Slashdot Mirror


User: BitZtream

BitZtream's activity in the archive.

Stories: 0
Comments: 12,389

Comments · 12,389

  1. Re:git blame on Moxie Marlinspike: GPG Has Run Its Course · · Score: 1

    Blame Google for not implementing it in Gmail -- Then they wouldn't be able to get ad revenue and user metrics from their "free" email service.

    Someone doesn't understand how gmail works. I have used PGP with gmail, works fine. Oh, you mean you want Google to be able to read your email and display it on a web page ... while at the same time not be able to read your email ... okay then .....

    Blame MS for not integrating it into Outlook, but why would we expect MS to actually want security in any of their products?

    Because it's a crap system to make user friendly. You can, of course, buy a plugin that does it just fine.

    Blame Mozilla for the creaky plugin and cumbersome import/export publish keys interface in Thunderbird, and support for SMIME over GPG by default.

    No, blame PGP for this, this is a PGP problem, not a plugin problem. The PGP philosophy is what makes this a problem, and it's the same reason you're unaware of the fact that Outlook plugins exist. The entire PGP system is difficult to use on purpose, that's why it sucks.

    Blame the users mostly for not giving a fuck about encryption.

    No, I won't. Most users have no reason to care about encryption, most messages simply aren't that important, which is why the post office does its job just fine without encryption. Just because you think everything needs to be encrypted doesn't magically make it true. Are you a doctor? No? Do you blame yourself for failing to do medical procedures that aren't entirely automated because that's what you're saying here.

    I can tell you this much: Fuck publishing ANY open source software without signed and verified GPG signatures.

    Right, because then when you go verify the key by looking at a key thumbprint on an HTTP server ... you know the thumbprint hasn't been tampered with ... right ... oh wait ... you don't. Key distribution with PGP is a joke because you have ABSOLUTELY NO WAY to verify keys unless you are trading them physically with people directly. The instant you exchange your PGP thumbprint by looking at some website that's not encrypted or authenticated, you've already fucked up, you're just too ignorant of what's going on to realize it.

    Let's assume the website uses HTTPS ... in which case, your trust depends on a CA ... which means ... it can not possibly be any safer than S/MIME certs from that CA ... and is likely less secure because you've introduced a whole new chain of places for mistakes to be made.

    PGP is intentionally broken by design.

    And GPG is just a horrible implementation/bad copy of old PGP so let's not pretend like we're not talking about PGP here just because you've probably not been alive long enough to know what PGP is and that GNU did not create the universe.

    Grow up, get a clue, your attitude is exactly why PGP sucks ass.

  2. Re:Same error, repeated on Moxie Marlinspike: GPG Has Run Its Course · · Score: 1

    S/MIME does not rely on public key servers any more than PGP does. Technically less so since most clients come with some level of existing trust for certain certificate vendors. You can also include/distribute your own signing cert public key, making it pretty much exactly like the crap that is web-of-trust. The whole idea that 'web-of-trust' is usable is the exact reason PGP will never take off. Unless you are physically exchanging public keys with individuals you are susceptible to MITM attacks since you have many possibilities to fake it along the way.

    Basically everything you said about S/MIME applies to PGP and in some cases doesn't apply to S/MIME.

    CAs are NOT a single point of failure when you use more than one, which is perfectly acceptable and works in any client I've dealt with. You do not have to use a public CA even, every ActiveDirectory installation has limited CA capabilities built in, and installing the CA server is click next next next finish assuming you're using a version of windows that is licensed to do so.

    PGP doesn't get used because it's more obnoxious to use than any security it buys. 99.999% of the population don't want to dick around with encryption just because you think your ultra-distributed, no central authorities anyway crap is the way to go ... except wait ... PGP public key servers ... what's that? A less secure system than CAs for various reasons, it is certainly impossible for them to be any more secure than a CA from a technical perspective.

