Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
Some notes on this... Merchant agreements PROHIBIT merchants from asking for ID and DO NOT REQUIRE that merchants check signatures. In fact Visa et al actually essentially PUNISH vendors who do. Famously, Wal-Mart used to have a policy to check signatures and VISA successfully argued that they should not be on the hook to cover fraudulent purchases that Wal-Mart should have caught via signature checks (ie, they said Wal-Mart's employees were inconsistent). So over 10 years ago Wal-Mart changed their corporate policy and cashiers are instructed to NOT check signatures. The same amount of fraud happens, but VISA et al are now on the hook and can't blame Wal-Mart employees.
In Europe, the card vendors were forced by law into Chip+Pin. VISA has more profit that the GDP of many countries and they don't even loan out money. They don't care about a little fraud. Their concern in the USA was users might periodically forget their PINs and pay with cash instead. So they lobbied to keep signatures, and of course our congress persons don't listen to security experts if corporate interests disagree.
He said "get a will and you're covered". I don't think he was talking about losing a computer to lightning, but getting struck personally while you're walking around.
That said, there are things you can do for that, too... try not to be the tallest object during a thunderstorm (ex, don't be in a boat on the lake, don't be in the middle of a field, and don't hide under the tallest tree). As you point out, there are very few times when burying your head in the sand is the best move.
Android has no API for "take_a_photo_with_permission()", there's just stuff to access the camera. It definitely makes sense why facebook app might need access to the camera: it clearly supports taking photos directly, and that's something users want. I'm not sure about Firefox or Chrome, but maybe flash runs within the brower's security context, so the browser would need permission to access the camera if flash was going to?
I highly doubt facebook, chrome, and firefox are using the camera without our knowledge. That said, the permission system on android could be improved to ensure this doesn't happen. Google has alread said they don't want to do that, though.
Is there a timeline on this? I see the lifetime purchase of Switchboard is currently discounted. Will I be able to get the linux version before the price goes up?
I could maybe justify it right now to secure the price, but I literally only have 1 windows machine at home: a laptop my wife uses, so it would be a tad useless.
Doesn't Open Source predate the free software movement? When Richard Stallman was fighting with that printer which he didn't have a driver for, he was using a Unix machine. Traditionally, Unix has come with the source code but you were restricted with what you could do with it. That sounds like Open Source to me.
The DOJ isn't involved yet, so cut the conspiracy bullshit.
Whether a monopoly is illegal isn't decided by how you acquired the monopoly. It's what you do after you achieve monopoly level market share which determines whether your monopoly is legal or illegal. You can be as anticompetitive as you want, but once you dominate any market segment, you have to be careful how you use that dominance.
I agree Google is probably fine, but for different reasons.
Really? Because we subscribe to Google Apps and let me tell you, Google Docs is incredible for shared content creation even if it is absolutely horrendous at formatting.
And LibreOffice/OpenOffice are almost as good as MS Office for sharing... put the files on a Samba share and then utilize the trackchanges and commenting systems built into the application.
So our process is often generate the content quickly in Google Docs, then 1 person copy/splats that into LibreOffice and cleans up the formatting (adding company watermarks, properly inserting figures, etc).
I won't be installing it on my desktop or servers any time soon,
I should hope not! Installing a browser kiosk on your desktop would be weird, and if you installed it on a server I might have to take away your keys to the server room.
While I'm sure to be modded down for asking the hard questions and I doubt anybody would have had the guts to ask him
What the hell is this shit? Your comment reads like you asked why he murdered your wife. You're not publically interogating Salvatore Riina, you're asking Linus about ABIs. That's not a question that takes "guts" to ask. Cut the dramatic bullshit.
I'm an engineer. We have a couple of copies of Matlab on a floating license, but mostly use the Sci lab. All the engineers run Linux, so MS Office isn't an option. Only management and sales have MS Office licenses. We do our documentation (internal and external data sheets, etc) in LaTeX. Other documents show up as LibreOffice.
So even for those of us that use that stuff... it needn't be important.
MatLab integrates with excel? How? By exporting to CSV? My copy of Matlab is several years old, so this could certainly be a new feature, but what exactly is the integration?
