Slashdot Mirror


User: thoromyr

thoromyr's activity in the archive.


Comments · 844

  1. Re:Could not replicate (as many others can't) on iOS 7 Lock Screen Bug Leaves Certain Apps Vulnerable For Access · · Score: 1

    There is a bug, but it is not what most would consider a lock screen bypass. iOS7 has a new task switcher and you can access this, but it has reduced privileges meaning you can't access any app that you couldn't from the lock screen. And even then it isn't reliable (very likely due to it being the result of a bug).

    What it *does* do is leak information about what is installed on the phone, and badges for installed apps (e.g., number of unread emails). But only if those applications are running. Doing a fresh upgrade from 6 to 7 somehow resulted in every application being listed by the task switcher -- it's as if they were all started by iOS. You can remove the apps from the task switcher (killing inactive applications).

    So, yes, there is a bug. No, it isn't a lock screen bypass. Other than some information leakage ("active" apps) there is no access that did not occur from the lock screen itself.

  2. Re:Bradley Manning on Arrested Chinese Blogger "Confesses" On State TV, Praises Censorship · · Score: 1

    well, as I said, I'm not familiar with the details of Abu Ghraib. Doing a quick check I see wikipedia claims "When the U.S. military first reported abuse in early 2004, much of the U.S. media again showed little initial interest" so it would appear that people in service *did* take exception.

    Yes, it was apparently first outed by ex-detainees, but despite being reported by the AP, "The article gained little notice."

    Just because you don't hear of "Bradley Manning" doesn't mean people weren't reporting. And, with military experience, you should know that it often isn't so easy to walk into a situation and do things. Especially if you are not ranking. Especially if the problem goes to the top.

    The problem at Abu Ghraib does not appear to be that internal military was all happy about it, but rather that they were ignored. And, yes, I firmly believe that the military should police itself. But it is a mistake to *rely* on that, just like it is a mistake to rely on the NSA to oversee itself. It makes a mockery of oversight.

    It is easy to get angry about things. I hope that people don't generalize too much when there are plenty of good soldiers.

    And, yes, when JAG doesn't (or can't) help then moving outside is certainly necessary. Whistleblowing is a much needed outlet to account for systemic abuses.

    (Interestingly, even though technically all soldiers are instructed about JAG, the culture is such that few make use of it -- at least that was my experience. Kind of like the culture discourages treating illness in favor of staying on the books as active and ready. I saw abuse by those in power much more often than I could actually do anything about it -- never underestimate the good ole boy network among NCOs... JAG wants to take on cases, but can't when soldiers refuse to testify.)

  3. Re:Bradley Manning on Arrested Chinese Blogger "Confesses" On State TV, Praises Censorship · · Score: 1

    I would not say the same for the soldiers I knew. It isn't that they were bad (far from it), but it depends on what you are talking about.

    Abu Ghraib is something I do not have enough specific details on so there is some speculation going on, but with humans you don't typically immediately jump into the abuse. It tends to be gradual. Maybe a small number of people are initially rough with detainees. Few, if any, common soldiers would likely be privy to the fact that some were detained with no substantive reason. They would "know" they were being brought "bad guys".

    Maybe I'm wrong and it was evil from get go, but I strongly suspect that it was one of gradual escalation. And, in such a case, even if a given soldier didn't directly commit an abuse they were complicit by not saying anything initially. And it can be hard to know when to draw the line. Maybe easier for some than others. It sounds like you would. I certainly had my issues with command and took advantage of JAG.

    With respect to "further from the action" -- it is less distant and less real to read something in a report. Snowden dug to get the data he released: it isn't like it jumped into his inbox and demanded attention. From the various releases and interviews it sounds like he realized how loose and lax the "controls" really were and he started pushing the envelope and digging for details. Contractors (or soldiers involved) aren't being ordered into directly and obviously illegal conduct -- a lot of it is issues with aggregation, scope, lack of controls and lack of oversight.

    Although the data collection and correlation is the fundamental enabler in that case a lot of it probably doesn't seem that bad when you are just showing up to your job and doing searches for bad guys. Having dealt with law enforcement at various times I'm quite familiar with the frustrations they can feel when hampered by legal requirements. When your gut tells you that something is wrong it can be hard to ignore it -- and this can lead to an illegal search because there just isn't enough evidence to get a search warrant. The road to hell is paved with good intentions.

