"Open apps" != "Execute arbitrary files off the Internet". If you gave Cortana that command (and it was parsed correctly, which it might not be, because unlike an installed app there's no list of installed names to check against), it would just open the default browser to that page, which would then ask you to open or save the file. If you clicked Open, Windows would pop up a warning that the program might be dangerous. If you clicked though that too, then you would probably get a UAC prompt. If you clicked through that too, you are too fucking stupid to use a computer.
The problem there is not with the shell programs (cmd.exe, powershell.exe, etc.) at all, actually. Powershell has some excellent features as a shell, but you can also run things like Bash on Windows just fine if you install it. Still not resizable horizontally, though. Those are text-oriented programs and don't know a thing about windows and window management features like resizing.
The problem is with the Windows (graphical) program that hosts them, what in UNIX-land would be called a virtual terminal program (think xterm, Konsole, etc.). On Windows, it's this antique POS called conhost.exe (Console Window Host). I don't know when conhost was last updated, aside from being ported to 64-bit, but it's sucked for a long time now. Win10 is (finally!) fixing some of that suck.
Even a really low-power fission reactor puts out a few megawatts. A few MW of photovoltaics, even in Earth's orbit (and it only gets worse as you head out to Mars) is huge and fragile. Ion engines (or any other form of electric drive) are extremely energy-hungry; the energy demand goes up as the square of the exhaust velocity (E = 1/2 m v^2) and the whole point of electric drives is that they derive their extreme efficiency in terms of reaction mass by using absurdly high exhaust velocity.
There may be a point where it's practical to run a spacecraft propulsion drive (rather than a satellite's station-keeping thrusters) using electric thrust, and yet the energy demand is low enough that it makes sense to use photovoltaic, but I'm not holding my breath. Developing a drive practical for interplanetary flight would probably require literally orders of magnitude more thrust than currently-flying ion drives produce, so the fact that those can get by on photovoltaics really shouldn't be taken to mean anything useful.
Many types of sex work, even including outright prostitution, at legal in some if not all of the US. Amazon probably sells pr0n (never checked; who buys that stuff?) but they probably do not sell the services of cam girls. It wouldn't surprise me if they sell stripper poles, but I'm pretty sure you can't order a lapdance from them anywhere.
The (idiotic) way you're attempting to use that phrase demonstrates that you don't have a clue what it actually means. Here's an actual example: a sign saying "service animals allowed". There is no accompanying sign saying that non-service animals are disallowed; it is implied by the fact that you mentioned an exception. The exception (allowing service animals) proves that the rule (animals disallowed) exists otherwise.
What rule is implied by the fact that the ACLU defends freedom of all non-harmful expression?
You don't get to use the magical phrase "exception that proves the rule" as a fully general argument for why counterexamples to your bullshit are actually supporting it. That makes no logical sense and isn't what the phrase means. Go put on the dunce cap and sit in a corner.
Hey, at least your cops actually go on trial for shooting people. Around these parts, it usually doesn't even make it *to* the prosecutor's office, much lest through it.
That said, while Canada is lovely in many ways and would be a relatively small cultural shift for me, it's several places down on my "where I'd emigrate to" list. The Nordic countries are nearly all more appealing, for example.
Would you mind pointing me to the place that gstoddart implied that anybody thought that?
Nice attempt to derail the comment. Some idiot even modded you up for it. Your post is a blatant attempt to shift the discussion into some red herring topic that, as you yourself point out, nobody is actually advocating for. Piss off.
Securing airplane cabin doors is the only rational lesson we (the US, collectively) learned after Sep 11, and it doesn't require anything even vaguely like the "security" apparatus that is the TSA.
It's been a while, but I definitely remember what it was like pre-TSA. The security checkpoints were pretty much as they are now, except the lines were shorter and you went through a metal detector instead of a scanner that third parties aren't allowed to examine. You didn't need a boarding pass until you got to the terminal itself, but you definitely did there; you could not, in theory, just wander out onto the tarmac or down the jetway (the airports I've flown through mostly use jetways, so you can't get into the passenger cabin from the ground anyhow) and onto the plane.
