How complex is that problem anyhow?
I mean is the problem bounded by CPU time or by how fast you can twist the cube?
4850 publicly visible posts • joined 9 Mar 2007
I mean for many companies import duties won't actually matter. Large International corporations surely will find ways to dodge any import duty, as they can simply avoid crossing US borders.
There might be another point. Large companies might move out of the US and set their headquarters somewhere else. Some highly qualified employees might move with them, while others might simply quit... bringing a lot more decently qualified people on the "market". They might perhaps found their own company, or work at another company raising the average of skill there.
In any case, there is not much telling what Trump will actually do.
Back then people escaped their walled gardens to be on the open Internet. Now many people go to walled gardens such as Facebook.
Perhaps one thing is still the same. People using "online services" such as AOL were often regarded as the less smart ones, the conformists, the people who don't quite think for themselves. It's still like this with Facebook in some regard. More and more people apologize for being on Facebook or say that their account is just there for some legacy application.
It's a discussion that goes on for decades. The official magazine of the Chaos Computer Club already posted the question if it's right to be on "commercial mailboxes". Back then it was about "BTX" the German version of "PRESTEL". (had much fancier graphics conforming to the latest standard for teletext)
https://www.youtube.com/watch?v=iBfvIh2K4G0 (it even impressed aliens back then)
There is no way to have a system that's easy enough to be understood by everyone and involve computers. Once you have a computer, the average person has no chance of understanding it any more and therefore no chance of having informed trust in it.
Pen and paper systems may be easy to fake, but they are also very easy to understand and check. Particularly if you hold elections on Sunday or a public holiday, everyone has the chance to check that election... or even be involved in it by volunteering to run it. (you get a small amount of money for that)
Usually pen and paper systems are also rather quick to count. In Germany the polls close at 18:00, and at 20:00 you already have the full result for the news.
"You could always release your own stripped down browser."
No you can't, that's the point. Web developers expect more and more stupid features because mainstream browsers have them. If mainstream browsers would only implement essential features, web developers wouldn't use all that cruft.
Everyone wants to create something even if they are bad at it. Creating a new feature and API is just an example for that. That's why you get so many bad new protocols or things like systemd.
There are people who have neither achieved the maturity nor the laziness it takes to design a good system, and increasingly they have the ability to mess things up.
In the past we had a natural filter and that was productivity. If you wanted to make an operating system that was more complex than UNIX you had trouble getting enough people to do so. Today everyone wants to join an Open Source project to have something for their resume.
I mean there's also the USB API or the Bluetooth one, both having even stronger security implications. Then there's HTTP/2 which doesn't actually solve any problems and at best tries to masquerade web developer idiocy, but makes the whole problem of web application and even simple web sites _much_ more complex. More complexity means more bugs and therefore more security critical bugs.
However the W3C was created to increase the number of features, and all players in the browser oligopoly want more features as it keeps the competition out.
"something something terrorists"
No, back then it was "something something Russian spies".
Back when GSM came out there was a huge crypto discussion on whether it should be allowed to be encrypted. Not allowing the network to authenticate itself to the handset was the compromise.
Well even if you cannot change people themselves, you can easily influence their behaviour. How many people do you know that got electrocuted by their household appliances? With all those appliances around, that must be a high number, mustn't it? The reason this number is rather low is that household appliances are designed to prevent you from doing stupid things. You cannot simply touch any conductors inside, because they are encased in plastic.
However in computing there is no sense for security. Yes we tell people not to execute code from the Internet, yet when you click on a link to download an executable in your browser, it'll actually offer you to execute it right away. That's a stupid thing that should never have been offered. Same goes for all kinds of app containers like apk or flatpak. If you click on a link, and your system will install software that's a _really_ bad thing.
Instead you can make stupid things hard and provide safer alternatives. This then will influence people into not doing stupid things. Also make sure that the things they actually need to do (e.g. opening PDF files) are as safe as possible (e.g. not using a feature complete PDF reader).
BTW the stupidity doesn't always just lie on the end user side, often it's also in the IT departments. Just think of the many computers that have office software installed without needing it, or Acrobat Reader when a more secure PDF reader would be good enough.
"Easy access to everything allows them to get on with treating patients and every clinician loves their e-mail."
Yes, but seriously it's not a conflict between "easy access" and security. It's a conflict between stupidity and security. If you can just stop people from being stupid you'll have solved most of the problem.
Just like there are basic safety standards for things like light fixtures, the NHS could enforce those for the software they use. Since software security doesn't really cost money (only features) that should be easy to do.
"...so that the students currently graduating actually have the skills that employers want."
I'm sorry, but that's exactly the problem we have today. Universities are aligning their courses to what employers want. The result is incredibly narrow minded students who have never learned the basics of their field and are unable to cope with any change. From this you get people who spend 20 years doing the same. When they get laid off, they'll never find a proper job again.
"... but the R&D staff made it very clear that their personal notebooks had to be checked in and out of locked storage at the opposite ends of the working day and that they were under strict purdah when it came to discussing any details of their job with anyone else."
I am not sure how much of that is PR (look how innovative we are, we cannot even tell you what we are working on) and how much is legitimate. However considering that Dyson is one of the more innovative companies and how much even completely non innovative companies seem to care about such things, it seems proportionate.
It seems like this would bring out more of the same we have now, teaching students a job instead of a field. If you do that, you'll end up with more and more narrow minded people.
Education is not about getting a job, it's about learning new things for the goal of knowing more. Being more suitable for the more interesting jobs in the world is just a side benefit.
Of course they could technically comply. After all they control the client (with updates and possibly hidden extra features), so they can instruct it to either give them the key or even the complete conversation. There is no incentive for Skype not to have that feature. (apart from the few hours of work that feature would require)
Of course they need to claim that they have no control over their clients. Paying 30k€ is a low price for all the positive publicity they get in the newspapers.
We already have an increasing amount of Javascript Malware in forms like tracking software. Until now you could simply defend against it by having locally patched versions of them. Patching WebAssembly will make this a lot harder.
The reason why browser manufacturers adopt WebAssembly is probably because it makes browsers more complex, creating a higher point of entry for new competitors. It's impossible to develop a new browser (engine) with a small team. You will always need a fairly large organisation. Those organisations want to continue existing. Making the web simpler could increase competition and could kill or harm any of them. An oligopoly is a rather nice place to be in.
I'd rather want one that speaks WIFI as that would reach through the access point from my kitchen to where I want to know its status.
We live in a world where even single chip WIFI solutions have enough horsepower to provide a simple webserver you can talk to directly with your browser.
Well unfortunately browser sandboxes aren't any more secure than any other kind of sandbox. For most users they don't protect anything as most things are happening in the browser anyhow.
Yes, native apps are a problem, but since people are aware that those are shit, people might stop buying shitty devices that don't adhere to simple public protocols.
They have a track record of implementing and backing every bad idea. APIs like this one (or the USB one, or just about any that came out in recent years) make browsers more complex so it's harder if not even impossible to fork your own browser engine or even write one from scratch.
This keeps the browser market in an oligopoly, something all players there can live with. For them it's good, for the user it's bad... but nobody cares about those anyhow.
As always, more complexity will mean more bugs and therefore more security problems.
Virtualisation has been proven to not be very effective over and over again. Essentially even if it works perfectly you just have a "separate computer" which still needs to communicate with other computers. You can't fix one of the most prominent problems, an SQL injection, that way, for example.
Then storing a key on a separate machine (i.e. one owned by Amazon) you may not be able to get them externally. However since you probably get to a password database through the web app... which needs to authenticate you, it's likely you'll get that secret key used to encrypt the password database along with the database.
You could actually do something Kaminsky-like more for security if you'd store webpages in DNS. Since DNS is extremely well cached, a DOS wouldn't be so bad, most users would still get the cached copy.
There's also the obvious solution of eliminating complexity. Every line of code that's not there cannot be a bug and cannot be a security problem. Every framework brings you new bugs, and if you load javascript from other servers you don't own, those servers will own you and your users.
For example if you don't ACK the "200 OK", the call will be left open in a half open stage, and there are ways to leave a call open in the "ringing" state without it closing on a timeout.
Essentially if you have an Asterisk server and you run lots of calls from lots of different (usually broken) devices through it, it _will_ crash eventually. While it is certainly among the best VoIP software packages, it's certainly not good.
"Question. Is that hardware keyboard really, REALLY necessary?"
Well there is a simple test to check if you need a hardware keyboard or not. Look into the distance and focus on an object there. Now take your hand and put it in front of both of your eyes. If you can still see that object, that means you have transparent fingers and a touchscreen keyboard will be right for you.
However if you don't have transparent fingers that means that you'll have to type blindly which means that you need some feedback on how far you were off the centre of the key.
Now you might say that you don't actually type text on your mobile device, or that you can use autocorrect. That's all fine and good unless you actually want to store data on that device securely. To store data on the device you must encrypt it. For such an encryption you need to have some sort of a secret. If you store that secret inside the device it's next to your data so an attacker can get to it relatively easily (may cost a few thousand Euros and involve uncapping chips, but that has been done in the past). So you need to have an external secret. Legally (in many countries) it must not be stored inside of something you "have", but instead something you "know". So you use a passphrase. However typing in such a passphrase quickly requires you to be able to type quickly and precisely. Having autocorrect on your password prompt would be a _huge_ security problem, as autocorrect would remember all those purposefully misspelled words in your passphrase.
Again if you have transparent fingers, you're probably fine with a screen keyboard.
Can you root it so you can limit the IP-Addresses it will talk to? (would be a _big_ security improvement)
Can you strip down the operating system to just the things you need? (would be a _big_ security improvement)
So essentially, from the security standpoint this is not better than your average Chinese Android device for 50 Euros.
Confidentiality or integrity of the message isn't much of a problem for many areas. However mobile phones have other security problems. The most obvious is that the mobile telephone network has to know where the receiver is. That's a really bad idea in some areas as carrying around a tracking beacon has heavy privacy implications.
Plus there are the obvious practical problems of the pager network having _much_ better coverage than mobile telephony.
... instead of having a simple HTTP-Server at the manufacturer which simply serves a fixed signed firmware file, this requires a rather complex system which has to take complicated input from the outside.
So essentially they make a simple process _much_ more complex and believe that this would somehow increase security.
Increasing complexity somehow seems to be a thing for mbed.
... it used to be that on Linux or other unixoid operating systems, people tried to avoid those problems. They tried to make code as simple as possible so there is more care going into each and every line of code. (this changes now with the FreeDesktop/systemd people)
Also on Linux you already had those problems and the libraries tend to be fixed already. There's also more of a culture of fixing bugs, which may or may not turn out to be security problems, as a priority. (again apparently except for the systemd FreeDesktop people)
CAPI already stands for the Common ISDN Application Programming Interface, a rather bad API to talk to your ISDN card. Unfortunately that API was so widespread it even got ported to Linux and depreciated much better APIs. That's one of the reasons why classical ISDN cards on Linux suck.
Yes, we still have a surprising amount of work. One reason for this is of course that we can burn through more and more resources. However resources are typically finite. There's only so much oil you can turn into cheap plastic toys.
For areas where the limiting factor is the workforce, we have found other ways to keep more people employed. In engineering we purposefully stop giving students good education so they will get worse and worse. This results in engineers needing exponentially more time to solve problems. Essentially since they have never learned how to actually solve problems, or how other people have solved problems in the past, their solutions often involve creating more problems than they were trying to solve. This causes a chain reaction which can even become critical.
In other areas like management, we are seeing the creation of "bullshit jobs". Jobs which serve no purpose but to create things for people to do. There are companies producing household appliances which have whole departments thinking about how to create an overarching theme of management so they can justify, more or less logically, why they have production plants.
We are currently still doing rather well at wasting work, however I believe it is very naive to think that this can go on for ever.
I mean writing a patent isn't a very creative project, you just combine existing ideas and find a new use for them. There is no creativity involved as you can just brute force your way through a finite space of potential patents.
You won't get very novel or useful patents, but that's not the idea behind it, is it?
However you will easily be able to overload the patent system, and nobody will be able to find out if they are infringing on patents. Essentially the whole absurdity of much of the modern patent system would become even more obvious.
"If I had a Belkin product, the absolute last thing I'd want it to do is communicate with Belkin's cloud service."
Of course, but that's your opinion. In the commercial IT world you are not the customer you are the product. It's always possible to extract more money from you being there if you are the product than if you just pay.
"Belkin" (or any other company of course) believes they have the right to your data or the right to turn the light bulb into a subscription service. This cannot work without a connection to their cloud services. They believe that whatever data they gathered about you, will be valuable eventually... and seriously once you have a live feed of 10 million light bulbs there surely is some sort of fake business model you can come up with that's plausible enough to extract money from investors.
Every programmer goes through a phase where they do not understand that complexity is a huge problem. Therefore they design systems which lay one layer of complexity on top of another, without doing that in a way that actually works towards solving your problem.
So only hire programmers and software architects which have learned that the more lines of code you write and the more boxes you draw on a whiteboard, the worse your code will be.
If you look at today's systems, you'll notice that they don't get popped because of things like buffer overflows, but because someone left a debugging option open over the network which should only have been available over the serial port... and that debug port gives you access to a full-fledged operating system.
I mean of course you can for example use DVB-T signals of a SFN and estimate the distance differences to the individual transmitters. However that requires a receiver that can tune to those frequencies as well as process them in a way to estimate the impulse response.
It's much simpler to just enumerate the WLAN access points and then go from there. WLAN chipsets are cheap as they only need to work on a comparatively small band.
So in short it's one of those things that are fun to try, but probably won't have much practical use in the foreseeable future. Just like those "Lifi" setups which transmit data via LED lighting.
"if used properly the phone is WAY more secure than it would be if you rooted it and installed Linux."
I'm sorry, but unless you root your phone you cannot even prevent your vendor from installing new malware via the update feature, or your browser from exposing its security bugs to the web.
"Concentrate on making the encryption secure"
Actually secure encryption on a mobile device is mostly an illusion. Encryption always requires you to have a secret which is unguessable. However entering a secret is virtually impossible on a touchscreen. Even if you could use a strong passphrase, since your device will be always on, you can often just fish the secret out of RAM.
Storing a secret in a security chip doesn't solve the problem, as there are multiple attacks against chips these days. Pay-TV companies use the most secure chipcards you can have on a budget, and yet they have in the past regularly broken their competitor systems.
So actually your chances of security are best if you root your device and install some proper Linux OS. Once you have iptables you can enforce actual security by only allowing your device to talk to your server. (big security benefit!) Then use ssh with public key authentication and make the server erase your key regularly so you are forced to rekey.
I have a Pocket Chip which is one of the most interesting mobile devices I've seen in recent years. Unfortunately mine has a severe display problem, plunging me into support hell. For what seems like half a year (got one of the first ones) I'm trying to get a fix or a replacement.
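The allowlist described in the post above (a rooted device that may only talk to your own server), as an added example that is not part of the original post; the server address 203.0.113.10, the SSH port and the function names are assumptions. It only prints the rulesets, and it includes the IPv6 side because iptables rules do not cover IPv6 traffic.

```shell
#!/bin/sh
# Added example: build iptables-restore rulesets that let a device reach one server only.
# 203.0.113.10 (a documentation address) and port 22 are assumed sample values.

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only a decimal TCP port in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# IPv4: default-drop everything, then allow loopback and TCP to the one server.
build_ruleset() {
    server_ip=$1
    ssh_port=${2:-22}
    valid_ipv4 "$server_ip" || { echo "invalid IPv4 address" >&2; return 1; }
    valid_port "$ssh_port" || { echo "invalid port" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $server_ip/32 -p tcp --dport $ssh_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $server_ip/32 -p tcp --sport $ssh_port -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# IPv6 has its own tables; drop it entirely, or it bypasses the IPv4 rules above.
build_ruleset6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Print the IPv4 ruleset for the sample server. To load on a real device, as root:
#   build_ruleset 203.0.113.10 22 | iptables-restore
#   build_ruleset6 | ip6tables-restore
build_ruleset 203.0.113.10 22
```

Everything else, including DNS and vendor update traffic, is dropped by the default policies.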
Adding to that is probably the most braindead way of flashing the firmware. It requires you to install Chrome _and_ an extension for accessing the USB. No other way seems to be available.
There is virtually no affordable PPC hardware. It kinda moved to the high-end sector with IBM workstations and servers.
Of course you could take the specifications made for PPC and just apply them to ARM. After all there were full specifications for PPC-PCs. They even included bizarre things like the boot sector having to contain some x86 code to display an error message when you run it.
"As an appetizer: How about this google.... for hardware to be certified for use with the google apps, all of the drivers must be open source."
That's essentially a business decision. Google has little interest in hardware and software being open to competitors. Every device that gets rooted and runs non-Google software means less revenue to Google. In the past, they simply may not have cared, but they will more and more.
Also Google is a platform provider here, and their actual customers want DRM and they want it to be impossible to copy their crappy Apps.
There's a third point and that is that SoC manufacturers like vendor lock-ins. They want to make it as hard as possible to change hardware. This is why SoC hardware typically is as obscure as possible.
"I think TalkTalk deciding that they didn't want to pay for any serious investment in IT security infrastructure was."
Problems in IT security don't happen because of a lack of money, but because people decide to do incredibly stupid things. They happen because people choose to go the complex route instead of the simple and elegant one. They happen when someone creates a complex web GUI using multiple highly complex frameworks, just to do something a couple of shell scripts could have done, accessed via ssh.
"1GB is nothing. Think of all the audio which needs to be uploaded to the "cloud" for voice recognition."
The standard for sending compressed voice to a central server is 4800 bits per second. 600 Bytes per second. So a Gigabyte will last for 20.7 days of uninterrupted voice.
(Those 4800 bits are not meant to be turned back into voice, but instead the output of the first stage of the voice recognition.)
So far the results were fairly mixed. Windows, probably the most famous system based on OOP principles, has changed so often into so many directions, you can hardly see the original idea of objects (Windows and GUI elements) passing around messages (events).
BeOS seems to have been rather decent, but thanks to it being closed source and rather incompatible, it didn't actually have a chance.
My guess, and I actually hope that people will prove me wrong, is that it'll be just a mess like Android. A system far too complex to be maintained without the help of Google. A system that offers so little useful functionality under a coat of shiny stuff. A system that sees locking out the user as a security feature. Much of this won't be because of the system design itself, but because of the people such a design will attract.
However there is one really good thing that could come out of this. It could attract the systemd/freedesktop people away from Linux.
First of all Sun has already done this in the 1990s:
http://www.javaworld.com/article/2076641/learn-java/an-introduction-to-the-java-ring.html
What you can do to actually make this moderately secure is to have a public key authentication scheme. Just have a private key on the device near your body and the public key wherever you want to authorize. This works great for ssh and would eliminate passwords in the browser once browser manufacturers would get off their asses and make TLS client authentication usable.