Unfortunately they designed to certification limits. [...] and market conditions prevented them from designing a new plane.
If market conditions prevented them from designing a new plane, then legal conditions should have prevented them from releasing an unsafe upgrade. I have personally had a system I designed put through the wringer of a full safety certification, you probably can't imagine how stringent and thorough these are - and should be. It is beyond comprehensible that such a blatant safety risk situation remained undetected. Apparently "we are going to lose a few percent market share to Airbus" was seen as the higher safety risk.
This sounds like a very similar problem to what firewalls have solved in IP space decades ago. There may be a gazillion of legitimate reasons why a company calling from anywhere wants a specific number to show up, but generally allowing display of arbitrary numbers is not the solution to this. Like with IP firewalls, the preferred mode of operations would be explicit whitelisting of legitimate uses.
Yes, this could rack up some extra cost to carriers, but it would turn our land line phones into useful devices for communication again.
Of course you know that as a licensed amateur radio operator in the United States, one has frequency privileges near and inside the 2.4 GHz ISM band. You can quite legally modify a home router for Amateur Radio use.
As long as you aren't in a country where that wasn't suddenly rendered illegal, that is.
You still have power limits with this equipment. Since spurious emissions are typically a constant fraction of (and sometimes grow more than proportionally with) actual power output, you may well end up causing interferences with your equipment that the original configuration did not.
And at least in my country amateur radio transmissions have to be of trivial matter, not the transfer of important files from point A to point B. I live in a small European country, which most likely did not come up with this rule by itself, therefore I would assume that a similar rule applies to most radio amateurs worldwide.
Therefore even with a full amateur radio license, you can not modify your random ISM device to transmit at 10W without having a solid handle on your spurious emissions, you can not use a modified ISM device to extend your home network to some distant building, and you can not make methods&processes for modifying existing ISM equipment by unskilled people available.
We could have had a strong Mozilla, now we got a weak one. Imagine a Firefox released in 2000, not 2004. We could have defeated IE earlier and avoided IE6 altogether.
It was the dominance of IE and Microsoft's hubris which together brought down IE. Apart from a small bunch of Microsoft haters most people used IE until browser specific malware broke their computers in unacceptably short intervals. This trend did not catch on before 2003-2004, and fortunately Firefox was ready for prime time by then.
BTW IE6 (with its legendary web standard non-compliance) hurts Microsoft a lot more these days than it hurts Firefox, so we might as well cheer the former appearance and ubiquity of IE6:-)
There are a gazillion hacks out there to reroute or sniff telephone data traffic, but pretty much nothing for messing with the billing. For whatever reason, phone companies got the latter designed and implemented very well. Makes one wonder...
After years of "stopping evil hackers in their tracks" by making possession of hacking tools illegal, and mostly by hoping for the best while furiously clicking in some Internet Explorer input mask, Germany finally wakes up to the real world. Well, not really yet, because Seehofer still hasn't stepped down over this, the BSI still hasn't been disbanded and restarted from scratch (this time with real people), and I guess Munich is still going ahead full steam towards a Windows only administration, because "some essential educational software package really, really requires it". Now they go crying to big Mommy USA, pleading for help, making even bigger fools of themselves in front of the general public (which doesn't really seem to care all that much anyway).
Hint to all Germans: if some right wing nutter can grab this much data from that many politicians across the political spectrum, without most of them even noticing, imagine what the Chinese/Russians/North Koreans are doing to you every day. And sorry, Seehofer, airtight surveillance of all your citizens' internet traffic will not fix that.
Hint to all other Europeans: quit laughing about the silly Germans already, you know you will be next in line if anyone ever cared about you.
You can not defend 100% against dedicated attackers in IT space, just as you can't reasonably prevent all violent crime upfront. With violent crime, it is commonly accepted, that suspected offenders are prosecuted, and in many cases extradited to the country where the alleged offense took place. If a country does not cooperate in such a prosecution, the country affected by the crime will at some point respond with travel restrictions or with sanctions against individuals associated with the crime, cf. Skripal assassination attempt.
With cyber attacks this is not the case, even if a nation state actively protects the perpetrators, or even worse, actively encourages them. For China the reasoning is simple: cyber crime pays off, espionage boosts their economy, and right now it has no adverse consequences. Commonly accepted perception in the west is, that we can't do anything about cyber crime coming from Russia and China, that we are sitting ducks who simply have to put up with it. Mr. Freeh may not be the only one in DC to think differently, let's see how this plays out... looking forward to some investigative news outlet suddenly having access to Putin's or Jinping's financial records:)
Yes, a few terrorists caused some mayhem by slamming cars into crowds of people. No, a few simple hand guns would not have changed that, quite to the contrary. There would be general lack of situational awareness towards people suddenly opening fire at a car. Casualty count would have likely increased by an order of magnitude in every single one of these terror acts committed by car. Do not underestimate the amount of friendly fire, if hundreds of unprepared but well armed people are suddenly confronted with gun shots, screams, blood and panic. Add a bunch of gun crazy nutcases to this mix, who think they'll turn into today's heroes by shooting at whatever they think is a threat, and you'd have a bloodbath with every other traffic accident.
And yes, police often stops aspiring criminals in their tracks, when these people try to arm themselves. Note, that this only works, if possession of a firearm is already limited to people with a proven legitimate need for one. BTW, people with mental issues are frequently denied a full driver's license, that's what keeps most people honest during these military examinations - they'd rather serve than lose their driver's license.
My home country has mandatory military draft for men, so most men at the age of 18 have to go through medical examination to check their fitness for service. Of these men, about 10% are excluded due to mental issues. Yes, these examiners know well, that most folks want to dodge draft, so typical scams to fake medical issues don't go very far.
Think about it: 10% unfit for military service for mental reasons, and this is young people, not very old people with their own set of problems. Are you 100% sure you want to arm each and every one of these?
I really love the statement "seem to be focusing their messaging on high risk internet users and C-level employees", which pretty much sums up, why so few security products successfully protect companies.
There is a product which does this, albeit in a very kludgy way. It would be trivial to provide a similar solution based on QEMU, linux/*BSD and some browser, but I guess most people who want that just roll their own.
There are several problems involved with this:
Lots of people do most of their stuff through their browser, and this includes banking, shopping, consuming music&video,... if you hack their browser, there isn't much else to look for on their computer
A computer hacked through the browser for running a botnet/spamrelay is the same as a VM hacked through the browser for running a botnet/spamrelay - no help on this front
Users often want to download applications or data to use on their regular computer. If you create a path to bridge the gap between VM and host, the solution won't protect you long. If you don't bridge that gap, the system is much less useful.
This is not specific to the US, EU has laws just like that already in place, maybe even more restrictive. Next on the list will be crime novels, since these heinous books provide detailed information how to commit and cover up awful crimes, sometimes even murder!
If you have talent in computer security, you have basically two options: if you also happen to have morals, forget everything you learned until now, study some other subject to pursue a less dangerous professional career, lean back and smile, while stoned 15 year olds from abroad hack deep into our country's most valuable basic infrastructure. If you have no morals, or are willing to sell out to the highest bidder, go work for Palantir or some Russian troll factory. Saudis are looking for talent, too...
You can't learn hacking from a few theoretical courses, and anything practical is illegal by now - highly illegal. Even possession of hacking tools can get you in legal trouble.
A bunch of incompetent, scared chickens wrote laws, which permanently put the western hemisphere into a massive strategic disadvantage. Enjoy the results! I wish the Brits best of luck finding 2000 skilled and motivated people for their silly cyber corps.
We just lived through decades of criminalizing trivial transgressions (whenever "with a computer" would apply), of making even copyright circumvention (think: copying a DVD) a criminal act more punishable than assault. At the same time countless cases of extreme carelessness regarding security, many of them leading to massive private data dumps, were without any adverse consequences to the responsible decision makers.
There will be two kinds of people signing up for these newly created cyber corps: reckless people with a criminal past who could be blackmailed into service, and people who fancy the term "cyber corps", which makes them feel like space marines from SC2. Every decently skilled and responsible hacker in the western hemisphere wants nothing to do with this whole topic any more, and even less with the two groups of people I just described.
The days of 2600 are gone in the west, and they ain't coming back through cyber corps.
We have reached a state, where several large swathes of the software market are controlled by few large, quasi-monopolistic entities - world wide. Neither Intel, nor Apple will lose significant revenue over these root holes, embarrassing as they may be, so why would they care one bit?
It took years of ridicule and severe loss of market share, before Microsoft made their first serious attempts of fixing their most blatant security barn doors. Apple and Intel are nowhere near that - yet.
The downfall meme is typically used for outrageous things. The whole Equifax story has gone down to such a level of ridiculousness, that it would rather call for the Risitas meme...
Don't forget that the "man" in the MITM can as well be some kind of trojan sitting inside your computer, proxying the connection.
Once you lost control over your computer, encryption won't be of much help - just think of keyloggers...
It boils down to the problem of determining whether the certificate presented to you is actually one issued by the server you are connecting to. This can of course also be solved with self-signed certificates.
This is generally not practical, since it would require you to receive authentication through a distinct communication channel - not happening at least in WWW. Current situation goes like this: 1. you call phone number you found somewhere. 2. party claims to be someone. 3. party sends you SMS confirming that party is really who they claim they are 4. you send SMS to someone else, asking "is this really who I think it is?" and 5. that someone else tells you "yes, it is!"
Since that "someone else" owes you exactly nothing, whereas that "someone else" gets paid by the party you actually got on the phone, whoever that may be, you have a massive conflict of interest working against you, making self signed certs not less credible than CA signed ones.
Actually, in all really important cases, I do solve it with self signed certificates, but it means that you somehow have to solve the problem of verifying authenticity. This is acceptable when you are dealing with a handful of critical servers that MUST be verifiably genuine, where you do not want to rely on the trust to a certain CA.
I agree, that's hardly feasible for world wide web traffic. Still: SSL/TLS is great for protecting against sniffing by peers (=other folks on the same LAN), but not for much else, regardless of who signed your certificate.
I would assume that 99.99% of all MITM attacks were executed by, or per request from, a government, typically the one the client resides in. I just don't see my Telco or some upstream provider sniff on my banking or gmail traffic unless my government would specifically instruct them to do so. Once that is the case, no browser automated CA signature check can save you.
SSL/TLS are mechanisms to ensure, that traffic is encrypted such that only you and the actual endpoint of the connection can read its contents. Putting any trust beyond this in such a connection is likely going to lead to a compromise. Once we settle for this, a self signed certificate is just as trustworthy as one signed by some CA.
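The out-of-band verification of self-signed certificates that the comments above describe for a handful of critical servers can be done by pinning the certificate's SHA-256 fingerprint. This is an added example, not code from any of the commenters; the function names, the exception class and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate, used only so the
# helper functions can be exercised offline. Not a real certificate.
CONSTRUCTED_DER = b"constructed-der-bytes-for-illustration"


class PinMismatch(Exception):
    """Raised when the server certificate matches none of the pinned values."""


def normalize_pin(pin: str) -> bytes:
    """Accept 'AA:BB:...' or 'aabb...' SHA-256 fingerprints, return 32 raw bytes."""
    cleaned = pin.replace(":", "").replace(" ", "").lower()
    raw = bytes.fromhex(cleaned)  # ValueError on anything that is not hex
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin must be a SHA-256 fingerprint (32 bytes)")
    return raw


def cert_matches_pins(der_cert: bytes, pins) -> bool:
    """True if SHA-256(der_cert) equals any pinned fingerprint."""
    digest = hashlib.sha256(der_cert).digest()
    matched = False
    for pin in pins:
        # Check every pin with a constant-time compare; keeping a second
        # pin in the list allows a planned certificate rollover.
        if hmac.compare_digest(digest, normalize_pin(pin)):
            matched = True
    return matched


def open_pinned(host: str, port: int, pins, timeout: float = 10.0):
    """Open a TLS connection that trusts only the pinned certificate(s).

    The pins must have been obtained over a separate channel (for example
    read off the server console), never from the first connection itself.
    """
    if not pins:
        raise ValueError("at least one pinned fingerprint is required")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA chain and hostname checks are switched off on purpose: a
    # self-signed certificate has no chain, and the fingerprint
    # comparison below replaces both checks.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not cert_matches_pins(der, pins):
        tls.close()  # drop the connection before any application data is sent
        raise PinMismatch(f"{host}:{port} presented an unpinned certificate")
    return tls
```

Anything that proxies the connection with a different certificate, whoever signed it, fails the fingerprint check, which is the property the comments ask of the critical-server case.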
Small companies with few installations were only affected, if they opened and executed the malicious email (let's for a moment ignore imbeciles with XP servers and port 139/445 open to the internet, these are beyond redemption anyway). The exploit kit packaged with this piece of malware affected large companies mostly and most strongly, because one single mistake (opening email by any staff member) could corrupt so many computers at once.
As far as small outfits are concerned, this attack was no different from previous malware laden email mass attacks and could have struck any OS or version thereof.
CA signed certificates protect you only in those cases where you don't need protection anyway, and as soon as you really need this protection against MITM, they are the first to fall while instilling a wrong sense of security. As long as there is no truly dependable CA out there, one might as well put the same amount of trust in self signed certificates.
US/UK based companies have shown on multiple occasions, that they are ready to bend over for authorities as fast as they could, just remember the shameful behavior of Mastercard/Visa/Amazon during the wikileaks/cablegate episode, or Google/Yahoo with regard to Chinese dissidents. CAs from other countries are either borderline incompetent (remember Diginotar) or just as easily manipulated/coerced, just with less media coverage than US based companies.
The biggest issue with half-arsed solutions like this CA mess are that people put way too much trust in them. These "solutions" switch people into ignorance=bliss mode. While everybody will agree, that security is a process and not a product, it's just so damn convenient to forget this once in a while.
By trusting a signed cert I basically trust that signing company (certificate authority), and this doesn't always work out. Stolen certs were used to spread virus/malware infections, and political activists in Iran were spied on by their gov't because some CA's root certificate was hacked.
Certs signed by registered CAs may offer a tad more protection against MITM attacks than self signed ones, but they are definitely no silver bullets.
You do realize, that it was huge enterprise scale deployments which were hit by this worm. Nobody bats an eye if small mom&pop shops get wormed and ransomwared.
While we take networking and wifi as more or less granted on new devices, these services are quite computationally expensive and draw a lot of battery. If you want this feature, you pretty much have to go the whole way to smart phone, except for maybe the display. But honestly: once you have the clunky size and crappy battery life of a smart phone, you may as well get that large display screen, too.
But neither of them claimed these were the official unemployment figures. Both were stating YOUTH unemployment, which I think every sane person knows is a different figure and it's entirely possible for it to vastly differ from the national figure - which includes all the not-yet-retired baby-boomers and all the thirty-somethings and forty-somethings.
The numbers stated by Sanders and Trump also contradict the BLS numbers for youth unemployment by a wide margin.
Losing credibility with the alt-right is really not something I would be concerned about - it should be a badge of honour if a bunch of crazy conspiracy theorists think you aren't credible - because the things they DO find credible are crazy conspiracy theories.
This statement may have been insightful, when alt-right readers were a small, noisy minority. Allow me to remind you that this 'basket of deplorables', or whatever you call them here, just won the presidential election, and right wing nutcases pour into high ranking offices and functions like it's a bath tub drain.
Allow me to also remind you that according to Reuters, which is not exactly an alt-right news outlet, main stream media enjoy credibility with about 30% of US people, and that many people turn to facebook news feeds intentionally and exactly, because they trust shared breitbart news stories more than New York Times or CNN. The MSM narrative of "we are liberal, modern and left wing, therefore we are correct at all times, so we have no need to prove this to right wing imbeciles" no longer works with the general public.
The simple fact is - after actually reading both articles I completely agree with those scores.
Sanders' statement may not have been literally wrong, but it was used in an intentionally misleading way. And Sanders' statement is only correct, when it comes with an explanation such as that offered by politifact, which it didn't come with originally. Stated in isolation it is meant to be interpreted as a number comparable to BLS numbers, which it clearly isn't. In conjunction these two numbers together with politifact's judgment made the fact checking crews vulnerable to dismissal and ridicule by alt-right sites, thereby making them widely ineffective in reaching alt-right minds and hearts when Trump's campaign blurted out gross falsehoods.
The trump campaign gave no indication of where it got the figure - politifact made a sincere effort to see if there was anything that could support it, found something that came sort of close but assessed that the figure really wasn't a valid representation.
Trump's campaign didn't bother with arguing their case with politifact, instead they trashed politifact in their loyal news outlets, and thereby avoided not only the debate about these unemployment numbers, but exposure of all other falsehoods put forward by Trump and his campaign. You may not endorse this strategy, but hell, did it work!
Once this new monitor is sold to regular consumers, I am sure that Sony will not forget to upload this important patch.
Interesting links!
I really love the statement "seem to be focusing their messaging on high risk internet users and C-level employees", which pretty much sums up, why so few security products successfully protect companies.
There is a product which does this, albeit in a very kludgy way. It would be trivial to provide a similar solution based on QEMU, linux/*BSD and some browser, but I guess most people who want that just roll their own.
There are several problems involved with this:
This is not specific to the US, EU has laws just like that already in place, maybe even more restrictive. Next on the list will be crime novels, since these heinous books provide detailed information how to commit and cover up awful crimes, sometimes even murder!
If you have talent in computer security, you have basically two options: if you also happen to have morals, forget everything you learned until now, study some other subject to pursue a less dangerous professional career, lean back and smile, while stoned 15 year olds from abroad hack deep into our country's most valuable basic infrastructure. If you have no morals, or are willing to sell out to the highest bidder, go work for Palantir or some Russian troll factory. Saudis are looking for talent, too ...
You can't learn hacking from a few theoretical courses, and anything practical is illegal by now - highly illegal. Even possession of hacking tools can get you in legal trouble.
A bunch of incompetent, scared chickens wrote laws, which permanently put the western hemisphere into a massive strategic disadvantage. Enjoy the results! I wish the Brits best of luck finding 2000 skilled and motivated people for their silly cyber corps.
We just lived through decades of criminalizing trivial transgressions (whenever "with a computer" would apply), of making even copyright circumvention (think: copying a DVD) a criminal act more punishable than assault. At the same time countless cases of extreme carelessness regarding security, many of them leading to massive private data dumps, were without any adverse consequences to the responsible decision makers.
There will be two kinds of people signing up for these newly created cyber corps: reckless people with a criminal past who could be blackmailed into service, and people who fancy the term "cyber corps", which makes them feel like space marines from SC2. Every decently skilled and responsible hacker in the western hemisphere wants nothing to do with this whole topic any more, and even less with the two groups of people I just described.
The days of 2600 are gone in the west, and they ain't coming back through cyber corps.
We have reached a state, where several large swathes of the software market are controlled by few large, quasi-monopolistic entities - world wide. Neither Intel, nor Apple will lose significant revenue over these root holes, embarrassing as they may be, so why would they care one bit?
It took years of ridicule and severe loss of market share, before Microsoft made their first serious attempts of fixing their most blatant security barn doors. Apple and Intel are nowhere near that - yet.
The downfall meme is typically used for outrageous things. The whole Equifax story has gone down to such a level of ridiculousness, that it would rather call for the Risitas meme ...
Don't forget that the "man" in the MITM can as well be some kind of trojan sitting inside your computer, proxying the connection.
Once you lost control over your computer, encryption won't be of much help - just think of keyloggers ...
It boils down to the problem of determining whether the certificate presented to you is actually one issued by the server you are connecting to. This can of course also be solved with self-signed certificates.
This is generally not practical, since it would require you to receive authentication through a distinct communication channel - not happening at least in WWW. Current situation goes like this: 1. you call phone number you found somewhere. 2. party claims to be someone. 3. party sends you SMS confirming that part is really who they claim they are 4. you send SMS to someone else, asking "is this really who I think it is?" and 5. that someone else tells you "yes, it is!"
Since that "someone else" owes you exactly nothing, whereas that "someone else" gets paid by the party you actually got on the phone, whoever that may be, you have a massive conflict of interest working against you, making self signed certs not less credible than CA signed ones.
Actually, in all really important cases, I do solve it with self signed certificates, but it means that you somehow have to solve the problem of verifying authenticity. This is acceptable when you are dealing with a handful of critical servers that MUST be verifiably genuine, where you do not want to rely on the trust to a certain CA.
I agree, that's hardly feasible for world wide web traffic. Still: SSL/TLS is great for protecting against sniffing by peers (=other folks on the same LAN), but not for much else, regardless of who signed your certificate.
I would assume that 99.99% of all MITM attacks were executed by, or per request from, a government, typically the one the client resides in. I just don't see my Telco or some upstream provider sniff on my banking or gmail traffic unless my government would specifically instruct them to do so. Once that is the case, no browser automated CA signature check can save you.
SSL/TLS are mechanisms to ensure that traffic is encrypted such that only you and the actual endpoint of the connection can read its contents. Putting any trust beyond this in such a connection is likely going to lead to a compromise. Once we settle for this, a self-signed certificate is just as trustworthy as one signed by some CA.
Small companies with few installations were only affected, if they opened and executed the malicious email (let's for a moment ignore imbeciles with XP servers and port 139/445 open to the internet, these are beyond redemption anyway). The exploit kit packaged with this piece of malware affected large companies mostly and most strongly, because one single mistake (opening email by any staff member) could corrupt so many computers at once.
As far as small outfits are concerned, this attack was no different from previous malware-laden email mass attacks and could have struck any OS or version thereof.
CA-signed certificates protect you only in those cases where you don't need protection anyway, and as soon as you really need this protection against MITM, they are the first to fall while instilling a wrong sense of security. As long as there is no truly dependable CA out there, one might as well put the same amount of trust in self-signed certificates.
US/UK based companies have shown on multiple occasions that they are ready to bend over for authorities as fast as they could, just remember the shameful behavior of Mastercard/Visa/Amazon during the WikiLeaks/Cablegate episode, or Google/Yahoo with regard to Chinese dissidents. CAs from other countries are either borderline incompetent (remember DigiNotar) or just as easily manipulated/coerced, just with less media coverage than US based companies.
The biggest issue with half-arsed solutions like this CA mess is that people put way too much trust in them. These "solutions" switch people into ignorance=bliss mode. While everybody will agree that security is a process and not a product, it's just so damn convenient to forget this once in a while.
By trusting a signed cert I basically trust that signing company (certificate authority), and this doesn't always work out. Stolen certs were used to spread virus/malware infections, and political activists in Iran were spied on by their gov't because some CA's root certificate was hacked.
Certs signed by registered CAs may offer a tad more protection against MITM attacks than self-signed ones, but they are definitely no silver bullets.
You do realize, that it was huge enterprise scale deployments which were hit by this worm. Nobody bats an eye if small mom&pop shops get wormed and ransomwared.
While we take networking and wifi as more or less granted on new devices, these services are quite computationally expensive and draw a lot of battery. If you want this feature, you pretty much have to go the whole way to smart phone, except for maybe the display. But honestly: once you have the clunky size and crappy battery life of a smart phone, you may as well get that large display screen, too.
But neither of them claimed these were the official unemployment figures. Both were stating YOUTH unemployment, which I think every sane person knows is a different figure and it's entirely possible for it to vastly differ from the national figure - which includes all the not-yet-retired baby-boomers and all the thirty-somethings and forty-somethings.
The numbers stated by Sanders and Trump also contradict the BLS numbers for youth unemployment by a wide margin.
Losing credibility with the alt-right is really not something I would be concerned about - it should be a badge of honour if a bunch of crazy conspiracy theorists think you aren't credible - because the things they DO find credible are crazy conspiracy theories.
This statement may have been insightful, when alt-right readers were a small, noisy minority. Allow me to remind you that this 'basket of deplorables', or whatever you call them here, just won the presidential election, and right wing nutcases pour into high ranking offices and functions like it's a bath tub drain.
Allow me to also remind you that according to Reuters, which is not exactly an alt-right news outlet, mainstream media enjoy credibility with about 30% of US people, and that many people turn to Facebook news feeds intentionally and exactly because they trust shared Breitbart news stories more than New York Times or CNN. The MSM narrative of "we are liberal, modern and left wing, therefore we are correct at all times, so we have no need to prove this to right wing imbeciles" no longer works with the general public.
The simple fact is - after actually reading both articles I completely agree with those scores.
Sanders' statement may not have been literally wrong, but it was used in an intentionally misleading way. And Sanders' statement is only correct when it comes with an explanation such as that offered by PolitiFact, which it didn't come with originally. Stated in isolation it is meant to be interpreted as a number comparable to BLS numbers, which it clearly isn't. In conjunction these two numbers together with PolitiFact's judgment made the fact checking crews vulnerable to dismissal and ridicule by alt-right sites, thereby making them widely ineffective in reaching alt-right minds and hearts when Trump's campaign blurted out gross falsehoods.
The Trump campaign gave no indication of where it got the figure - PolitiFact made a sincere effort to see if there was anything that could support it, found something that came sort of close but assessed that the figure really wasn't a valid representation.
Trump's campaign didn't bother with arguing their case with PolitiFact, instead they trashed PolitiFact in their loyal news outlets, and thereby avoided not only the debate about these unemployment numbers, but exposure of all other falsehoods put forward by Trump and his campaign. You may not endorse this strategy, but hell, did it work!