    I guess what I'm trying to say is two fold:

    1) the military is not effective at policing itself. You can't rely on insiders outing incorrect behavior.

    2) don't be too hard on soldiers who don't raise flags. Everyone is susceptible to some degree to "going along" with events. Should people raise flags and blow whistles? If there is wrong doing, absolutely! It needs to be encouraged. But I would avoid black-and-white views where someone is either guilty or whistle blower.

  4. Re:Shadow banking system on True Size of the Shadow Banking System Revealed (Spoiler: Humongous) · · Score: 1

    people who buy new cars for the "security" they think they will get in lack of repair haven't bothered to look at the market. Cars depreciate very fast for a short time after sale, then (generally) decline slowly. Buying a recent, but not new, car saves a lot of money up front and the repair costs are comparable to that of the new car. Basically, the new car is over valued and the market quickly adjusts it to the proper valuation.

    And, no thanks to car salesmen, people generally pay too much for a car. It's a cyclic system where the base value is derived from a sales average (blue book). Put another way, if you pay more than blue book you are a sucker. If you paid blue book you are even. The goal is *less* than blue book. (Actual, not the supposed pristine condition they claim for the vehicle). Last car I got from a lot we paid 80% blue book -- and that brings the average down for all the other buyers.

    More than five years later had a first major repair: nearly $1000. I grumbled long and loud, but someone I know with a younger "new" car is out for twice that, and it isn't the first major expense.

    Don't buy from lots. Buy before you *need* the car so you aren't under pressure and can pick a good deal. Don't buy expensive vehicles (econocars are better value than trucks, SUVs, vans, etc.) unless you *need* a status symbol (or actually *need* a truck to haul things rather than using that as an excuse -- trucks are premium priced).

    I've had to grit my teeth and take my cars to dealerships of late rather than real mechanics, but them's the breaks. Even getting bent by a dealership on an older car is cheaper than getting bent on a newer one.

  5. Re:So, in other words: on Arrested Chinese Blogger "Confesses" On State TV, Praises Censorship · · Score: 2

    well, odds are they didn't have to do half of the extreme measures you suggest. Maybe this guy was exceptional, but all it usually takes is a good dose of cold water. A normal arrest and careful explanation of the consequences will get most people with family to fold. Of course, in the event they get a true idealist, then, yes, some or all of those measures will get the desired result.

    Torture may not be that great for getting truthful information, but it works wonders to get someone to say something, anything, to make the pain stop.

  6. Re:Bradley Manning on Arrested Chinese Blogger "Confesses" On State TV, Praises Censorship · · Score: 1

    yeah, in basic training there's a brief mention of the constitution. The resisting unlawful orders is hit pretty well, too. But then, when you leave basic training, it gets a bit different. How do you know that an order is unlawful? Can you properly interpret the constitution? Do you have *time* to work through the issues -- particularly when they aren't evident at the outset and build up over time so you are complicit in the results? Having access to JAG is great, and I really mean that. But being stateside is one thing, deployed in country is another altogether.

    Look, I'm not trying to disagree with your basic statement, but do you honestly think that there were many others in any unit you were in who would do what Bradley Manning or Edward Snowden did? Such people are rare. The military, all branches (but especially the marines) teaches subservience. This is a basic military necessity: taking a particular hill might be critical for the battle, or even a strategic victory, but you might expect to lose a company doing so. The officers and the soldiers have to be willing to do their part, which sometimes includes dying for their country. People don't like to die, so there are various tactics for that, but the most basic is incomplete, misleading, or wrong information combined with an insistence that orders be obeyed. And disobeying an order gets seriously bad fast. Just being late for formation is a charge under the UCMJ!

    So there is every attempt to condition soldiers to not think about things too much and not to question orders. If you do, you can end up with some unwanted scrutiny (and be *very* glad that JAG exists and -- stateside at least -- you have unrestricted, unmonitored access to legal counsel).

    Put another way, I would not look to soldiers to expose the wrongdoings of the military. If it happens, you got lucky. But that is why oversight is necessary. For the military, for the NSA, for whatever branch. And because of the "who watches the watchers" issue our government was set up with the intent of a balance of power, a tension between three branches so that one could not overpower both of the others.