1. DMCA Complaint filed with service provider (ISP, webhost, youtube). 2. Offending content (image, song, etc) removed by ISP (or could be held liable). 3. (optional) Counter-claim filed, restores content. 4. (optional) Remaining details worked out in court.
And prior to the DMCA, your way is exactly how it worked, except the ISP didn't have to pull the content and the rights owner had more difficulty finding the individual who posted the content as the service provider was under no obligation to tell them without a court order. That abuse of the DMCA system is already rampant and congress wants to expand the power to include DNS blocking is madness.
Do you think the UPS/USPS/FedEx guy dropping goods off at your home is doing it for free? They're providing a service that is paid for - Amazon may be giving you "free shipping" but it's really just rolled into your purchase price.
He already addressed this when he said
And besides, how do you think the merchandise gets to your brick and mortar store? Magic?? They pay suppliers too, who obviously factor in cost of delivery into their pricing scheme. Granted, stores obviously pay less for shipping in bulk, but then again, Amazon has deals with the shipping companies to get discounts too...
The shipping cost Amazon pays to get individual items to your home is probably more than the cost the brick and motor store pays, but since Amazon has fewer employees, they have more room to cut prices and still have the same or higher profit margins.
There's a form you're supposed to fill out each year to account for all the spending you made and didn't pay local sales tax on. Corporations are policed pretty well, so they fill it out; talk to your purchasing dept or accounting dept if you are skeptical... everything they buy online is taxed, and if the tax isn't already taken out by the seller, then your company fills out the paperwork and pays it on their own.
As a private citizen, you're supposed to do the same. You obviously don't. It's ok, I don't either.
but they have little incentive to lock out all the systems.
Here I disagree. There's a reason Google makes it a requirement than OEMs include the ability to turn off secure boot... Google doesn't trust the OEMs -- for good reason.
It would be safe to assume that any PC marketed towards enthusiast or enterprise will have the option to disable the Secure Boot in the bios
That's probably true. I don't think I've every purchased an enthusiast or enterprise PC. I've built a number of my own enthusiast rigs and I've purchased a fair dozen Acer/eMachine/HP low end boxes. These are the ones that risk loosing dual boot.
Buy a Dell. Or an HP. Or an Acer. Now compare the BIOS/UEFI setup menu with an off the shelf motherboard (Asus, ASRock, Epox, etc). The off the shelf motherboard will have WAY more features than the Dell, HP, or Acer.
That you haven't seen a BIOS with minimal features either means you've a) never built a computer, b) never run a major whitebox system, or c) never looked and compared.
Disclaimer: I don't believe being a language designer adds or removes any credibility from your statement, regardless of the company you work for.
I wonder if people that decide to purchase Windows 8 to use directly on a PC they built would be required to install some firmware update to give Microsoft its way.
No. Microsoft is not preventing Windows 8 from running anywhere. The OS does not check to ensure the hardware is secure. The hardware (or rather, UEFI... the new BIOS) checks the kernel to ensure the signature matches before running it. Hardware that doesn't do this check will still boot Windows 8 just fine. Hardware that does this check will still run Windows 9 when it comes out. It won't run Linux and probably not Windows 7 or Vista, unless you get copies that have signed binaries OR the hardware allows you to disable the check.
Microsoft isn't telling OEMs that they can't allow the user to disable the check, but they're also not telling OEMs that they have to allow the user to disable the check.
Windows 8 competes with Windows 7 and they have to allow users to upgrade with an old PC. It would be stupid to implement an OS that requires a Secure Boot mode, because it would mean that mean that users would have to buy new hardware.
You don't understand binary signing or secure boot, do you? Windows 8 binaries will be signed. Signed binaries can run anywhere. It's only when hardware or the BIOS checks the signature before allowing code to execute that binary signing matters, and then only for binaries that are unsigned. Nobody has suggested that Windows 8 won't run on computers without UEFI secure boot. Microsoft has stated that computers which ship with the "Microsoft Windows 8 Certified" sticker must have secure boot enabled by default and ship with MS's public key such that the UEFI system can check the signature before allowing the system to boot.
