While I agree with your criticism of the parent comment regarding his lack of empiricism, if he were to change his assumption from
Why is it Microsoft Word 97 fits into my 8 megabyte 386 laptop, and has 99% of the same functions as modern Word, plus is quick and responsive. Why can't they bring that level of efficiency for today's Word 2010?
to
Why is it Microsoft Word 97 fits into my 8 megabyte 386 laptop, and has 75% of the same functions as modern Word, plus is quick and responsive. Why can't they bring that level of efficiency for today's Word 2010?
It all of a sudden holds more merit
While I'm not claiming to hunt down statistics to prove my point, I think it's safe to say there's absolutely some truth to lazy programming becoming more the norm than the exception in certain areas.
Do you really think some ratio of perceived/available functionality over ram usage has remained constant or significantly decreased?
Don't you hesitate when you're about to download an application for a simple task but the first one you find is, inexplicably, 100 megabytes, compressed, whereas the 2nd one you find (and download) is 10 or 15? :)
So how would your plan defend against regular small payments that add up to $150k if the authorizers are not checking supporting documents for every transaction?
It doesn't. It's presumed an attacker is less likely to be interested in wasting his time making many small transactions. Further, any decent bank should recognize repetitive transactions occurring in a short period of time (or, if over a longer period, it should be caught by reconciling cash). Keep in mind, my plan is not about mistake or fraud issues, it's about third party attackers (i.e. supporting documents are not the issue here).
Authenticating each large-value transaction by the means you suggest is just redundant. Why not handle it how most companies already handle it? That is: limits on the approving authority of each person, multiple authorizers needed over $x amount. Hard cap on very high amounts for online submission -- personal verification (via verified telephone or in-person signature) for extremely high amounts?
I agree with your suggestions, but those are designed to minimize mistake and fraud related events, not necessarily online redirection of funds. By requiring two different people from, most likely, two different computers to approve a transaction, it's less likely that both computers will be compromised. That said, having a small degree of inexpensive security in place via transactional authorization keys like I suggest would strongly minimize potential redirection of funds by an attacker (i.e. the point at issue in the article).
Session auth in and of itself is not considered good enough for the business banking systems of at least Citibank for one company I've worked with. That suggests to me, they also feel just session auth is insufficient.
Also, caller id can generally be manipulated, so that alone is not a bulletproof control from your bank. That said, all of these things are about low[est] hanging fruit, not 100% perfection, which is an impossible standard.
as an addendum and really a suggestion to banks out there if this doesn't exist, but should... perhaps (granted this would be potentially a bit tedious) -- for transactions exceeding a certain size, a special security token would be ideal where:
(1) the user enters the wire/ACH data on the token itself (amount, account number, transit number)
(2) the resulting number generated would both authenticate the user for the transaction and also authenticate the amount (i.e. the amount entered on the keypad would be a seed in the implicit PRNG which any attacker would, by design, not have access to)
Because someone who offers to show a receipt is inherently lower risk.
In fact, I always offer to show my receipt, because I don't want to have to wait extra time while the fellow checks my bag. As a result, the door guy has NEVER checked my bag at ANY store since I offer to show a receipt.
Accordingly, someone who is actually stealing would seemingly pass under the radar that much more easily if they just offer to show a receipt when they leave.
I'd imagine they're given a certain degree of discretion in their job... e.g.
(1) if you offer to show them your bag contents, they probably won't examine it
(2) if you have a small bag it receives less scrutiny
(3) if you otherwise look to be a mature professional, you'll receive less scrutiny
That may be the choke point, but how is this really any different from voice in the early 90's and earlier?
They did something crazy, which persists to this day --> they charge more for the same minutes in peak versus off-peak.
Why don't we have different buckets of data for different times of the day like with minutes?
I suspect it's because if they started selling data like that, their corporate cash-cow blackberry customers might start to realize how ripped off they are and might even lobby to not pay a special fee just to access an exchange server, etc. The folks who pay those extra fees are, on average, the same folks who use the least data.
If using more bandwidth costs the cell carriers more money, perhaps they should charge people for using more bandwidth. This is the only industry I've ever heard of where when demand exceeds supply, they simply refuse to increase capacity.
I suspect the hesitance to have prices mimic costs is the fact that the [oligopolistic] carriers don't want to lose money from one of their highest revenue users who incidentally use very little bandwidth -- corporate blackberries. In fact they are designed to use data minimally for most users, e.g. only text parts of emails are downloaded at first, email is push rather than pull. If the carriers actually had a system which tracked costs, the $5 verizon "feature phone" plan would cost $50 and the $50 BES blackberry account would cost $5 and accordingly substantially screw with their highly precise and profitable price discrimination. Granted, they could have a segmented system where blackberries existed outside of it, but why rock the boat when they're making tons of money and only stand to lose it in this situation.
Keep in mind, all of this price discrimination is made possible by the carriers being able to identify the phone you are using and how you are using it since they only allow their phones on the network generally. GSM has some minimal exceptions to this, but even if you bring your own equipment, they might have a database of its IMEI and charge by that and/or identify that you're accessing an exchange server/skype... Don't get me started on MEID/ESN databases for CDMA, it's even more despotic.
Also, more specifically in this context re: 3G on skype, consider that it's not a data issue per se, but more a money issue for minutes; after all, look into how verizon blackberries handle skype traffic and minutes in the context of high value plans...
...it has link customization, i.e. with bit.ly, it will assign me a link but then I can change it to something like "Bourdain1" which is easier to read off the phone and type in than some random, albeit short, alphanumeric characters
Fair enough, I know there's at least some degree of interdependence/reciprocity between the entities (e.g. I live and work in NY yet my BCBS is based in another state (also EST though); all of my bills are, at one point, submitted to the NY BCBS since they are the ones who have the contracts with the local doctors).
In the case of the scrip fulfillment, perhaps that's handled by a PBM who has incompetent/overworked devs (in PST).
I also fully appreciate the essence of "non-profit" in name only. Being a non-profit seems to, at least in organizations where lots of money is involved and there isn't a true humanitarian mission, only yield inefficiency because there's so little transparency and no shareholder incentive -- only an incentive for top management and their lieutenants to individually profit.
If I screw up, people can't get the correct pills. It's fun to make other people live dangerously. :-p
FTFY. Well, for certain values of "pharmacy benefit management system". If your production hacking can botch scrip fulfillment, please say what company you're working for so I can try to avoid it like the plague it is.
I don't know if Blue Cross Blue Shield has fixed this but, as of a few weeks ago (and this probably has existed for a while), living in EST has made it impossible for scrips to be fulfilled via insurance between midnight and 3AM. This is because, according to the late night pharmacist who is familiar with the issue, the servers are in PST and won't allow fulfillment from anything but the "current day" regardless of time zone. Too bad the devs there don't understand time zone adjustments / UTC/GMT. Yet again, non-profit environments don't tend to attract the swiftest of folk in general.
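The failure mode described in that comment (a "current day" check evaluated on the server's own Pacific clock, so an Eastern pharmacy is rejected for the first three hours of its day) is easy to reproduce and to fix. The following is an added illustration, not code from the commenter or from any insurer or PBM; the claim-date check, the function names and the fixed PST/EST offsets are assumptions made to keep it self-contained (a production fix would use IANA zones via zoneinfo rather than fixed offsets).

```python
from datetime import date, datetime, timedelta, timezone

# Fixed standard-time offsets, matching the PST/EST wording in the comment.
# Assumption: daylight-saving transitions are ignored so the example runs
# offline without a tz database.
PST = timezone(timedelta(hours=-8), "PST")
EST = timezone(timedelta(hours=-5), "EST")


def claim_date_ok_naive(claim_date: date, now_utc: datetime) -> bool:
    """Reconstruction of the described bug: "today" is taken from the server's
    own wall clock (Pacific) and compared with the calendar date on the claim,
    regardless of where the submitting pharmacy is."""
    server_today = now_utc.astimezone(PST).date()
    return claim_date == server_today


def claim_date_ok_fixed(claim_date: date, now_utc: datetime,
                        pharmacy_tz: timezone) -> bool:
    """Fix: keep the clock in UTC and derive "today" in the submitting
    pharmacy's zone, so the calendar day is the one the pharmacist sees."""
    local_today = now_utc.astimezone(pharmacy_tz).date()
    return claim_date == local_today


def rejected_hours(claim_date: date, pharmacy_tz: timezone) -> list:
    """Hours of the pharmacy's local day during which the naive check rejects
    a same-day claim. For an Eastern pharmacy this is the 3-hour gap to Pacific."""
    hours = []
    for h in range(24):
        local_now = datetime(claim_date.year, claim_date.month, claim_date.day,
                             h, 30, tzinfo=pharmacy_tz)
        now_utc = local_now.astimezone(timezone.utc)
        if not claim_date_ok_naive(claim_date, now_utc):
            hours.append(h)
    return hours


def example() -> dict:
    """A constructed late-night fill: 01:30 local at a New York pharmacy."""
    claim = date(2011, 2, 10)
    now_utc = datetime(2011, 2, 10, 1, 30, tzinfo=EST).astimezone(timezone.utc)
    return {
        "naive": claim_date_ok_naive(claim, now_utc),          # False: server thinks it is still Feb 9
        "fixed": claim_date_ok_fixed(claim, now_utc, EST),     # True
        "rejected_hours_eastern": rejected_hours(claim, EST),  # [0, 1, 2]
    }


if __name__ == "__main__":
    print(example())
```

The rejection window in `rejected_hours` is exactly the offset difference between the two zones, which is why the outage lands between midnight and 3AM Eastern and never shows up for a Pacific pharmacy; a check that compares dates in the submitter's zone (or that stores and compares instants in UTC) has no such window.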
I actually did read the, admittedly, rather short article and actually quoted (using "block quotes" instead of italics might I add) the only part which mentioned the methodology undertaken. (The word "relative" does not appear anywhere in the article. Even if it did, it's an ambiguous term.)
My interpretation of the methodology is one of, e.g.:
Teacher A (a true bad teacher) has 20 good students
Teacher B (a true good teacher) has 20 bad students
(such a situation is common from what I gather at least in NY state school districts by principal design such that those students who need the most help can get it from a better teacher)
Let's say that the kids in Teacher B's class yield less of an improvement than those in Teacher A's class even though Teacher B is really a better teacher.
How could any analysis, not knowing the characteristics of the students in an admittedly biased assignment, yield the true teaching quality of Teacher A versus Teacher B?
The reporters ranked the teachers using "value added" scores, which are based on the amount of progress individual students make from year to year on standardized tests administered by the school district. The teachers whose students consistently made more than a year's progress over a school term were judged to be the most effective, and those whose students made the least progress were considered the worst.
This sounds like an unbiased system, and assuming there are no substantial confounding variables, it is. However, having had many protracted discussions with friends of mine who are teachers, I've found out that in many districts the principals identify the best teachers in the school themselves and assign the worst students to them. The "sampling" of sorts is most likely very unrandom and biased.
I'm certain this isn't captured in these test scores or being adjusted for. This would be difficult if not impossible to tease out but might be by looking for the expected patterns, i.e. a student's poor performance is less than it was with a previous teacher. Unfortunately, there are relatively objective ways to identify these problem students and add variables in a regression to adjust for them but it doesn't appear they were applied as predictors (e.g. IQ, parents' taxable income, birthday, single parent household, distance to school, ADHD or not, height, weight, play a sport, play an instrument, etc.)
I know I do
you're totally right, 5% does seem to be a lot
that said, if it makes the network usable then it's a good sacrifice
besides, I have access to wifi most of the time anyway and this new policy is a first step to charging peak/off peak for data which has been done for voice for greater than a decade
FYI -- the 94.1M subscribers includes many people without a data plan, i.e. I seriously doubt 4.7M people will be subject to throttling.
Further, I think this is actually a great idea and I already bought some iphones from verizon. I'd much rather have a responsive and reliable connection and be within a 2 gb limit than have no limit and tons of dropped calls (in certain markets at least) like with AT&T.
In certain markets, even without a limit, the poor quality of AT&T's network wouldn't even allow a user to get to 2 gigs.
my 1.5 cents
dude -- as I suggested -- this would just be for large amounts
not unlike having checks over a certain threshold signed by two people instead of just one
I don't think the "small" businesses referenced in this article have so many 150k wires/ach's going out all the time
I'm a CPA and work in corporate accounting.
(1) From this experience, I've observed that some of the better banks force the end user to enter numbers from security tokens not only to log in, but a new number to authorize each and every transaction (potentially limited by transaction size if desired). Further, transactions over a certain threshold may require two different individuals to log in to approve.
(2) I'm not a web designer or a real programmer, but does this setup still yield a possible attack? I could foresee a situation where all of this data is intercepted, but most of these security tokens are time sensitive and the end-user would notice delays on the website in use with interception. That said, if an attacker were essentially acting as a proxy for the bank site and just rekeying/scripting information from the bank user, the attacker could insert their own bank accounts in for a wire or ACH transaction. Does this described situation ever happen?
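The addendum above proposes a token that takes the amount, account and transit number as keypad input, and the question in (2) asks whether a proxy sitting between the user and the bank could still substitute its own account. Binding the code to the transaction data answers it: whatever the proxy forwards, the bank recomputes the code from the fields it actually received, so a swapped account no longer verifies. The following is an added example, not the commenter's design or any bank's or token vendor's code; it models the "amount as seed" idea as input to a keyed MAC (HMAC-SHA256 truncated the way RFC 4226 HOTP truncates), with a per-transaction counter, and the secret, account and transit values are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the token and the bank. A real token keeps
# this in tamper-resistant hardware; the bank keeps it in an HSM.
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def transaction_code(secret: bytes, amount_cents: int, account: str,
                     transit: str, counter: int, digits: int = 8) -> str:
    """Code the token computes from the data typed on its keypad.

    The bank recomputes it from the wire/ACH fields it actually received, so a
    change to any field in transit yields a different code. Assumed
    construction: HMAC-SHA256 over the fields plus a per-transaction counter,
    truncated to decimal digits as RFC 4226 HOTP does.
    """
    msg = b"|".join([
        str(amount_cents).encode(),
        account.encode(),
        transit.encode(),
        struct.pack(">Q", counter),   # counter stops replay of an old code
    ])
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class BankVerifier:
    """Bank side: one secret and one monotonically increasing counter per token."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.next_counter = 0

    def verify(self, received: dict, code: str) -> bool:
        expected = transaction_code(self.secret, received["amount_cents"],
                                    received["account"], received["transit"],
                                    self.next_counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.next_counter += 1      # a code is good for exactly one transaction
        return True


def demo() -> dict:
    """Intended wire, the same wire with the account rewritten in transit, and a replay."""
    # Constructed values: $150,000 to a placeholder account/transit pair.
    intended = {"amount_cents": 150_000_00, "account": "123456789", "transit": "987654321"}
    bank = BankVerifier(TOKEN_SECRET)

    # Token keypad: user types amount, account and transit; first use, counter 0.
    code = transaction_code(TOKEN_SECRET, intended["amount_cents"],
                            intended["account"], intended["transit"], counter=0)

    # Something between browser and bank rewrites the destination account but
    # can only forward the user's code unchanged: the bank's recomputation differs.
    tampered = dict(intended, account="999999999")
    tampered_accepted = bank.verify(tampered, code)      # False

    legit_accepted = bank.verify(intended, code)         # True, counter advances to 1
    replay_accepted = bank.verify(intended, code)        # False: same code, counter now 1

    return {"tampered": tampered_accepted, "legit": legit_accepted, "replay": replay_accepted}


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the addendum is reaching for: a login OTP only proves who started the session, whereas a code derived from the amount and destination proves what the user agreed to send, and the counter keeps a captured code from being reused even for the same payee. The property still depends on the user reading the amount and account off the token's own display rather than off the web page, since a compromised browser can show one thing and submit another.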
I guess slashdot is also missing a bit of QA :)
time and attendance?
I bet the "working with law enforcement part" is not even true
Well, until now I thought that feature among Terrans was useless...
My two cents
too true, hadn't thought of that [apt] interpretation
I'm still waiting to find out the conversion rate for unladen swallows.
I always just use strong tape to remove adhesive glue from surfaces
i.e. I repeatedly apply and reapply a piece of packing tape to any left over adhesive a few times and it removes residue quite easily
I can't use my Encyclopædia Britannica DVD from a few years ago, because it's incompatible with modern operating systems.
You could use a VM, if you really wanted to
Too bad Lulu doesn't also integrate underpants theft .