  7. Re:Drudge and other U.S. bloggers are next on Arrested Chinese Blogger "Confesses" On State TV, Praises Censorship · · Score: 1

    actually, this is terrorism and unless you understand it you make foolish arguments. And I mean real terrorism, not what a talking head is spouting.

    Some terrorists choose schools because it upsets people more to have a dozen children executed than a dozen geriatrics or even a dozen adults.

    Or, with the religious right terrorists, putting in secondary bombs timed to kill emergency responders (the goal is to terrorize emergency responders into not responding if the emergency involves an "abortion clinic" so that people running or visiting such places will feel more isolated and fearful).

    The truth is, you *can't* stop "any massacre in any school". There is no absolute safety or security. Once you get the mindset it is easy to devise terrorist strategies, and painfully obvious how hard it is to stop anyone who is determined to hurt others.

    Call in a bomb threat at target, observe where people go. Wait. Plant a bomb where people went, call in a bomb threat. The structure isn't the terrorist target, it's the people.

    Bomb goes off outside a building. Security responds by establishing a perimeter. Use a really big bomb sufficient to make the perimeter insignificant. Security responds by relocation and a *really* big perimeter. Switch from bombs to agile vehicles carrying armed lunatics.

    Bomb or crash an airline. Security responds by tightening up passenger screening, which results in long queues and masses of unscreened people. Walk a bomb into the crowd and get more people than you could from bombing a single plane. Security pushes perimeter outward -- but as long as there are a significant number of flights at some point there is going to be screening and thus choke points. For the terrorist it really doesn't matter where the choke point is, what matters is that it exists.

    Shoot children in a school. Someone arms the teachers without bothering to look at facts, such as accuracy in a fire fight. There are some interesting FBI statistics on this, though I can't find a citation for the one I saw back in the 80s. But a more recent report suggests a hit rate of 15% [http://www.handgunsmag.com/2013/06/20/new-fbi-handgun-training/]. Even if the teachers are balls-to-the-wall gung-ho types who have no issue shooting under pressure and don't mind killing another human being... the simple truth is that it is easier to fire into a crowd of people and hit *someone* than it is to lethally hit a *specific* target. But lets pretend for a moment that all of the teachers are seasoned veterans who have lost respect for human life. A grenade through a window, a planted claymore, a called in bomb threat and observe response (almost certainly an attempt to evacuate so a sniper or claymores planted around exterior doors -- or wherever the exit choke points are will do just fine.

    The goal of a terrorist is to strike with fear. To let you know that you are not safe. That your government cannot protect you.

    The truth is, they never could and never can. Not completely.

    Some say that terrorism is the price of living in a free society, but that isn't true. The threat of terrorism is the price of being alive. The bar can be raised (it would be easier to assassinate a random citizen than a protected person with personal security), but it cannot be prevented.

  8. Re:Drudge and other U.S. bloggers are next on Arrested Chinese Blogger "Confesses" On State TV, Praises Censorship · · Score: 1

    You disagree with the founding fathers then, on philosophical grounds, with respect to inalienable rights. Just because you don't believe that any such thing as an inalienable right can exist does not alter or change the fact that the rights enumerated were *specifically* and *explicitly* considered to be such.

    You are welcome to your differing philosophy, but any interpretation you then make of documents whose writing was *predicated* on the existence and validity of inalienable rights is automatically wrong.

    http://dictionary.reference.com/browse/inalienable+right
    https://en.wikipedia.org/wiki/Natural_and_legal_rights

  9. Re:Yahoo on Secret Court Upholds Phone Data Collection · · Score: 2

    You got me: I was too quick to respond. The secret court documents were (according to the summary) about bulk telephone records. Those guys were already granted immunity and it is well known that they cooperated fully. Oh, except for Qwest I think. Which simply never complied and did not contest through the mechanism. So the court records match up with other known facts.

    Yahoo, Google, etc., do not hold telephone records. Well, I suppose google might after google voice, but those calls would be routed through an actual telecoms at some point and the telecoms records would have been provided per above without any need to involve google. The business with yahoo, google, etc., are their provision of email records to the government.

