Which sends data to Microsoft. Is that safer?
As long as it's not going to Russia, then yes!
You have freedom for your own political speech, not freedom to violate someone else's rights - in this case copyrights granted by government.
Am I free to get a copy of these scientific papers, and make a recording of them, and put that recording on YouTube?
You'd need a magnetar in orbit to erase tapes.
It's the only way to be sure.
Penn & Teller did an episode of Bullshit! several years ago about bottled water. They set up hidden cameras at a restaurant and offered a "premium bottled water" menu to the guests. Each and every glass of "premium" water was just filled from the garden hose outside the restaurant, but none of the patrons could tell the difference.
If I have the choice at the store between buying "Fluffernutter" brand water, vs Nestle, Arrowhead, Crystal Geyser water, I think I'll go with the names that I know over the one I don't.
This was my first thought as well...
As long as anybody can buy Google stock on the open market, they are a public company. They still have many, many individual stockholders, but XXVI is the majority stockholder. If XXVI bought up all of the stock, only then can they be as non-transparent as they want.
Given the general quality of British television these days*, I'm tempted to hypothesize an inverse correlation between understanding a show and enjoying it.
The show in the study was from the BBC. FTFY.
The internet is a series of connections that require physical wires.
You're wrong. The Internet is a series of tubes.
Also, if you don't already know this, every hacker knows that the most common passwords are "love", "secret", "sex", and "God".
Thanks for the tip, Crash Override.
"Over time, Sonos sales will begin to disappear." FTFY
Millions of non-billionaires donate to all sorts of charities. In 2016 it amounted to almost $400B. In every one of those cases they get a tax deduction. Are all of those people doing something wrong? Are all of those people not 'paying their full tax burden'?
Those people are probably making those donations by giving cash (check/credit card). They have (presumably) already paid tax on that money when they received it as a paycheck, and that is why they get the tax deduction. Bill Gates is giving stock that he owns, not cash from his bank account. When the foundation wants to use some of this money, they have to sell the stock on the open market, and then they can spend the proceeds of the stock sale. Gates has not paid any taxes on the stock that he is donating because he has not sold it. I think that is what people are complaining about; that he can avoid paying taxes on billions of dollars, but he still gets to spend that money through his charities.
Traffic cameras, security cameras... Hell, London alone probably already has 5.9 million of them just watching the streets, and that was in 2013.
I can certainly see the appeal to signing with a streaming company. They are not (currently) regulated by the FCC, so you can do whatever you want, and say whatever you want.
No they didn't. Which is why they applaud, when he tells jokes, instead of laughing at them.
Your parents must have been weird. My parents never applauded at the TV when watching Letterman.
Now you have unlimited instant streaming choices on Netflix and others, I can't imagine too many people picking Letterman over the other options.
That's the beauty of Netflix (and online streaming in general). You don't have to choose between watching one show or another. You can watch them both if you want because they are on-demand. You don't even have to watch them when they come out. Since Netflix owns the content, it will be available as long as Netflix is around.
Then blacklist IPs at the firewall(s) for endpoints that are scraping your site.
IP addresses are fairly easy to change. You can use something like Tor, so your public IP always changes.
What do search engines do, then?
Search engines create an index that is searchable and make money by selling ads on the search page. Search engines are NOT collecting the website data, making correlations about the data on the website, and selling that data to companies.
We respond to all fire alarms equally, and thus far all but 3 in the past 50 years have been false. However, if the alarm happens to come in on a nice afternoon, and there's not much else going on, we'll use it as a training opportunity. Pull hose, enter/search the building as though it is filled with smoke, charge the hoses and train on handling them, you name it.
The difference is that when you get to a false fire, you can quickly determine that it is fake, and then choose to use it for training, or go back to the fire house. The coast guard has to continue searching for the boat for a time because it may have drifted from the location that was reported.
That would deprive the website of the clickbait and advertising revenue that this post was intended to generate.
Oh, no. This was a good hombre who came to the US to build his business.
Apparently he didn't build it very well.
That's why Amazon Prime, for example, is annual, not monthly.
Check again
I think the OP's point was that they can play nice for 5 years while the oversight is in place, but then after 5 years, they could do whatever they want with no oversight.
Wikipedia should be able to see from the HTTP referrer header whether the visits are coming from a link on another site or not. This should not be a mystery.
As I've explained in the quote you're replying to, if the attacker has control of the website, they can do pretty much everything they want. At that point, getting an LE certificate is spending needless time on useless stuff that won't bring you much access beyond what you do.
If they are able to get an LE cert and successfully MITM the site, then they can run all of their bad stuff on their own server instead of the real server. This limits their exposure to being caught, and the website owner fixing their security holes. If the website owner never sees any bad behavior in their systems, they may never know they were compromised.
If anything, a changed certificate or even a changed authority might look conspicuous (and some power users have tools to detect exactly that).
Websites change CAs and certificates all the time. I managed a website, and when we moved to a different hosting provider, the next cert was issued by their preferred CA and nobody complained. Unless the website owners themselves are checking their certificate, then the power users might just assume that the website changed to LE by their own decision, since LE is free, and easier than dealing with commercial CAs.
Why set up a separate LE certificate, when they can use the actual key and rely on whatever expensive signing the site went for? (And then, for all intents and purposes, the interaction with the phish looks cryptographically exactly the same as if coming from the genuine site.)
If the website is running an SSL proxy, then the hacker cannot get the private key from the web server itself, unless they are able to jump to the proxy and hack it as well.
The attacker would *ALSO* need to have access to the server they are trying to impersonate in order to successfully pass the validation. (And by that point, if the attacker actually controls that server, there's no need to fuss around with a man-in-the-middle attack.)
An attacker could use LE to set up a MITM attack, if they can hack the website.
1) Take control over the website.
2) Get an LE certificate for the domain.
3) Export the certificate, and install onto their own malware site.
4) Phish a user into going to their MITM site, which has an LE-signed certificate that your browser trusts.
5)...
6) Profit!