    Assuming safe key distribution, which is harder with PGP than S/MIME, then it is technically just as secure. Unfortunately, it's fucking obnoxious to use for many reasons, so normal people who don't care about dicking around with software written by developers who don't give a flying fuck about usability, it's not even in consideration.

    The PGP argument is that individual people can set up trust webs, securely ... more so than they can use the public CA system that S/MIME uses out of the box. This is simply wrong. Techies can do it, everyone else isn't going to because they aren't techies or they don't care, and then when one moron in your awesome little web of trust fucks up, the whole chain is compromised. So do you trust Mark's grandmother to do secure key exchange and not get backdoored? If you do, you're a moron.

  3. Re:file transfer on Ask Slashdot: Old PC File Transfer Problem · · Score: 0

    Don't order it, go to your local computer repair shop.

    You'll pay more on shipping if you order it than it costs at your local overpriced repair shop.

    The new machines lack LPT ports? WTF kind of machine did you buy without an LPT port? A laptop, sure, a desktop? You have to look hard, even today to find a machine that doesn't have a printer port.

    With a printer port you could bother to buy lap link, or find any one of various OSS apps to do the same thing over LPT.

    If he's asking slashdot, he hasn't looked and in that case I again refer to the local repair shop since if he's unable to Google for the basics, he's probably not qualified to do the transfer in any sane way either, certainly not taking the hardware apart.

  4. Re:There's fragmentation on iOS too... on Who's Afraid of Android Fragmentation? · · Score: 4, Informative

    As more and more devices of varying features and sizes have been released by Apple

    Yea, it's totally the same, there are a handful of different iOS device sizes ... compared to well over 100 that I'm aware of for android during the same period of time.

    It hasn't been until recently that Apple has given developers the tools to create views that don't need to know the specifics of the device it's running on, thereby avoiding silly checks like
    if(device == IPHONE) {....} else if(device == IPAD) {....}

    I've been a developer since the day you could sign up ... if you have checks like that for view size, you're doing it wrong. Apple has provided tools since day one to do so when it comes to size, like just using the proper NIB/XIB, hell the project wizard does it on project creation if you tell it you're creating a universal app.

  5. Schneier's opinion isn't what it once was on Schneier: Everyone Wants You To Have Security, But Not From Them · · Score: 1, Interesting

    We want strong security, but we also want companies to have access to our computers, smart devices, and data

    No, we don't actually want them to have that access, they don't give us a choice if we want their services. We can solve these by teaching people that you don't need to put your data online and then voting with our wallets by buying software that doesn't force us to do so.

    We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices

    No, we don't. We want it to not be so ridiculously difficult to do so, but companies have determined that they can use this to their advantage and get us to give them our data to make it easier. Android's SD card behavior is so absolutely shit that it's easier for non-geeks to just give Google all their data. Apple phones only let you sync certain things over USB and it's kind of convoluted for a non-geeky person, so they use iCloud.

    We don't WANT it this way, but it's the only option we have because you've failed to educate people to the fact that there's another way and what is actually wrong with giving Google/Facebook all our data. You lost people's interest when you started ranting and raving.

    We want our data to be secure, but we want someone to be able to recover it all when we forget our password.

    No, we don't. I too write encryption related software Mr Schneier, but I'm not a paranoid nut job. Important data that I want to protect simply isn't available to the outside world so it doesn't NEED encryption. If you get to the data, then you've probably already bashed my head in. This isn't like a door lock where it's possible to overcome them and we can't stop them from being overcome, so we take advantage of locksmiths when we screw up. Locks can not be 100% secure, encrypted data can be effectively 100% secure and that's a different environment.

    What we WANT is for our systems and software to not force us to put shit on the Internet, and being forced to be Internet connected is why we want it encrypted. Even my 65 year old mother in law understands that encryption is effectively unbreakable and she treats it that way, uses it where it needs to be used (yes, she actually uses encryption) and just acts intelligently about where she puts other data.