    As to their contesting it? Maybe they did, but it is hard to argue with federal monies, or the potential of them (google has been trying to get in on lucrative government bid jobs in competition with microsoft). I would not be surprised if their claims of contestation were never supported by facts.

  10. Re:Yahoo on Secret Court Upholds Phone Data Collection · · Score: 4, Insightful

    I differ. The secret court does not have clear reason to have lied: this information comes from revelation of secret court documents, not a PR statement itself.

    OTOH, Yahoo, Google, etc., all have a vested interest in lying to the public in order to assert some damage control. The statements from these individuals were definitively PR and, as such, can reasonably be expected to put as much spin as necessary to put them in the best possible light. I'm not saying they were bad for doing so (though I'm not saying they weren't...), that is a function of their *job*.

    As others have noted, why would they contest it? Anyone who gets federal monies is susceptible to federal manipulation. Look at the so-called "Higher Education Opportunities Act" which uses the threat of withholding federal funding to exert control over universities. Or the use of federal funds to require a speed limit on interstates.

  11. Re:seems random on Stealthy Dopant-Level Hardware Trojans · · Score: 1

    It would have to be based on a statistical analysis which means it isn't a proof, it is demonstrated to a confidence level. How confident do you need to be?

    Secondly, to properly evaluate to a greater number of bits of entropy is going to require a larger sampling and I expect this increases exponentially. How much time do you have to reach your confidence?

    The testing would be balancing those two questions, but in no case could an absolute answer be found.

    But, from the horse's mouth:

    "The subject of statistical testing and its relation to cryptanalysis is also discussed, and some recommended statistical tests are provided. These tests may be useful as a first step in determining whether or not a generator is suitable for a particular cryptographic application. However, no set of statistical tests can absolutely certify a generator as appropriate for usage in a particular application, i.e., statistical testing cannot serve as a substitute for cryptanalysis. The design and cryptanalysis of generators is outside the scope of this paper."

    Random Number Generation

    In other words, NIST says their recommended tests are statistics based and insufficient.

  12. Re:Get Your Tinfoil Hats on Stealthy Dopant-Level Hardware Trojans · · Score: 1

    This is a real problem with incomplete understanding of entropy and how it is used. The question is not "does rdrand provide X entropy" it is "does rdrand provide at least X entropy that it is being credited for".

    If a process in linux asks for a random number the current pool is evaluated. Each input to the pool provides (theoretically) some X entropy and is credited with having provided some Y entropy where (presumably) X >= Y. If the *credited* entropy is enough then a number is returned, otherwise it depends on whether or not the blocking or non-blocking call was used.

    So if rdrand is *credited* with providing X bits of entropy, but in fact provides 0 bits, and the "lie" causes credited entropy to cross the threshold then you will get a number generated from insufficient entropy.

    Now, I haven't looked at the kernel or read up on this to see what the case is but the consideration is "does rdrand provide at least the entropy it is being credited for?"

    If rdrand is used as a source of entropy but is *never* credited then it could only possibly hurt if there was some magic that allowed it to *reduce* the entropy pool by its inclusion. That seems more than a little far fetched.

    If rdrand is used as a source of entropy and is credited for at least 1 bit then the inclusion is harmful if it has been compromised to the extent that it is credited.

  13. Re:Moo on Study Shows Professors With Tenure Are Worse Teachers · · Score: 4, Insightful

    When I had sociology 101 it was taught, due to unusual circumstances, by the department chair. This was at a reasonably large university and, being a required freshman course, had large classrooms. I was not, however, a freshman. By that time I had two years behind me and was picking up the required courses at the university I had transferred to.

    If you had surveyed the students they would have indicated the instruction was terrible. Not because it was, but because they were nearly all freshmen. Straight from high school with overrated opinions of their own intellectual capacity, no ethic for study or class participation, and no interest in the class. Although it was hampered by class size it was one of the better taught classes I've been in.

    Yes, I realize you are emphasizing "freshman undergraduates" and "introductory courses", but the problem isn't (necessarily) that tenure track professors are less effective at teaching them but (more likely) that they push and expect more (something) from the students.