On the other hand, it's hardly as if "some asshole can't walk in straight off of the street and get on the plane without some form of identification and property checks" today, either. Even if he's drunk. http://www.dailymail.co.uk/new... OK, he banged on the engine instead of getting on the plane, but he could have done whatever he felt like. The TSA is bloody incompetent. In addition to that news article (which mentions two incidents on the SAME DAY) from just over a year ago, there are plenty of other examples (the first page of search results, alone, also mentions incidents in San Jose, Tampa, Dallas, and New York).
OK, I'll buy that... but then why do they miss bottles in my bags if I position them such that my tablet blocks the X-ray emitter (which is easy to figure out, if you ever glanced at the screens after going through the area)? Are you saying the machine can scan through the (thin) metal chassis of the tablet but then is blocked by the battery, and they're OK with that?
Actually, this is not terribly shocking, I guess. In Europe, for example, you have to take *all* electronics - not just the devices themselves, but also their chargers, external HDDs, etc.) out of your bag. Maybe some of that is wasted time and the X-ray could see through the outside and determine that yep, that's a power brick, but it probably couldn't see anything on the other side and some of those bricks are really big.
"Very few incidents"... I'm not actually aware of *any* scenarios where they stopped something terrorist-related. It feels like there probably ought to be at least one by now - surely some wannabe terrorist somewhere was too stupid to not get caught - but you'd think they would have made a big deal out of it and I don't remember any such thing. The only terror attempts on American flights that I can remember since Sep 11 made it past the TSA and then were stopped by the passengers.
Meanwhile, the TSA generates headlines such as "TSA seizes record number of firearms" but you have to scroll down to find even an implication (never outright stated) that any of those weapons were intended for malicious, much less terrorist, use. "The vast majority of passengers have no nefarious intent but forgot their firearm in their carry-on bag,"
but it does feel a bit nicer when you're in a tin can miles above the earth
Only if you're utterly ignorant or a complete coward. The TSA hasn't actually stopped any terrorist attempts. They haven't even stopped people from making terrorist attempts - there have been a few (leading to the reasons we now have to take off our shoes, for example) - but the TSA missed those.
If you know how, it's utterly trivial to get shit past the TSA. I routinely opt out and go with the pat-down (which is significantly better security than the scanners, though only about half the time does the agent do a decent job of it) and still get prohibited items through the X-ray in my carry-on bags all the time. It's easy. For example, you're allowed to leave tablets in your bag (apparently, the dangerous part of a laptop is its keyboard? That's all that distinguishes it from a tablet these days) and the ones with metal cases do a pretty great job of blocking X-ray. You can get bottles full of liquids and gels through that way, no problem. I haven't actually tried it with anything that could plausibly be considered a weapon, but that's only subset of prohibited stuff anyhow...
If security theater makes you "feel nicer", you're a weak-minded idiot and part of the problem.
Note that I have no problem with the security practices of a lot of the rest of the world. Unlike the USA, India actually has a terrorist problem, and they are way, *way* better about screening people... but it still takes less time than the USA's checkpoints! (At least, that was my experience the two times I've flown through Delhi.)
The driving one is actually a really important point that deserves its own mention. Driving is a *lot* more dangerous than flying, even including Sep 11 and everything since. It not only wastes more of your life (takes longer), it (on average) shortens it. Keep people pissed off about TSA bullshit enough to drive instead of fly for long enough, and the TSA will (actually, quite possibly already has) be responsible for more American deaths than the Sep 11 terrorists.
Taking Sense Away is/was a great blog. I hope we get more from it soon. Since discovering it, I've found a few other TSA-focused blogs, but none that amused and informed me as much.
