Well, in cities, there are millions of internet subscribers on cable or DSL lines.
There are not swaths of land where everyone living there has a satellite or 4G hookup that they use to sit around browsing the 'net like normal people. Typically those people just don't get the Internet. They're a small part of the country, but an important part, and Congress or the FCC occasionally make a show of promising to fix it so they all get high-speed broadband cable, and then go back to talking about other stuff in hopes that people forget why they have this warm fuzzy feeling about voting them back into office. It's not a conspiracy to keep broadband out of run-down rural areas so much as it is that you need to say something, and have a stance, but not necessarily have a (viable) plan, and so they step up and say yeah, that would be nice, we should look into doing stuff.
You use gross generalizations which include the famous appeal to emotion "people are suffering and dying because they don't have jobs" and an NGO. WTF?
No, I'm comparing the non-government organization (ProPublica)'s arguments to yours, and carrying them to completion, as a way to demonstrate your argument in a more-relatable context.
You claim that this person's actions can provide him a potential monetary benefit somewhere down the line, thus he has taken action for personal gain, regardless of all other factors or circumstance. I pointed out a similar claim made by someone else about cost overhead, and carried it out to its conclusion (that people's wages are also "overhead" and they should just work for free), and then carried that conclusion even farther into the absurd to demonstrate that your personal actions are the cause of somebody's suffering and, likely, somebody's death, all for your own personal financial gain by securing employment.
Your argument was that ridiculous. I made a square comparison to it.
I don't believe you fully understand moral relativism. Moral relativism is changing the rules when you believe it suits your position or beliefs.
Actually,
Moral relativism may be any of several philosophical positions concerned with the differences in moral judgments across different people and cultures.
Moral relativism requires that exactly the same situation placed into the context of two different cultural groups be viewed as differently-moral. If you're trying to re-define air as "the liquid form of dihydrogen monoxide, generally occurring at standard atmospheric pressure between 0C and 100C", nobody's buying it.
Do you know how much it costs to buy a bottle of Gatorade or some kind of juice versus making half a gallon of FCOJ? A 10oz bottle of Minute Maid OJ costs like $1.89; a half gallon made from FCOJ costs $2.50.
Sometimes I go out to get food. I can get a double cheeseburger for $1.25 from McDonalds, but sometimes I spend $15 on something like Lamb Saag, which has 2-3 times the calories in total.
I throw $20s around willy-nilly. I've been using Mint for years to track my expenses and curtail a lot of that. You know I used to spend $670/month on food in 2008? I've had it as low as $120/month, but these days I spend around $300.
Tightening my budget up has allowed me to pass like 2/3 of my income to debt remediation and savings, although my personal accounts are a bit of a mess... I decided to put $18,000 into 401(k) last year so I can give myself an emergency loan in a pinch, and had a room that was uninsulated and had open airflow to the outside rebuilt; now I have a loan source in emergencies, I cut my utility bill by over 10%, and I'm trying to drive down cash advances on credit cards (plus a car loan, because my car broke and I bought a used Volt for $12,000). That doesn't mean I don't still leak money like a sieve.
Are you sure you don't throw silver dollars around when you walk down the street?
Rural areas are more likely to be unserved by fiber, cable, and DSL ISPs than people who live in more densely populated areas.
They're also not served by a lush economy of widely-available, high-subscribership satellite and 4G LTE Internet.
the banner blindness effect is likely to depress the click-through rate (CTR) of text ads
I only notice ads when they show me something I just browsed to. I otherwise get that blindness effect. On the other hand, I have a slight compulsion to take in information, and text ads are of a structure where they convey their information meaningfully in the same spatial format. In other words: I notice there was an ad, and that it had a picture or is colorful, but wasn't attention-grabbing; if the ad has the same information (product name, quick description, price, Web site) in the same place, I pick up a full understanding of everything in the brief milliseconds it takes for me to realize the thing I'm looking at is an ad. Image ads can shove enough information down my visual pathways to satisfy me before I even get to reading the pitch.
I can see how an image ad can stand out more and make a powerful impact, but only if someone looks at it. Putting charts, graphs, and bullet-point lists flying around in front of someone can just relay that there's shapes and colors and some objects of no contextual importance there; putting these into a body of information they're trying to take in can relay huge amounts of information, and is a great way to convey ideas. People don't sit down to do a hard study of your ad, so the nice, easy, 10-second flash loop isn't necessarily going to have the same effect as a graphical diagram of some physics bullshit they're trying to study.
It's possible that they'll get more people like me with text ads, and that a lot of people will actually stop to ingest an ad for a few dedicated seconds if it's there, thus the image ads are more-effective in total. Those of us with ad blockers and complaints about all these ads might be a loud minority.
So, if I hack into your bank account, I'm just standing outside your bank yelling, "Hey, can you give me some money? Maybe viperidaenz's? He's got some!" and they're handing me cash, and I haven't done anything wrong?
Fair enough. I haven't run into that as an issue, although I tend to not buy arbitrary IoT stuff. I know it was a problem with printers for a while--FTP and HTTP, not telnet--and otherwise only heard of routers having Telnet open.
Still. The strategy I describe would put the IoT hub on the Internet, but not the IoT devices. Any such vulnerability would be... rapidly exploited by the first laptop you used to browse Internet Web sites, ad-blocker or not, because of course it would.
It's still a good first step, and the god damned front door is iron-clad and bolted into a reinforced frame and wall. So there are windows; let's worry about that next.
What was this fallacy? I forgot. The one that says only one thing can happen at a time and everything else should stop happening until something like cancer is not a thing anymore.
You're going out to ridiculous lengths. It's like when ProPublica claimed Red Cross's "real overhead" is 40%, not the 9% they publish, because "they hire contractors, who have overhead." Well shit, son, the people doing the work get paid; that's overhead, and they should work for free!
I think we disagree on principle, where I don't subscribe to moral relativism.
Moral relativism is a matter of whether the same exact action is moral or amoral based on the society's culture and, essentially, how common it is, and if the society at large accepts it. The large problem with moral relativism is you can oppress a subculture (e.g. all women, blacks, Jews) and have your society at large accept things like rape and murder, while as an explicit part of the social structure a definable group of people are not afforded the security society is supposed to offer.
Moral relativism doesn't have anything to do with scale or intent, which is what's described here. You claim that, somewhere down the line, this guy profited. Well, you profit from having a job, and there are limited jobs available due to demand economics, and more people than jobs. People are suffering and dying because they don't have jobs; by your extreme reasoning, you are a murderer for taking a job which would have otherwise supported another person who now struggles to find food, or who is now dead.
April 2015. Look at the unemployment numbers. Down, down, down,... still down, but not as quickly. Inflection. I've been saying that such an inflection indicates the recovery is over, and that the long historical trend is to enter a new recession about 2 years later.
This is actually a large part of my justification for a Universal Social Security: to diminish the strength of recessions, to reduce their duration, to speed their recovery, and to protect the working-class American from the loss of life and livelihood through no personal fault. Make those peaks smaller, make recovery come sooner, make the jobs return faster, and help the people of this country weather the storm until it passes.
I've been looking for the second inflection point that says the recession is starting, but it takes like four months to confirm, and even then it could be a localized disturbance. Pretty much everything--even the 100% reliable, absolutely-repeatable trends--is just probability; there will be a new recession, and the likelihood that it's starting increases continuously, and these indicators are increasingly-likely to signal the start the longer they go on.
Pretty much, it's unlikely that a new recession is starting until 2 years after the indicator of recovery; it's likely a new recession is about to take off when the unemployment figure has shown continuous inability to hold a downward trend for a few months at the likely time of new recession. The further out you get from recovery and the longer the unemployment figure struggles to show a continued reduction, the more-likely you are to plunge suddenly into recession in the immediate future.
That implies that folks crying that the recession was coming in 2012 or 2014 were fantastically-wrong for reasons visible in 2012 and 2014; folks claiming a new recession was just about to land on our heads in 2015 were also demonstrably probably-wrong in 2015; and folks claiming it's coming today might be wrong, but are more-likely to be right. If the economy goes level for an unusually-long time and doesn't show any indication of changing its behavior, we're back to "we just don't know and we have no case for why we're more-likely to be right right now, so how 'bout we all just shut up?"
But yes, a lot of people have been crying that a new recession is right around the corner for a long, long time. People are noisy like that.
Ads should be a few kilobytes. The average Web user visits 1,200 pages per month; the top trend was 2,600 per month in 2010, and can be around 5,000 per month today.
If the ad is a 32kB image, that's 160MB per month, which is pretty significant at per-GB costs like that, but not for your standard broadband at all (you know, the stuff that keeps getting 200GB caps). If the ad is text, it's like 40-50 bytes, probably wrapped in 400 bytes of JS calls because why not, so 2MB per month.
Facebook is full of ads, but not really dense: Facebook users chew through tons of news feed, encounter videos getting shared around, and generally consume a lot of content. Ads are relatively-rare, but when you pull that much content... yeah.
Likewise, YouTube and Twitch belch the occasional video ad (!), but those come from places shoving video down your pipe anyway. The content is also a lot bigger than your pipe. For stuff like CNet, I find this obnoxious; and when Fark and Slashdot had video ads (!!!) that was unacceptable. For YouTube... you're on YouTube; a 15-second ad before your 5-minute video isn't going to kill you. If your bandwidth is that expensive, you should probably avoid YouTube.
So, no, ads aren't a great deal of people's bandwidth and have a relative cost of about zero. They have an absolute cost of zero except under extremely-special circumstances. There are ads that try to break this mold with enormous flash downloads and HTML5 video; those ads need to die. What we need are more text ads.
Implementing a modern standard is easier than implementing general security. The vendors aren't leaving telnet ports open (most of them, anyway); they're implementing Web applications with shitty validation, listening and processing unauthenticated requests from anywhere and then simply not taking action because the (now-fully-processed) request wants to access a resource that requires authentication. You find a validation bug, you get fun stuff to happen.
The vendors are implementing standards. Poorly. Implementing this standard in any functional way makes them untouchable, so it doesn't matter how shitty their code is.
Arranging the infrastructure wouldn't be necessarily-legal. The ownership and control of the source of the attack may be illegal. The attack itself, however, would not constitute an additional illegal act beyond just having a botnet and sitting on it.
Likewise, if I just spun up several thousand micro-servers in AWS spread across all data centers and smashed the shit out of your site with requests declaring their source to a dead IP in the same subnet, I could have your servers pump out tons of HTTP responses with large images and other assets and kill itself. Totally legal, right?
Absolutely, this guy could have done this for personal gain and causing harm to others. Oh wait, isn't that exactly what happened?
Even criminal hacking is delineated by financial damage and, usually, criminal intent (mens rea). If you can't show more than $5,000 of damage, the FBI generally doesn't care.
Calling you a giant douchebag causes harm to others: you get your feelings hurt and feel bad for a little while. Psychological pain tends to cause maturation--even traumatized soldiers develop more mature defense mechanisms (they grow up and become actual adults) compared to people in the service with less or less-traumatic combat experience--but that's not generally a good excuse for tormenting people. Typically, we scale the torment: are you an asshole, or a malicious actor inflicting extreme psychiatric harm?
This guy's "personal gain" was some Internet fame. That's distinct from the usual meter of personal gain as a transfer from others: criminal "personal gain" implies you took something from someone else, so their loss is your gain. That's how scams work: you invest a bunch of money and I run away with it without delivering to you the benefit of which I've convinced you you'll receive.
So there isn't a viable harm or personal gain argument here; there's only a possible procedural complaint.
Right on, CNN is now out educating people about the dangers of phishing and teaching everyone how to read mail headers and verify! Oh wait, that is not what they are doing. They are using it to bash an administration that they dislike and have bashed since election day.
CNN is attempting to draw attention for personal gain, and laying out a narrative to influence thought. The Internet vigilante in this story was being a huge dork to amuse himself. The question was what information came out of this, not what service he offered; he didn't release private information (which shows an intent to not cause harm), and didn't provide a service. What's left? Only what we can derive from the experience--and it is an observable fact that the people and the staff around those people who got caught up in this are now asking questions beyond "how do we hang this guy for embarrassing us?", so they have themselves derived specific information. The fact that they need to continue this process to make use of said information is also important.
I've actually thought a lot about IoT security, as well as independence from service providers.
I had at some point started this but uh. Was... diverted.
The idea was to have an IoT hub that acts as the gateway to your IoT device. An IoT device or client would connect to an IoT hub via some system (e.g. Bluetooth) that's not flat-out open (e.g. you have to push a button and confirm pairing). The IoT hub uses a self-signed TLS certificate and exchanges it with a newly-generated certificate on the device or client. Voilà: identity.
It works with self-signed certificates because you have to be physically present to exchange them: you've verified face-to-face with the issuer, so the certificate is valid. Because of this trust, the IoT hub can sign extra certificates, acting as a CA.
The IoT hub can get itself an IPv6 Internet address. If so, it can exchange that address to your client (e.g. phone, Yubikey) or IoT device (which might now be in another building, communicating over the Internet to your hub!). Now your devices know how to talk to the hub, and can tell it their address if they so desire when they're somewhere off in another network or on the local LAN.
When your phone, computer, or anything else tries to talk to the IoT Hub, the HTTPS connection initiates over TLS using the exchanged keys: each device authenticates the other by validating certificates first. Your entire attack surface is the Kernel's network stack and facilities it uses; the code paths in the Web server that handle the request; and the code paths in your encryption library that validate e.g. Curve25519 ECC (TLS 1.3 required). If you have an exploitable vulnerability and it's not in that set of code, then your IoT Hub and your IoT devices are patently unhackable, period.
Let's face it: You can't hack what you can't access. The surface I describe above is equivalent to the air gap when you unplug a network cable, except this air gap might be hackable. If you can't hack that air gap, you can't hack what's behind it.
That leaves you one big, important piece of security: key management. You have to keep those private keys on the client devices away from malicious actors (hackers, worms, trojans). Pass-through to a Yubikey U2F would be great, but... tricky. The only way to use a hardware security key is to validate the certificate, then do a U2F validation, enlarging the attack surface. In theory, the client software could send a challenge to the Yubikey, get a response, and send a signed session key down the pipe encrypted with the IoT Hub's public key; but you can't use the Yubikey to decrypt something sent encrypted by the certificate, so it's a no-go.
This is actually app-to-app 2-factor if you're doing it by TLS exchange, then U2F: the app "knows" (permanently stores) its TLS key, and it "has" (is running on a machine physically capable of accessing) the Yubikey.
So, yeah. Unhackable IoT proxy, for some reasonable definition of "unhackable" (that being the reduction of probability of hackability by restricting the portion of running code in which vulnerabilities will enable a successful exploit).
The other part was to provide service, either in proxy or right on the IoT hub, packaged as Docker containers. You'd have to provide authentication per-app, validated by IoT device identity (i.e. your Nest Cams each have a separate key, and those keys identify them, and those devices are given access only to the Nest Cam service) or by Client identity (each client application would have a separate key) both at the front-end Web server and by the service itself. Services may be clients of each other.
So what have we got?
You can access your IoT devices through your own public IP, rather than bouncing through a cloud service.
You may be able to disconnect your IoT from the cloud. Google has a lot of stuff with the Ne
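The pairing-and-mutual-TLS scheme from the post above, as an added example that is not the poster's code: the hub's self-signed certificate doubles as the CA, pairing signs a fresh device key, and the hub's TLS 1.3 config rejects any peer whose certificate was not signed by the hub, so an unpaired device never gets past the TLS library. It uses only Go's standard library with P-256 certificates; names such as hub.local, thermostat-01 and rogue-cam are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Identity is a certificate plus its key; the hub's is self-signed and doubles as the CA.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	TLS  tls.Certificate // the same pair in the form crypto/tls wants
}
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
// makeCert issues tmpl for a fresh P-256 key; with parent == nil it is self-signed.
func makeCert(tmpl *x509.Certificate, parent *Identity) *Identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent = &Identity{Cert: tmpl, Key: key}
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // unique enough for a home hub
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().AddDate(10, 0, 0)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key))
	cert := must(x509.ParseCertificate(der))
	return &Identity{Cert: cert, Key: key, TLS: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}}
}
// NewHub builds the hub's self-signed certificate; IsCA lets it sign device certificates later.
func NewHub(name string) *Identity {
	return makeCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, nil)
}
// Pair is the push-the-button step: the hub signs a fresh device key, so no outside CA is involved.
func (hub *Identity) Pair(deviceName string) *Identity {
	return makeCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: deviceName},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, hub)
}
// trust returns a pool that contains exactly one certificate: the one exchanged at pairing.
func trust(c *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c)
	return p
}
// HubConfig: TLS 1.3 only; the handshake fails unless the peer's certificate was signed by this hub.
func (hub *Identity) HubConfig() *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{hub.TLS}, MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust(hub.Cert)}
}
// DeviceConfig trusts exactly one hub: the certificate the device received while pairing.
func (dev *Identity) DeviceConfig(hub *x509.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{dev.TLS}, MinVersion: tls.VersionTLS13,
		RootCAs: trust(hub), ServerName: hub.Subject.CommonName}
}
// Connect runs one mutually authenticated handshake over loopback and returns the hub's
// greeting, or an error when either side rejected the other's certificate.
func Connect(hubCfg, devCfg *tls.Config) (string, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	done := make(chan struct{})
	go func() { // the hub side
		defer close(done)
		if raw, err := ln.Accept(); err == nil {
			srv := tls.Server(raw, hubCfg)
			if srv.Handshake() == nil { // device certificate verified against the hub CA
				fmt.Fprintf(srv, "hello %s", srv.ConnectionState().PeerCertificates[0].Subject.CommonName)
			} // on failure the TLS alert reaches the device as a read error
			raw.Close()
		}
	}()
	defer func() { ln.Close(); <-done }()
	cli, err := tls.Dial("tcp", ln.Addr().String(), devCfg) // the device verifies the hub here
	if err != nil {
		return "", err
	}
	defer cli.Close()
	buf := make([]byte, 128)
	n, err := cli.Read(buf)
	return string(buf[:n]), err
}
func main() {
	hub, stranger := NewHub("hub.local"), NewHub("hub.local") // same name, unrelated keys
	fmt.Println(Connect(hub.HubConfig(), hub.Pair("thermostat-01").DeviceConfig(hub.Cert)))
	fmt.Println(Connect(hub.HubConfig(), stranger.Pair("rogue-cam").DeviceConfig(hub.Cert)))
}
```

The second call in main is the unpaired case: the rogue device's certificate chains to a different self-signed hub, so the handshake is refused before any application code runs.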
The fact that people can be fooled in this way in this particular organization. That's actually useful. The guy might be making an ass of folks, but that's harmless; people can do the same thing to cause harm. By his actions, he's made people more-vigilant; however, they need to take this information and instill permanent policies, as that vigilance is only temporary.
You have some rational basis for that trust, beyond the size and presumed motivations/ethics/history of that COMMUNITY?
One community is a corporate culture that builds an OS image in-house, publishes it for their particular phone, and gets scrutiny when someone decides to try to dismantle the binary image on their particular phone or snoop what's going out the cellular radio. Their OS can hide what's going out the radio, so they need a logic analyzer or specialized radio equipment (lots of effort, not necessarily lots of cost, enormous technical expertise). They can start with an open-source asset and modify it to their taste, and mostly restrict inspection--especially of their own source repositories--to a small number of eyes. You can even have most developers not know about some parts of the code, because they simply have no reason to inspect the entire code base.
The other is working out in the open. They publish binary images for hundreds of different phones, built from the same source. They're liable to inject the same Trojan horse into several, if not all, models if they're being nefarious. Their repositories are open, and so we can do a spot-check of differences between their code repositories and the official repositories. The official repositories are high-profile; the derived, open-source repositories are also high-profile, but less-so; even security researchers are significantly interested in what's going on with this stuff, and have the ready opportunity to examine it. Hiding things is more-difficult.
The likelihood of getting caught is higher for one of these than the other.
His argument is also internally-inconsistent. Android can't keep up with Apple because the hardware is just better, and Android won't support the better hardware; and on top of that, the hardware isn't even the difference, but rather the improvements are made in the software!... wait, hold on. The... fuck am I... hold on, let me check my notes here...
First thing I do with a new phone, I wipe it and install LineageOS. Somebody else builds the ROM and I don't have the time or resources to personally-inspect the source code, so it's mostly a more-trusted quantity; and everybody sees it and sees the build process, so there are at least a dozen primary developers, a couple hundred bored hobbyists, and the occasional security researcher looking at the built ROM and the source code. Between the diff against Android and the massive number of eyes on Android's source trees, a lot of people have to be involved in a conspiracy to mess with my phone for there to be anything intentionally-malicious in there.
I like OnePlus, but I'm not going to run their OS just so it can repeatedly try to sell themes to me. If there was a Lineage ChromiumOS, I'd put that on my Chromebook.
If you hide a time-lock safe, people go, "Shit, I didn't bring the tools for this." That's the odd thing about computers: they can be perfectly secure. A safe you can drill through in a week or so; code is math, and you have to find a mistake in the math or else no amount of axes and sledgehammers is getting you in.
That's why reducing attack surface and layered security are paramount: less attack surface means the flaws are more-likely to be somewhere else; layers of security means you need to find multiple flaws in your attack surface--and you may need to get through higher layers to exploit flaws in lower layers anyway (although that doesn't matter, since you still need to break it all). This is why hacking into a home network directly is nigh on impossible (you can't even get into the Web configuration UI! You're looking for a high-impact kernel-level networking bug in a NAT router!), while hacking banks and corporate Web services is a constant threat (lots and lots of shit to attack).
It's easy. They'll secretly stop paying attention to comments at all, thus mitigating the whole thing.
This has already been put through numerous test runs over the past months.
The point wasn't that they used a password; there was a further point down that LinkedIn had de-authorized them from non-password-protected mechanisms: they told them they're now specifically not allowed to do that, which means they're not.
Imagine if you ssh'd to a bank's accounting system across the 'net and found that it just lets you log in as root, no password. Is that also legal?
I'm not sure what you mean by this.
I do.
No because it would be illegal. People do pay thousands of dollars to borrow an illegal botnet for DDoS, though.
The senators are just having trouble finding girls on Craigslist who aren't hookers.
What was this fallacy? I forgot. The one that says only one thing can happen at a time and everything else should stop happening until something like cancer is not a thing anymore.
You're going out to ridiculous lengths. It's like when ProPublica claimed Red Cross's "real overhead" is 40%, not the 9% they publish, because "they hire contractors, who have overhead." Well shit, son, the people doing the work get paid; that's overhead, and they should work for free!
I think we disagree on principle, where I don't subscribe to moral relativism.
Moral relativism is a matter of whether the same exact action is moral or amoral based on the society's culture and, essentially, how common it is, and if the society at large accepts it. The large problem with moral relativism is you can oppress a subculture (e.g. all women, blacks, Jews) and have your society at large accept things like rape and murder, while as an explicit part of the social structure a definable group of people are not afforded the security society is supposed to offer.
Moral relativism doesn't have anything to do with scale or intent, which is what's described here. You claim that, somewhere down the line, this guy profited. Well, you profit from having a job, and there are limited jobs available due to demand economics, and more people than jobs. People are suffering and dying because they don't have jobs; by your extreme reasoning, you are a murderer for taking a job which would have otherwise supported another person who now struggles to find food, or who is now dead.
April 2015. Look at the unemployment numbers. Down, down, down, ... still down, but not as quickly. Inflection. I've been saying that such an inflection indicates the recovery is over, and that the long historical trend is to enter a new recession about 2 years later.
This is actually a large part of my justification for a Universal Social Security: to diminish the strength of recessions, to reduce their duration, to speed their recovery, and to protect the working-class American from the loss of life and livelihood through no personal fault. Make those peaks smaller, make recovery come sooner, make the jobs return faster, and help the people of this country weather the storm until it passes.
I've been looking for the second inflection point that says the recession is starting, but it takes like four months to confirm, and even then it could be a localized disturbance. Pretty much everything--even the 100% reliable, absolutely-repeatable trends--is just probability; there will be a new recession, and the likelihood that it's starting increases continuously, and these indicators are increasingly-likely to signal the start the longer they go on.
Pretty much, it's unlikely that a new recession is starting until 2 years after the indicator of recovery; it's likely a new recession is about to take off when the unemployment figure has shown continuous inability to hold a downward trend for a few months at the likely time of new recession. The further out you get from recovery and the longer the unemployment figure struggles to show a continued reduction, the more-likely you are to plunge suddenly into recession in the immediate future.
That implies that folks crying that the recession was coming in 2012 or 2014 were fantastically-wrong for reasons visible in 2012 and 2014; folks claiming a new recession was just about to land on our heads in 2015 were also demonstrably probably-wrong in 2015; and folks claiming it's coming today might be wrong, but are more-likely to be right. If the economy goes level for an unusually-long time and doesn't show any indication of changing its behavior, we're back to "we just don't know and we have no case for why we're more-likely to be right right now, so how 'bout we all just shut up?"
But yes, a lot of people have been crying that a new recession is right around the corner for a long, long time. People are noisy like that.
Ads should be a few kilobytes. The average Web user visits 1,200 pages per month; the top trend was 2,600 per month in 2010, and can be around 5,000 per month today.
If the ad is a 32kB image, that's 160MB per month, which is pretty significant at per-GB costs like that, but not for your standard broadband at all (you know, the stuff that keeps getting 200GB caps). If the ad is text, it's like 40-50 bytes, probably wrapped in 400 bytes of JS calls because why not, so 2MB per month.
Facebook is full of ads, but not really dense: Facebook users chew through tons of news feed, encounter videos getting shared around, and generally consume a lot of content. Ads are relatively-rare, but when you pull that much content... yeah.
Likewise, YouTube and Twitch belch the occasional video ad (!), but those come from places shoving video down your pipe anyway. The content is also a lot bigger than your pipe. For stuff like CNet, I find this obnoxious; and when Fark and Slashdot had video ads (!!!) that was unacceptable. For YouTube... you're on YouTube; a 15-second ad before your 5-minute video isn't going to kill you. If your bandwidth is that expensive, you should probably avoid YouTube.
So, no, ads aren't a great deal of people's bandwidth and have a relative cost of about zero. They have an absolute cost of zero except under extremely-special circumstances. There are ads that try to break this mold with enormous flash downloads and HTML5 video; those ads need to die. What we need are more text ads.
Implementing a modern standard is easier than implementing general security. The vendors aren't leaving telnet ports open (most of them, anyway); they're implementing Web applications with shitty validation, listening and processing unauthenticated requests from anywhere and then simply not taking action because the (now-fully-processed) request wants to access a resource that requires authentication. You find a validation bug, you get fun stuff to happen.
The vendors are implementing standards. Poorly. Implementing this standard in any functional way makes them untouchable, so it doesn't matter how shitty their code is.
Arranging the infrastructure wouldn't be necessarily-legal. The ownership and control of the source of the attack may be illegal. The attack itself, however, would not constitute an additional illegal act beyond just having a botnet and sitting on it.
Likewise, if I just spun up several thousand micro-servers in AWS spread across all data centers and smashed the shit out of your site with requests declaring their source to a dead IP in the same subnet, I could have your servers pump out tons of HTTP responses with large images and other assets and kill themselves. Totally legal, right?
Standards require organization, or you get 14 standards.
Absolutely, this guy could have done this for personal gain and causing harm to others. Oh wait, isn't that exactly what happened?
Even criminal hacking is delineated by financial damage and, usually, criminal intent (mens rea). If you can't show more than $5,000 of damage, the FBI generally doesn't care.
Calling you a giant douchebag causes harm to others: you get your feelings hurt and feel bad for a little while. Psychological pain tends to cause maturation--even traumatized soldiers develop more mature defense mechanisms (they grow up and become actual adults) compared to people in the service with less or less-traumatic combat experience--but that's not generally a good excuse for tormenting people. Typically, we scale the torment: are you an asshole, or a malicious actor inflicting extreme psychiatric harm?
This guy's "personal gain" was some Internet fame. That's distinct from the usual meter of personal gain as a transfer from others: criminal "personal gain" implies you took something from someone else, so their loss is your gain. That's how scams work: you invest a bunch of money and I run away with it without delivering to you the benefit of which I've convinced you you'll receive.
So there isn't a viable harm or personal gain argument here; there's only a possible procedural complaint.
Right on, CNN is now out educating people about the dangers of phishing and teaching everyone how to read mail headers and verify! Oh wait, that is not what they are doing. They are using it to bash an administration that they dislike and have bashed since election day.
CNN is attempting to draw attention for personal gain, and laying out a narrative to influence thought. The Internet vigilante in this story was being a huge dork to amuse himself. The question was what information came out of this, not what service he offered; he didn't release private information (which shows an intent to not cause harm), and didn't provide a service. What's left? Only what we can derive from the experience--and it is an observable fact that the people and the staff around those people who got caught up in this are now asking questions beyond "how do we hang this guy for embarrassing us?", so they have themselves derived specific information. The fact that they need to continue this process to make use of said information is also important.
I've actually thought a lot about IoT security, as well as independence from service providers.
I had at some point started this but uh. Was ... diverted.
The idea was to have an IoT hub that acts as the gateway to your IoT device. An IoT device or client would connect to an IoT hub via some system (e.g. Bluetooth) that's not flat-out open (e.g. you have to push a button and confirm pairing). The IoT hub uses a self-signed TLS certificate and exchanges it with a newly-generated certificate on the device or client. Voilà: identity.
It works with self-signed certificates because you have to be physically present to exchange them: you've verified face-to-face with the issuer, so the certificate is valid. Because of this trust, the IoT hub can sign extra certificates, acting as a CA.
The IoT hub can get itself an IPv6 Internet address. If so, it can exchange that address to your client (e.g. phone, Yubikey) or IoT device (which might now be in another building, communicating over the Internet to your hub!). Now your devices know how to talk to the hub, and can tell it their address if they so desire when they're somewhere off in another network or on the local LAN.
When your phone, computer, or anything else tries to talk to the IoT Hub, the HTTPS connection initiates over TLS using the exchanged keys: each device authenticates the other by validating certificates first. Your entire attack surface is the kernel's network stack and facilities it uses; the code paths in the Web server that handle the request; and the code paths in your encryption library that validate e.g. Curve25519 ECC (TLS 1.3 required). If you have an exploitable vulnerability and it's not in that set of code, then your IoT Hub and your IoT devices are patently unhackable, period.
Let's face it: You can't hack what you can't access. The surface I describe above is equivalent to the air gap when you unplug a network cable, except this air gap might be hackable. If you can't hack that air gap, you can't hack what's behind it.
That leaves you one big, important piece of security: key management. You have to keep those private keys on the client devices away from malicious actors (hackers, worms, trojans). Pass-through to a Yubikey U2F would be great, but ...tricky. The only way to use a hardware security key is to validate the certificate, then do a U2F validation, enlarging the attack surface. In theory, the client software could send a challenge to the Yubikey, get a response, and send a signed session key down the pipe encrypted with the IoT Hub's public key; but you can't use the Yubikey to decrypt something sent encrypted by the certificate, so it's a no-go.
This is actually app-to-app 2-factor if you're doing it by TLS exchange, then U2F: the app "knows" (permanently stores) its TLS key, and it "has" (is running on a machine physically capable of accessing) the Yubikey.
So, yeah. Unhackable IoT proxy, for some reasonable definition of "unhackable" (that being the reduction of probability of hackability by restricting the portion of running code in which vulnerabilities will enable a successful exploit).
The other part was to provide service, either in proxy or right on the IoT hub, packaged as Docker containers. You'd have to provide authentication per-app, validated by IoT device identity (i.e. your Nest Cams each have a separate key, and those keys identify them, and those devices are given access only to the Nest Cam service) or by Client identity (each client application would have a separate key) both at the front-end Web server and by the service itself. Services may be clients of each other.
So what have we got?
You can access your IoT devices through your own public IP, rather than bouncing through a cloud service.
You may be able to disconnect your IoT from the cloud. Google has a lot of stuff with the Ne
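The hub design laid out in the comment above (self-signed hub certificate, pairing-time enrollment, hub acting as CA, mutual certificate validation before any request is handled, TLS 1.3 only), as an added example in Go that is not the commenter's code or any project's. Everything here is assumed for illustration: the hub name `hub.local`, the device name `nest-cam-1`, Ed25519 keys for the certificates (the comment's Curve25519 mention refers to the key exchange, which Go's TLS 1.3 stack negotiates on its own), a one-year lifetime, and a loopback TCP socket standing in for the Internet path between device and hub. `Enroll` is the pairing step: the hub only ever sees the device's public key, so the device's private key stays on the device, which is the key-management point the comment makes later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

const hubName = "hub.local" // assumed name a device expects on the hub's certificate
type Hub struct {
	Cert  tls.Certificate // self-signed: serves TLS and signs for paired devices
	Roots *x509.CertPool  // the only root a paired device ever trusts
}

// template: the hub cert is a CA plus TLS server; a device cert is a client-auth leaf.
func template(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	t := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
		t.ExtKeyUsage = append(t.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
		t.DNSNames = []string{cn}
	}
	return t
}

// NewHub generates the hub's Ed25519 key and its self-signed certificate.
func NewHub() (*Hub, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := template(hubName, true)
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key) // parent == self
	if err != nil {
		return nil, err
	}
	ca, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Hub{Cert: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: ca}, Roots: roots}, nil
}

// Enroll is the pairing step: after the physical confirmation the hub signs a DER
// certificate binding name to the device's public key (the private key stays on the device).
func (h *Hub) Enroll(name string, devPub ed25519.PublicKey) ([]byte, error) {
	return x509.CreateCertificate(rand.Reader, template(name, false), h.Cert.Leaf, devPub, h.Cert.PrivateKey)
}

// Connect runs one mutual TLS 1.3 handshake over loopback TCP (hub listens, device
// dials). Each side validates the other's certificate before any request is handled;
// it returns the CommonName the hub verified on the device, or the first error raised.
func Connect(hub *Hub, device tls.Certificate, deviceTrust *x509.CertPool) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	hubCfg := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{hub.Cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no paired certificate, no service at all
		ClientCAs:    hub.Roots,
	}
	var peer string
	hubSide := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			conn := tls.Server(raw, hubCfg)
			defer conn.Close()
			if err = conn.Handshake(); err == nil {
				peer = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		hubSide <- err // nil, or why the hub refused the device
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{device},
		RootCAs:      deviceTrust, // the device pins the hub it paired with
		ServerName:   hubName,
	})
	if err != nil {
		return "", err // the device refused the hub's certificate
	}
	defer conn.Close()
	err = <-hubSide
	return peer, err
}
```

Three outcomes are worth checking against this: a device enrolled by this hub gets through and the hub learns its name from the certificate; a device enrolled by some other hub is refused by the hub before the server ever sees a request (Go reports an unknown authority on the client certificate); and a device that does not have this hub in its roots refuses the hub, so a look-alike hub gets nothing from the device either. That refusal-before-parsing is what the comment calls the air gap: the only code an unpaired peer can reach is the TLS handshake itself. What the example does not solve is the other half the comment raises: the device's private key sits in `tls.Certificate.PrivateKey` in process memory, and protecting it from a compromised client is a separate problem.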
Your bandwidth is enormous and ads which aren't enormous don't cost it significantly. Some of these things are 30kB images or even text ads.
The fact that people can be fooled in this way in this particular organization. That's actually useful. The guy might be making an ass of folks, but that's harmless; people can do the same thing to cause harm. By his actions, he's made people more-vigilant; however, they need to take this information and instill permanent policies, as that vigilance is only temporary.
You have some rational basis for that trust, beyond the size and presumed motivations/ethics/history of that COMMUNITY?
One community is a corporate culture that builds an OS image in-house, publishes it for their particular phone, and gets scrutiny when someone decides to try to dismantle the binary image on their particular phone or snoop what's going out the cellular radio. Their OS can hide what's going out the radio, so they need a logic analyzer or specialized radio equipment (lots of effort, not necessarily lots of cost, enormous technical expertise). They can start with an open-source asset and modify it to their taste, and mostly restrict inspection--especially of their own source repositories--to a small number of eyes. You can even have most developers not know about some parts of the code, because they simply have no reason to inspect the entire code base.
The other is working out in the open. They publish binary images for hundreds of different phones, built from the same source. They're liable to inject the same Trojan horse into several, if not all, models if they're being nefarious. Their repositories are open, and so we can do a spot-check of differences between their code repositories and the official repositories. The official repositories are high-profile; the derived, open-source repositories are also high-profile, but less-so; even security researchers are significantly interested in what's going on with this stuff, and have the ready opportunity to examine it. Hiding things is more-difficult.
The likelihood of getting caught is higher for one of these than the other.
His argument is also internally-inconsistent. Android can't keep up with Apple because the hardware is just better, and Android won't support the better hardware; and on top of that, the hardware isn't even the difference, but rather the improvements are made in the software! ... wait, hold on. The... fuck am I... hold on, let me check my notes here...
First thing I do with a new phone, I wipe it and install LineageOS. Somebody else builds the ROM and I don't have the time or resources to personally-inspect the source code, so it's mostly a more-trusted quantity; and everybody sees it and sees the build process, so there are at least a dozen primary developers, a couple hundred bored hobbyists, and the occasional security researcher looking at the built ROM and the source code. Between the diff against Android and the massive number of eyes on Android's source trees, a lot of people have to be involved in a conspiracy to mess with my phone for there to be anything intentionally-malicious in there.
I like OnePlus, but I'm not going to run their OS just so it can repeatedly try to sell themes to me. If there was a Lineage ChromiumOS, I'd put that on my Chromebook.
If you hide a time-lock safe, people go, "Shit, I didn't bring the tools for this." That's the odd thing about computers: they can be perfectly secure. A safe you can drill through in a week or so; code is math, and you have to find a mistake in the math or else no amount of axes and sledgehammers is getting you in.
That's why reducing attack surface and layered security are paramount: less attack surface means the flaws are more-likely to be somewhere else; layers of security means you need to find multiple flaws in your attack surface--and you may need to get through higher layers to exploit flaws in lower layers anyway (although that doesn't matter, since you still need to break it all). This is why hacking into a home network directly is nigh on impossible (you can't even get into the Web configuration UI! You're looking for a high-impact kernel-level networking bug in a NAT router!), while hacking banks and corporate Web services is a constant threat (lots and lots of shit to attack).
Security is an odd topic.
It's easy. They'll secretly stop paying attention to comments at all, thus mitigating the whole thing. This has already been put through numerous test runs over the past months.
The point wasn't that they used a password; there was a further point down that LinkedIn had de-authorized them from non-password-protected mechanisms: they told them they're now specifically not allowed to do that, which means they're not.
Imagine if you ssh'd to a bank's accounting system across the 'net and found that it just lets you log in as root, no password. Is that also legal?