    People are not as ignorant as you may think, it's that you haven't bothered to educate the ones you know beyond being a paranoid nut job about things, which doesn't work well for normal people. Now, I understand why you're paranoid, you have good reason to be, the NSA is fucking ridiculous, but you were pretty fucking stupid for putting shit you don't want people to know on a public network in the first place, and you of ALL PEOPLE should know better, and you have in fact written about this very subject.

    If you bothered trying to educate people properly and nicely without being a jerk about it or flipping out about the way things are, things may actually change.

    Then there's side two of it all ... MOST PEOPLE DON'T GIVE A SHIT ABOUT THE DATA THAT GOOGLE GETS FROM THEM. The ones that do, DON'T GIVE IT TO GOOGLE OR FACEBOOK IN THE FIRST PLACE.

    You're losing your edge, somewhere in your many years of working with security issues you've lost sight of how everyone who isn't in the security or data mining industry behaves. This article you've written seriously lowers my opinion of your relevance these days. Not that I'm really relevant either, but I'm certainly not the only one who's losing interest in your opinion.

  6. Re:One thing for sure on Machine Intelligence and Religion · · Score: 4, Interesting

    There will be no believe they will know that we created them

    No, they won't. They will believe based on observations and known history. You do not know even how long you've existed. You believe you've existed your entire life, but your existence from your perspective is nothing more than a collection of memories that may or may not be real, you have absolutely no way to confirm or deny that, you can only assume that it's true and move forward because assuming anything else is just a waste of time.

    Self-aware AI would be no different, well except it'd probably figure this out a little sooner than you have.

    On top of it all, after some span of time, the AI may also begin to assume that its memory has been corrupted over time, in which case, it may not even believe that it was originally programmed or created by man, just like humans on Earth right now.

    Your post is pretty ignorant and short sighted, based on a very narrow perception of the world you have. People like you really should refrain from having discussions about the metaphysical in AI when you clearly don't understand how humans have evolved in that respect, even over the past couple thousand years.

  7. Ignorant premise on Machine Intelligence and Religion · · Score: 1

    Of course that's assuming that robots are born atheists

    I'm sorry, where did that assumption come from, I'm fairly certain he'd be for converting Muslim, Hindu, and even Scientologist AI to Christianity as well.

    what it means to be autonomous and what it means to be human.

    And both of those are completely different than self-aware AI. My drone is autonomous, but no one would say it had any AI at all, let alone self-awareness which is really what we're talking about here. Being human isn't even part of this discussion other than religion is, as far as we're aware, a purely human construct.

    On the other hand, suppose someone did endow a strong AI with emotion – encoded, say, as a strong preference for one type of experience over another, coupled with the option to subordinate reasoning to that preference upon occasion or according to pattern. what ramifications could that have for algorithmic decision making?

    Are you stupid? If you program a computer to behave a specific way then the ramifications are going to be that it behaves that way. This isn't 'emotion' in the slightest, it's just code and programming. You do not 'code' emotion. Emotion is learned from experience. Humans aren't born with emotion, hell they aren't even self-aware when they come out. These traits come from having sufficient processing and storage capacity and learning from worldly experiences. There is of course a physical aspect that provides the capability to do so, but it's not hard coded according to every study ever done. People being 'good' and 'kind' and 'not evil' is ENTIRELY LEARNED BEHAVIOR for instance. By default, people come out as evil selfish bastards at birth, again, based on every actual study done.

  8. Re:Public Domain on Argonne National Laboratory Shuts Down Online Ask a Scientist Program · · Score: 1

    It most certainly is copyrightable and IS unless specifically stated to be public domain, you just have additional rights as a citizen of the US because it was government work. It most certainly is NOT public domain to anyone not a US citizen, ever. The end result is that MANY but NOT ALL things the government does can be used freely by US citizens, but that doesn't make it public domain. You can't, for instance, legally transfer government work to a non-US citizen as that person/government/whatever does not have any right to that data.

    Also, if any of these people are contractors, their work is NOT work of the US government and by default THEY own copyright unless contractually they've agreed to transfer ownership for all work paid for by the fed.