The concern is not that Windows 8 won't run on old computers (it will.) The concern is that hardware manufactures will ship computers will ship UEFI systems that don't allow the consumer to add their own public keys or a means to disable secure boot (such as the hardware switch Google requires on ChromeBooks). It's not a concern that MS is requiring they don't allow secure boot to be disabled (and that's why its not an antitrust concern), but that OEMs will not allow the user to disable it.
Garret/RedHat has apparently confirmed that some OEMs intend to do just that. And it's in their interest. They already try to require that you boot windows to run their goofy utility to prove your CD-ROM is non-functioning. With secure boot required, the OEM (Dell, HP, Acer) knows the computer will only run Windows, so they won't have to train their employees about how to handle cases where the consumer is running an unsupported configuration and unable to run the tool.
It would be a stupid business decision especially when over 95% of consumers prefer Windows over Linux anyways. There is little to gain for Microsoft and a lot to lose
Indeed it would. And that's why they're not doing whatever it is you thought secure boot meant, nor are they requiring that OEMs only allow Windows to boot. However, they also aren't following Google's lead and requiring OEMs include a way to boot anything other than Windows. And some OEMs might take that cheaper route. Indeed, RedHat says some intend to.
Consumers who care about this issue should look for this feature in whatever device they purchase. What's all the fuss?
When you first installed Linux on your computer, was it on a computer you purchased for the purpose of installing Linux on, or on a computer that you already owned? While existing Linux users might care enough to search for hardware that has a hardware switch like the Chromebook or an option to disable signed binaries via the UEFI setup menus, but new Linux users will not. They will see/hear about their friends and co-workers using Linux and decide to experiment on their own, only to find out their computer isn't able to install anything but Windows 8+ because of something about keys. And for most people, that's as far as it will go.
The fuss is about locking out new users and preventing people from using systems they bought as they wish.
Modern floppies were made much more cheaply. I have a 20yr old computer that still boots from 5.25" floppies, and it works fine. I also had 3.5" floppies in the 2003-2005 range that lost all their data if you looked at them funny.
Slashdot Mirror
A lot is an article or set of articles for sale at an auction. Both sausage and stolen credit card numbers are often sold via online auctions.
Since no one ever checks signatures properly, stolen cards can easily be used for fraud in the US, without needing to shoulder surf for a PIN first.
Some notes on this... Merchant agreements PROHIBIT merchants from asking for ID and DO NOT REQUIRE that merchants check signatures. In fact Visa et al actually essentially PUNISH vendors who do. Famously, Wal-Mart used to have a policy to check signatures and VISA successfully argued that they should not be on the hook to cover fraudulent purchases that Wal-Mart should have caught via signature checks (ie, they said Wal-Mart's employees were inconsistent). So over 10 years ago Wal-Mart changed their corporate policy and cashiers are instructed to NOT check signatures. The same amount of fraud happens, but VISA et al are now on the hook and can't blame Wal-Mart employees.
In Europe, the card vendors were forced by law into Chip+Pin. VISA has more profit that the GDP of many countries and they don't even loan out money. They don't care about a little fraud. Their concern in the USA was users might periodically forget their PINs and pay with cash instead. So they lobbied to keep signatures, and of course our congress persons don't listen to security experts if corporate interests disagree.
This may be helpful. It was posted to slashdot a few years ago.
He said "get a will and you're covered". I don't think he was talking about losing a computer to lightning, but getting struck personally while you're walking around.
That said, there are things you can do for that, too... try not to be the tallest object during a thunderstorm (ex, don't be in a boat on the lake, don't be in the middle of a field, and don't hide under the tallest tree). As you point out, there are very few times when burying your head in the sand is the best move.
Android has no API for "take_a_photo_with_permission()", there's just stuff to access the camera. It definitely makes sense why facebook app might need access to the camera: it clearly supports taking photos directly, and that's something users want. I'm not sure about Firefox or Chrome, but maybe flash runs within the brower's security context, so the browser would need permission to access the camera if flash was going to?
I highly doubt facebook, chrome, and firefox are using the camera without our knowledge. That said, the permission system on android could be improved to ensure this doesn't happen. Google has alread said they don't want to do that, though.
