Safe is not a binary yes or no. It's more of a spectrum.
No, it's not. You are safe, or you are compromised. The millisecond you get compromised, you change state hard from one to the other.
There are things that are more or less likely to get you compromised. You apparently confuse that. But there is no confusion. An image has a specific purpose. A scripting language does not. If I allow you to send me an image to display, my intention is clear - I want to see an image. If I allow you to run a script on my machine, my intention is not clear.
GP is correct. Ads need to move back to display-only functionality. All the tracking, malware and other shit is because we have given greedy fuckers too many toys. The horse is out of the stable, we won't get it back in, we will not get any kind of "responsible advertisement". Too late. Static only is the solution. Ad blocking the other. Nothing else will work. Exactly because there is no spectrum. If you give advertisers, who have proven time and time again that they are shady, something that can be exploited, then it will be exploited.
And with that, all the "good advertisers" bullshit is dead. Not just scammy and shady ad networks deliver malware. Advertisement is evil and needs to die, at least the way it is handled right now. The whole thing needs to be made illegal and restarted fresh with a clean slate and the first question should be "what do we, the users, want from advertisement?".
I like product information, for example. I'm a big fan of sites that compare products. These days, there are a thousand mobile phones, or printers, or vacation destinations, or chairs or cars or really anything, and it's not easy to find the one that's perfect for you.
There's also new and interesting stuff coming out all the time, and most of us miss most of it. Something that focusses on these aspects, on the customer desires, that would be wonderful.
As much as I cringe at the mention of VB, bad software is made by bad programmers, not by bad languages. I have seen many, many, MANY pieces of really crappy software in C, C++, Java as well as in PHP, Perl, Prolog and a dozen other languages. Some languages are better than others, no doubt about that. But idiots will manage to write shit in any language, and with any tool. The solution is not to give the idiots better tools, but to not allow the idiots to write software.
When they are asked? Hell no! You do that even once, you will be on my list of vendors I will never, ever work with, and recommend every client I consult to not touch with a ten foot pole, either.
When served with a proper court order? That's a different story.
By removing the need for would-be programmers to learn esoteric programming languages, the method has the potential to significantly expand the number of people engaged in programming
Because we really need more amateur programmers fucking things up and creating software with exploitable bugs. Who needs information security anyway...
Hate you already. :-)
Africa exists, I've been there. But China doesn't exist, we all know that. ;-)
Like another poster, you confuse monetary or economic value with the value of education. These are not the same things and they don't cleanly exchange into each other.
The reason we spend money on a child's education is that education takes time. If you could get the same education in, say, one day via brain implants, it would be smarter to wait it out until you are 18 and can decide by yourself which education you want. But since it takes years, you need to start early because lifetime is limited.
These are really trivial arguments to follow. Why do I have to spell it out?
lol what? Do you really believe that nonsense?
Scientific evidence is not a belief. We understand a little bit about economy, you know? It's taught at universities.
The reason circulating money adds to the economy is the assumption that circulating money equals work, and work improves life on the planet.
That's the most stupid bullshit I've read in a long time.
The reason circulating money adds to the economy is that if I spend $100 at your shop, you can now spend $100 on buying something, and the person you buy it from can spend $100 on some service and that person can donate $100 to the poor and they go to ten shops, spending those $100 and those shops come to me to buy something for $100. At the end, the $100 has made a full circle, so no money was created or destroyed and everyone has as much money as they had before, but everyone also got goods or services worth $100 that they didn't have before. Or, in other words: Those $100 of money have turned into $700 of wealth.
That's simplified, of course, ignoring a lot of details, but that's the basic principle.
In reality, if I discover a great unknown artist and give him $100 to paint something, that produces more value than if I give a crappy unknown artist $100 to paint something.
You are clearly confusing cultural value with economic value. Besides, great or crappy in the arts is very often judged long after the artist and the original buyer are both dead.
The question is whether you think stuff like fighting malaria with $1 billion is subjectively worth more than a bunch of poor people spending $1 billion on big screen TVs from China
Again, you are confusing values, in this case moral values with economic values. Those things are not the same.
I didn't advocate it as a program. The point was to illustrate just how crazy rich these people are. If one person can have such a global effect, you understand how poor everyone else is compared to them. He could literally pay for the life of millions of people.
Yes, he could give each and every person $10.50 and have nothing - and we'd still have needy and homeless people all over the world.
900 million people live under the global poverty line of $1.90 a day.
That is 1.71 billion dollars a day to lift the entire planet out of poverty.
The fact alone that one person could do that for a month and still have more money left over than he can spend in a lifetime just boggles the mind.
If you further assume that most of these people don't have nothing, they just have less than $1.90 it becomes more crazy. My old statistics professor said that if you have no information, assume the average. So let's assume it takes 95 cents on average to bring someone just above the poverty line. That means Bill Gates alone could lift the entire planet out of poverty for three months before his fortune runs out.
While that shows how little these crazy fortunes are in global contexts, it also shows how crazy rich these people are compared to everyone else. It means the richest top ten could end poverty for a year and still be rich. Can you even imagine what it could mean to the poor of the world to not be poor for a year? How many of them would use the opportunity to secure a better future? At the end of that year, many of the poor would not go back to being poor. Millions would be permanently enabled to have a better life.
I applaud Melinda Gates for convincing Bill to use a good part of his fortune like this, even if there's a lot of shady deals involved that the future will judge (largely, the crowding out of other organisations that try to help).
But the real problem is not that this money could be used to feed the poor. The real problem is that this money, if it had not been taken by the super-rich, would circulate much faster within the economy and would create more wealth. After the "trickle down" bullshit, a number of real economists have done the checking and they all come to the conclusion that money given to the rich hurts the economy while money given to the average people stimulates it.
Or in other words: In Bill Gates' hands, these are 78 billion. In the hands of ordinary people, this would be 90, 100 or more billions. That is the real damage the super-rich do to all of us.
I am all for people being compensated for their efforts and have nothing against people taking risk and profiting from the risk taking.
Me neither. Sadly, this discussion is always brought to an end with the oldest strawman in the world. Because apparently if you point out that the differences are just crazy, it means you are against differences at all.
Where is the proper wording to say that "I want rich to be rich, I'm fine with that. I just want them to be rich, not super-crazy insanely-boggles-the-mind beyond-all-imagination hyper-rich." ?
There is no amount of personal effort or risk taking that justifies taking in billions. If you want to know how much personal risk is actually worth, look at the hazard pay we give to people whose job includes risking their lives. There's no greater risk than that.
I'd be completely ok with someone having 78 million of personal fortune, or even of someone making 18.4 million profit in a good year. But we are talking about people who make a thousand times that. The only reason we are not on the street to hang them when thousands of people are actually in starvation poverty is that the mind boggles and we simply can't comprehend this amount of money.
The divide between the rich and the poor today is much bigger than it was at the time when the famous "if the people don't have bread, why don't they eat cake?" quote was allegedly made.
The fact that this article comes right above the "A Bit of Cash Can Keep Someone Off the Streets For 2 Years or More" one says a lot.
So from the gain of one year alone, one of these guys by himself could save 18.4 million people from being homeless for two years, meaning he could do that every other year and his net worth would still rise.
But the USA has less than 600,000 homeless. I understand the other article is about people who are on the edge of becoming homeless, so it's hard to apply it in general, but let's just do it anyway because everyone who is homeless at one point became homeless. Let's also imagine that on average, such a person would need 2-3 such cash infusions to permanently turn their life around and not end on the street at all. Meaning it takes around 900 million a year to end homelessness forever. Or in other words, with the money that one of these super-rich people make in two weeks, homelessness within the USA would be over.
Which begs only one question: Why is homelessness still a thing?
We wanted to go out yesterday, but the sky was completely overcast. Looks like the same today. It's such a shame, really. I've seen them before and it was magnificent.
No, ads are not "part of the experience". Yes, they are "tacked on".
What the professional liar actually means is that ads are part of the business model.
I feel like the early 1990s have returned. Anyone else remember Spamford Wallace claiming that people are genuinely interested in his "newsletter"?
This and the rotten tomatoes thing makes me wonder if people really get so emotional about a friggin' movie or if that's all an ad campaign to keep it in the headlines.
Most of the standards don't actually require any specific password policy rules, only that a password policy exists.
Yes, there is a big management by numbers part there, but also a big "we don't want to think, let's google the best practice and use it" part. But some of those best practices were authored 20, 30 years ago, and only slightly updated since then.
It's a nonsense scenario.
Someone stealing your DB will find a) properly hashed and salted passwords or b) not. In the case of b) you are toast no matter what. In the case of a) he will almost always run his cracker for a few hours, maybe a few days, to grab the low-hanging fruit, and then move on to the next DB he stole somewhere. His ROI goes down massively after he collected the easy hits, so why should he bother? If your password is "123456", changing it doesn't matter. If your password is "aaaaaaaaaaaa" (which is in no dictionary, no word list I'm aware of and brute-forcing won't reach it this millennium) then you don't have a reason to rotate it.
Password rotation is actually intended to make us change passwords just in case we missed any of the signs that our security has been compromised and we have an actual reason to do it. It's a bit like in the old joke about hitting your wife even if you don't know why.
Most password policies are shit and most of the "best practice" password rules are at best useless. At least that's what I've been saying in a couple speeches. They try to do A by making a rule that says B. It's because of a fixation on auditing and processes. Making people understand just why "password" is not a very good password does a lot more than writing down 10 rules that together prevent them from choosing "password".
I should publish my paper on the subject.
Basically we try to teach people to not be idiots, without actually teaching them anything.
Makes no difference. The attack scenarios that justify regular password changes have almost no overlap with the attack scenarios that require complexity.
Today I wish I could easily find my old postings where I said I'll say "told you so".
But I'm not the only one. A lot of security experts have been critical of these requirements for some time. I'm just glad it finally hit mainstream with some quotable words. Now we have a chance to update some of the braindead password policies.
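The cracking-economics argument in the password comments above (a stolen table of salted, slow hashes versus an unsalted one; the attacker spending a fixed budget on low-hanging fruit; rotating "123456" to another weak password changing nothing) can be run end to end. The block below is an added example written for this page, not code from any of the commenters or from any product they mention. The users, passwords, wordlist, mangling rules, PBKDF2 iteration count and the 1e5 guesses/second rate are all constructed assumptions; a real cracker's list and rules are far larger, and whether a repeated-character string like "aaaaaaaaaaaa" survives depends on which masks and rules the cracker runs, not on dictionary membership alone. What the example shows is the cost structure: per-user salts make every guess cost one KDF call per user, the unsalted table is cracked with one fast hash per guess for all users at once, and the rotation that only moves a password from one guessable string to another is still inside the attacker's budget.

```python
"""Offline password-cracking economics, as a self-contained demo (added example).

Two leaked tables are modelled: case (a), per-user salts with a slow KDF
(PBKDF2-HMAC-SHA256), and case (b), bare unsalted SHA-1. A dictionary attack
with a few mangling rules is run against both under a fixed per-user budget.
All users, passwords, the wordlist and the rules are constructed for this demo.
"""
import hashlib
import hmac
import os
import string

# Kept low so the demo runs in well under a second; production deployments use
# far higher counts (assumption: 1000 is for the demo only).
ITERATIONS = 1000

# Constructed wordlist standing in for the head of a real cracking list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer", "dragon", "welcome"]

# Constructed mangling rules, the kind a cracker applies before moving on.
RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w.capitalize() + "1",
    lambda w: w + "!",
    lambda w: w.capitalize() + "2016",
]


def kdf(password: str, salt: bytes) -> bytes:
    """Case (a): salted, deliberately slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def fast_unsalted(password: str) -> bytes:
    """Case (b): unsalted fast hash."""
    return hashlib.sha1(password.encode()).digest()


def leak_salted(passwords: dict) -> list:
    """What the attacker walks off with in case (a): (user, salt, hash) rows."""
    rows = []
    for user, pw in passwords.items():
        salt = os.urandom(16)
        rows.append((user, salt, kdf(pw, salt)))
    return rows


def leak_unsalted(passwords: dict) -> dict:
    """Case (b): user -> bare hash, no salt."""
    return {user: fast_unsalted(pw) for user, pw in passwords.items()}


def candidates():
    """Every (word, rule) combination the attacker will try, in order."""
    for word in WORDLIST:
        for rule in RULES:
            yield rule(word)


def crack_salted(table: list, budget_per_user: int) -> dict:
    """Per-user salts force one KDF call per (user, guess): cost = users x guesses.
    The attacker stops after `budget_per_user` guesses, i.e. after the easy hits."""
    hits = {}
    for user, salt, digest in table:
        for n, guess in enumerate(candidates(), start=1):
            if n > budget_per_user:
                break
            if hmac.compare_digest(kdf(guess, salt), digest):
                hits[user] = guess
                break
    return hits


def crack_unsalted(table: dict) -> dict:
    """No salt: hash each guess once, then match every user in a single lookup."""
    lookup = {fast_unsalted(g): g for g in candidates()}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet: str = string.ascii_lowercase) -> float:
    """Exhaustive-search time for an all-lowercase password of `length` characters.
    The guess rate is an assumption: it depends on the KDF cost and the hardware."""
    return len(alphabet) ** length / guesses_per_second / (365 * 24 * 3600)


def demo() -> dict:
    # Constructed users: a top-of-list password, a 12-char repeated string, a mangled word.
    users = {"alice": "123456", "bob": "aaaaaaaaaaaa", "carol": "Summer2016"}
    salted_hits = crack_salted(leak_salted(users), budget_per_user=100)
    unsalted_hits = crack_unsalted(leak_unsalted(users))
    # alice "rotates" her password, but only to another string the rules reach.
    rotated = dict(users, alice="Password1")
    rotated_hits = crack_salted(leak_salted(rotated), budget_per_user=100)
    return {
        "salted": salted_hits,            # alice and carol cracked, bob not reached
        "unsalted": unsalted_hits,        # same hits for one fast hash per guess
        "after_rotation": rotated_hits,   # alice still cracked after rotating
        "bob_brute_force_years": years_to_exhaust(12, 1e5),  # at the assumed rate
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The budget parameter is the "few hours, maybe a few days" from the comment: everything inside it falls regardless of how often it is rotated, and everything outside it is untouched until the attacker decides the next table is a better use of his time. The `years_to_exhaust` figure is only as good as the assumed rate, which is exactly why the KDF's cost matters more than the rotation schedule.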
And nobody in his/her right mind would connect industrial control systems directly to the Internet.
aka "someone is sure to do exactly that"
That particular remark was aimed more at the other e-mail scandal, where the whole world wonders which strings had to be pulled to make high treason an offense that doesn't justify being pursued.
Even if it's the russians, or the chinese, or the devil himself - they don't deny that the mails are real, and that is what matters. Who leaked them is an interesting academic question, and it might have influenced the timing, but that's about it.
They are crooked and corrupt and criminals, and no amount of fingerpointing changes that - but given the state of the media and the attention span of the public, it might work anyway.
Someone posted something the other day that was interesting. In essence, the "lesser of two evils" argument doesn't work for Hillary or the Democrats this time.
If we go into more depth on this, I would say that I see self-driving cars more in replacing taxis than busses, but the mental model would need to shift because taxis are considered a bit of a luxury and not public transport.
The point is that a lot of people would consider taking such a system that do not currently consider taking the bus. Especially in cities, where you spend half your driving time searching for a parking space.