- That the government has not demonstrated that delving into the user's private search history is relevant or may advance the case at all,
A search warrant merely needs probable cause. One user's history seems like "a particular place or thing to be searched". The gov't doesn't have to prove that any evidence seized will even be used.
- That the data is not the property of the individual but rather a trade secret, or
That might work for a civil lawsuit, but it's absolutely not gonna fly in a murder case.
- That Amazon is an unrelated 3rd party and should not be compelled to cooperate in something which it is peripherally related.
Doesn't work for banks, telephone companies, Internet providers, etc. It doesn't work for a retailer with security cameras. This also isn't a fishing expedition; it's probable (at least according to the judge who approved the warrant) that Amazon has evidence that may be relevant. Besides, for all we know, they have exculpatory evidence. Both sides have the right to compulsory process.
All that said, I have a modest proposal.
If Amazon intends to keep recordings and use them for profit, they should be compelled to produce those recordings when the public interest so demands.
If Amazon wants to be exempt from that, they can submit to rigorous and frequent government audits to prove they are not recording anything, in the public interest of privacy of citizens.
Commercial aircraft operators (and possibly other common carriers) are required to keep a passenger (pax) manifest, for notification purposes in case of an accident or an incident involving a passenger. I think this was first required by the Warsaw Convention (now Montreal Convention). In theory it applies only to international air travel, but many nations have applied it to domestic air travel as well, because what is or is not "international air travel" under the Convention is a convoluted definition. Easier just to have everyone keep a manifest.
I'm not backing the NFL here, but this blackout rule doesn't bother me much and it has at least some basis in reality and fairness: to have a full stadium experience (I won't argue whether that's really worth it these days). IIRC, the doesn't kick in until 72 hours before kickoff, it only applies to networks within 75 miles and it only applies to local broadcast/cable TV (you still get the game on Sunday Ticket). And, in most cases, local businesses will buy up the unused tickets to give to charity, and the NFL relents, and the whole issue is moot.
I'm far more pissed with the blackout rules for MLB. I live in Las Vegas, I have the MLB.TV package, and I am blacked out from at least 6 teams (Dodgers, Angels, D-Backs, Padres, A's, Giants). None of those teams are within 300 miles of me, so I'm not driving to home games. And yet, I can't watch any of those teams, because (in theory) I should have access to those teams from my local cable network. But the cable cos and the networks like to bitch about retransmission fees and so I haven't seen the Dodgers all year.
The REALLY stupid blackout rule: Hawaii is blacked out from the Giants & A's. HAWAII !!!! I know there's kayaks in McCovey Cove every game, but I have yet to see any Polynesian catamarans.
1) If the job is really terrible -- crazy boss, lousy environment, not enough funding -- it should be obvious within 30 days or so. At most companies this is a probationary period anyway. I've quit a couple of jobs quickly for these reasons, and I've found that HR (if not the boss) is generally okay with this. Act professionally, of course, give notice and all that, but It's better to cut ties early if you feel that you and the employer are not a good match.
2) Assuming I get past 30 days and still like it, I've always tried to make it to 2 years before trading up. I've found that after year 1, I'll get a bonus or a bump in salary almost automatically. Year 2 is when the employer starts to look for something more out of me, and also when I'll get a better idea of possible career paths within the company.
My experience is that job hopping is not a big deal as long as you have good reasons, and as long as it's not TOO often. Good reasons include relocation, a substantial (I'd say 25%+) bump in pay, or changing jobs to do what you really want to do. No one will care that you only worked 3 months at The Gap before finding a Web developer job.
I'd say you follow the same process: inform them, wait 1/3/7 days or whatever, then go public. If you suspect the exploit is deliberate, informing the manufacturer isn't telling them anything they didn't already know. Or, maybe it IS telling them, since in the case of open source, the exploit could have been introduced surreptitiously by a developer who's long gone, and the current developers have no idea of the exploit's existence.
Caveat: if you suspect revealing the bug will cause blowback to you. If you think the NSA/FBI/CIA will come after you for threatening to reveal it, I'd say just go public immediately, and include major press orgs so they can't just silence you.
Minor quibble with this. SEAD is a combat tactic which assumes you're already at war and suppressing defenses to advance a specific mission. A no-fly zone is a strategic patrol. It tells the enemy that you have overwhelming air superiority within the theater, and it assumes the enemy isn't willing to risk testing the no-fly zone. In the past no-fly zones have been more or less declared and imposed, and actually SEAD missions were unnecessary.