Is there a timeline on this? I see the lifetime purchase of Switchboard is currently discounted. Will I be able to get the linux version before the price goes up?
I could maybe justify it right now to secure the price, but I literally only have 1 windows machine at home: a laptop my wife uses, so it would be a tad useless.
Doesn't Open Source predate the free software movement? When Richard Stallman was fighting with that printer which he didn't have a driver for, he was using a Unix machine. Traditionally, Unix has come with the source code but you were restricted with what you could do with it. That sounds like Open Source to me.
Doom is open source. You still need the level file (*.wad) to play the game. You have to pay for that.
The DOJ isn't involved yet, so cut the conspiracy bullshit.
Whether a monopoly is illegal isn't decided by how you acquired the monopoly. It's what you do after you achieve monopoly level market share which determines whether your monopoly is legal or illegal. You can be as anticompetitive as you want, but once you dominate any market segment, you have to be careful how you use that dominance.
I agree Google is probably fine, but for different reasons.
Really? Because we subscribe to Google Apps and let me tell you, Google Docs is incredible for shared content creation even if it is absolutely horrendous at formatting.
And LibreOffice/OpenOffice are almost as good as MS Office for sharing... put the files on a Samba share and then utilize the trackchanges and commenting systems built into the application.
So our process is often generate the content quickly in Google Docs, then 1 person copy/splats that into LibreOffice and cleans up the formatting (adding company watermarks, properly inserting figures, etc).
I won't be installing it on my desktop or servers any time soon,
I should hope not! Installing a browser kiosk on your desktop would be weird, and if you installed it on a server I might have to take away your keys to the server room.
Is he afraid of kids getting access to porn or is he afraid of kids becoming politically active and starting a "Russian Spring" or sorts?
While I'm sure to be modded down for asking the hard questions and I doubt anybody would have had the guts to ask him
What the hell is this shit? Your comment reads like you asked why he murdered your wife. You're not publically interogating Salvatore Riina, you're asking Linus about ABIs. That's not a question that takes "guts" to ask. Cut the dramatic bullshit.
I'm an engineer. We have a couple of copies of Matlab on a floating license, but mostly use the Sci lab. All the engineers run Linux, so MS Office isn't an option. Only management and sales have MS Office licenses. We do our documentation (internal and external data sheets, etc) in LaTeX. Other documents show up as LibreOffice.
So even for those of us that use that stuff... it needn't be important.
MatLab integrates with excel? How? By exporting to CSV? My copy of Matlab is several years old, so this could certainly be a new feature, but what exactly is the integration?
The DMCA already provides this sort of action.
1. DMCA Complaint filed with service provider (ISP, webhost, youtube).
2. Offending content (image, song, etc) removed by ISP (or could be held liable).
3. (optional) Counter-claim filed, restores content.
4. (optional) Remaining details worked out in court.
And prior to the DMCA, your way is exactly how it worked, except the ISP didn't have to pull the content and the rights owner had more difficulty finding the individual who posted the content as the service provider was under no obligation to tell them without a court order. That abuse of the DMCA system is already rampant and congress wants to expand the power to include DNS blocking is madness.
Applying a state tax to interstate commerce is a clear violation of that authority, and the authority of the US government to levy excises.
Good thing it's a Sales and Use Tax, and not just a Sales Tax so that it's not technically a tax on interstate trade.
Do you think the UPS/USPS/FedEx guy dropping goods off at your home is doing it for free? They're providing a service that is paid for - Amazon may be giving you "free shipping" but it's really just rolled into your purchase price.
He already addressed this when he said
And besides, how do you think the merchandise gets to your brick and mortar store? Magic?? They pay suppliers too, who obviously factor in cost of delivery into their pricing scheme. Granted, stores obviously pay less for shipping in bulk, but then again, Amazon has deals with the shipping companies to get discounts too...
The shipping cost Amazon pays to get individual items to your home is probably more than the cost the brick and motor store pays, but since Amazon has fewer employees, they have more room to cut prices and still have the same or higher profit margins.
What "use" taxes?
