That is cute, but how does it react to new threats and changes in the patterns? We've been fighting this war for decades - improved detection leads to improved evasion leads to improved detection, etc. etc. - will it maintain this advantage or after attackers have adapted just become one more piece of expensive latency generator?
It better be, because the first one wasn't. Some of the visuals were impressive, but the story was pretty much... how to say it... like written by a 1st year student. "Here's the standard book on Hollywood stories, add some aliens and VR because that's a hype right now. Also, you have one week."
My iPhone 4 is not broken, but aging, so I replaced it with an iPhone SE now (no way I was going to get a 6, I don't live in the Bronx, I don't have baggy pants). Touch ID was a main thing I wanted, and a better camera.
Sometimes, upgrading is a reason for replacement, the same way you sometimes get a new car even though your old one still works - better safety, more efficient fuel consumption, etc.
Two egomaniacs with too much power in a battle for the public opinion?
Bring me the popcorn. Hopefully, at the end of it all, they will both implode.
Instead of that, how about you split the view into three instead of two parts? Paid, IAP and actually free?
there was a time when the "free" section of the AppStore was a great place to discover small gems, demo versions and more. Now 90% of it is FarmVille clones.
B) Keep the old people out, because they can't handle modern technology and society.
You mean the same "old" people who invented and built this "modern technology"? Who will run circles around the kids who grew up with a smartphone but don't have a clue how it works, so the second something goes wrong, they call daddy/support/god?
Right, we can't handle modern technology. You're just running an OS that has some code in it that I wrote, but go ahead and tell me I can't handle it.
Now for the society part, that is where it gets interesting. You see, society is a construct. It is part made and part evolved. We are having these discussions because of the "made" part. Some people think that giving people a space where they can behave as they want is how society should be made. Other people think that "society" contains a part from "social" meaning people should be taught how to live with other people in the same space, and that being considerate of those around you is not akin to the death penalty.
And she was just named as an example of a self-made rich person in another topic here.
Thanks for reminding me, I should have added "criminal" to "inherited".
Are you kidding me? Which 22 year olds they asked? Antisocial autistics from death row? "Don't bother other people" is something anyone 5 and older should understand and that talking on your phone while one metre away from someone who paid money to understand some dialog falls into that category should be another basic life skill.
No, we need to stop this bullshit of adapting the world to idiots. Two, three generations ago, children were treated completely differently. They were "adults in the making", expected to conform to more and more adult-like depending on age.
A good mix of the authoritarian and the libertarian view of childhood would give us some reasonable approach. But, being human, we will for another five thousand years figure out that one extreme doesn't work and promptly try the other extreme instead.
Given the 39% tax bracket that he falls under, he's writing the government a huge check
Please, who are you kidding? Gates made about 1 mio. in salary at MS. But he made 100-200 times that much in dividends.
let alone the fact that he's done more for the world than the government will ever do with that tax revenue
Locking the world's computers into a monopoly, extracting monopoly rent from the market that could've been spent on R&D, damaging countless small, innovative companies with his business practice, dividing and preventing standardisation in multiple fields - shall I go on?
The Bill & Melinda Gates foundation is doing great things across the globe.
That is true, though there is some criticism aimed at it as well (driving out alternatives, monopolising its "market", etc), it does have a beneficial impact.
I've yet to find a statistically significant number of people who cry in favor of taxation that are also charitable in any sense.
Are you fucking mental? One of the most well-established facts of social science is that in share of income, poor people tend to give much, much more to charity than rich people. Generally, they overlap favorably with the people who wouldn't mind higher taxes on the super-rich.
Other sources disagree with Forbes.
For example, The Economist - http://www.economist.com/blogs... - says the formula is changing back, the low point was in the 50s, ever since the ratio of inherited vs. earned wealth has tilted back towards inheritance.
And The Wall Street Journal - http://blogs.wsj.com/wealth/20... - directly picks apart the Forbes article you quote.
Maybe the US or the world is not as twisted as here, I only had numbers for Germany when I posted. But the WSJ article is a good read.
The ratio of wealth creators among the 1% is probably also on the order of 1%. Most of the super-rich don't create wealth, except for themselves. In my country, recent statistics say that 80% of the wealth of the rich (millionaires and above) is inherited.
Lots of the famous super-rich started that way. Gates' parents were wealthy, and the Trump empire was built by two generations (not including Donald).
The real wealth creators are in the middle class. Not the one-in-a-million startups that make billion dollar IPOs, but the one-in-five startups that create a viable, middle-sized company and employ a dozen or a hundred people.
That is where wealth is created. And incidentally, it is also where taxes are the most heavy. Because all the tax breaks that are pushed through with your argument are always for the top.
there's no reason why we can't also have lists of "rogue tax-haven nations"
There is. The reason is that the USA would be on that list. Many US states are now tax havens, and that they eroded the banking secrecy of Switzerland, for example, has turned out to be just an effort to eliminate competition.
Because they can sell your data better the more they have. With your phone number, they have a cross-platform unique identifier that is just wonderful at correlating data.
it actually doesn't affect security in a fundamental way at all
Famous last words.
This API defines a standardized way for the USB device to send data in a more secure way than by pretending to be a keyboard.
Pretending to be a keyboard has the advantage of having a very small exposed section. Most importantly, the part that interacts with the browser has gone through the whole OS stack and it is highly unlikely that the browser can do anything with it that is outside the "receive a key code" area.
