Slashdot Mirror


User: Dutch+Gun

Dutch+Gun's activity in the archive.

Stories: 0
Comments: 4,453

Comments · 4,453

  1. I think you may have mixed up your metaphors a bit at the end there.

  2. Re: What does this have to do with science? on 'Science Must Clean Up Its Act' (scientificamerican.com) · · Score: 1

    The same can be said of astronomy too. It's just that there are no highly disruptive public policy agendas being driven by it.

    Wait for those "dark matter" taxes. I'll definitely have something to say then.

  3. Re: What does this have to do with science? on 'Science Must Clean Up Its Act' (scientificamerican.com) · · Score: 4, Insightful

    Is "social science" real science? Let's just trot this out again.

    Humor aside, the lack of ability to reproduce experiments doesn't necessarily make a field of study more or less scientific. After all, you could include astronomy and climate science among those, at least to some degree. But I think you can definitely argue about some fields having more scientific rigor than others, to be sure.

  4. Re:Short sight on The Working Dead: Which IT Jobs Are Bound For Extinction? (infoworld.com) · · Score: 5, Insightful

    C++ employers will be employable in the videogame industry for the foreseeable future, at least. I presume that they'll also be employable for working on any large-scale applications that require support or compatibility beyond what some of the newer, safer, high-performance compiled languages can provide.

    People always talk about how terrible C++ is (and it's hard to argue with many of their points), but it continually shows up in the language rankings as a steady #3 to #7 or so, depending on how language "popularity" is figured. It benefits less from being "pure" and more from being incredibly pragmatic as a language, similar to C. R and Go are still lagging far behind, with D almost out of sight. Swift is moving up thanks to iOS, and maybe Kotlin will do the same thanks to Android (but we'll see - I'd literally never heard of it until recently), but those are almost pre-destined to be one-trick ponies due to their strong platform ties.

    Ultimately, the big problem is that I don't see a real universal contender for high-performance native code taking over from C/C++. There are a lot of promising languages, but at the moment, nothing is really taking off. Simple inertia is pretty hard to overcome, as it turns out.

    Final point:

    But the regional dean of Northeastern University-Silicon Valley has the glummest prediction of all. "If I were to look at a crystal ball, I don't think the world's going to need as many coders after 2020. Ninety percent of coding is taking some business specs and translating them into computer logic. That's really ripe for machine learning and low-end AI."

    Bwahahahahahaha! Oh damn, we can't even get our chat bots working reliably (we use them to auto-generate bugs and tasks). And in three years they're going to be replacing programmers? Fucking priceless!

  5. Re: How would EU law apply? on EU Passes 'Content Portability' Rules Banning Geofencing (torrentfreak.com) · · Score: 1

    We're used to being shafted by the free market. That won't change.

    It sounds like you're about to be shafted by your government, not the free market.

  6. Go Brickerbot! on Groups War Over Resources For DDoS Attacks (csoonline.com) · · Score: 4, Insightful

    I'm rooting for BrickerBot. Shut those vulnerable devices down permanently, and there's less for the rest of us to worry about.

  7. Re:What the fuck is zomato? on Hacker Steals 17 Million Zomato Users' Data, Briefly Puts It On Dark Web (hackread.com) · · Score: 1

    Each week I seem to learn about a helpful new online service or two thanks to their massive user data breach. Thanks Slashdot! Even better, I get a taste of the corporate-level bullshit they spout. This is a grade-a prime, four star example:

    "Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that's something we do diligently, without fail. We take cyber security very seriously -- if you've been a regular at Zomato for years, you'd agree."

    If this is security "without fail", I'm thinking maybe they don't have a clear grasp on what "fail" means. Because if you've been a regular at Zomato for years, your personal data is now out there flapping in the breeze.