To be sure, actually enforcing a no-fly zone could require SEAD missions, in which case, it's not so no-fly. But yeah, it's still a dumb idea here, and it could provoke a wider war.
Suppression of Enemy Air Defense (SEAD aka Wild Weasel) is a combat tactic intended to reduce friendly losses and improve the effectiveness of air strikes. That is, to kill more of them and less of us. How in hell does someone consider that "humanitarian"?
This is one of the most Orwellian pieces of doublespeak I've read all year.
No. Experts in their field shouldn't need to be taught how to understand your system; that's part of being an expert ( or indeed, even a professional).
I completely agree but how are we even calling this "expert" or "professional"? Do I need to educate someone, a "programmer" let's say, about the fundamentals of Java? About electronics? About physics? How to type? How to use the toilet?
Maybe that's over the top, but at some point, if someone claims they can do X, we assume a basic level of skill. To use a car analogy: cars basically all work the same way. The car dealer doesn't make you take a test before you buy it and drive it home. They have to make sure you have a valid license, of course, but licensure is not their problem, and licensure by the state assumes that the basics of driving are the same across different models of cars.
You address it through the statute of limitations and the 6th Amendment. Only the most heinous crimes have no limitations, and for misdemeanors and non-violent felonies, the prosecution must file charges within 2-7 years (depending on the state and crime). Once charges are filed, the right to a speedy trial attaches.
Also, it's not really practical for a prosecutor to run serial trials. They basically have to go to all the same trouble, but it ends up costing more time and money since it's not done all at once, and it will piss off most judges royally. Prosecutors are also usually elected, so they don't often get away with this tactic. The only time it's really useful is if you have a defendant who you can charge with, say, burglary, while gathering evidence toward a murder charge. This is more to prevent the defendant from fleeing, but they still might get bail on the lesser charge. Lots of episodes of "Law & Order" use this as a plot device.
I can appreciate your sentiment, but I think it's wishful thinking. We can certainly argue that these devices SHOULD not be connected to the Internet, but the simple fact is that a great deal of them ARE connected, and many that are not "intended" to be connected will end up connected, and those systems need to be designed with that possibility in mind. They are currently designed with no more security than my pull-start lawn mower.
All good ideas. I think a lot of people are actually open to change as long as they feel their skill and experience is being valued. Suggest that it would be good to simplify and modernise the process and find out what ideas Bob has and the challenges he sees in implementing any changes.
This is definitely true but I would also add "offer to help with the changes" (or find someone who is capable of helping). Outsiders may have good ideas about how to fix things, but anyone can be a critic. That can be annoying to the original maintainer who has to do the work, regardless of how much it improves the system.
That's actually a really cool setup you described. Would you be willing to share detailed build instructions, including the software setup? Strictly for educational and entertainment purposes, of course:)
GPUs only tend to allow you to offload the strait-shot parallelized stuff - graphic blits, audio, textures & lighting - but the core of the game logic is still tied to the CPU. Even if you aren't straining the limits of the CPU in the final implementation, programmers are still limited by the capacity of them.
Your theory is basically valid, but the practical reality and the empirical evidence of the last, I dunno, 20 years or so, is that the graphics processing takes a significant amount of computing power. There's a reason that virtually every computer and every game console has a dedicated GPU. For that matter, a dedicated sound processing chip. It's all offloaded and the APIs have improved to the point that it doesn't seem like much work, but those specialized chips are burning an awful lot of power.
For a wide variety of games, the game logic just isn't that complicated, or rather, it doesn't require as much computing horsepower as the rendering. Sports games and FPS are the most obvious but I'm sure there's others. The most CPU intensive game I can think of is Civilization 4. I'm sure it's been surpassed, and yeah the AI still sucks, but late in games you can really tell that the CPU is chugging away.
The truth, of course, is that something will ALWAYS be a bottleneck. The argument seems to be: is it the CPU or GPU?
This is sensationalism. Even small planes have a boatload of "distractions" to observe: radio, gauges, displays, maps, etc. Adding a cell phone into the mix isn't exactly overloading the pilot, unless he's doing something REALLY stupid like texting on final. He might have been USING a cell phone, but he was probably just overconfident as to his abilities as a pilot.
There's also a major difference between talking on the phone in your car and in a plane. In auto traffic, you have to manage the car continuously, keep an eye out for traffic, deal with traffic lights, and on and on. Piloting certainly requires a lot of skill but you aren't twitching the stick and throttle and braking every 2 seconds, and since most planes have autopilot, it can be pretty relaxed.. There's plenty of time en route to send a text or make a call, and to do so safely.