There's a form you're supposed to fill out each year to account for all the spending you made and didn't pay local sales tax on. Corporations are policed pretty well, so they fill it out; talk to your purchasing dept or accounting dept if you are skeptical... everything they buy online is taxed, and if the tax isn't already taken out by the seller, then your company fills out the paperwork and pays it on their own.
As a private citizen, you're supposed to do the same. You obviously don't. It's ok, I don't either.
I agree.
Here I disagree. There's a reason Google makes it a requirement than OEMs include the ability to turn off secure boot... Google doesn't trust the OEMs -- for good reason.
That's probably true. I don't think I've every purchased an enthusiast or enterprise PC. I've built a number of my own enthusiast rigs and I've purchased a fair dozen Acer/eMachine/HP low end boxes. These are the ones that risk loosing dual boot.
Buy a Dell. Or an HP. Or an Acer. Now compare the BIOS/UEFI setup menu with an off the shelf motherboard (Asus, ASRock, Epox, etc). The off the shelf motherboard will have WAY more features than the Dell, HP, or Acer.
That you haven't seen a BIOS with minimal features either means you've a) never built a computer, b) never run a major whitebox system, or c) never looked and compared.
Disclaimer: I don't believe being a language designer adds or removes any credibility from your statement, regardless of the company you work for.
No. Microsoft is not preventing Windows 8 from running anywhere. The OS does not check to ensure the hardware is secure. The hardware (or rather, UEFI... the new BIOS) checks the kernel to ensure the signature matches before running it. Hardware that doesn't do this check will still boot Windows 8 just fine. Hardware that does this check will still run Windows 9 when it comes out. It won't run Linux and probably not Windows 7 or Vista, unless you get copies that have signed binaries OR the hardware allows you to disable the check.
Microsoft isn't telling OEMs that they can't allow the user to disable the check, but they're also not telling OEMs that they have to allow the user to disable the check.
You don't understand binary signing or secure boot, do you? Windows 8 binaries will be signed. Signed binaries can run anywhere. It's only when hardware or the BIOS checks the signature before allowing code to execute that binary signing matters, and then only for binaries that are unsigned. Nobody has suggested that Windows 8 won't run on computers without UEFI secure boot. Microsoft has stated that computers which ship with the "Microsoft Windows 8 Certified" sticker must have secure boot enabled by default and ship with MS's public key such that the UEFI system can check the signature before allowing the system to boot.
The concern is not that Windows 8 won't run on old computers (it will.) The concern is that hardware manufactures will ship computers will ship UEFI systems that don't allow the consumer to add their own public keys or a means to disable secure boot (such as the hardware switch Google requires on ChromeBooks). It's not a concern that MS is requiring they don't allow secure boot to be disabled (and that's why its not an antitrust concern), but that OEMs will not allow the user to disable it.
Garret/RedHat has apparently confirmed that some OEMs intend to do just that. And it's in their interest. They already try to require that you boot windows to run their goofy utility to prove your CD-ROM is non-functioning. With secure boot required, the OEM (Dell, HP, Acer) knows the computer will only run Windows, so they won't have to train their employees about how to handle cases where the consumer is running an unsupported configuration and unable to run the tool.
Indeed it would. And that's why they're not doing whatever it is you thought secure boot meant, nor are they requiring that OEMs only allow Windows to boot. However, they also aren't following Google's lead and requiring OEMs include a way to boot anything other than Windows. And some OEMs might take that cheaper route. Indeed, RedHat says some intend to.
Consumers who care about this issue should look for this feature in whatever device they purchase. What's all the fuss?
When you first installed Linux on your computer, was it on a computer you purchased for the purpose of installing Linux on, or on a computer that you already owned? While existing Linux users might care enough to search for hardware that has a hardware switch like the Chromebook or an option to disable signed binaries via the UEFI setup menus, but new Linux users will not. They will see/hear about their friends and co-workers using Linux and decide to experiment on their own, only to find out their computer isn't able to install anything but Windows 8+ because of something about keys. And for most people, that's as far as it will go.
The fuss is about locking out new users and preventing people from using systems they bought as they wish.
Modern floppies were made much more cheaply. I have a 20yr old computer that still boots from 5.25" floppies, and it works fine. I also had 3.5" floppies in the 2003-2005 range that lost all their data if you looked at them funny.