  8. Re:My right to not buy iphones on Apple Is Lobbying Against Your Right To Repair iPhones, New York State Records Confirm (vice.com) · · Score: 3, Insightful

    It's a portable computer and communication device, nothing more. You can buy a decent one for as little as $150 and as much as $800, and it typically lasts for several years if you take reasonably good care of it. If it's causing some existential crisis in your life, that's all on you, not on the smartphone.

  9. Re:Trump version of... on Many Nations Pin Climate Hopes On China, India As Hopes For Trump Fade (reuters.com) · · Score: 5, Insightful

    Saying hopes for Trump on climate issues "fade" is implying they were ever there to begin with. Was anyone ever that uninformed to think that Trump was going to be some environmental crusader?

    If you want Trump to do anything about climate change, get behind nuclear to replace coal for base load power generation, which I'd imagine he'd support. A large number of environmentalists have, for many decades now, been hurting their own cause by blocking nuclear at every opportunity, allowing perfect to be the enemy of good.

    Of course, it won't happen, as some environmentalists would apparently rather see the apocalypse occur than build more nuke plants. Many of those people have even been going after *hydro* in recent years, which is about as clean as large-scale power generation is going to get. It weakens environmental arguments when practical solutions seem to be rejected out of hand.

  10. Re:Don't blame the U.S.A. on Chinese State Media Says US Should Take Some Blame For Cyberattack (cnbc.com) · · Score: 2, Interesting

    Agreed, blame the US TLAs for this. It falls *directly* on them in this particular case. Microsoft made a mistake, but they made a good-faith effort to fix said mistake. And if you're going to castigate organizations for making security mistakes, there's no widely used OSes that haven't had their share of doozies in the last few years alone.

    That being said, the last country I want to hear casting blame regarding cyberattacks is China.

  11. Re:This is still on the front page... on Our Obsession With Trailers Is Making Movies Worse (cnet.com) · · Score: 1

    Maybe we can just call this a sequel. Next year, another editor can post it a third time as a reboot.

  12. Re:I avoid trailers, if possible on Our Obsession With Trailers Is Making Movies Worse (cnet.com) · · Score: 1

    Dude... spoiler!

    Okay, I guess it's past its statute of limitations for plot secrets, especially those which probably everyone but me knew about. Yay for never reading entertainment news.

    Also: Rosebud was his sled.

  13. Re:Unimpressed by DocuSign's handling of the breac on Breach at DocuSign Led To Targeted Email Malware Campaign (krebsonsecurity.com) · · Score: 1

    We all know how hard it is to secure an entire network (although companies like Google, Amazon, and Microsoft seem to have figured it out for the most part). Most people will forgive a company that gets breached, but they MUST come clean and be completely honest and transparent. Just like with any other transaction, I don't expect perfection, but I expect a company to try to make things right if they happen to go wrong. Otherwise, I find another company to do business with.

    This sort of secrecy in the face of a breach is inexcusable. In fact, maybe it should be *illegal*. I'm not certain, but at the moment, I think that only applies to financial institutions (although I think California has such a law). I'm not typically one to screech "there oughta be a law!" when anything bad happens, but I consider this basic consumer protection at this point, as more of our business and personal infrastructure goes online. By not sending out a warning e-mail, DocuSign is (obviously) favoring its own reputation over its customers' safety.

  14. Re:I avoid trailers, if possible on Our Obsession With Trailers Is Making Movies Worse (cnet.com) · · Score: 1

    One of the last Star Trek reboot movies apparently decided that they didn't give a damn about their big villain reveal, and just spelled it all out on the back of the Blu-Ray box. I hadn't watched any trailers (may have been equally spoilerific, I don't know), and fortunately didn't read the back of the box, or I'd have been rather peeved. Did they assume that the only people who had seen the movie or knew about it would buy the Blu-ray? Apparently so.

    A lot of movie trailers are just as bad about showing really blatant spoilers. Even if unintentional, I often tend to remember trailer scenes when replayed in the movie, which can be a bit distracting if you're mentally anticipating it.

