh, and Uber's initial complaint argued that their drivers' average hourly earnings were $15.68, not the $23/hr that you claim.

  21. Re:Tax them as taxis on Bay Area Cities Consider Rideshare Tax On Uber, Lyft (arstechnica.com) · Score: 1

    Why do you think those regulations exist? Okay, some of them (particularly in places like NYC) are there as a result of regulator capture, but a lot of them are there because unregulated taxis ended up with things like poorly maintained and uninsured vehicles being involved in collisions and injuring their passengers. Try going somewhere with a completely unregulated taxi infrastructure sometime; it's not a pleasant experience.

  22. Re:It's one of the criteria my company used... on Slack Is Shutting Down Its IRC Gateway (slack.help) · Score: 1

    What do you use? I ran INN for a while, but it's really designed around the idea that you have unauthenticated users (authentication is possible, but configuring it for anything other than can/can't post was hard - for example, no requirements of from address) and a model where news is distributed between servers but doesn't have any persistence guarantees (bumping the cache size to a huge number seemed to let it keep messages forever, but seemed fragile). I also had issues with clients: news is largely unmaintained in a lot of things that used to be mail/news readers and various ones don't support MIME attachments, don't support the binary encodings that others use, and so on.

  23. Re: sheesh, the paranoia is strong with this one on Ask Slashdot: Should We Worry Microsoft Will 'Embrace, Extend, and Extinguish' Linux? (betanews.com) · Score: 1

    There is a native version of MS Office for Android (which is Linux). There isn't a version for X11, but that's not what you asked for.

  24. Re:Emperor without clothes on Uber Spent $10.7 Billion in Nine Years. Does It Have Enough to Show for It? (bloomberg.com) · Score: 1

    That's true, for companies that require capital investment. One of the reasons Amazon took so long to become profitable was they were (and are) investing in their warehouses and distribution network. In the same vein, Tesla has had to spend tremendous amounts of effort and money retooling its factories to produce the Model 3 and solving production problems.

    The other thing that these companies had in common was large economies of scale. Amazon was selling books at less than their cost, but more than what their costs would be once they had sufficient volume. This let them grow to the point where they were able to sell at the volumes that they needed to be able to make a profit. There was some truth to the old joke that they were making a loss on each sale, but making it up in volume.

    With Uber, it's not clear that the cost of providing a taxi ride is noticeably different if you have 100 taxis or 1,000. Particularly if you're not actually building things like the centralised maintenance / fuelling facilities that normal taxi companies use to lower their costs.

  25. I didn't ask if it was done, I asked if it was acceptable. I don't have a Facebook account because I don't believe that it is.