I never worked in the same industry but I guess it is a bit obvious this is an issue. Basically what PayPal is saying is this distributor is at a higher risk because of their already documented history of charge backs. OK that I can deal with. Charge a higher premium to the distributor to compensate.
Credit card merchant banks already do this. Merchants pay more for "card not present" transactions (anything online) and certain types of businesses pay different discount rates. Hotels generally pay more than "regular" storefront merchants, for example. Restaurants and gas stations pay different rates. I think government agencies generally get the best rates but I'm not sure.
However, the rates for adult content merchants are already sky high (12-15% vs around 3% for non-adult merchants) because, surprise, there's a lot of fraud. Many banks have decided that they simply don't want to deal with it for ANY price. Paypal served adult merchants at one time but they stopped long ago, maybe 2004.
Two words: "common carrier". They get to escape liability but the trade-off is that they are regulated and have to cooperate with law enforcement.
You can of course run a Tor node, and claim you are cooperating but unable to trace the connection. I can almost guarantee that some enterprising prosecutor will eventually decide that this is obstruction of justice, or aiding and abetting, and then you will be charged for someone else's criminal activity. Why anyone would want to take this risk is beyond me. You won't even be able to cut a plea bargain because you can't figure out who the crook is to give up.
Only the most paranoid can remember if they last logged in at 8:15 or 8:25. It's not a credible method of deterring casual logins when the attacker already has the login info. Also, some form factors don't provide a simple means of returning additional information upon a successful login. Think of a Web service where the username and password are included in the request. You'll get a success or failure response and that's it. Even if the service returns more detail, there isn't always a sensible way to alert the actual user, other than denying access on a failure.
Slashdot Mirror
A one-thousand page employee handbook? What the actual fuck? I've worked for a lot of places and the most I've seen is 40-50 pages.
What in the world is in this dense tome, and who actually reads it?
I wouldn't say we missed it, Bob...
Those roaming charges will be astronomical.
- That the government has not demonstrated that delving into the user's private search history is relevant or may advance the case at all,
A search warrant merely needs probable cause. One user's history seems like "a particular place or thing to be searched". The gov't doesn't have to prove that any evidence seized will even be used.
- That the data is not the property of the individual but rather a trade secret, or
That might work for a civil lawsuit, but it's absolutely not gonna fly in a murder case.
- That Amazon is an unrelated 3rd party and should not be compelled to cooperate in something which it is peripherally related.
Doesn't work for banks, telephone companies, Internet providers, etc. It doesn't work for a retailer with security cameras. This also isn't a fishing expedition; it's probable (at least according to the judge who approved the warrant) that Amazon has evidence that may be relevant. Besides, for all we know, they have exculpatory evidence. Both sides have the right to compulsory process.
All that said, I have a modest proposal.
If Amazon intends to keep recordings and use them for profit, they should be compelled to produce those recordings when the public interest so demands.
If Amazon wants to be exempt from that, they can submit to rigorous and frequent government audits to prove they are not recording anything, in the public interest of privacy of citizens.
Commercial aircraft operators (and possibly other common carriers) are required to keep a passenger (pax) manifest, for notification purposes in case of an accident or an incident involving a passenger. I think this was first required by the Warsaw Convention (now Montreal Convention). In theory it applies only to international air travel, but many nations have applied it to domestic air travel as well, because what is or is not "international air travel" under the Convention is a convoluted definition. Easier just to have everyone keep a manifest.
It put North Haverbrook on the map.
I'm not backing the NFL here, but this blackout rule doesn't bother me much and it has at least some basis in reality and fairness: to have a full stadium experience (I won't argue whether that's really worth it these days). IIRC, the doesn't kick in until 72 hours before kickoff, it only applies to networks within 75 miles and it only applies to local broadcast/cable TV (you still get the game on Sunday Ticket). And, in most cases, local businesses will buy up the unused tickets to give to charity, and the NFL relents, and the whole issue is moot.
I'm far more pissed with the blackout rules for MLB. I live in Las Vegas, I have the MLB.TV package, and I am blacked out from at least 6 teams (Dodgers, Angels, D-Backs, Padres, A's, Giants). None of those teams are within 300 miles of me, so I'm not driving to home games. And yet, I can't watch any of those teams, because (in theory) I should have access to those teams from my local cable network. But the cable cos and the networks like to bitch about retransmission fees and so I haven't seen the Dodgers all year.