    Students are an amazingly lazy lot*. At a third university (yeah, I moved around a bit) I took a medieval history course. It was flooded with students and it turns out that 1) there was either no class size limit or it was not enforced and 2) the prof had (deservedly or not) gained a reputation as being an "easy A". I had a genuine interest in the topic and, being new, had not heard of the rep until the first day of class. It was a "flash enrollment" situation -- apparently the class had been small up to that semester and he spent an undue amount of time trying to convince people to drop. When taking a survey of students concerning their professors the group bias needs to be taken into account.

    I've known tenured professors who taught at various levels (introductory courses on up) who were absolutely *loved* by students because you got an A simply by being enrolled. Top approval ratings, voted for teaching excellence, etc. Conversely, another tenured professor, on the first day of class for a required course, bragged that he (and one other) prof accounted for something like 90% of the students taking it semester after semester and that 60% of those students didn't pass. It was a point of pride with him. Without knowing more about the situation, student evaluation of professors is basically meaningless.

    What it boils down to is that some professors are gas bags who just like to hear themselves talk. Some are there for the pay check. Others are just there for the research and resent having any class load at all. In other words, they vary.

    About the one valid generalization that can be made of tenured vs non-tenure track vs non-tenured tenure track is that non-tenure track tend to try harder and care more about student approval; non-tenured tenure track tend to try to meet tenure requirements and care more about student approval. In other words, tenured faculty (as a generalization) tend to be less concerned with student approval. They've also been doing it long enough to have learned that students want contradictory things (e.g., there was too much classroom discussion vs there was not enough).

    * I'm using this as a generalization of undergraduates in general. Graduate students are, in my experience, more motivated than nearly any undergraduate. But the motivation levels of undergraduate students vary a lot ranging from the "I can't be bothered to show up for class" freshman to the rare "I will exceed the expectations for all assignments". Students suffer from a range of maladies, such as believing they can pass a class without doing any assigned work or reading.

  14. Re:Complete Failure on TSA Reminds You Not To Travel With Hand Grenades · · Score: 1

    a good comment and I think we basically agree, but you appear to overrate the lethality of influenza. Further, with many chemical agents it isn't just a matter of their lethality, but permanent damage. Someone who had significant exposure and survives nerve gas is never right afterwards.

    From a military stand point this is as good or even better than being lethal as the ongoing cost to the enemy can exceed that of simple death. From a terror stand point having people who are, effectively, permanently crippled in some way can also be a good way of delivering the message of fear.

    This is just hard to achieve with biological agents. The only significant use of biological agents against people I can think of was by colonists against American Indians, and even there it isn't clear how widespread or effective it was [http://www.straightdope.com/columns/read/1088/did-whites-ever-give-native-americans-blankets-infected-with-smallpox] and despite isolated (and largely ineffective) attempts to use agents like anthrax there seems to be no significant use of it. [http://aarc.org/resources/biological/history.asp]. That references the "Rajneeshee" terror attack which had localized impact at best, no fatalities and the attackers failed to accomplish their objective [https://en.wikipedia.org/wiki/1984_Rajneeshee_bioterror_attack].

    I've had salmonella poisoning and it is *not* fun. But you recover from it. I've also seen, but not personally experienced (thankfully) the effect of nerve agents. I'd much rather bad guys pursue biological warfare.

  15. Re:iPhone + fingerprint? on Can the iPhone Popularize Fingerprint Readers? · · Score: 1

    all you asked for was a citation about the claim that it "reads" subdermal tissue. If you want to argue semantics I'm not going to play. I haven't seen anyone claiming it can't be defeated, just pointing out that the "ooo use a picture" isn't enough, which apparently you aren't trying to dispute.

  16. Re:Peanut and Gluten allergies? on Social Media Is a New Vector For Mass Psychogenic Illness · · Score: 3, Interesting

    Part of the problem is the science of allergies. Or, rather, the lack thereof. Combine this with a growing awareness of allergies and a burgeoning market in telling people what they are allergic to and you get the current state of affairs. This is complicated because no one seems to have even the slightest interest in the science of the field.

    An allergy, at least when I was growing up, was a reaction that ultimately resulted in anaphylactic shock. In principle, an allergy can kill you.