It's an audit, not a re-write. The results of the audit may drive re-writes, and the re-writes may lead to code breakage or at least loss of compatibility, but that's irrelevant to the audit itself. This is essentially a read-only review. It's definitely not a fork, a la LibreSSL.
Past a certain level, certs are a pure waste of time. Relatively few people at my current employer (a large multinational InfoSec consulting firm; most of my work is pentesting) have any security-type certification except for the compliance blokes, and nobody could have gotten the job on the basis of certifications alone. They're probably worth it if you're coming from *no* security background, and they aren't worthless (though they may well be a relative waste of time) at the higher levels of the field, but the idea of some ultra-elite cert that will open every door and command respect from all you meet is a joke.
Pedantic, but... Writing a vuln is dead easy. Here's one (compile this into a world-executable program with setuid:root): #include <stdio> void vulnerable () {
char buf[8];
gets(buf); } int main () {
vulnerable(); }
Writing a functional exploit, on the other hand, is a lot trickier, especially with all the exploit mitigation stuff found in modern operating systems (and libraries; some of them won't let you call gets() anymore by default). Fortunately, in my professional experience (4+ years of pentesting, both as part of a company's internal security team and as a security consultant), this is rarely requested. The client may want a PoC on occasion, if they think their stuff can't possibly be vulnerable, but even then it needn't do anything special or be robust across system configurations or anything.
Getting back to the core question: if you're going to be pentesting native code, especially whitebox testing where you are expected to review source code as well, you need to know C/C++, maybe Objective-C, maybe pre-.NET Visual Basic or even things like FORTRAN or COBOL if your client's codebase is old enough. For web apps, you need to know your HTML and JS, but it's also important to know HTTP - yes, the protocol - and browser security features like same-origin policy. For the server side of web stuff, there's a hundred different languages and probably ten times as many frameworks that you might need to know, but for the most part knowing PHP, Java, Ruby, at least one.NET language, and maybe Python is good enough for the vast majority of sites (add perl if you want to go old-school).
Scripting languages like Powershell and Python are actually really useful to a pentester, because you can knock together little utilities to try things out that way. Want to send a carefully crafted sequence of UDP packets, or decrypt all that stuff the client has "protected" with a hardcoded AES key and find their secrets? A few minutes of work will get you a tool that will save you lots of time in the future.
Running metasploit is "pentesting" only in the sense that microwaving a TV dinner is "cooking". If that's all you can do, you don't know jack.
Now, metasploit is a useful tool, in the same way that a microwave can be a useful tool even in a professional kitchen, but knowing when and how to use it to good effect is very different from just relying on it because you don't know how to do anything else. Finding the right target is a pretty important skill, for one thing. For another, there's a ton of stuff that isn't in metasploit (or similar tools), so a real pentester needs to be sufficiently familiar with attack techniques to find stuff the tools don't know about. Similarly, often the exact attack in the tool is blocked even though the target remains vulnerable to the vulnerability, because somebody who doesn't know any better than "running metasploit == penetration testing" saw that they could make their system pass the scan by blacklisting a particular input or operation without understanding the underlying vulnerability at all.
Well, speaking as a professional "information security consultant" (who, on occasion, uses nmap and even more-destructive tools against clients), I guarantee you that mutually acceptable employment terms which permit and even expect the use of such tools is what has been paying my very comfortable standard of living for the past few years. From tiny companies that have a mobile app to supplement their primary business, to "stealth mode" silicon valley startups, to healthcare-related companies that are paranoid about leaking info, to huge financial firms (ugh, avoid those), to colossi of the computer/software/cloud industry, I've worked all kinds of places.
Of course, it helps that I'm employed by a company with an excellent reputation. Very little of my work actually involves automated tools; I will run them (unless the client asks not to, which is uncommon) because there's no reason not to, but that's not what they pay me for. My job is to find the stuff that the tools won't, like XSS in an optional parameter that you'll never see used while spidering a site, or exploitable race conditions in a driver when you send the right pair of IOCTLs in close succession, or... you get the idea. Yes, it takes longer, and yes, it costs more that hiring some script kiddie (or telling your sysadmin to turn into one), but it's worth it in the end.