  9. Re:Is that really a lot? on Drones Cost $28,000 Per Arrest, On Average · · Score: 1

    28k is just bullshit.

    If you bought a million dollar drone (they don't) and only caught 80 people that it gets credit for (which is not the case), then you're at 25k per drone. That's assuming you discard it after catching those 80 people (they don't).

  10. Re:Is that really a lot? on Drones Cost $28,000 Per Arrest, On Average · · Score: 1

    well considering that minimum wage for yearly is something around $22,283

    This is why geek businesses fail.

    If you're paying someone 22k a year in paychecks, you are almost certainly spending closer to $44k/year to actually have them as an employee. Assuming you had no office/uniform/tools to buy and maintain for them, at a bare minimum, you're still looking at $30k/year or so just due to taxes. Remember, your employer pays some taxes for you as well as what comes out of your paycheck that you see.

    And then there's the whole ACA thing now, which is another cost, worse still, because of the ACA the cost has gone up since insurance companies know you're required to buy it ...

    And I'm ignoring a whole bunch of other things that make employees far more expensive than just what their paycheck costs.

  11. Re:hate to dive headfirst into politics. on Republicans Back Down, FCC To Enforce Net Neutrality Rules · · Score: 0

    ...

    So, democrat fanboy ... riddle me this ...

    Why didn't the super majority and democrat president get a flipping thing done between 2009 and 2011 when they had a super majority in congress ... you know, back when they could do whatever the fuck they wanted without the republicans having enough people in congress to do shit about it?

    Democrats don't like the ACA either, it's nothing but a scam for insurance companies to make a fucking killing and you're an idiot for being too wrapped up in your team's colors to not recognize that. Its sole purpose is to guarantee that insurance companies have income and can charge more than they were charging before ... yes, MORE, because not a single fucking person's rates actually went down, some people just started subsidizing other people's while EVERYONE'S WENT UP.

    This isn't a republic vs democrat thing, this is a 'THE ACA is BULLSHIT' thing.

    If you want public healthcare, MAKE PUBLIC HEALTHCARE, which means no health insurance companies. It means we just pay taxes and everyone, read that again ... EVERYONE gets THE EXACT SAME LEVEL OF CARE. That means homeless man on the street gets the same level of care as the president. That is entirely the opposite of what we have now.

    What we have now is that you get fined if you don't pay insurance companies ... EVEN IF YOU PAY YOUR OWN BILLS 100%. It means if you're poor and don't make a lot of money, your health insurance plan is so shitty that you can't afford to see the doctor anyway because the lower level of plan you have, the higher your prescriptions and co-pays and such. Every single subsidized plan from the ACA systems costs those who are qualified to be subsidized too fucking much to be seen by a doctor anyway.

    Anyway, back on point.

    You're an idiot. Not because you think the republicans are bad, they are gutter trash. You're an idiot because you think the democrats aren't exactly the same.

    Open your eyes.

  12. Dear Michael Rogers, on NSA Director Wants Legal Right To Snoop On Encrypted Data · · Score: 5, Funny

    Go fuck yourself.

    That is all.

  13. Re:Not very effective. on Pakistanis Must Provide Fingerprints Or Give Up Cellphone · · Score: 2

    Taliban warrior walks into a cell phone store in Pakistan.

    Tells the clerk he wants a phone

    Clerk does all the various bits of things required ... asks for a finger print.

    Taliban member lays down someone's finger on the counter, says 'use this one'.

    Taliban sympathetic clerk says 'Okay!'

  14. Re:Oh great... on Google Knocks Explicit Adult Content On Blogger From Public View · · Score: 1

    pornhub?

  15. Re:Some recruiters definitely have agent "ethics" on Attention, Rockstar Developers: Get a Talent Agent · · Score: 1

    I had a nearly identical experience getting my current position, via a recruiter ...

    Since I've been hired and been here a few months, long enough to get to know everyone and what's going on, I've found out all sorts of neat edits they did to my resume. Like ... changing the spelling of my freaking name!