    I certainly understand the marketing dilemma in creating effective trailers, but I just no longer trust them to be spoiler free anymore, and as such, try to avoid them. Like with you, cutting cable helped a lot. I guess it's sort of like online advertising in a way. It got bad enough that I just said "enough", and blocked it all.

  15. Re:Great on Microsoft Job Posting Hints At VR MMO (roadtovr.com) · · Score: 1

    That is quite a chip on your shoulder.

    Sounds like maybe he's wearing his VR headset wrong.

  16. Re:Why? on Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com) · · Score: 4, Interesting

    One of the problems is that MS poisoned any good will about upgrading with their own actions... first by more or less tricking people into upgrading to Windows 10, and second, by making that upgrade (and all other upgrades) less trusted by pushing telemetry as required updates, and by making Windows 10 updates incredibly annoying, disruptive, and on occasion, simply broken.

    I don't blame MS for not writing perfect code, especially older code. No OS used today has zero exploits, so I think it's disingenuous to bash Microsoft with each new bug found but somehow give Linux a pass when the same damned things happen. But I'm sure as hell going to blame them for encouraging so many people to distrust Microsoft's own security patches in the first place, even going so far as to actively block them. That was all because of their OWN tone-deaf policies of "we know what's best for you, so shut up and update. Oh, and don't mind the telemetry we're slurping up. We promise it's benign. What? No, there's no way to turn it off."

  17. Re:Microsoft is 100% right on this one on Microsoft Blasts Spy Agencies For Leaked Exploits Used By WanaDecrypt0r (engadget.com) · · Score: 4, Insightful

    Well, you're brave to defend the TLAs. Hopefully you don't get unfairly mod-bombed because of it, as too often happens to unpopular posts.

    The core problem with your scenario is the implicit assumption that only the TLAs know about those particular exploits. There could very well have been other countries' agencies that knew about them as well, or criminals using them judiciously for their own zero-day exploits. Why assume that any other major state player couldn't collect these same bugs? We may know more in the months ahead if anyone discovers new information in old logs relating to these exploits.

    The other faulty assumption is that the only way to do offensive intelligence operations is with software exploits. Plenty of attacks, from many different criminal and/or government groups have shown that to absolutely not be the case. Human operators can be fooled into installing malware in targeted phishing attacks, or maybe even bribed into installing it. Or you can use more traditional bugging methods, installing hardware that intercepts information pre-encryption. Etc, etc...

    Holding onto an exploit that affects your own country's software (and the world's in fact), is playing a very risky game. And, as you rightly acknowledged, it just blew up in their faces. Given the proven inability of these agencies to hold onto secrets, I think playing a little more defense isn't a bad thing, at least until it's been established that they don't leak their own secrets like a sieve.

    I fully understand and acknowledge that there are very bad people in the world, and these agencies help to protect the US from them. But I do wonder if, at the moment, that price is becoming a little too steep for what we're getting out of the deal. The problem is, though, that we'll never really know. The leaders at the top of that agency know, but sure as hell they're never going to admit to anyone anything that has a chance of ever reducing the power of their own little government fiefdom.

  18. Re:Biometrics are NOT passwords on Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org) · · Score: 2

    I think the key to using biometric authentication safely is to never push it to the cloud, and thus eliminate the temptation to use it as a single-factor authentication, not to mention minimize the risk of getting it stolen. Instead, it should only be used when there's a secure electronic enclave that can store it and use it for authentication on your behalf.

    In this way, your biometric data is just an authentication proxy on known-good systems. It doesn't leave your local devices, which means a random attacker can't use it to log in from elsewhere, or hack into a server to steal it. Even if they did, it wouldn't do any good, because the biometric data isn't used as the authentication in any way on the server side.