I agree. "I, Robot" wasn't a movie of a book, it was a movie of a *concept* (that had also been explored in a book). The movie, judged either on its own merits or merely as an exploration of Asimov's three laws, is good. It doesn't cover as many scenarios of human-robot interaction as the book does, but the part that it does cover goes pretty well.
Treason has an extremely specific definition in the USA. It what way does what he did qualify as such? Cite specific a specific example if you don't want to be dismissed as a brainless idiot proudly parroting your tribal allegiance.
Out of curiosity, how much less do you think he should have done? What secrets should he have kept from the citizens of the US and its (nominal) allies?
Sigh. You really don't get economics at *all*, do you? (Dragonslicer, talking to you too.)
The very concept of "get away with raising the price" shows an incredible lack of understanding. The optimal price is a function of supply and demand. If a company charges less than the optimal price, they will make less money off their available supply than would otherwise be the case. If the company charges more than the optimal price ("oh my $DEITY they are getting away with it!") they will price themselves out of the range of some of their potential demand, and wind up with unsold supply. Both of these options reduce revenue, but there's nothing impossible about them; they're just bad for business.
Hopefully this is reasonably understandable. Of course, things get a bit more complicated when you consider the ways in which supply and demand can be manipulated. For example, setting a high price on a luxury can actually increase demand, up to a point, and if you have a monopoly you can restrict supply to keep prices (and profits) high as well. There's also funny, semi-irrational effects like customer/brand loyalty, where some people will voluntarily give one company a monopoly on their business.
What regulation does (at the first order) is add a new cost of doing business. This cost reduces the money a company has available to obtain supply. Thus, the balance of supply and demand shifts; when supply goes does, unless demand goes down commensurately, the optimal price goes up. The company does take less profit, yes, but (assuming demand stays constant), not by the full amount that the regulation costs them; their customers also pay more.
The catch is that demand for that company's product only remains constant when the price goes up if all of their competitors are subjected to the same regulatory cost and commensurately raise their prices as well. If not - for example, if one company is subjected to a charge that all the others are not, and they compete for the same customers - then the company being regulated will lose about that much in profit. They will probably be able to recoup some of that by accepting lower supply but raising prices a little and relying on their loyal customers to keep buying that supply, but they will end up with less money.
Mind you, it should come as no surprise that regulation, when viewed from the perspective of a single established company, is pretty much always bad. View it from other perspectives, though, and it can be quite good. A company that wants to break into a monopolized market may be able to undercut the regulated competition. A potential customer who was previously not served due to being insufficiently profitable (not unprofitable, just not maximally profitable for the company) may now be able to purchase goods or services. Somebody who was completely unrelated to the company but was being harmed by an externality of its business (for example, environmental pollutants) will have their life improved.
Bandwidth is absolutely a physical thing. There is a physical hard limit on bits per second of information transmitted through any medium. There is also a significantly tighter (though growing) technological limit on our ability to transmit, route, and receive those bits in the physical transmission media we currently employ.
Saying "transmitting a lot... data uses nothing" is ridiculous. It uses part of the limited supply of bandwidth. This bandwidth can be expanded by installing more transmission media (cable, fiber, microwave antennas, network switches, etc.) wherever the bottleneck happens to be, but that costs money too, and companies won't do it unless they expect to be able to capitalize on the increased capacity.
He never actually really says, at least in the interview transcript. He claims a technological solution exists that doesn't weaken the security otherwise, but - speaking as a information security engineer - I'm not buying it. He says what he actually *wants* is a "legal framework" to compel decryption of data. This implies that the decryption keys would have to be kept around (goodbye forward secrecy), though it doesn't actually say so. It also implies that he wants something that a subpoena can't already get, which is more than a little concerning.