    People are complex biological organisms that are very poorly understood. There are allergies to various environmental factors (dust mites, certain plants, etc.) and to foods (peanuts and soy are perhaps the most common). But there are other ways/reasons for a body to react poorly to environmental factors or foods. I react poorly to (something in) eggs. I have an issue with casein (which is what makes cheese good, and fake cheese lacking it bad). I'm not allergic to eggs, nor do I have a milk allergy. Nevertheless, my body functions better when I consume neither.

    Allergy testing is like something out of medieval medicine. There's a common sensical understanding of it, but apparently no actual science. And if you want to make an "allergy doctor" dance, suggest that you get closely repeated testing. They don't like to admit it, but the reproducibility of allergy testing is almost non-existent and having a reasonable time interval allows insertion of vague claims such as "your body has changed". They have fluid ideas about the subject and are more interested in running tests, administering "inoculation" witch's brews, and generally making money off of the fad than actually studying the subject.

  17. Re:iPhone + fingerprint? on Can the iPhone Popularize Fingerprint Readers? · · Score: 2
  18. Re:NSA on Can the iPhone Popularize Fingerprint Readers? · · Score: 1

    Even better, when you want to plant a fingerprint to cast blame elsewhere for a crime it really helps to have these nice databases. Hmmm... thoromyr made a comment that could be construed as anti-government. Let's see, correlating the user id the real name is... address... ah, fingerprint!

    (I'm not suggesting that Apple is collecting fingerprints, or that the NSA would stoop to framing someone for a crime to ruin their life, but hill climbing is a technique for reversing "unreversable" processes and the planting of prints is an unfortunate reality.)

  19. Re:i can always wipe my phone remotely on Can the iPhone Popularize Fingerprint Readers? · · Score: 2

    Different kind of fingerprint. It doesn't help that the same word refers to closely related things.

    1. fingerprint: an impression left by a finger providing a (typically smudged) two-dimensional image of the pattern of ridges on the skin of a finger.

    2. fingerprint: the pattern of ridges on the skin of a finger.

    To further complicate things there are different kinds of fingerprint "readers"

    1. fingerprint reader: device to create an optical image (or hash from such) of a finger. Some are enhanced to require warmth to avoid being defeated by presentation of a picture or photocopy of the finger in question.

    2. fingerprint reader: device to measure the capacitance of the ridges that make up a finger print and generate a "key" from them.

    The "glass is device" is covered by the first kind of finger print and the "reader" is of the second type.

  20. Re:201 mph on Ferrari's New Car Tech Idea: Make Car Go Really Fast · · Score: 1

    About twenty years ago, late at night driving in some part of California (the trip was from Monterey to Arizona) there was no traffic in sight and many lanes -- I am assuming during a different time of day it would've been packed for there to have been so many lanes. The road was basically flat and straight, a good spot if you wanted to go insanely fast. I was driving a dodge colt and probably managing around 70mph.

    I really didn't see the car that passed me, but it was memorable. By the time I'd registered headlights behind me it had disappeared in front of me, despite the considerable visibility both directions.

    The next thing that happened was the highway patrol car that blew by. Sure enough, some miles down the road, someone's ride was pulled over.

    I'm assuming the thrill was worth the ticket/bribe...

  21. Re:Complete Failure on TSA Reminds You Not To Travel With Hand Grenades · · Score: 1

    biological weapons might have a chance in a subway, but the reason they have not been broadly developed is that they are both unreliable and ineffective. Chemical weapons, on the other hand, are both reliable and effective.

    The reasons for this are several, but consider:

    biological agents simply do not have good longevity. They are not shelf stable (which is a problem for stock piling munitions). They require special storage to preserve viability. They are prone to being killed off by ultraviolet light (i.e., outside during the day). They do not have consistent potency. Their effect on a given individual varies considerably.

    Chemical agents can have good longevity. They can be shelf stable. Storage concerns are more about accidental leaks than loss of potency. They are equally good at night and day. They have consistent potency. Their effect on individuals is relatively constant.

    I'm not sure what you are trying to say by bringing up the Tokyo sarin gas attack. You say that it was *less* effective because it was so lethal? Is your argument then that you could seed some mythical biological agent and keep dispersing it but no one would know until you had exposed more people? If that is indeed your point I can see where you're coming from, but it relies on things that simply aren't true for biological weapons.