    That leaves the problem of the initial login, or periodic re-authentication, but I think there are solutions to that as well, such as derived data that don't involve the user inventing passwords, like QR codes that can be flashed in front of a camera. For a business, these could be one-time codes generated by the IT dept, and for home users, some sort of recovery code they keep in a safe place. But since these would be rarer events, it would be more acceptable to have them be a bit more burdensome, so long as they don't involve the user having to memorize anything.

    I'm more and more convinced that the username + password paradigm is just too untenable. Remember, the security model to compare against isn't theoretically perfect passwords - it's the shortcuts people use to bypass the technical requirements of password complexity by the most minimal amount possible. Moreover, the realistic threat isn't some super-villain that will physically breach your environment and physically impersonate your biometrics. The big threat is remote intrusion, and this would help, because your back-end authentication token would probably be 256 bits of pure randomness.

  19. I bought a high-quality phone over 3 1/2 years ago, and it's still perfectly functional, but gets no more security updates. Essentially, I'm screwed as soon as the next major issue hits that has no mitigation. Even Google, with their high-end Pixel devices, apparently only guarantees security patches for 3 years from launch or 18 months from buy date, whichever is longer. That's pretty lame for an $800 phone.

    If HTC wanted to get back into the market, they should sell high-end phones and guarantee five years of software updates. I'd buy one tomorrow.

  20. Re:What value is google providing? on Google Found Over 1,000 Bugs In 47 Open Source Projects (helpnetsecurity.com) · · Score: 1

    Few others can devote such intense, continuous computational resources to finding bugs. Fuzz testing relies on a lot of brute-force computational power to test such an unfathomable number of potential test permutations, and it seems like this is essentially what they're providing.

    Given how many bugs they've found, I'd call it "promotion of a worthwhile service" rather than "attention whoring". I mean, Google is essentially sponsoring projects to help make them more secure.

    I understand your point about attribution, but I think you're underestimating Google's contribution as well.

  21. New Slashdot drinking game on HBO's 'Silicon Valley' Joins The Push For A Decentralized Web (ieee.org) · · Score: 1

    Take a drink whenever Tim Berners-Lee is mentioned in the summary.

  22. Re:Great news! on Google Found Over 1,000 Bugs In 47 Open Source Projects (helpnetsecurity.com) · · Score: 2

    If you haven't done this for your projects, fuzz testing is an awesome stability and security test for any sort of input parser.

    I maintain a small open source project (that no one but me uses, but hey, it's there if people want), and I found several bugs in the parser with my fuzz tests. I just wrote a *very* simple test myself using basic mutation techniques (randomly altering samples of valid input data), and it was still pretty effective.

    I'm looking forward to hearing about further positive results from this project.

  23. Re:Profit! on Google Found Over 1,000 Bugs In 47 Open Source Projects (helpnetsecurity.com) · · Score: 3, Informative

    From TFA (in case anyone was wondering about the criteria):

    "To qualify for these rewards, a project needs to have a large user base and/or be critical to global IT infrastructure."

  24. Re:Sounds Smart on NASA Won't Fly Astronauts On First Orion-SLS Test Flight Around the Moon (space.com) · · Score: 3, Insightful

    I've never liked picking sides in the "manned vs unmanned" space debate, as I believe a comprehensive space program requires both, although perhaps not in equal numbers.

    Deep space missions and exploration? Yeah, it's pretty clear that robotics are the way to go. But I also want to get humans seeded on other worlds, or in permanent, self-sustaining space-based colonies. It's true that crewed space missions inflate the costs tremendously, so we have to pick those missions very carefully.

  25. Re:You reader, please show support on FSF Supports Today's Boston March Against DRM In HTML5 (defectivebydesign.org) · · Score: 1

    Well, good luck explaining to the average person what the hell you're marching about / advocating. Try to explain, and watch their eyes glaze over. The disinterest of average people regarding stuff like this is something that geeks seem to underestimate time after time. The importance of free and open source software is another one of these "eyes glazing" topics.