Slashdot Mirror
"Open apps" != "Execute arbitrary files off the Internet". If you gave Cortana that command (and it was parsed correctly, which it might not be, because unlike an installed app there's no list of installed names to check against), it would just open the default browser to that page, which would then ask you to open or save the file. If you clicked Open, Windows would pop up a warning that the program might be dangerous. If you clicked though that too, then you would probably get a UAC prompt. If you clicked through that too, you are too fucking stupid to use a computer.
The problem there is not with the shell programs (cmd.exe, powershell.exe, etc.) at all, actually. Powershell has some excellent features as a shell, but you can also run things like Bash on Windows just fine if you install it. Still not resizable horizontally, though. Those are text-oriented programs and don't know a thing about windows and window management features like resizing.
The problem is with the Windows (graphical) program that hosts them, what in UNIX-land would be called a virtual terminal program (think xterm, Konsole, etc.). On Windows, it's this antique POS called conhost.exe (Console Window Host). I don't know when conhost was last updated, aside from being ported to 64-bit, but it's sucked for a long time now. Win10 is (finally!) fixing some of that suck.
Even a really low-power fission reactor puts out a few megawatts. A few MW of photovoltaics, even in Earth's orbit (and it only gets worse as you head out to Mars) is huge and fragile. Ion engines (or any other form of electric drive) are extremely energy-hungry; the energy demand goes up as the square of the exhaust velocity (E = 1/2 m v^2) and the whole point of electric drives is that they derive their extreme efficiency in terms of reaction mass by using absurdly high exhaust velocity.
There may be a point where it's practical to run a spacecraft propulsion drive (rather than a satellite's station-keeping thrusters) using electric thrust, and yet the energy demand is low enough that it makes sense to use photovoltaic, but I'm not holding my breath. Developing a drive practical for interplanetary flight would probably require literally orders of magnitude more thrust than currently-flying ion drives produce, so the fact that those can get by on photovoltaics really shouldn't be taken to mean anything useful.
Many types of sex work, even including outright prostitution, at legal in some if not all of the US. Amazon probably sells pr0n (never checked; who buys that stuff?) but they probably do not sell the services of cam girls. It wouldn't surprise me if they sell stripper poles, but I'm pretty sure you can't order a lapdance from them anywhere.
The (idiotic) way you're attempting to use that phrase demonstrates that you don't have a clue what it actually means. Here's an actual example: a sign saying "service animals allowed". There is no accompanying sign saying that non-service animals are disallowed; it is implied by the fact that you mentioned an exception. The exception (allowing service animals) proves that the rule (animals disallowed) exists otherwise.
What rule is implied by the fact that the ACLU defends freedom of all non-harmful expression?
You don't get to use the magical phrase "exception that proves the rule" as a fully general argument for why counterexamples to your bullshit are actually supporting it. That makes no logical sense and isn't what the phrase means. Go put on the dunce cap and sit in a corner.
Hey, at least your cops actually go on trial for shooting people. Around these parts, it usually doesn't even make it *to* the prosecutor's office, much lest through it.
That said, while Canada is lovely in many ways and would be a relatively small cultural shift for me, it's several places down on my "where I'd emigrate to" list. The Nordic countries are nearly all more appealing, for example.
Would you mind pointing me to the place that gstoddart implied that anybody thought that?
Nice attempt to derail the comment. Some idiot even modded you up for it. Your post is a blatant attempt to shift the discussion into some red herring topic that, as you yourself point out, nobody is actually advocating for. Piss off.
Securing airplane cabin doors is the only rational lesson we (the US, collectively) learned after Sep 11, and it doesn't require anything even vaguely like the "security" apparatus that is the TSA.
It's been a while, but I definitely remember what it was like pre-TSA. The security checkpoints were pretty much as they are now, except the lines were shorter and you went through a metal detector instead of a scanner that third parties aren't allowed to examine. You didn't need a boarding pass until you got to the terminal itself, but you definitely did there; you could not, in theory, just wander out onto the tarmac or down the jetway (the airports I've flown through mostly use jetways, so you can't get into the passenger cabin from the ground anyhow) and onto the plane.
