PCI is a contractual thing rather than a criminal law, and unless I'm unusually badly mistaken the criminal penalties of HIPAA only come up for deliberate breaches (e.g. selling Tiger Woods's STD report to the National Enquirer, as opposed to being careless with infosec).
You are mistaken: while the most serious category of criminal penalty under HIPAA (up to $250,000 fine and up to 10 years in prison) is reserved for offenses involving the intent to sell, transfer, or use individually identifiable health information for commercial advantage, gain or malicious harm, lesser offenses include violations committed under false pretenses (up to $100,000 fine and up to 5 years in prison) that don't meet the intent requirement for the most serious offense category, and even simple offenses (those that neither involve false pretenses nor the intent requirement for the most serious category), which are subject to a $50,000 fine and imprisonment for up to a year.
True, but isn't that goal defeated by the fact that these new formats are already incompatible with existing players?
No.
If you are going to have to buy new hardware anyway, what's the point?
Expense, for one thing.
A device that supports BD-XL/IH-BD with backwards compatibility for Blu-ray could also have been built to support a 1TB format with backwards compatibility for Blu-ray.
Maybe, maybe not. The proposed "different wavelength laser 1TB" format from GGP would involve less common hardware between the new format and existing BD, so that backward compatibility would be more expensive (it would probably also involve more development risk compared to an incremental update, ignoring backward compatibility issues.)
It's essentially like asking why people making high-density 3.5" floppies didn't instead make something that used a radically different technology from existing double-density floppies, but that was also backwards compatible, so that existing floppies could still be used.
Of which specific rules, and what is the basis for this belief?
and the requirements are full of loopholes, thus it gives a false sense of security to the public.
Actually, the fact that the part of the public that pays any attention at all hasn't felt secure even with the rules imposed under HIPAA is why those rules have been tightened substantially several times since they were initially imposed. The most recent major legislative tightening of the rules relating to security was in the 2009 HITECH Act (part of the larger "stimulus" act, the American Recovery and Reinvestment Act).
I would rather the public be made acutely aware of the risks and that instead of just trusting that the law will protect the public, that we start relying on other mechanisms, like minimizing the data we give to health care companies and allow them to keep.
Minimizing the information you provide to your health care provider can have fatal consequences, so that may not be the best choice.
Note that if the Feds required that all of your marketing department drive Rolls-Royces, then what you said would still be true.
It would even be true if the Feds required that any software guy had to wear a clown suit to work.
Neither of these things is at all relevant to your business, however.
If the consequence of violating the federal requirements is large fines, throwing your noncompliant employees in prison, and prohibiting you from operating in your current line of business, then they all would be directly relevant to your business.
If there aren't any consequences for violating the requirements, then, sure, they aren't relevant to your business. And, in that case, I bet you'd find not a lot of money would get spent on compliance, either.
It looks like this is not a new format for the most predominant usage of Blu-ray media, that is, video/videogames.
For BDXL, I agree.
For IHBD, if it's not for video (for storing playback preferences, later premium downloadable features, etc., with the original video) and videogames (for storing savegames, later premium DLC, etc.) back to the install media, so that those can be tied back to the original medium rather than a player device, I don't see the use case for it at all.
Because we all enjoyed the format war just that much and it didn't hamper adoption at all, they are now proposing a format civil war, where the two or more blu-ray factions fight to the death in a toxic stew of consumer confusion and apathy?
Seriously?
No, they are proposing two different BD variants intended for distinct use cases that don't really overlap (one is a pure "higher-capacity storage" version, the other is a "fixed content plus rewritable"), both of which would be used on devices that would also be able to use existing Blu-Ray disks. Since the variants aren't designed for the same use case, they don't compete with each other.
If you are just now going to start designing a new optical disc format, why only 100-128GB? Why not use ultraviolet lasers (or whatever else it takes) and aim at a 1TB optical disc?
Because neither is really intended as a completely new optical disk format, they are incremental updates of Blu-Ray for specialized needs, where it is assumed that continued use of existing blu-ray disks in the same devices is important. One is essentially "BD-ROM plus BD-RW", the other is "High capacity BD-ROM".
I have a feeling this is not about raking in more cash and creating conflicting standards, but about reducing Piracy.
I have a feeling that BD-XL is about exactly what they say -- supporting industries with needs for higher-capacity archival storage.
IHBD might be used a number of ways, most that involve incorporating user data that "goes with" published content on the same bit of media, so that the user content "follows" the published content. This could be used, e.g., to save user preferences or state back to a disc used for video (rather than storing these on the player), allowing, e.g., continuing from a stopping point even if you switch players. Or, similarly, to put save games back on the disc with the game,
How many Blu-ray players am I supposed to buy before they stop coming up with new formats?
The succession of newer, higher capacity formats stretches way back before blu-ray. Personally, I think that the fact that, since CD-ROM, there's been a focus on allowing older media to play in newer devices is a good thing.
Median IS an average, as is the mean, which is what you're probably thinking of.
All means are averages, including the arithmetic mean, which is probably what they are thinking of.
If they simply state "average" though, then it's possible that they went with the median over the mean (or not - it really doesn't indicate either way).
Usually, if they simply state "average", it means the arithmetic mean, though since average is ambiguous, it could be the median, mode, or any kind of mean (geometric mean, harmonic mean, or something else.) But really, the arithmetic mean is almost certainly what it means. But, in practice, virtually no one ever uses "average" to mean anything other than the arithmetic mean when presenting numbers.
I was under the impression that licensing couldn't be changed retroactively.
Licensing can't generally be changed "retroactively", but gratuitous licenses (that is, ones that aren't contracts supported by mutual consideration -- which includes most open source licenses in most circumstances) can be revoked at will by the party granting the license in the first place.
Under the doctrine of promissory estoppel, such a revoked license may nevertheless be granted a kind of residual effect by a court, to the extent necessary to avoid manifest injustice resulting from a licensee's reasonable reliance on the license where that reliance occurred before the revocation.
Of course this is precisely the reason for licenses like the GPL that explicitly prohibit this kind of bait and switch tactic for "open source" software development.
Had OpenSolaris been GPL rather than Sun's own open license (CDDL, I think, but that doesn't really matter), it would have had no effect on their ability to: (1) also sell a closed-licensed version, which also had free-as-in-beer licenses, (2) stop giving new free-as-in-beer licenses for the closed version, (3) stop including new features made for the closed version in the open version, (4) stop, ultimately, releasing new versions of the open version at all.
Hence my allusion to fobs late in the post, which of course many banks are adopting. But that still leaves no good alternative to SSL for ecommerce.
If there is a good alternative for banks, there is a good alternative for ecommerce -- essentially, clearing transactions through the bank through which payment (whether from a deposit account or credit line) is made, using the "good for banking" system.
1. Public relations need to be fixed somehow, so calling in NASA shows that the company is 'dead serious' about fixing this problem and they are going for the best people to do it, right?
2. A small token of appreciation to the government of USA by hiring NASA people, creating some employment, probably this is done with an involvement of a senator or two, some governor maybe, whatever, some politicians will get involved and this is probably important for Toyota now.
3. Something else, again not really related to the actual car problem, but trying to save the company's ass.
First, that's three, not two.
Second, with regard to #1, the company didn't call in NASA, the NHTSA did. So, it can't possibly be a PR stunt to show that the company is "dead serious", since the company didn't do it. (Unless it's a really subtle stunt that involves manipulating the NHTSA to call in NASA with the hope that people won't notice who called in NASA and will just assume that Toyota did. But, I mean, if Toyota wants people to think they called in NASA, it would be a lot simpler for them to overtly do so.)
Third, with regard to #2, again, Toyota isn't "hiring NASA people", and no one is "creating some employment". NHTSA is getting help from people employed by NASA that already have jobs.
Your #3 also doesn't make sense because, like #1 and #2, it seems to rest on the assumption that Toyota, not the NHTSA, is initiating this. Unless, again, you assume that the NHTSA is doing so because of some under-the-table manipulation by Toyota, for which no evidence is provided.
Nice theory, but Toyota's problems predate the Government acquisition of GM (by several years).
Nice theory, but the recent events which GP claims are a sign of the US government pursuing its interest in protecting its investment in US companies do not predate the Government's investment in US companies.
I'm sorry to say it, but if you want privacy, this is wrong. You can have authentication without encryption (digital signatures) but encryption without authentication = Man in the Middle. PGP and SSH don't get around this in any way, shape, or form--they just seed trust differently, with PGP using the web-of-trust model and SSH a repeatability model. Neither of those work very well for the classic "online banking" use case, however--average users are not going to seed their trust webs, and expect to be able to bank from computers at cafes, work, and friends' houses--none of which would have connected previously, making the SSH model unworkable.
Yeah, but they will have likely dealt with the bank in person first, which makes the "out-of-band exchange" mechanism work, which is much better than using any delegated authentication model (web-of-trust or CA-based).
A mixed economy that recognizes that markets work well when both the benefits and the costs of an exchange are realized by the people deciding to make the exchange, but that decisions that involve large externalities require collective social action, usually through government, to internalize the externalities.
There's a reason that systems that even approximate pure capitalism are pretty hard to find, and every developed modern economy is a mixed economy with considerable areas of government involvement in the economy, and that among those developed economies, those that have the highest level of apparent realized utility (=popular satisfaction) tend to be on the higher end of the government involvement spectrum, even if they don't perform as well in the aggregate performance measures that would seem most relevant from a capitalist perspective. (GDP/capita, etc.)
I guess I'm not seeing the difference between Java-the-platform (JVM + Java-the-language + buttload of libraries) and Python-the-platform (PythonVM + Python-the-language + buttload of libraries).
The difference is that the Java platform is a platform targeted by many languages. There's no reason Python's VM couldn't grow into such a thing if effort was put into that direction, but that's not really what the (core, CPython) VM is today (there are Python implementations for Java, .NET, Parrot, etc., but you don't see the reverse -- Java language or C# implementations that target the Python VM.) Right now, CPython's VM is just an implementation detail of a particular Python language runtime, not a separate "platform" in the sense of the Java platform.
Please explain. Python is compiled into bytecode, then executed on a VM. Java is compiled into bytecode, then executed on a VM. What substantial distinction would you draw between the two?
I think GGP, when saying .NET was more comparable to Java than Python was saying that .NET is more comparable to the Java platform than to the Python language. You seem to have taken it to mean .NET is more like the Java language than the Python language.
"Java" is used to refer both to a language and a platform, which is sometimes confusing.
It's worth pointing out that the technique described here isn't a "hack" that can be patched, it's an intrinsic feature of public-key crypto, and specifically a direct consequence of unreservedly trusting the CAs.
Unreserved trust for CAs isn't an intrinsic feature of "public key crypto", or even of SSL more specifically. It's quite possible to use SSL without trusting any third party CA (though that means you can only deal with people using SSL that you have a preexisting relationship with to exchange certs), or less intrusively, one could design user agents to provide an option of whether to trust a certificate (including providing the CA information) the first time it was presented, rather than treating trust of a CA as absolute.
And within the broader realm of public key crypto, it's possible to do "web of trust" systems which amount to requiring validation of the identity of an entity from multiple CAs, none of which is extended more than minimal trust individually.
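As an added example (not code from the original thread), here is a small trust-on-first-use certificate store in Python along the lines of the user-agent design described above: the agent records the fingerprint of the certificate a host presents the first time (after asking the user) and flags any later change, so a CA-signed certificate is not silently trusted just because a CA signed it. The host names, certificate bytes, `TofuStore` API and `peer_cert_der` helper are all assumptions for illustration.

```python
"""Trust-on-first-use (TOFU) certificate pinning, in the style of SSH known_hosts.

Added example, not code from the discussion above. The certificate bytes used in
demo() are constructed stand-ins, not real DER certificates; fingerprint() works
the same way on real DER bytes obtained from a live connection (see peer_cert_der).
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Callable, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the raw certificate bytes, hex encoded (the usual 'cert fingerprint')."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Maps a host ('name:port') to the fingerprint of the first certificate accepted for it."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins: dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, cert_der: bytes, ask_user: Callable[[str, str], bool]) -> str:
        """Return 'pinned' (first use, user accepted), 'rejected' (first use, user declined),
        'match' (same certificate as before) or 'mismatch' (certificate changed)."""
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            # First contact: the user agent asks instead of deciding on the CA's say-so alone.
            if ask_user(host, fp):
                self.pins[host] = fp
                self._save()
                return "pinned"
            return "rejected"
        if known == fp:
            return "match"
        # A different certificate, even a validly CA-signed one, never replaces the pin silently.
        return "mismatch"

    def rotate(self, host: str, cert_der: bytes) -> None:
        """Explicit, user-initiated replacement of a pin, e.g. after out-of-band confirmation."""
        self.pins[host] = fingerprint(cert_der)
        self._save()


def peer_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a live server presents (assumed helper; needs network).

    The default context keeps normal CA verification on, so the pin is an extra layer
    on top of the CA check rather than a replacement for it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            return ssock.getpeercert(binary_form=True)


# Constructed stand-in certificates (not real DER).
BANK_CERT_V1 = b"constructed-cert:bank.example:key-1"
BANK_CERT_V2 = b"constructed-cert:bank.example:key-2"


def demo() -> list[str]:
    """Walk through first use, a repeat visit, and a changed certificate."""
    store = TofuStore()  # in-memory only; pass a Path to persist pins
    accept_all = lambda host, fp: True  # stands in for the user clicking 'trust'
    return [
        store.check("bank.example:443", BANK_CERT_V1, accept_all),  # first use -> 'pinned'
        store.check("bank.example:443", BANK_CERT_V1, accept_all),  # same cert -> 'match'
        store.check("bank.example:443", BANK_CERT_V2, accept_all),  # changed cert -> 'mismatch'
    ]


if __name__ == "__main__":
    print(demo())
```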
If we only saw 10% of them before, how do we know we're seeing all of them this time?
The same way we knew how many of them we expected to find before we figured out how to see them: we have a model of the universe that predicts how many there are, and which also successfully predicted other observations made previously.
Other universes, if they exist, cannot interact with ours.
That's an assertion, but we don't know this for a fact.
No, it's neither an assertion, nor a fact in the observational sense, it is a statement that is true by definition. If something can interact with things in our universe then it is in our universe, in the same sense that if you can add 1 to a number and get an integer, that number is also an integer.
When you break into a home or car, the hard part is to get through the front door made of solid wood, which is as designed.
Only if you are trying to break into the rare home or car that lacks windows. (Not to mention that most cars don't have doors made of "Solid wood" in the first place.)
The system is broken because it causes people to be less secure, when the ostensible goal is to make them more secure.
A security question does not have even the ostensible goal of providing additional security; its purpose is to add convenience in the event of a lost password, at the expense of security. The "security" in "security question" refers to it being (though only slightly) more secure than just giving your password to anyone who claims to be you who asks for it.
If that's all it takes then the system is broken, not the people abusing it.
It's pretty trivial to break into most homes, cars, etc., but when people actually do it, we consider their actions to be the problem.
I don't see why the fact that it is a computer system means that there is suddenly nothing wrong with the actions of the person deliberately breaking in.
Sure, it's fairly trivial for an online service to institute better security than "guess a fairly easy question and get access", so there are grounds for saying that the system has a problem. It's another thing, though, to go further and say that it is the system and not the intruder that is the problem.
Maybe HIPPA is, but what about HIPAA?
Can I have my +5 now?
It references saving ink and the cost of ink.
That means that they are using printers that use ink rather than toner.