The REALLY stupid blackout rule: Hawaii is blacked out from the Giants & A's. HAWAII !!!! I know there's kayaks in McCovey Cove every game, but I have yet to see any Polynesian catamarans.
I have 2 simple rules:
1) If the job is really terrible -- crazy boss, lousy environment, not enough funding -- it should be obvious within 30 days or so. At most companies this is a probationary period anyway. I've quit a couple of jobs quickly for these reasons, and I've found that HR (if not the boss) is generally okay with this. Act professionally, of course, give notice and all that, but It's better to cut ties early if you feel that you and the employer are not a good match.
2) Assuming I get past 30 days and still like it, I've always tried to make it to 2 years before trading up. I've found that after year 1, I'll get a bonus or a bump in salary almost automatically. Year 2 is when the employer starts to look for something more out of me, and also when I'll get a better idea of possible career paths within the company.
My experience is that job hopping is not a big deal as long as you have good reasons, and as long as it's not TOO often. Good reasons include relocation, a substantial (I'd say 25%+) bump in pay, or changing jobs to do what you really want to do. No one will care that you only worked 3 months at The Gap before finding a Web developer job.
Applied Cryptography by Bruce Schneier. Really any and all of his books.
Well, they did say "it is more important to focus on how things look from the top than how they actually are down below".
I'd say you follow the same process: inform them, wait 1/3/7 days or whatever, then go public. If you suspect the exploit is deliberate, informing the manufacturer isn't telling them anything they didn't already know. Or, maybe it IS telling them, since in the case of open source, the exploit could have been introduced surreptitiously by a developer who's long gone, and the current developers have no idea of the exploit's existence.
Caveat: if you suspect revealing the bug will cause blowback to you. If you think the NSA/FBI/CIA will come after you for threatening to reveal it, I'd say just go public immediately, and include major press orgs so they can't just silence you.
Minor quibble with this. SEAD is a combat tactic which assumes you're already at war and suppressing defenses to advance a specific mission. A no-fly zone is a strategic patrol. It tells the enemy that you have overwhelming air superiority within the theater, and it assumes the enemy isn't willing to risk testing the no-fly zone. In the past no-fly zones have been more or less declared and imposed, and actually SEAD missions were unnecessary.
To be sure, actually enforcing a no-fly zone could require SEAD missions, in which case, it's not so no-fly. But yeah, it's still a dumb idea here, and it could provoke a wider war.
Suppression of Enemy Air Defense (SEAD aka Wild Weasel) is a combat tactic intended to reduce friendly losses and improve the effectiveness of air strikes. That is, to kill more of them and less of us. How in hell does someone consider that "humanitarian"?
This is one of the most Orwellian pieces of doublespeak I've read all year.
No. Experts in their field shouldn't need to be taught how to understand your system; that's part of being an expert ( or indeed, even a professional).
I completely agree but how are we even calling this "expert" or "professional"? Do I need to educate someone, a "programmer" let's say, about the fundamentals of Java? About electronics? About physics? How to type? How to use the toilet?
Maybe that's over the top, but at some point, if someone claims they can do X, we assume a basic level of skill. To use a car analogy: cars basically all work the same way. The car dealer doesn't make you take a test before you buy it and drive it home. They have to make sure you have a valid license, of course, but licensure is not their problem, and licensure by the state assumes that the basics of driving are the same across different models of cars.
Since when did the car owner's manual teach the owner how to drive?
I work for an airline. We train pilots on our aircraft and our procedures. We certainly do not teach them how to fly.
It's been a while since I read it, but "Showstopper" is a pretty good history of Cutler & Windows NT: http://www.amazon.com/Showstopper-Breakneck-Windows-Generation-Microsoft/dp/0759285780/ref=sr_1_6?ie=UTF8&qid=1370920903&sr=8-6&keywords=showstopper
You address it through the statute of limitations and the 6th Amendment. Only the most heinous crimes have no limitations, and for misdemeanors and non-violent felonies, the prosecution must file charges within 2-7 years (depending on the state and crime). Once charges are filed, the right to a speedy trial attaches. Also, it's not really practical for a prosecutor to run serial trials. They basically have to go to all the same trouble, but it ends up costing more time and money since it's not done all at once, and it will piss off most judges royally. Prosecutors are also usually elected, so they don't often get away with this tactic. The only time it's really useful is if you have a defendant who you can charge with, say, burglary, while gathering evidence toward a murder charge. This is more to prevent the defendant from fleeing, but they still might get bail on the lesser charge. Lots of episodes of "Law & Order" use this as a plot device.