On the other hand, it's hardly as if "some asshole can't walk in straight off of the street and get on the plane without some form of identification and property checks" today, either. Even if he's drunk. http://www.dailymail.co.uk/new...
OK, he banged on the engine instead of getting on the plane, but he could have done whatever he felt like. The TSA is bloody incompetent. In addition to that news article (which mentions two incidents on the SAME DAY) from just over a year ago, there are plenty of other examples (the first page of search results, alone, also mentions incidents in San Jose, Tampa, Dallas, and New York).
OK, I'll buy that... but then why do they miss bottles in my bags if I position them such that my tablet blocks the X-ray emitter (which is easy to figure out, if you ever glanced at the screens after going through the area)? Are you saying the machine can scan through the (thin) metal chassis of the tablet but then is blocked by the battery, and they're OK with that?
Actually, this is not terribly shocking, I guess. In Europe, for example, you have to take *all* electronics - not just the devices themselves, but also their chargers, external HDDs, etc.) out of your bag. Maybe some of that is wasted time and the X-ray could see through the outside and determine that yep, that's a power brick, but it probably couldn't see anything on the other side and some of those bricks are really big.
"Very few incidents"... I'm not actually aware of *any* scenarios where they stopped something terrorist-related. It feels like there probably ought to be at least one by now - surely some wannabe terrorist somewhere was too stupid to not get caught - but you'd think they would have made a big deal out of it and I don't remember any such thing. The only terror attempts on American flights that I can remember since Sep 11 made it past the TSA and then were stopped by the passengers.
Meanwhile, the TSA generates headlines such as "TSA seizes record number of firearms" but you have to scroll down to find even an implication (never outright stated) that any of those weapons were intended for malicious, much less terrorist, use. "The vast majority of passengers have no nefarious intent but forgot their firearm in their carry-on bag,"
Oh come on, how has this not been modded Funny yet? My points have expired. :-(
Only if you're utterly ignorant or a complete coward. The TSA hasn't actually stopped any terrorist attempts. They haven't even stopped people from making terrorist attempts - there have been a few (leading to the reasons we now have to take off our shoes, for example) - but the TSA missed those.
If you know how, it's utterly trivial to get shit past the TSA. I routinely opt out and go with the pat-down (which is significantly better security than the scanners, though only about half the time does the agent do a decent job of it) and still get prohibited items through the X-ray in my carry-on bags all the time. It's easy. For example, you're allowed to leave tablets in your bag (apparently, the dangerous part of a laptop is its keyboard? That's all that distinguishes it from a tablet these days) and the ones with metal cases do a pretty great job of blocking X-ray. You can get bottles full of liquids and gels through that way, no problem. I haven't actually tried it with anything that could plausibly be considered a weapon, but that's only subset of prohibited stuff anyhow...
If security theater makes you "feel nicer", you're a weak-minded idiot and part of the problem.
Note that I have no problem with the security practices of a lot of the rest of the world. Unlike the USA, India actually has a terrorist problem, and they are way, *way* better about screening people... but it still takes less time than the USA's checkpoints! (At least, that was my experience the two times I've flown through Delhi.)
The driving one is actually a really important point that deserves its own mention. Driving is a *lot* more dangerous than flying, even including Sep 11 and everything since. It not only wastes more of your life (takes longer), it (on average) shortens it. Keep people pissed off about TSA bullshit enough to drive instead of fly for long enough, and the TSA will (actually, quite possibly already has) be responsible for more American deaths than the Sep 11 terrorists.
One site reporting the story (though not the primary source): http://thehill.com/blogs/blog-...
Taking Sense Away is/was a great blog. I hope we get more from it soon. Since discovering it, I've found a few other TSA-focused blogs, but none that amused and informed me as much.
