but you *can* fire the biggest assholes and keep them from making women feel like they don't belong there.
Advocating firing the person who in good faith is attempting to offer suggestions for getting more women into the field makes *YOU* the biggest asshole.
Google is a hostile workplace--for people like Damore. The toxic people who cannot remain civil in the face of disagreement should be the ones who are removed & punished. Anything else will result in a race to the bottom.
Isn't this what Google at its very core represents... a race to the bottom? When everything is ad and cyber stalking supported ... when everything must be "free".
Eh, that's like Costco or Sam's Club, though. Presumably that item was selling at invoice or just barely over.
This isn't about stores requiring memberships. If Amazon went membership only I would respect it, although I personally would choose not to purchase a membership because they offer nothing I can't get on the same or more favorable terms elsewhere.
Bottom line: if you're going to pretend to be open to the public then don't play games with me and expect to keep my business.
This was Star Wars Blu-ray selling at full rip-off price, something like $25. Ended up rolling the dice on eBay and picked up non-bootleg for less than half that. Refuse to believe they were not making money. This was unambiguously a calculated harassment campaign to upsell Prime memberships.
The end result was they lost my business. Not worth my time to be fucked with like this. Amazon offers nothing above and beyond what others are offering to justify yearly membership dues.
What item, specifically, did they refuse to sell to a non-prime customer?
Star Wars: The Force Awakens
For me the last straw was Amazon's refusal to sell an item I wanted unless I was a Prime member.
When a company gets so big that they feel secure enough in their position to intentionally fuck with their customers essentially telling them to screw off it's time to write that company off and move on.
How do viewers of your site know that your competitor didn't pay the ISP to change your phone number appearing on its subscribers' view of your site to that of your competitor?
This is a good illustration of the difference between possibility and probability.
Yes, it is possible for someone to change the phone number in transit over the network. What is the probability of occurrence? Is it worth my time to care? I suspect the answers to the above questions are "very small" and "hell no".
After all similar risks remain regardless:
How do viewers of your site know your competitor didn't pay the ISP to redirect your site to /dev/null?
How do you know your competitor didn't pay off your web host to hang an "out of business" banner only visible to potential customers on the other side of town?
I really do think that weaning the web off non-SSL HTTP is a good thing. I don't know how anyone can oppose protecting people's privacy.
The privacy case for publicly accessible websites is tedious at best and harmful at worst. It is tedious at best because use of timing and payload length side channels has been successfully demonstrated to unmask user activities on public sites.
It is harmful to privacy because all those OCSP queries to centrally managed servers represent a new vector to track users en masse without requiring any in-path compromise of communications channels.
TLS session caching may leak data that can be used to correlate requests within a privacy preserving overlay network.
There's no cost any more to getting a TLS cert, so there's just no excuse any more to not go HTTPS.
There exist management costs and additional RTT costs both in initial TLS setup and an additional round trip with every subsequent request. This can be mitigated in the future by using session tickets.
For all public IP addresses I would actually support throwing up an "insecure site" warning for all non-SSL sites that users have to click an exception button on, then eventually requiring SSL of all web sites.
No doubt TLS is better than nothing yet ends don't justify means. Just because you want everyone to use TLS does not make it acceptable to force others to use it if they don't want to for whatever reason.
In a world where everything is secured via TLS there is no real security. The value of compromising CAs approaches infinity at the same time CAs are squeezed by the everything-must-be-free machine (LE freeloaders). Not that CAs have any business existing in the first place. DV should be a function of the registrar, who should be handling signing as a standard included feature of domain ownership for no additional cost, with none of this any-CA-has-the-capability-to-sign-globally-for-any-domain-they-want bullshit.
Every government in the world worth fearing is assured to have the means of compromising the system as currently deployed. As we have seen with Google's unnecessary unilateral removal of the ONLY means of detection of government compromise (key pinning) in order to support a half-baked "experimental" IETF draft that does nothing to actually stop compromise in its tracks, it seems to me the current system is worthless to anyone with a need for security beyond low value ecommerce transactions, and that design is intentional. Any new features, such as rolling out support for PAKEs, that stand to improve security by providing off-ramps to trust not based on the global PKI house-of-cards are systematically ignored by all browser vendors.
The path and query string themselves are enough to infer "people's information". With cleartext HTTP, a passive attacker can infer which medical condition you looked up on Wikipedia or WebMD. With HTTPS, an attacker can see the server's hostname in the Server Name Indication of the ClientHello message, such as en.wikipedia.org or www.webmd.com, but everything else is encrypted.
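An added example, not from this thread, of what the comment above describes: a constructed TLS ClientHello carrying a Server Name Indication extension, a parser that pulls the hostname out of it the way a passive on-path observer (or a network monitoring sensor) would, and the same observer's view of a cleartext HTTP request where the path is in the open. The helper names `build_client_hello`, `extract_sni` and `passive_view` are chosen here; the sample bytes are constructed, not captured.

```python
import struct


def build_client_hello(server_name=None, session_id=b""):
    """Build a minimal TLS 1.2-style ClientHello record (constructed test data)."""
    random = bytes(range(32))                 # deterministic stand-in for the 32-byte random
    cipher_suites = b"\x13\x01\xc0\x2f"       # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body = b"\x03\x03" + random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                       # one compression method: null
    extensions = b""
    # An unrelated extension first (supported_versions, 0x002b) so the parser must skip it.
    extensions += struct.pack("!HH", 0x002b, 3) + b"\x02\x03\x04"
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if no SNI is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                              # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                           # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000:
            continue                          # not server_name; skip
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == 0:
                return name.decode("idna")
    return None


def passive_view(packet):
    """What an on-path observer learns from the first client bytes of a connection.

    Cleartext HTTP exposes the request line (method, path, query) and the Host header;
    a TLS ClientHello exposes only the SNI hostname, never the path.
    """
    if packet[:1] == b"\x16":
        return {"protocol": "https", "host": extract_sni(packet), "path": None}
    line, _, rest = packet.partition(b"\r\n")
    method, path, _ = line.decode("ascii").split(" ", 2)
    host = None
    for header in rest.split(b"\r\n"):
        if header.lower().startswith(b"host:"):
            host = header.split(b":", 1)[1].strip().decode("ascii")
    return {"protocol": "http", "host": host, "path": path}


if __name__ == "__main__":
    # Constructed sample traffic for the same page fetched over HTTP and over HTTPS.
    http_req = b"GET /wiki/Influenza HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n"
    print(passive_view(http_req))
    print(passive_view(build_client_hello("en.wikipedia.org")))
```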
Incorrect. On a public website you can infer what the user is looking at via analysis of timing and payload size.
Then we can talk.
Rolling out DNSSEC without first addressing DNS amplification is dangerous and irresponsible.
I'm sure NY Times has an Android app you can download and use if you don't want to use their web site, but then when there is an article regarding apps for Windows or Android market place, we can find you complaining that there are too many apps, and why does NY Times need an app?
I advocate using the proper tool for the job. Browsers are suitable for viewing published documents. They are unsuitable for executing arbitrary software.
In regards to browser switching, I haven't had that problem for a long time,
Why is this relevant to my situation?
maybe you need to visit better sites!
I don't have a choice.
You don't trust the browser sandbox, run it in the VM!
Less than two weeks ago we received yet another example of why this does not work.
And the browser hasn't been a document viewer for at least 15 years, so why don't you get with the times grandpa!
The browser is and has always been a document viewer. Just because you can write a web server in PostScript doesn't mean you should.
No one is forcing you to rewrite your application using the latest fad framework!
Developing a product using components only supported for 2 or 3 years is totally insane.
You have access to the source after official support ends and can continue to modify it and use it for development it as long as your heart desires!
Official support is the point.
But if you want the latest, most cutting edge features, then you might want to rewrite your presentation layer using a newer framework.
What specifically do you get in return for a critical dependency only being supported for 2 or 3 years? Are there new conceptual advances in UI design requiring cutting edge support libraries to implement?
Part of this is simply efficiency. With an SPA loaded, clicking on each link to a static article simply sends the relevant data rather than rebuilding the entire page server-side. That's a whole lot faster and cheaper to do.
Not necessarily.
Once you yank out all of the unnecessary abstraction and complexity in the attempt to create a thick client all of the sudden cost of reloading page vs reloading content is irrelevant.
Often what really matters with regards to outcomes is round trip delay. If you have a page constantly doing a bunch of piecemeal loads (A practice that seems to be quite widespread) it's going to take longer regardless of how many fewer bytes went over the wire or how many fewer CPU cycles were burned.
If your application is well written and there is a good separation of business logic from the UI, then a 2 to 3 year lifespan for a framework is pretty good.
This is fucking insanity.
Every time there is an article about JavaScript, there is an individual like you complaining about why JavaScript is needed. I'm sorry that all you want to use your browser for is to read news on NY Times, but the truth is that there are a lot of people out there who want to do more than just browse static pages.
Hence the reason operating systems allow programs other than web browsers to be executed.
The browser is the most efficient app delivery system today. You no longer have to worry about whether the end user has the latest update of your app, and which OS or version they are running, your app will just work!
This must be why I regularly find myself switching browsers. It's always stupid shit like buttons that do nothing when clicked.
If you are paranoid and don't trust the browser sandboxing
Browser sandboxes have proven themselves not to be trustworthy.
then maybe you should run Qubes OS or browser in a VM, otherwise, perhaps it is best to stick to printed news.
Or maybe people should stop confusing a document viewer with an execution environment for general purpose software.
I dismiss Wired articles regarding Damore as worthless noise due to gratuitous use of loaded words. Clearly using their platform to communicate opinion rather than objective information.
An easier analogy is to imagine that you are selling a food item that only appeals to 31% of the population and you want to grow revenue. Well, if you could make it appealing for 100% of the population, that may be easier than trying to win market share among the 31%.
You can get me to eat fruit by selling it in the form of a banana split or candy apple.
Didn't RTFA. What's the problem? AFAICT AMP is an open standard suggested by Google. Is this some new petty RSS wars thing? Can someone explain?
Google, by virtue of its de facto search monopoly, is compelling content to use Google-hosted AMP in order to receive a higher search ranking vs. someone electing not to participate.
This has NOTHING to do with whether AMP is good or not as a technical standard or whether people with slow crappy web sites deserve lower ranking vs. those with faster web sites.
It has everything to do with Google leveraging a very substantial near total monopoly position to force the industry to bend to its will in a way that stands to directly enrich Google at the expense of everyone else.
Not worth supporting is more like it. It may sound like this is going to spell losses for Intel, and I'll grant that they've seen a momentary dip in stock prices, but you can bet good money that this will ultimately result in a rush on new Intel hardware to replace "bad" hardware. And people will just throw piles of cash at them, because reasons.
There is no new Intel hardware available for sale to replace "bad" hardware. There *IS* however new AMD hardware.
From my understanding, it's not even incompetence that brought this about in the first place. Lack of foresight more than anything else. No one imagined trying an exploit like these until recently. Unless they have, but have been keeping it quiet, much like the Allies kept the cracking of Enigma quiet...
People did more than imagine. They wrote research papers on this very topic over a decade ago about the very thing the spectre ghost is holding in its hand.
https://eprint.iacr.org/2006/2...
Amazing the company that does it right and is not vulnerable to "Meltdown" in the first place is being actively punished for that fact.
But if that was such a stupid bug, why did it go unnoticed for years ??? Kudos to the security researchers finding it.
1.) What is the relationship between time to detection and the level of stupidity necessary to create a bug in the first place?
2.) If a bug gets noticed immediately does that necessarily make it stupid?
3.) If a bug goes unnoticed for some period of time does that necessarily make it not stupid?
Answers:
1 = None
2 = No
3 = No
But people are people, programmers are programmers, and there are bell curves of skill, care and attention, schedule reasonableness under which programs are created.
So let's not assume every programmer writing a potentially security-relevant piece of code is a really good, well educated in best practices, really safe designer and coder with enough time for testing and iteration. Assuming that would be naive.
It would be naive to assume general purpose language selection makes a meaningful difference with regards to security outcomes.
It's up to the architect to manage risk by selecting appropriate tools and methodologies to best address specific problem domain. Placing programmers in an environment that ensures failure by giving them the wrong tool for the job before them or where they are required to always be extra careful in order to avert disaster is extremely counterproductive.
So why not protect against common errors using the programming language constraints and checks? Most of these protections can be done with very little cost, performance wise or in loss of program expressive power.
It is not clear to me specifically what you believe is not being done that can be.
Compile time checks, static analysis, profilers, fuzzers and runtime bounds check code inserted automatically by compilers by default are generally available to programmers at little to no cost. Quite a lot of the old standard C library has over the years been marked as hazardous to your health by modern compilers.
We can teach drivers not to start the car engine with the car in "drive" because they might run someone over, or we can just design the car not to start except in park.
Obvious solutions to obvious problems already exist. Yet it does not follow obvious problems necessarily have tractable solutions. For example designing a car incapable of ever running anyone over is reasonably beyond current technology even though instances of reasonable measures to mitigate the problem exist.
One thing that has always fascinated me over the years is the lack of sufficient advances in outcomes commensurate with development and selection of new languages. Most instances of productivity gains and capabilities can be traced back to hard won incremental development of complex domain specific systems and hardware improvements rather than advancement of underlying general purpose language.
The fact virtually all system programming is still some flavor of C in my view speaks for the difference between hype, wishful thinking and reality. We've had decades and so far very little of substance to show for it.
A decade ago, when processors that could execute Java bytecode natively were taped out, I actually believed this would change. I assumed we would all be running Java everything by now, and this is from someone who personally never cared for the language.
Dated how? What media streamer has better hardware? I sure haven't found any.
Shield is using the same processor from 2013. It has a fan and consumes at least twice the power, both at idle and while in use, compared to my sub-$50 SBC at 1/4th the price of Shield.
For all that you're treated to a mandatory Google account and associated Google/NVIDIA spyware. You have to try not to find a SoC that can't push 4k HEVC @ 60 fps these days.
That is a fucking awful option for anyone but techos and fails the wife acceptability test. This isn't just an anti-MS post either; Linux machines with Kodi, XBMC etc. all fit into this category as they just need too much knowledge to maintain.
Personally this is why I'm a fan of libreelec. A "Just Enough OS" to run Kodi front end. Trivial to install and manage yet you still have access/shell if you want one.
Buy a Roku, Apple TV, Fire TV or at worst a Chromecast (though that can be just as painful sometimes), whatever your preferred option is, and all the latest happily support 4k TV.
If you don't mind something that records every key stroke, every letter of every search, every pause, rewind, play, every thing you watch or say into the microphone and uploads it all to god knows who where it will be used for god knows what.