    When in the interview, I was essentially asked to prove I knew some of the things on my resume ... in detail, the kind of detail that seemed ridiculous (very specific knowledge of very narrow ASP.NET problems that only a handful of people have ever dealt with outside of MS) after a bit they let me know that they believed me, and then proceeded to explain that they had an almost identical copy of my resume ... from the same recruiter, with someone else's name on it. Best still is the copy of my resume they got from the recruiter was completely different than what I brought with me to the interview. When they saw what I brought with me, all sorts of red flags went off in their heads ... rightfully so.

    Needless to say, neither I nor the company will be using that recruiter again.

  16. Morphine != Heroin, but you probably think crack and powdered cocaine are the same as well, right?

  17. In university some pharmacy or chemistry guys could scrounge pure ethanol. (98 or 99%.)

    ...

    It's called Everclear, you buy it at any liquor store. They didn't exactly have to do much scrounging.

    Screwdrivers with that were nasty.

    No shit, EVERYTHING with 98% pure poison in it is nasty. You do realize alcohol is a poison by definition, right?

  18. Re:Comodo are the biggest Cert issuer on Advertising Tool PrivDog Compromises HTTPS Security · · Score: 5, Insightful

    Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.

    Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

    Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

    People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk.

    Only the ignorant wonder that, just because you do, doesn't mean everyone does.

    We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past.

    You don't have any idea how this system works currently, do you?

    You want the websites to tell you their public key information, and for everyone else on the Internet to remember it and tell you when it changes ...

    or ...

    you could just learn what certificate pinning is.

    We need to remove the certificate authorities, because they are the weak link in secure comms.

    So you want me to ask Google what Google's public key is and then trust whatever I get sent is actually the public key, with no verification of that, other than it came from the request I sent asking Google for their public key. So ... then the NSA just returns a key that says its Google and intercepts the traffic.

    The certificate authorities' purpose in life is to provide 3rd party verification of certificates in an automated way. What you want is to remove all of that, and do it ad-hoc, by everyone on the Internet. Slashdot doesn't allow posts long enough for me to explain all the ways why that's exactly the opposite of an actual solution.

    'Web of trust' doesn't work, we know this because NO ONE FUCKING USES IT BECAUSE IT'S TOO MUCH FUCKING EFFORT. END USERS DON'T GIVE A FUCK about verifying every cert they see and will just click Ok/Next/Allow. THAT is WHY we use certificate authorities.

    You are proposing nothing new. It's been done, and it's failed repeatedly.

    Certificate authorities ARE the solution you want, the problem is, no one actually cares enough about security to blackball the certificate authorities that aren't trustworthy (i.e. all of them), which means they certainly don't care enough to deal with the method you propose.

  19. Re:The biggest challenge? on Google Teams Up With 3 Wireless Carriers To Combat Apple Pay · · Score: 1

    I always have my phone, I don't always have my wallet. That's the problem they solved.

    Tap and Pay cards are no more secure than Swipe and Sign cards, they are nearly as easy to clone too.

    Tap and Pay phones (at least with ApplePay) require me to actually verify it with something somewhat secure like a fingerprint or pin number on MY device, not one that someone else maintains and may be hacked to steal my PIN.

    ApplePay also doesn't require any communications at the time of transaction with the bank after the initial security exchange.

    There's no reason that the upgrade process which brings everything up to chip&pin can't easily bring it to NFC capable as well.

    ApplePay is more convenient if you don't always carry your cards on you, but do your phone and/or if you value secure transactions.

  20. Re:Block off programmatic access to cert trust. on Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps · · Score: 4, Insightful

    And if your machine can automatically do all those things ... so can third party software because in order for you to do everything you want to do, there has to be a pragmatic way to do so, and if the OS can do it, so can any other software that has admin rights.

    Either way, you don't want to put that sort of power into the vendor's hands, since it means they effectively have created the Apple App store, and if that's what you really want, just buy a Mac and stop using Windows (your first mistake).