It's an audit, not a re-write. The results of the audit may drive re-writes, and the re-writes may lead to code breakage or at least loss of compatibility, but that's irrelevant to the audit itself. This is essentially a read-only review. It's definitely not a fork, a la LibreSSL.
Past a certain level, certs are a pure waste of time. Relatively few people at my current employer (a large multinational InfoSec consulting firm; most of my work is pentesting) have any security-type certification except for the compliance blokes, and nobody could have gotten the job on the basis of certifications alone. They're probably worth it if you're coming from *no* security background, and they aren't worthless (though they may well be a relative waste of time) at the higher levels of the field, but the idea of some ultra-elite cert that will open every door and command respect from all you meet is a joke.
Pedantic, but... Writing a vuln is dead easy. Here's one (compile this into a world-executable program with setuid:root):
#include <stdio>
void vulnerable () {
char buf[8];
gets(buf);
}
int main () {
vulnerable();
}
Writing a functional exploit, on the other hand, is a lot trickier, especially with all the exploit mitigation stuff found in modern operating systems (and libraries; some of them won't let you call gets() anymore by default). Fortunately, in my professional experience (4+ years of pentesting, both as part of a company's internal security team and as a security consultant), this is rarely requested. The client may want a PoC on occasion, if they think their stuff can't possibly be vulnerable, but even then it needn't do anything special or be robust across system configurations or anything.
Getting back to the core question: if you're going to be pentesting native code, especially whitebox testing where you are expected to review source code as well, you need to know C/C++, maybe Objective-C, maybe pre-.NET Visual Basic or even things like FORTRAN or COBOL if your client's codebase is old enough. For web apps, you need to know your HTML and JS, but it's also important to know HTTP - yes, the protocol - and browser security features like same-origin policy. For the server side of web stuff, there's a hundred different languages and probably ten times as many frameworks that you might need to know, but for the most part knowing PHP, Java, Ruby, at least one .NET language, and maybe Python is good enough for the vast majority of sites (add perl if you want to go old-school).
Scripting languages like Powershell and Python are actually really useful to a pentester, because you can knock together little utilities to try things out that way. Want to send a carefully crafted sequence of UDP packets, or decrypt all that stuff the client has "protected" with a hardcoded AES key and find their secrets? A few minutes of work will get you a tool that will save you lots of time in the future.
Running metasploit is "pentesting" only in the sense that microwaving a TV dinner is "cooking". If that's all you can do, you don't know jack.
Now, metasploit is a useful tool, in the same way that a microwave can be a useful tool even in a professional kitchen, but knowing when and how to use it to good effect is very different from just relying on it because you don't know how to do anything else. Finding the right target is a pretty important skill, for one thing. For another, there's a ton of stuff that isn't in metasploit (or similar tools), so a real pentester needs to be sufficiently familiar with attack techniques to find stuff the tools don't know about. Similarly, often the exact attack in the tool is blocked even though the target remains vulnerable to the vulnerability, because somebody who doesn't know any better than "running metasploit == penetration testing" saw that they could make their system pass the scan by blacklisting a particular input or operation without understanding the underlying vulnerability at all.
Well, speaking as a professional "information security consultant" (who, on occasion, uses nmap and even more-destructive tools against clients), I guarantee you that mutually acceptable employment terms which permit and even expect the use of such tools is what has been paying my very comfortable standard of living for the past few years. From tiny companies that have a mobile app to supplement their primary business, to "stealth mode" silicon valley startups, to healthcare-related companies that are paranoid about leaking info, to huge financial firms (ugh, avoid those), to colossi of the computer/software/cloud industry, I've worked all kinds of places.
Of course, it helps that I'm employed by a company with an excellent reputation. Very little of my work actually involves automated tools; I will run them (unless the client asks not to, which is uncommon) because there's no reason not to, but that's not what they pay me for. My job is to find the stuff that the tools won't, like XSS in an optional parameter that you'll never see used while spidering a site, or exploitable race conditions in a driver when you send the right pair of IOCTLs in close succession, or... you get the idea. Yes, it takes longer, and yes, it costs more that hiring some script kiddie (or telling your sysadmin to turn into one), but it's worth it in the end.