I can appreciate your sentiment, but I think it's wishful thinking. We can certainly argue that these devices SHOULD not be connected to the Internet, but the simple fact is that a great deal of them ARE connected, and many that are not "intended" to be connected will end up connected, and those systems need to be designed with that possibility in mind. They are currently designed with no more security than my pull-start lawn mower.
All good ideas. I think a lot of people are actually open to change as long as they feel their skill and experience is being valued. Suggest that it would be good to simplify and modernise the process and find out what ideas Bob has and the challenges he sees in implementing any changes.
This is definitely true but I would also add "offer to help with the changes" (or find someone who is capable of helping). Outsiders may have good ideas about how to fix things, but anyone can be a critic. That can be annoying to the original maintainer who has to do the work, regardless of how much it improves the system.
That's actually a really cool setup you described. Would you be willing to share detailed build instructions, including the software setup? Strictly for educational and entertainment purposes, of course :)
GPUs only tend to allow you to offload the strait-shot parallelized stuff - graphic blits, audio, textures & lighting - but the core of the game logic is still tied to the CPU. Even if you aren't straining the limits of the CPU in the final implementation, programmers are still limited by the capacity of them.
Your theory is basically valid, but the practical reality and the empirical evidence of the last, I dunno, 20 years or so, is that the graphics processing takes a significant amount of computing power. There's a reason that virtually every computer and every game console has a dedicated GPU. For that matter, a dedicated sound processing chip. It's all offloaded and the APIs have improved to the point that it doesn't seem like much work, but those specialized chips are burning an awful lot of power.
For a wide variety of games, the game logic just isn't that complicated, or rather, it doesn't require as much computing horsepower as the rendering. Sports games and FPS are the most obvious but I'm sure there's others. The most CPU intensive game I can think of is Civilization 4. I'm sure it's been surpassed, and yeah the AI still sucks, but late in games you can really tell that the CPU is chugging away.
The truth, of course, is that something will ALWAYS be a bottleneck. The argument seems to be: is it the CPU or GPU?
This is sensationalism. Even small planes have a boatload of "distractions" to observe: radio, gauges, displays, maps, etc. Adding a cell phone into the mix isn't exactly overloading the pilot, unless he's doing something REALLY stupid like texting on final. He might have been USING a cell phone, but he was probably just overconfident as to his abilities as a pilot. There's also a major difference between talking on the phone in your car and in a plane. In auto traffic, you have to manage the car continuously, keep an eye out for traffic, deal with traffic lights, and on and on. Piloting certainly requires a lot of skill but you aren't twitching the stick and throttle and braking every 2 seconds, and since most planes have autopilot, it can be pretty relaxed.. There's plenty of time en route to send a text or make a call, and to do so safely.
I never worked in the same industry but I guess it is a bit obvious this is an issue. Basically what PayPal is saying is this distributor is at a higher risk because of their already documented history of charge backs. OK that I can deal with. Charge a higher premium to the distributor to compensate.
Credit card merchant banks already do this. Merchants pay more for "card not present" transactions (anything online) and certain types of businesses pay different discount rates. Hotels generally pay more than "regular" storefront merchants, for example. Restaurants and gas stations pay different rates. I think government agencies generally get the best rates but I'm not sure.
However, the rates for adult content merchants are already sky high (12-15% vs around 3% for non-adult merchants) because, surprise, there's a lot of fraud. Many banks have decided that they simply don't want to deal with it for ANY price. Paypal served adult merchants at one time but they stopped long ago, maybe 2004.
Two words: "common carrier". They get to escape liability but the trade-off is that they are regulated and have to cooperate with law enforcement. You can of course run a Tor node, and claim you are cooperating but unable to trace the connection. I can almost guarantee that some enterprising prosecutor will eventually decide that this is obstruction of justice, or aiding and abetting, and then you will be charged for someone else's criminal activity. Why anyone would want to take this risk is beyond me. You won't even be able to cut a plea bargain because you can't figure out who the crook is to give up.
Only the most paranoid can remember if they last logged in at 8:15 or 8:25. It's not a credible method of deterring casual logins when the attacker already has the login info. Also, some form factors don't provide a simple means of returning additional information upon a successful login. Think of a Web service where the username and password are included in the request. You'll get a success or failure response and that's it. Even if the service returns more detail, there isn't always a sensible way to alert the actual user, other than denying access on a failure.