It could be done today, and isn't. Reality proves you wrong. Go argue with reality, not me.
I'd only argue with reality if reality showed someone currently voting via cipher block with less fraud than the paper ballot system. The fact that it *could* be done but isn't shows that I'm right -- the issue isn't technology, it's the human factor.
Or were you meaning that the reality of companies being able to do the absentee ballot thing? That has its own glaring differences to a nation-wide absentee ballot system (which is basically what a token based system would be) -- I'm sure you can figure out those differences as well as I can.
Again: it can technically be done, the problem lies in human psychology.
Only problem of course is that they wouldn't be able to defend their theses, due to nobody understanding what they're talking about.
Oh wait....
I think you just proved his point: the issue isn't that it can't be done -- the issue is that people can't be bothered because there are better alternatives.
In my grandparent's generation, you had the farmer's almanac and the local experts -- but that's about it for information sources, other than some manuals someone had collected. These days, you could be just about anywhere and still be able to look up what that error code on your car means and see video step-by-step instructions on how to carry out the repair.
So it used to be a valuable asset to be one of those people who could fix things, as the alternative was having a broken thing. Nowadays, the alternative is getting it replaced at a reasonable cost. And people don't bother memorizing how to fix things, because that information is widely available for looking up, should one want to waste one's time doing so.
I was going to make an opposing point...
the under 40s expect everything to 'just work' and have no idea what to do when things go wrong. Unlike previous generations who would ‘make do and mend’ now young people will just chuck out their faulty appliances and buy new ones.
Why does he target the under 40s? These days, most people I know above AND under 40 fit this profile. It's because the stuff we use generally "just works" and when things DO go wrong, the products are no longer designed to be easy to figure out how to fix, let alone fix it. Young people do a cost/benefit analysis and discover that their time is worth more than buying a replacement whatever.
What gets me is things like this: recently the diverter in my shower failed -- I took the device apart, discovered that there was a crack in the plastic arm, and a rubber gasket had worn out. I figured that I could epoxy the arm, and just needed to replace the gasket to make everything happy again. So, I went looking for the gasket. Turned out that the gasket by itself cost more than buying a new diverter unit.
Similarly, recently the cassette flywheel on my bike went. I figured there was an internal component that needed to be replaced, and there was -- but the tools and components to do this replacement were an order of magnitude more expensive than just replacing the cassette. As I ran out of time figuring this out, I figured I'd get a bike shop to drop in a new cassette for me -- only to discover that they didn't have that specific one in stock, and the cost of ordering and installing it would be more than buying an entirely new wheel they had hanging on the wall. So I bought the new wheel and kept the old one for parts.
Then there's my toaster oven, my breadmaker....
Actually, the one thing I've been able to fix recently without going over the cost of a replacement was the toggle switch on my vacuum cleaner. A pair of needle nosed pliers and a drop of solder did the trick. I'm pretty sure I would have had to purchase the entire toggle assembly, even though the only problem was a worn dimple and bent piece of copper.
Long story short, while I am quite capable of repairing these sorts of things, we have reached a stage where the cost to do so exceeds the cost of replacement. Produced parts are custom and produced to match the volume required for industrial assembly. Maybe instead of muttering "Young people these days" the professor should have asked the question "Why are they replacing instead of repairing?" The "can't figure it out" seems more like an assumption than a scientifically tested conclusion.
Yeah; but with a rocket, I expect every unit of measurement to suddenly be unique to the individual -- it'll make cm vs inches look like a rounding error.
Not to mention, Systran and Google would have the issue fixed in a matter of weeks -- assuming the engineers could still read source code.
I remember back in the days of QuickTax -- Windows users could buy QuickTax for a decent price and do their taxes. However, if you had a Mac, you needed to buy Deluxe, as that was the only version provided for the platform -- at a higher price than the Windows Deluxe version, both of which were twice the price of the regular version.
What were the extras you got? IIRC, it was the self-employment, investment income and asset depreciation packages, along with some retirement planning tools.
The other gotcha: the schedules were never updated until AFTER the early filing deadline, which meant I always had to file an update once I'd re-calculated for actual retirement values/contributions.
