What's new? Do people actually expect their phones or PCs to survive encounters with offensive USB hardware? Never mind RIL access, I can plug a keyboard or mouse into a phone USB port and hack away without authorization as well. It only takes a couple of seconds to drop a payload with malicious HID USB via preprogrammed keystrokes. Attack surface of USB is as massive as it is indefensible.
From TFA 5 of the 13 devices they tested give access to serial interface over USB by default. The others require explicit configuration to expose interface.
Remember kids if you are not continuously outraged and afraid money is being left on the table.
So you have a plan to prevent all the idiots out there from believing fake news?
I'll get around to it eventually. First I have to prevent billions of idiots out there from believing in fake gods.
You can be personally responsible all you want and preach personal responsibility of others, but you will continue to be affected by the others that choose to believe fake news since they are part of shaping your society.
So? Given they are part of society why would they not be entitled to shape it?
The only thing worse than having to work to build consensus for the ideologies you support are the alternatives.
Well done on the analysis, you should tell SpaceX and NASA right now,
Remarks were questions rather than conclusions or "analysis". If you have a substantive explanation you care to contribute it would be appreciated.
they clearly know nothing about spaceflight.
My guess people who build working rockets and space dinghies probably know at least something about spaceflight. Some may have even played KSP at least once during their lives.
Three touch screens and lack of buttons... there are some physical knobs hard to tell from the images... overall looks painful.
High G's...Vibrations...space suit gloves and touch screens??
If unbreakable encryption is illegal then ISPs can tell law enforcement of anyone using it on their networks.
Only against low hanging fruit making no attempt to mask the fact encrypted communication is taking place.
Does anyone know what is actually going on here?
From TFA I expected to see text replaced or removed but all it seems to do is add Asbestos and a specific list of uses to substance list of 40 CFR 721.
Does the presence of this text somehow weaken existing new use restrictions of Asbestos? Or is it just that the text added while intentionally nerfed does not in any way reduce existing regulations/laws/whatever governing use of Asbestos?
I'm so confused...
What if there is an existential alien threat they know about but haven't told the public about?
https://www.youtube.com/watch?...
Can almost see Google in a VW rolling down the street with Fanta in hand, stack of Hollerith cards in the trunk snapping Kodaks for the AP.
You don't seem to understand this attack at all.
I don't care about the distinctions. All irrelevant as far as I'm concerned.
It makes it possible to precompute the password to a WPA2-PSK network without having to wait for a valid client to authenticate against the network in the first place.
So what? Being patient or deauth yields same result. Hurdle to successful compromise has not substantially changed has it? Brute force campaign required in either scenario is substantially more labor intensive.
This breaks WPA2-PSK by making attacks trivial to do.
No more or less trivial than brute force campaign required to crack the password.
Was having fun with analogy.
The computer user password is not to protect against local access to the data.
PSK algorithm is not designed to protect against offline brute force campaigns. Well known property of PSK. It's why people have always had to choose increasingly absurdly long passwords to secure their APs.
You need to encrypt the files or entire drive like you are planning.
You need to use a secure authentication protocol like what's included with WPA3 to avoid susceptibility to offline brute force campaigns.
Only for WPA3 they chose a crappy authentication protocol out of the gate opting for a balanced PAKE when better (augmented) versions are readily available on similar terms.
Difference between balanced and augmented is a bit like the difference between a password file stored as plaintext or hashed.
If it's hashed (augmented) and stolen someone needs to crack it before they can login as you. If it's plaintext (balanced) as what was selected for WPA3 they can login as you immediately without cracking it.
A lifetime ago Cisco released an undocumented authentication protocol for username/password wireless authentication (LEAP) that was quickly revealed in all ways that mattered to essentially be MSCHAPv1.
At the time of release shortcomings of MSCHAPv1 were well known. Surely someone must have known yet they went ahead and did it anyway. While not nearly as egregious the same theme is being repeated with WPA3. Better algorithms with better properties are readily available yet they elect to go forward with the inferior one anyway.
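Added example (not part of the thread): the offline-guessing property of WPA2-PSK discussed above follows from how the key is derived, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), which involves nothing that only the AP knows. The sketch below derives the PMK and gives a rough audit of a passphrase; the sample wordlist and the guesses-per-second rate are constructed assumptions, not measurements.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample standing in for a common-password list (assumption).
SAMPLE_WORDLIST = {"password", "12345678", "letmein123", "qwertyuiop"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def alphabet_size(passphrase: str) -> int:
    """Size of the character set the passphrase draws from (printable ASCII)."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33  # space and punctuation: 95 printable characters minus 62
    return size


def search_space_bits(passphrase: str) -> float:
    """Upper bound on guessing effort; human-chosen passphrases are far weaker."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def years_to_search_half(bits: float, guesses_per_second: float) -> float:
    """Expected time to cover half the space at an assumed offline guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def audit(passphrase: str, ssid: str, guesses_per_second: float = 1e6) -> dict:
    """Summarise how a passphrase stands up to offline guessing.

    guesses_per_second is an illustrative placeholder, not a benchmark.
    """
    bits = search_space_bits(passphrase)
    return {
        "pmk": derive_pmk(passphrase, ssid).hex(),
        "in_wordlist": passphrase in SAMPLE_WORDLIST,
        "bits": round(bits, 1),
        "years_half_space": years_to_search_half(bits, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed inputs: a weak passphrase and a long random-looking one.
    for phrase in ("password", "k7#Vq2!mZp9@Lx4$Tn6&"):
        report = audit(phrase, "IEEE")
        print(phrase, report["in_wordlist"], report["bits"],
              f"{report['years_half_space']:.3g} years")
```

The SSID acts only as a salt, so the same passphrase on a different SSID gives a different PMK, but any party that knows the SSID can test guesses without contacting the AP.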
While looking for ways to encrypt unencrypted data stored on my hard disk I discovered if you forget the password to your computer all files can still be accessed by mounting hard disk on a different system or by booting an alternate operating system from a USB stick.
Stay tuned for full article, naming party and mascot imagery for new vulnerability I just "discovered".
It's amazing people still think and speak like this.
You clearly show knowledge on how certificate trust chains work on a technical level, yet demonstrate clearly you have no idea what they are for, what problem they solve, how they do that, or why.
Amazing to see such a long winded post missing basic fact "certificate chains" are about "trust".
Failure to establish trust renders underlying technology moot. It doesn't matter how great the crypto is.
Every DV system these days is automated relying on combination of DNS, SMTP and HTTP. All completely insecure protocols operating over completely insecure networks leveraged to make critical value judgments about whether party in question is trustworthy or not.
DV = LEAP OF FAITH
It may work in practice most of the time yet it certainly is not a trustworthy process. Sad part about all of this is that it's a completely unnecessary and avoidable problem.
There are two basic solutions.
1. Have registrars handle DV certs as a basic feature of domain ownership leveraging existing trust relationship between domain owners and registrar. (Existing DV CAs are flushed down the toilet)
2. Have means for registrars to provide authorization tokens as basic feature of domain ownership allowing third parties to securely demonstrate trust relationship between user and registrar for DV signing and other activities.
Pretending the problem doesn't exist is not a solution.
This MITM would have to intercept the server's connection to the Internet through several paths at every renewal time
Compromise of single path to victims server or authoritative name server is sufficient.
and the rightful owner of the domain would notice the misissued certificate through Certificate Transparency logs.
LOL sure they would notice.
Mozilla employee here, though not involved with this project.
Will Mozilla be disclosing its financial relationship with cloudflare and provide a full accounting of funds it receives as a result of this insanity?
Cloudflare doesn't log your requests, so using Cloudflare DNS is not a privacy problem (even if law-enforcement requests your DNS lookups from them, they have no log to provide).
Their own site explicitly says otherwise.
Cloudflare will collect only the following information from Firefox users:
• Timestamp
• IP Version (IPv4 vs IPv6)
• Resolver IP address + Port the Query Originated From
• Protocol (TCP, UDP, TLS or HTTPS)
• Query Name
• Query Type
• Query Class
• Query Rd bit set
• Query Do bit set
• Query Size Query EDNS
• EDNS Version
• EDNS Payload
• EDNS Nsid
• Response Type (normal, timeout, blocked)
• Response Code
• Response Size
• Response Count
• Response Time in Milliseconds
• Response Cached
• DNSSEC Validation State (secure, insecure, bogus, indeterminate)
• Colo ID
• Server ID
What we really need anyway is Distributed DNS so it can't be bogarted.
Facepalm.
the meantime, Cloudflare's guaranteed secure and private DNS servers are the best we have, other than OpenDNS.
When cloudflare uses system to resolve names guess what ... that process itself uses insecure protocol to query root resolvers up to whoever owns the zone so claiming that cloudflare is secure is rather comical. It's actually no more secure than running your own server using default root list without a forwarder.
Why is it even relevant whether name resolution is secure? The underlying network isn't secure. Anyone in the network path can fuck you. Heck there is a long history of those normally outside of the path fucking with users both by mistake and with malicious intent by screwing with BGP. Every once in a while it even makes the news.
https://www.theregister.co.uk/...
This is why secure E2E shit like https cross checks name against CN/SAN fields of server's public key.
-- this is the big point -- they guarantee that they keep no records and do not even log the traffic going through those servers.
LOL...
Cloudflare will collect only the following information from Firefox users:
• Timestamp
• IP Version (IPv4 vs IPv6)
• Resolver IP address + Port the Query Originated From
• Protocol (TCP, UDP, TLS or HTTPS)
• Query Name
• Query Type
• Query Class
• Query Rd bit set
• Query Do bit set
• Query Size Query EDNS
• EDNS Version
• EDNS Payload
• EDNS Nsid
• Response Type (normal, timeout, blocked)
• Response Code
• Response Size
• Response Count
• Response Time in Milliseconds
• Response Cached
• DNSSEC Validation State (secure, insecure, bogus, indeterminate)
• Colo ID
• Server ID
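Added example (not part of the thread): a sketch of the name check referred to above, where an HTTPS client compares the requested name with the SAN (or legacy CN) entries of the presented certificate, so a forged DNS answer alone does not get a connection accepted. The certificates, names and addresses are constructed, the dict layout follows Python's `ssl.getpeercert()`, and chain validation is assumed to have been done separately.

```python
import ipaddress


def label_match(pattern: str, hostname: str) -> bool:
    """Compare a certificate name with a hostname, label by label.

    A '*' is accepted only as the entire left-most label and only when at
    least two further labels follow, so '*.org' never matches anything.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are refused
    return p_labels == h_labels


def cert_matches(cert: dict, requested: str) -> bool:
    """True if the certificate names the host the client asked for."""
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # IP literals must match an 'IP Address' SAN entry exactly.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        # When DNS SAN entries exist, the CN is not consulted.
        return any(label_match(name, requested) for name in dns_names)
    # Legacy CN fallback, used only when the certificate has no DNS SAN entry.
    return any(key == "commonName" and label_match(value, requested)
               for rdn in cert.get("subject", ()) for key, value in rdn)


# Constructed certificates in ssl.getpeercert() layout.
LEGIT_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.example.org")),
}
OTHER_CERT = {
    "subject": ((("commonName", "www.other.example"),),),
    "subjectAltName": (("DNS", "www.other.example"),),
}

# Constructed hosts: which certificate each address presents.
SERVERS = {"192.0.2.10": LEGIT_CERT, "203.0.113.66": OTHER_CERT}


def connect(requested: str, dns_answer: str) -> bool:
    """Model a TLS client: DNS only selects the address, the name check decides."""
    return cert_matches(SERVERS[dns_answer], requested)


if __name__ == "__main__":
    print(connect("www.example.org", "192.0.2.10"))    # honest DNS answer
    print(connect("www.example.org", "203.0.113.66"))  # forged DNS answer
```

The check is only as strong as issuance: a certificate issued to the wrong party for the requested name would pass it, which is the DV concern raised earlier on this page.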
... need this feature a lot.
And since the Firefox developer team has a big subset of that demographic, is quite clear why this was included.
This is of course complete bullshit.
As if anyone with something better to do than snoop on the wire at Starbucks won't see destination IP, SNI or server's public key identity and have access to the exact same data DNS provides.
What they really need is 802.1x.
DNS is one of the few remaining services yet to be totally centralized. Assertions centralized systems (Mozilla) are more trustworthy and privacy preserving than federated ones is doublespeak.
Mozilla is basically asserting without evidence everyone's DNS servers are untrustworthy and therefore for users' own good only theirs can be trusted.
It is not even clear what even practical theoretical benefit to the end user would be given anyone in data path can see destination address, SNI, PKI Identity and TLS session identifiers. It isn't ever any secret where you are going unless you use an overlay network like Tor.
Mozilla's unilateral decision to bypass name service administrative policy including DNS based filtering of harmful domains greatly reduces user privacy and security for no reason.
It also creates unnecessary administrative problems accessing resources using naming services not globally resolvable from cloudflare in addition to TFA's points.
Enabling this by default is unconscionable. Mozilla should be boycotted if they actually go through with it. I'm tired of them falling all over themselves asserting they care so much about privacy when reality is Firefox by default is an endless parade of excuses to call home. It requires an unreasonable amount of effort screwing around in about:config to actually stop it.
While it seems we are largely in agreement on the problems, you seem to have nothing resembling a solution or any constructive improvements for mine. A "problem" with no solution is just part of reality. If you can't fix it, then you better learn to enjoy living with it.
I don't use app stores. Never have, never will. I don't have Google app store/play services installed on my phone.
It is sufficient to provide users with tools to manage and transform trust. Monopoly dictation of standards from up high by those who claim to "know better" is dangerous and counterproductive to society.
Users should have the ability to configure systems to visit only approved sites or run approved software by any authorities user deems to be trustworthy.
Users should have the ability to configure systems to visit any site yet be warned of sites or software known to authorities to be harmful.
Users should have the ability to visit any site or run any software with themselves being the exclusive judge of trustworthiness.
The problem of judging trustworthiness is as old as civilization. The Internet sucks so hard at it because analogous tools to manage trust suck or don't exist. There will always be risk beyond which efforts to mitigate are deleterious.
Beyond trust there are two critical problems with Android OS that must be resolved:
1. Fundamental design defects enabling parade of privilege escalation vulnerabilities and other effective isolation gaps.
2. Android must not be intentionally engineered to be hostile to the end user's interests. Take it or leave it demands of users by applications carries unacceptably deleterious consequences.
Denying access to contacts, messaging history, location, networks, storage and other resources must be able to be achieved secretly without applications having the means of understanding access was denied.
This is something Google explicitly refuses to do in order to protect its interests in exchange for significant unnecessary peril borne by end users.
That word doesn't mean what you think it does.
In fact, the sentence almost says the opposite of what you intended.
Intent was to convey sloppiness rather than generosity. Monopolies can afford to be lazy and sloppy with allocation of resources. A company held to the fire of a functioning market is forced to work for it while remaining frugal or die.
Excellent example of how the insane greed of the corporate cancers is bad for the human peasants caught in the crossfire.
It's an excellent example of how monopolies begin to crack under the weight of their own largesse.
NOT to suggest that the Google Play website properly vets the security of the apps, but it's better than nothing.
No absolutely not. It's much worse than nothing. The existence of the app store is a potent source of perverse market incentive fueling the creation of malware.
I completely get why Epic wants to do this: 30% adds up to a lot of money for a game that pulls in hundreds of millions a month. But for the broader Android user base this is a terrible idea.
The only terrible idea is monocultures and single vendor monopoly rule.
Having the ability to install external APKs and actually enticing non-technical users to do it are two different things. The average smartphone user isn't prepared to use external sources,
It's actually trivial and learning something new is a great experience.
and if they do, it's going to end up like malware on Windows.
Unlikely, security models are vastly different.
Which is to say there's going to be trojan APKs left and right pretending to be Fortnite, or Fortnite with hacks, etc.
LOL thank goodness Google app store doesn't have malware and fake apps.
All this does is punt the same set of trust issues from app stores to web sites. Whether an app store or web site there are established mechanisms for centrally reporting and blocking harmful sites.
Doing away with app stores mitigates some perverse market incentives to produce malware in the first place.
Fortnite's original game mode - Save The World - was a zombie survival game. If users have to install APKs from unknown sources, we're going to be surviving a whole new kind of zombie outbreak...
An outbreak of freedom from single vendor dominance. Zombies hate it.
Because residential service is for consumption.
Where does the law that defines broadband say that?
If I want to read a webpage the GET request is tiny, the page bigger. If I want to stream a movie, asking for it doesn't take much while receiving the movie takes a ton.
What about video conferencing, telemedicine, telework, running a business?
What is the difference between streaming a movie and teleconference with family and colleagues? If anything I would expect teleconferencing to require MORE bandwidth than Netflix for same quality due to computational limitations of real-time encoding and delay intolerance.
I don't recall any FCC hearing in which the purpose of the Internet and public funding to promote universal access is making sure everyone can watch Netflix. Broadband deployment and funding is about jobs, health, education and opportunity parity not wasting time.
Now I understand that power users and IT professionals need to upload stuff, however we are greatly outnumbered by those who just want to consume the internet.
I fail to see the relevance. Can you cite definition of broadband that supports the above assertion? I cited one that refutes it.