"What could possibly go wrong?" was rarely written in such big and bright letters.
You're already (IMHO) grossly negligent if your browser doesn't run in a sandbox. But sure, give it USB access. That's only where your keyboard and mouse are also connected. And maybe your external hard drive. The one with the backups.
And for what? Solution looking for a problem?
This case needs to be decided on technical and law enforcement merits, and the uninformed masses shouldn't count.
Bullshit.
The uninformed masses should count. But they need to understand what they decide about. The role of the expert is that of advisor, not of decider.
Besides, in what world can you simply educate the masses on an issue? People don't want to learn about anything that threatens their close-guarded feelings.
Yes, but that is true not just of the unwashed masses, but also of the freshly washed subject matter experts.
Can you educate the masses? Of course you can. They do not need to understand the mathematics of AES, and the relevant crypto concepts can be explained in one or two pages of text. What symmetric encryption is, what a cryptographic key is, what it means to have a backdoor to a crypto algorithm and what the difference to an escrow key is, etc.
We managed to educate the masses about global warming, more or less.
While I agree with you in general, you are too strict and don't understand the concept of democracy. Look:
There are exactly two groups of people whose opinions matter in this case: law enforcement and the technology industry.
That is a technocracy, not a democracy. Rulership by the people means exactly that. If people are uninformed, make them informed. That is the actual reason why we have representative democracy (i.e. parliaments and such), because a small group of people whose sole job it is actually has the opportunity to become informed and then decide.
Of course, the current political system doesn't work that way because they don't (any of that), but at least that is the idea.
People should decide, otherwise we end up in what we have in Brussels: A technocratic government completely detached from the people it governs making decisions purely on administrative merit.
Yes, the Europeans in that case will be technically wrong, but who can really blame them for not being at least a little gunshy in that regard?
We would be technically wrong, but procedurally correct, because if you have laws like that, plus secret courts and gag orders, staying as far away as possible is the only way to keep data safe.
The secret courts are the worst. You know when we over here had them the last time? It was in Nazi Germany.
Stop doing that.
You are creating the false impression in people that talking to politicians has an effect. It doesn't. The few ones that listen come out and talk to us. The ones who hide see us as bothersome, because they understand the political process to be about money, money and also money. From the crazy election system and fundraising to the outright bribery and lobbyism, nothing matters if it doesn't come with a cheque.
Writing won't fix this problem. The system is broken, so stop pretending the system works and there are only a few issues that don't quite work but with some mild gestures we can correct it.
There's a point where being moderate is being evil, because it sustains the system.
This is news, wh... oh, wait. USA. Everywhere else in the world, that kind of leave is absolute standard, mandated by law, and typically longer than 20 weeks.
Hi guys. How does it feel to get a bit closer to civilization? Congratulations, step by step, you will eventually be a first world country.
So doing things securely (which is hard and time consuming) means you miss the window.
Only because you're doing it wrong. Security is like plumbing: Easy to do when you think about it from the start, a shitty mess if you need to add it in later when you've already moved in and only then realize you forgot something important.
Maybe they fix it later, once they're established.
At which stage it will cost 5 times as much and be half as good as if they had thought about it from the start. I'm not complaining, it's why I earn good money. But sometimes you go home shaking your head and saying "really?" to yourself for an hour or so.
Well, that's the point - there are bigger stakes now, and the actors are more significant, using more sophisticated tools.
No, you missed the entire point.
When we were up against script kiddies, we would start with a system in a secured and defined state. Our task as security people was to keep it in that state.
Now that we're up against our own governments fucking us over, the system you freshly unpacked from its box is already compromised. You don't know how and by whom (plural, you also don't know how many), and you need to bring it into a secured and defined state that you do not know how to verify because you don't have a defined clear baseline.
That's a different game.
I see the single biggest threat to security is that decision makers in companies feel they should be able to do whatever the fuck they want and should never have to ask for anything.
Go to a better company, yours is going to go under.
Good management understands that it needs to lead by example, and if management needs special rules, that is fine as long as they are special rules, i.e. properly documented parts of the official policy.
I expected about that, but it turns out the guy said something smarter than I had thought.
Yes, the problem very much is that when you buy a device today, you don't know anymore who has backdoors to it already, before it's even in your hands.
That is a very real and very serious problem, and it makes pretty much everything you do afterwards, including buying his products, completely pointless.
with the implications that security is, at best, an afterthought in product design.
And that, exactly, is the reason everything is going to shit (and has been doing so for 30+ years).
If you would design security into your product, not afterwards as a fix, but from the very beginning, from the first stroke on the drawing board, the whole thing would be twice as good and five times less expensive and you could integrate it into your normal design and implementation workflows.
As it is, you pay a shitload of money to people like me so we tell you afterwards where and how much you've fucked up and then you pay a shitload more to your developers to patch it. And usually you do it after some bad press has already hit you in the face.
on the other side:
The only person who went to jail by Sarbanes-Oxley law
Yes, but SOX had big corporations scared shitless, and if the big consulting companies hadn't seen $$$ and turned a simple thing into this monster that brings them a never-ending supply of income because you need to hire one of them to implement this impossibly convoluted "standard" to be compliant (where the standard is written by those same guys, and the actual law is so much easier to comply with - been there, done that) - well, if that consulting money-grab hadn't happened, SOX could have brought so much security into corporations, because for the first time upper management actually was accountable, and if they don't understand security, they do understand accountability.