Well, it's been around 15 years now since I ditched Intuit for a web-based alternative that just works (I get tax refunds now within two weeks of filing), and I see absolutely no reason to go back, or recommend anyone else uses an Intuit product. This is just another nail in the Intuit coffin.
But I hear they're one of the best places to work....
NSA guy sees "metadata management" and has a wet dream.
That's not metadata as you think of it. It's the metadata associated with storage.
But... it's just metadata, isn't it?
It can construct space! awesome!
I thought we called those bombs?
Not a good idea, considering what happened at the Tower of Babel....
Apple would be positively pilloried in these pages if they tried something even remotely as irresponsible and high-handed as Google is doing (or rather not doing) in this case.
Really?
How long does Apple support an older point release after a new one comes out?
Answer: about a month, after which you can't roll back.
How long does Apple support an older version release after a new one comes out?
Answer: about 2.5 years.
Google's stats on this are significantly better. The problem is in the manufacturer and carrier agreements:
Apple pretty much forces point upgrades (which include the security fixes) and strongly encourages version upgrades, up to the point where the hardware no longer supports the next version. This has been most strongly felt with iOS 4 and iOS 6. In fact, at one point, the best way to protect your iOS 6 device from a known security issue was to jailbreak it and apply a community fix.
Google, on the other hand, keeps patching and upgrading the older version releases, and Cyanogenmod does a great job of making them available to end users who are willing to install it. The problem comes in the fact that neither the phone manufacturers nor the carriers have any vested interest in forcing firmware upgrades, and Google doesn't have the right to mess with phones that belong to the carriers (which they do, if you haven't bought your phone outright).
That said, you still have the issue of protecting against malicious software running on top of the OS, and so far Apple's done a much better job of that than Google.
So the employer can demand your token, and you give it up. Would you give up your personal email password? Facebook password? The actions of the employer are illegal. Why aren't you reporting him?
Many people prefer to be employed and not have their employer penalized (and can't afford a lawsuit and the time off that would entail).
Working backward:
Yes, it is illegal, as are all the shenanigans that currently go on. The point is in the cost/benefit analysis, people don't think a single vote is worth biting the hand that feeds them.
There have been numerous studies showing that people are more than willing to give up their Facebook password to get a job. Some don't even change it after giving it up.
People give up their email passwords all the time -- every time you check your email without using TLS encryption or similar, you're sending your email password in the clear. Do this from public wifi, and you are broadcasting your login credentials to anyone listening.
Considering that the token doesn't benefit you in any real way and isn't linked to your identity at all, it's much less valuable to most people than your other cited examples. In fact, such tokens only become valuable when enough of them are cast for a specific politician. Election reform could fix that (runoff voting etc) but don't hold your breath. Currently, unless you live in a few key districts, it truly doesn't matter what happens to your vote in the US. That doesn't mean you shouldn't vote, but it means that you also need to convince a bunch of others to vote the same way you do if you want any sort of change.
In reality, the only thing making it "more secret" is the fact that you can split the communications up into small UDP packets instead of a TCP stream. That means that for certain uses, it can be more secret; but performing HTTP transactions isn't one of them.
It got closely linked with kiddie porn, has abysmal throughput and drops "non-fresh" content.
It actually seems like the perfect solution for hosting torrent magnet files though (not so good for static content you want to sit around for any given amount of time).
"Naturally. Now, I also took a video. So I get that from iMovie?"
Yes, you do. And if iMovie is open when you plug in any device with video stored on it, it'll grab that for you and load it into iMovie. In fact, if you have iMovie, iPhoto, iTunes and Image Capture open, they'll ALL try to grab your media. So will Adobe Photo Downloader, and a number of other apps.
Thing is, in all cases, you get prompted, so you don't have to initiate things, you just have to make the choices.
I understand the purpose... the problem is that it opens up an attack surface such that you can't trust your hardware anymore.