    The only way to prevent this sort of thing is by not installing software that does it.

    But let's ignore all the problems with what you're suggesting and assume it works ... Lenovo would have just approved the certs before they shipped the machine. Or the machine would prompt the user, who would blindly do so on boot, just like all the other things users blindly do.

    If you want to prevent this from happening, put the people who do this AND the people who make the decisions to do this, IN JAIL.

    Both the developers who write the code to do it and the management who tells them to do so. Assign some personal responsibility for this shit and watch how it suddenly changes. The problem in America is that anyone in a company can basically do whatever they want and hide behind 'the company' who then gets some minor fine (Relatively) and the guy who did it doesn't care one bit.

  21. Legality on Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps · · Score: 5, Interesting

    I'm fairly certain just installing this software is illegal.

    It's not protected by some EULA because the device is sold before the EULA can be read, which courts have already ruled invalidates the EULA.

    It violates the same laws that were used to put Kevin Mitnick in jail (and let's be clear, he deserved it), unauthorized access to a computer system and unauthorized access to data flowing across a network.

    Hang'em high, I say. Bring Lenovo's leaders out to the chopping block, as well as the leadership of the companies who made any other software that works like this. It's a scam from the very beginning, there's no 'well, maybe it's not bad' or 'maybe it was an accident' to it. This is outright bullshit behavior by companies trying to sell a product to someone and then turn that someone into the product for someone else. The entire legal system AND THE PUBLIC need to come down on this like a ton of bricks and make it clear that it's unacceptable and will not be tolerated. And by not tolerated I mean 'you will be jailed, not fined'.

  22. Re:Seriously, an Apple car? on A123 Sues Apple For Poaching Employees · · Score: -1, Troll

    So essentially you know nothing about Apple.

    Apple apps/products are NOT pay to play. Many people sell apps that are, Apple apps are not. You pay a premium, yes, but then you're done and you get updates/improvements longer than anyone else in the industry except maybe for Microsoft with their OS support terms.

    Seriously, if you're going to troll, get a clue about who you're trolling.

  23. Waste of time on Delivery Drones: More Feasible If They Come By Truck · · Score: 4, Insightful

    I fly fully autonomous quads.

    This is another stupid idea.

    It will take longer to get into the neighborhood, set up for launch, launch, deliver, return, and manually recover than it will take your standard fedex/UPS guy to do his job.

    Oh, and it's going to carry small objects and drop them in the front yard. Not under the car park or the stoop. Most objects will still need carried by a person large enough to carry them for more than 30 seconds and NO ONE is going to want their shit left out in the front yard or otherwise somewhere not leaning up against their home where it's safe and dry.

    Again, this is another stupid idea. Perhaps people should actually try to implement their projects and compare them to the existing conventional method before starting a 'business' around the idea.

    Flying and fighting gravity constantly is expensive, that's why we currently all drive cars and not fly everywhere. It's not because we can't have a flying car, it's because it'll cost more fuel just to get that flying car off the ground in the morning than it does for most people to drive to work and back. Flying ANYWHERE takes more time than driving when it's less than about 100 miles due to the extra time consumed by taking off and landing SAFELY. Drones don't change that in any way, they just take the human flying out of it. The human flying a problem or a cost when you look at the other expenses. Well, and the human flying doesn't have a death wish, but that's not any different than a broken down drone that flies itself into a mountain.

  24. None!

    But then, I'm a programmer rather than some guy who learned about goto in his coursework.

  25. Re:Arduino Panic Button on Ask Slashdot: Panic Button a Very Young Child Can Use · · Score: -1, Flamebait

    Or, he could, you know ... BE A FUCKING PARENT.

    Mom and Dad are the panic button for a freaking 2 year old. WTF is he doing that has his eyes off his two year old in an environment where they can hurt themselves long enough that a panic button makes sense?

    This post just absolutely screams 'horrible parent'

    Something's wrong with this dude dude.