I agree. "I, Robot" wasn't a movie of a book, it was a movie of a *concept* (that had also been explored in a book). The movie, judged either on its own merits or merely as an exploration of Asimov's three laws, is good. It doesn't cover as many scenarios of human-robot interaction as the book does, but the part that it does cover goes pretty well.
Treason has an extremely specific definition in the USA. It what way does what he did qualify as such? Cite specific a specific example if you don't want to be dismissed as a brainless idiot proudly parroting your tribal allegiance.
Out of curiosity, how much less do you think he should have done? What secrets should he have kept from the citizens of the US and its (nominal) allies?
Sigh. You really don't get economics at *all*, do you? (Dragonslicer, talking to you too.)
The very concept of "get away with raising the price" shows an incredible lack of understanding. The optimal price is a function of supply and demand. If a company charges less than the optimal price, they will make less money off their available supply than would otherwise be the case. If the company charges more than the optimal price ("oh my $DEITY they are getting away with it!") they will price themselves out of the range of some of their potential demand, and wind up with unsold supply. Both of these options reduce revenue, but there's nothing impossible about them; they're just bad for business.
Hopefully this is reasonably understandable. Of course, things get a bit more complicated when you consider the ways in which supply and demand can be manipulated. For example, setting a high price on a luxury can actually increase demand, up to a point, and if you have a monopoly you can restrict supply to keep prices (and profits) high as well. There's also funny, semi-irrational effects like customer/brand loyalty, where some people will voluntarily give one company a monopoly on their business.
What regulation does (at the first order) is add a new cost of doing business. This cost reduces the money a company has available to obtain supply. Thus, the balance of supply and demand shifts; when supply goes does, unless demand goes down commensurately, the optimal price goes up. The company does take less profit, yes, but (assuming demand stays constant), not by the full amount that the regulation costs them; their customers also pay more.
The catch is that demand for that company's product only remains constant when the price goes up if all of their competitors are subjected to the same regulatory cost and commensurately raise their prices as well. If not - for example, if one company is subjected to a charge that all the others are not, and they compete for the same customers - then the company being regulated will lose about that much in profit. They will probably be able to recoup some of that by accepting lower supply but raising prices a little and relying on their loyal customers to keep buying that supply, but they will end up with less money.
Mind you, it should come as no surprise that regulation, when viewed from the perspective of a single established company, is pretty much always bad. View it from other perspectives, though, and it can be quite good. A company that wants to break into a monopolized market may be able to undercut the regulated competition. A potential customer who was previously not served due to being insufficiently profitable (not unprofitable, just not maximally profitable for the company) may now be able to purchase goods or services. Somebody who was completely unrelated to the company but was being harmed by an externality of its business (for example, environmental pollutants) will have their life improved.
Bandwidth is absolutely a physical thing. There is a physical hard limit on bits per second of information transmitted through any medium. There is also a significantly tighter (though growing) technological limit on our ability to transmit, route, and receive those bits in the physical transmission media we currently employ.
Saying "transmitting a lot ... data uses nothing" is ridiculous. It uses part of the limited supply of bandwidth. This bandwidth can be expanded by installing more transmission media (cable, fiber, microwave antennas, network switches, etc.) wherever the bottleneck happens to be, but that costs money too, and companies won't do it unless they expect to be able to capitalize on the increased capacity.
He never actually really says, at least in the interview transcript. He claims a technological solution exists that doesn't weaken the security otherwise, but - speaking as a information security engineer - I'm not buying it. He says what he actually *wants* is a "legal framework" to compel decryption of data. This implies that the decryption keys would have to be kept around (goodbye forward secrecy), though it doesn't actually say so. It also implies that he wants something that a subpoena can't already get, which is more than a little concerning.