Now one thing that WOULD be useful in this specific situation is to have the flashing code separate from the EEPROM data itself, such that you can't swap out the signing key and lock out the original manufacturer from re-flashing the device. This would mean that a manual re-flash would always be possible. But a simple software or hardware-based "factory reset" runs afoul of the "who watches the watchers" conundrum -- now you need to worry about the default code that is tucked away somewhere (hopefully on ROM, but that'd be expensive).
so in case 1): you may have a point, except it's probably cheaper to just replace the equipment. In case 2, you're no further ahead -- how do you know the factory-reset hasn't been tampered with?
Actually, it would be worse: the attacker could factory-reset your machine and then apply the attack, making any applied patches useless.
1) The attacker would have to have physical access to the device to do the factory reset. Either that or trick the user into getting out the screwdriver.
2) Applying a subsequent factory-reset would remove any malware installed by the attacker. Data loss would result, but at least you wouldn't have a permanently-compromised machine.
1) The attacker already needs physical access to the device to perform this attack.
2) As someone else said, unless you factory reset each time you use your computer, this is useless (as you won't know if the malware is installed until you perform a reset). After a reset, you would of course have to apply all the patches again before you could use your system safely.
"reverse engineering for software compatibility;"
An example of this is DeCSS, which allows you to play DVD content on Linux. As an added benefit, platform shifting is done as part of making it compatible.
You've nailed it. I took a couple of semesters off my 4-year degree to take some courses at a community college while dealing with the rest of my life. My experience was the same as yours.
The truth is, when it comes to education, you get out what you put in (not what you pay for). If you're just in it for the paper, you'll find CC pretty worthless. If you're in it to learn about a specific theoretical domain from experts, it's worth it.
Another difference is that universities generally have courses taught by academics who have minimal qualifications for actually teaching domain material (they're just good at it themselves) whereas community colleges usually have instructors who are passionate about teaching. So you have to be more self-motivated for a bachelors' program than for two years of college -- but if you ARE that self-motivated, you can often get the same benefit out of the CC.
For the second two years of a bachelors' degree, university is usually better, as you already know enough to understand what the experts who potentially have a slim grasp of teaching techniques (and sometimes regular language) are talking about, and since you already know a bit, they're also more motivated to share what they know with you.
Not to mention, if I were an ISP, I'd be sending my users another note alongside that notice, pointing out that its statements are untrue, and outlining the actual legal penalties.
Unless you're going to factory-reset every time you leave your machine unattended it won't actually help you avoid this, it will only help you recover once you detect it.
Actually, it would be worse: the attacker could factory-reset your machine and then apply the attack, making any applied patches useless.
You now know about this issue and can do it to your Macs... and that of your family & friends... but what about all of those people who do not have a person like you? How do they get the fix?
Short of a mandatory update that is pushed down even on devices that opt out of automatic updates... how do you propose to push such a change?
So yes... too late. If the device leaves the factory in an insecure state, a significant number of units are basically guaranteed to remain that way until they are decommissioned years from now.
You don't seem to understand The Apple Way. Apple users in general don't disable automatic updates.
However, on Macs, some security updates are pushed to the systems as you describe. And beyond that, Apple has XProtect, which can push out-of-band updates even faster. This can be a headache for rolling Macs out to the enterprise, as Apple sometimes (rarely) pushes fixes that local IT isn't prepared for.
Added to that, automatic updates are rarely avoided by Mac users.
Who these things will really affect are the users who went to EOL on a previous OS version (10.6 mostly, as 10.7+ users should all have no problems updating through to 10.10) that no longer receives security updates. 10.4-10.6 users for example are left having to install the ntpd patch via MacPorts because Apple hasn't published a security patch for them (although they've provided the source to do it yourself). The firmware issue is much less of a problem to fix for anyone who *turns off* automatic updates.
Are you going to go all "no mainstream Scotsman" on us now?
No *true* mainstream Scotsman anyway.
But we all know that Apple Macintosh isn't a true Scotsman's name....
They do know earthquakes aren't on the same delay as the game's TV broadcasts, right?
Depends on how far you are away from the epicentre. Earthquakes travel at approximately the speed of sound. I've had notification of an earthquake before I felt it before -- it's a somewhat spooky experience.
I'm really starting to tire of this latest troll meme....
I was just realizing that when this was published, Heinlein would have been expecting the work to be in the public domain by now.