    Longer exposure would be *required* to even have a chance at affecting anywhere near the same number of people. If you rig a biological weapons container to slowly output its contents so as to provide continuing exposure in a region then you are also increasing the likelihood of its discovery simply because it is present. On the other hand you could improve coverage of a chemical attack simply by not limiting it to a single location. If you are willing to risk discovery of the weapons containers (which shouldn't be an issue if willing to accept biowarfare) then the devices could be pre-planted and triggered simultaneously, or staggered via timers, remote activation, whatever.

    In short, biological warfare is not seen in practice because it is expensive, unreliable, and generally ineffective. Chemical weapons are often cheap to manufacture, are generally reliable and often quite effective.

  22. Re:Reference? on Are the NIST Standard Elliptic Curves Back-doored? · · Score: 1

    there's a problem with your interpretation: it isn't (necessarily) where the magic numbers came from, but that some non-NSA researchers into ECC discovered that you could select a "key" A and from it derive a "key" B whereby anything that utilized B would be crackable with knowledge of A. The issue is that the magic numbers provided by the NSA could be a B where they hold an A.

    This is a lot different than simply not knowing why particular numbers were picked. With present public knowledge it isn't the particular numbers as such, but rather that *any* numbers were proposed. Particularly when this feature was not publicly known. Particularly when the NSA has been pushing ECC as "the next thing".

    At one time it might have seemed a stretch, especially in light of DES (though that was likely just a PR job*), but given current information anything the NSA pushes requires an explanation involving solid, mathematical and cryptographically sound reasoning.

    * there was suspicion about DES when introduced, particularly that the NSA provided unexplained S numbers. The NSA worked to keep the key length of DES /small/ which leads to a suspicion that they may have felt confident they alone had the capability to brute force it, but wanted it free of a weakness from a (at the time) non-public attack that might have made it vulnerable to competing agencies.

  23. Re:9 years later, still won't trade my Pioneer Pla on Is It Time to Replace Your First HDTV? (Video) · · Score: 1

    I didn't pay that much (nor was it that long ago), but when my previous "HD" TV died I read up on TVs. LCD/LED was all the rage, but things were still couched in terms of how close they approached the picture quality of a plasma TV. I paid $1000 for mine and it was well worth it as well. Sure, it takes more juice than an LCD or LED display, but it can also display darker images well and you don't have to be dead center on the screen to get a decent image.

    Friends and family have bragged about the picture quality of their newer LED displays, but none of them have as good a picture or color, or even hold up to viewing off angle.

    Yes, just like a CRT you get ghosting and the residual lasts for a while. And, as noted, it takes more power. Nothing is perfect. But for quality viewing I much prefer plasma.

  24. Re:"Poster child of privacy invasion" hyperbole on Epic: A Privacy-Focused Web Browser · · Score: 1

    Wait, you claim to have actually read Google's revised AUP? And you're fine with the "we protect the correlated data so that only those we knowingly give it to (contractors, customers and the government) can have it"? It isn't stated *quite* that succinctly, but it wasn't far removed from it either. I haven't read it since the change and at the time they were revising it without notice (next day to get a quote for someone and the wording had been altered) but I seriously doubt that the gist of it is any different.

  25. Re:Chrome? on Epic: A Privacy-Focused Web Browser · · Score: 1

    "Linux kernel code is constantly vetted, and well, by a huge userbase. And it works very well for the kernel."

    Really? This is exactly the same "reasoning" that gets us:

      - who needs AV? I don't run it and I've never been compromised
      - you don't need to patch Windows, I have an unpatched WinXP box directly on the Internet and it has never been compromised
      - you don't need to patch linux, I have an unpatched linux box directly on the Internet and it has never been compromised

    All of these boil down to the same thing: the person doesn't know that there is a problem so there must not be one.

    I disagree with hairyfeet that "many eyes" adds nothing, but it really doesn't mean anything by itself. With the NSA actively infiltrating software (as revealed recently) there is every reason to expect them to have at least tried to insert vulnerabilities into the linux kernel and related software. The fact that it was never outed somewhat increases the likelihood of success.

    Code review is very helpful and a good way to identify unintentional bugs, and open source at least facilitates this. But not finding inserted vulnerabilities does not mean they aren't there.