From TFA:
This is no longer the case as of February 21st, when Google engineers pushed a fix to close this loophole. As far as we can tell, Google is now maintaining some per-session state to identify how you authenticated — did you log in using a MergeSession URL, or the normal username, password, 2-step verification flow? The account-settings portal will only allow you to access security-sensitive settings after username/password/2-step-verification prompt that you can’t skip.
So, yes, you are correct, that is how it used to work, but not any more.
Still these ASPs are not in fact "Application" specific. They probably should be, but that would be pretty convoluted and people would throw up their hands and walk away. (I read somewhere that something like 80% of the people that try 2-Factor give up when they see all the hoops that need jumping.)
It's a privilege escalation problem. The surprise was that changing your main password or password recovery email should be only done by the full account, not an ASP context.
But that was the part that they fixed, No?
Actually TFA says the App Specific Password was encrypted with the device id. Google knows which device is talking to it.
You are correct that ANY one of your valid ASPs could be used for any Google service. This is the part that they fixed.
As you suggested, generating one single ASP and using it for everything would in fact work, but Google doesn't make this easy. You have to write them down somewhere, because once they show them to you, you can never see them again. You have to copy them into password fields in various apps (say for instance your favorite email app).
After the first showing of the actual ASP Google only refers to them by the Name you gave it, so your naming convention is exactly what they expect you to do.
The problem was that, with a carefully set up network, and if you know the device id, you could capture and decrypt the ASP, and use the decrypted form from then on. But you had to be quick, as the encrypted ASP was time sensitive.
So, Google blows them off and they don't go public for seven months? These are some nice guys!
Or perhaps they've been profiting for the past seven months. WTF Google?
Well, it's not as easy to pull off this exploit as it might seem.
From TFA:
So: given nothing but a username, an Application Specific Password, and a single request to https://android.clients.google.com/auth, we can log into any Google web property without any login prompt (or 2-step verification)!
So you had to know two things:
1) Someone's Username
2) Someone's Application Specific Password.
You had to know their PASSWORD. Or you had to "set up an intercepting proxy with a custom CA certificate to watch the network traffic" to try to capture the encrypted password. These ASPs are encrypted with the sending device id. (That Device ID is yet another thing that the attackers KNEW up front. If you didn't know that Device ID, setting up the Intercepting Proxy wouldn't help you.)
Granted, if you know the password it's game over. Two factor authentication only works if every piece of software supports it, and until it does big long hairy App specific passwords still have to be used.
You can't derive this password unless you also know the device ID, because it's encrypted.
The big HOLE here is that ANY one of your valid Application Specific Passwords gave you access to ALL parts of your Google Account.
So an ASP for SMTP allowed you to access your Account dashboard. They really weren't Application Specific on Google's end. That is the part Google fixed.
But again, it's not as big of a gaping hole as the summary makes it out to be. Because you still needed to carefully craft an intercepting proxy, know the originating device id, decrypt the password, and log in VERY QUICKLY because the encrypted password is date stamped with a short life span. This would be very hard to pull off in the real world.
So yeah, it needed fixing.
I'm glad it's fixed (for the most part), but there was no giant emergency here.
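The fix quoted from TFA above (per-session state recording how the session was authenticated, with security-sensitive settings allowed only after the full username/password/2-step prompt) can be sketched as follows. This is an added example, not part of any comment in this thread and not Google's code; every name in it, the sample user and the 300-second freshness window are assumptions made for illustration.

```python
"""Added illustration: gate sensitive account actions on how a session authenticated."""
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AuthMethod(Enum):
    INTERACTIVE = "username+password+2sv"  # the full prompt the user cannot skip
    ASP_DERIVED = "asp-token-exchange"     # web session minted from an ASP


# Hypothetical action names; the two sensitive ones are those named in the thread
# (main password and password recovery email).
SENSITIVE_ACTIONS = {"change_password", "change_recovery_email"}
REAUTH_WINDOW_SECONDS = 300  # assumed freshness window, not a documented value


@dataclass
class Session:
    user: str
    auth_method: AuthMethod                 # how the session was first created
    last_full_auth: Optional[float] = None  # epoch seconds of the last full prompt


def new_session(user, auth_method, now=None):
    """Create a session and remember whether a full prompt was ever completed."""
    now = time.time() if now is None else now
    stamp = now if auth_method is AuthMethod.INTERACTIVE else None
    return Session(user, auth_method, stamp)


def authorize_before_fix(session, action):
    """Behaviour described for the period before the fix: no per-session
    distinction, so an ASP-derived session could reach every setting."""
    return "allow"


def authorize(session, action, now=None):
    """Behaviour after the fix: sensitive actions need a recent full prompt."""
    now = time.time() if now is None else now
    if action not in SENSITIVE_ACTIONS:
        return "allow"
    if session.last_full_auth is None:
        return "reauth_required"  # session never saw password + 2-step
    if now - session.last_full_auth > REAUTH_WINDOW_SECONDS:
        return "reauth_required"  # full prompt happened, but too long ago
    return "allow"


def step_up(session, password_ok, second_factor_ok, now=None):
    """Record a completed full prompt. Both factors must succeed; the original
    auth_method is kept so audit logs still show how the session began."""
    now = time.time() if now is None else now
    if not (password_ok and second_factor_ok):
        return False
    session.last_full_auth = now
    return True


def demo():
    """Walk one constructed ASP-derived session through the gate."""
    t0 = 1_000_000.0  # constructed timestamp
    asp = new_session("alice@example.com", AuthMethod.ASP_DERIVED, now=t0)
    out = {
        "before_fix": authorize_before_fix(asp, "change_password"),
        "asp_read_mail": authorize(asp, "read_mail", now=t0),
        "asp_change_password": authorize(asp, "change_password", now=t0),
    }
    out["step_up_password_only"] = step_up(asp, True, False, now=t0 + 10)
    out["after_failed_step_up"] = authorize(asp, "change_recovery_email", now=t0 + 10)
    out["step_up_full"] = step_up(asp, True, True, now=t0 + 20)
    out["after_step_up"] = authorize(asp, "change_recovery_email", now=t0 + 30)
    out["stale"] = authorize(asp, "change_password", now=t0 + 20 + 301)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
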
Absolutely impossible. It encounters Mars when it's closest to the sun: a basic principle of orbital mechanics is that applying a force at a given location changes the object's position at the *opposite* side of the orbit. So encountering Mars just makes the furthest part of its orbit (which is waaaaaaaaaaaaaay out beyond Pluto) a little closer or farther.
If you are talking about applying force to an object in orbit around the sun, that seems logical enough.
Mars is not what C/2013A1 is orbiting, but all of a sudden there is this huge gravity well (Mars) in its path that wasn't there before.
Is there any possible close encounter with Mars that might cause C/2013A1 to act as if it were orbiting Mars (at least for half a rev duration of that single pass)? And if so, just how much can Mars deflect the orbit of C/2013A1 from what it might have been for centuries?
Surely there must be some approach to Mars that might be close enough to perturb the asteroid's orbit.
For that matter, might not the recent pass by Earth have deflected C/2013A1 somewhat?
An interesting article I saw about a year ago suggested that the Earth Moon Sun combination is constantly deflecting small near earth objects in wild paths, which sometimes loop between earth and the moon, and sometimes give Earth additional minimoons, occasionally for decades.
Disclaimer: I have no clue where Earth might be at that predicted time of the Mars encounter. (And I'm too lazy to look it up). ;-/
Said the Earth.
A near miss of Mars could possibly put Earth at point blank range.
If it passes close enough to Mars that C/2013 A1's orbit is affected, it could conceivably put it on a collision course for Earth; we would have very little time to react to that.
It might be safer for all concerned if it did hit Mars.
Yeah, that will work!
That's true but we're talking about telco - they could be anywhere if they wanted to scam old people. Why are they in Florida instead of say California? Or Texas? Or Massachusetts? Could it be that Florida law enforcement is lax?
Maybe they don't want to attract the feds by scamming across a state line?
Not that it stopped this particular robo-caller, but for scamming the elderly, it might be easier just to start where your customers are.
Microsoft worked hard to make sure that their new exFAT filesystem was written into the SDXC standard.
Exactly right. Wiki says:
SDXC cards are pre-formatted with Microsoft's proprietary and patented exFAT file system, which the host device might not support. Since Microsoft does not publish the specifications of exFAT and its use requires a non-free license, many alternative or older operating systems do not support exFAT for technical or legal reasons. The use of exFAT on some SDXC cards may render SDXC unsuitable as a universal exchange medium, as an SDXC card that uses exFAT would not be usable in all host devices.
However, once FAT32 falls out of patent in 2013, you can fall back to using it on anything less than 2TB.
Since the FAT32 file system supports volumes up to the SDXC's maximum theoretical capacity of 2 TB as well, a user could reformat an SDXC card to use FAT32 for greater portability.
Seeing this, Microsoft put a change into Windows Vista and Windows 7 to prevent formatting cards that big in FAT32 (although you can still do so in Linux and some devices). They force the use of exFAT, because it is under patent longer.
Why is it that the attack-dog AGs of the world are ready to go when somebody runs wget contrary to a site's terms of service; but people like this are allowed to operate unchecked?
Well, when Florida lumps their "Department of Agriculture and Consumer Services" into one agency, you really can't expect much from them except bullshit.
And apparently they are correct, because the link I posted also has a list of companies who decided it was cheaper to pay license fees than try to beat the patents in court.
The FAT patents end this year.
The rest have several more years to run, unless someone beats them in court.
The key point here is that Microsoft is not claiming ownership of Android or any core Android technology, but rather a miscellaneous collection of features they see in some smartphones and related devices.
Most likely Nikon is using FAT patents and likely MTP patents as well.
The complete list is here http://www.dailytech.com/Of+Lawsuits+and+Licensing+The+Full+Microsoft+v+Android+Story/article23088.htm
Any remnants of FAT32 are exhausted after 2013.
It will when you record high-res video.
From the article (first page, you should have spotted it)
It may seem counter-intuitive that capturing still images requires a faster card than shooting video, but Full HD footage isn’t as space-hungry as you might imagine. Despite the “high-definition” terminology, each HD frame has a comparatively low resolution of just over two megapixels. Plus, since consecutive frames of a video are often extremely similar, clever compression techniques can be used to store moving images efficiently. A data rate of 4-6MB/sec is ample for continuous shooting.
Still photographs have a far higher resolution: a typical consumer DSLR may capture around 12 megapixels of detail, and high-end models often record more than 20 megapixels. Each scene may therefore contain ten times as much information as a comparable video frame
Nothing makes the phone more secure than facebook processes
Say what?
Oh, I see, humor. Swoosh!
At least with the later versions of Android, you can go in and Disable these apps, and they won't run, won't get updates, and only take up storage.
Right. Why do summary writers always try to force the story toward their pet peeve?
Further, this FTC settlement had NOTHING to do with what version of Android was installed, but rather the diagnostics and monitoring applications they had installed, mostly at the carriers' request.
Both "Carrier IQ", something demanded by carriers, till they got caught, and "Tell HTC" a bug reporting software, ended up leaving logs on the phone that contained private data in clear-text, and transmitted that data to the carriers or to HTC in un-encrypted format. It also had to do with the handling of that data once it was delivered to the carriers and more specifically to HTC.
Why the summary writer had to make it about something else is beyond me.
Then they shouldn't receive funds paid for in taxes, simple as that. If tax dollars go towards it, it should benefit the public. End of story.
Read what he said, instead of putting your own spin on it.
he said:
Just because something is paid for with public money doesn't mean the public is entitled to it.
Lots of things are paid for by public money. Nuclear weapons, fighter jets, germ warfare samples, Gold in Fort Knox, Missile launching GO codes.
Clearly you are not entitled to any of that.
There are many fields of research which probably fall into the same area of risk, and must be kept confidential. Which is exactly why there are national security exemptions to Obama's new found openness.
Dunno if Vegas is the model you want to follow.
I talked with one programmer for slot machines who said it is the worst software imaginable, and even the programmers have no clue how it really works. As long as the end result of thousands of runs does not favor the house by more than X% it's "good enough", and the inspectors simply rely on accumulated results.
Of course, if you ever beat these machines and win the super grand bonus payout of a gazillion dollars, the casino will simply claim a software error, and give you some token winnings and the bum's rush out the door.
The peer review system is not dependent on academic publishers. Reviewers and editors are volunteers under the current system, and would continue to do their voluntary work without the publishing industry.
How does that work in practice?
Let's say Joe Biologist has a paper he wants to publish, how does he get it reviewed by peers without the appearance of hand-picking his own reviewers? I always assumed the publishers solicited these reviews. Is there another mechanism?
Disclaimer: Not a scientist, so I have no knowledge of how this happens, but I've seen a lot of total quack "science" published as if it were real on the web.
Oh, climb down before you hurt yourself.
It's not Android that Microsoft is licensing, it's some of their protocols (MTP most likely).
Nikon didn't have to use MTP in their cameras, and many would be happier if they didn't, but it solves a lot of problems for them with regard to getting pictures off of the camera. It means they don't have to include any software drivers for the camera, because they can just use what is already available on end-user's machines.
It could also be some elements of Fat32, NTFS, for storage card access, or Windows Networking, for wifi access / printing.
When Android provides replacements for these technologies the manufacturers can avoid them. But until then, if manufacturers continue to use Microsoft technology patents they are going to have to pay. There are many open source replacements that Google could have provided, but these haven't caught on.
Wireless radio systems have been around for about a century now, and I'm not aware of anyone ever pulling off a hack of a car radio system or a radio tower through radio transmission.
http://www.computerworld.com/s/article/9229919/Car_hacking_Remote_access_and_other_security_issues
http://www.caranddriver.com/features/can-your-car-be-hacked-feature
But you don't have to gain control of a car to do damage. If you can convince a V2V car that the 5 cars immediately ahead just came to a full stop because of a collision, you may be able to trick it into braking hard, causing a collision behind you.
What is the limit between devices?
Broadcasting movies off of your Blu-ray to a Tablet downstairs? Gaming between the desktops? Watching the game from your Cable TV on your portable device out on the deck, or by the pool?
is gonna get anywhere anytime soon... it's nearly worthless until every car on the road has it.. which will take a LONG time.. even getting to something like 90%+ v2v-enabled will take decades.
The benefits start accruing once 10 percent of the vehicles on the road have it. You don't need 90%. You don't even need 30%.
As you rush headlong into a fogged in traffic jam, there is a good chance that at least one vehicle in that jam will have this technology and warn your car well ahead of time, so you can slow down (also slowing those behind you). You don't need every car to have this. Similarly, in-road transmitters can warn just enough new cars of trouble ahead to slow an entire stream of traffic.
Sure, not ALL of the capabilities of V2V will be available immediately, but plenty of them will work even with a small percentage of participants.
That being said, development of these systems is far from complete, and shifting them to new frequencies is really a last minute decision. There is no real reason that 5 GHz is ideal for this V2V use, and something much higher up in the spectrum might actually work just as well, if not better.
Yeah, it seems the Sheriff of New York City amounts to a revenue collection role only. (Which is exactly what Sheriffs in Ye Olde England were, the King's revenue officers first and foremost).
County government in New York City is largely a puppet of the city.
Chuckle.
I thought the same thing when I read the summary. In one breath they are talking about Major crimes, and in the next sentence they lump in iPhone theft in that group. Yet if you report an iPhone theft the police won't do a damn thing about it other than give you some paper to fill out. How is that considered a Major Crime?
No, I did not overlook Tiananmen, which happened 23 years ago, the same year as the Exxon Valdez disaster, and the US invasion of Panama.
This is not a political issue, it is an economic issue.
My point is that it is simply ridiculous to state that China is just now entering the industrial revolution, when the truth is that China is in the later stages of that revolution, and is quietly entering a social revolution, which is being allowed to happen by the (nominally) communist government.
Contrary to your assertion, I don't expect any violent upheaval in China, nor do I expect progress toward greater freedom and environmental responsibility to slow. China has never known democracy as we understand it in the west. Yet for the average Chinese citizen these are the Good Old Times. They have never had it so good in their long history. They have always lived in a feudal serfdom. It will take perhaps 50 years but they will eventually get to current western standards.