
Submission + - CSI:Cyber leaked early to torrent sites. 2

MouseTheLuckyDog writes: In a major piece of irony, the first episode of the new version of CSI:Cyber, a new CSI dealing with cybercrimes, has been leaked to torrent sites before it has been shown by CBS.

PS: Ars is reporting it too.

Comment Re:Try and try again. (Score 2, Interesting) 445

I am currently an avid Android user.

I used to be an avid Windows Mobile user. WM5/6 were actually, when they existed, the MOST power-user/business-friendly mobile OSes out there. They were more geek-friendly than any of the horrifically locked-down "Linux-based" mobile OSes.

Then Microsoft dropped WP7 on the world - an OS which was unusable for nearly 100% of the core WM5/WM6 user base. At the same time, Android was coming onto the scene, which had everything that WM5/WM6's core user base wanted. MS never recovered, they utterly screwed up. NEVER alienate the majority of your core user base, even if it's trying to reach a "new" audience - especially when the "new" audience you're targeting is already drooling over a competitor (Apple).

Comment I respect the FAA (Score 4, Interesting) 60

The FAA is one of a very few government agencies that takes its job seriously and focuses on quality.

They're better than that. Surgeons in operating rooms are cribbing from the FAA for techniques and procedures to improve patient safety. The safety record of the airline industry is quite remarkable and the FAA deserves a huge amount of the credit for that achievement. I've worked as a quality engineer and whatever their other flaws might be, the FAA groks quality and safety as well as any organization I've ever seen.

I'd trust them to take IT systems security seriously and delegate the work to competent engineers.

As would I. The only thing I really worry about with the FAA is in keeping Congress from meddling with them too much. They are in my opinion one of the best run agencies in our government. That's not to say they don't have their flaws but on the big picture stuff, especially safety, they do a pretty good job overall even when they don't have all the resources they might.

Almost can't believe I'm saying this, but it would seem they have good workers.

Why should it shock you? We have many people in our government who are remarkably competent. I'd be happy to introduce you to some that I know personally. The FAA does not only have good workers but they have a safety first framework and have built a culture and procedures to support that. They also have the advantage of not being a political football for Congress to fight over. A good worker can be put into a system that doesn't work and chances are they will fail. Safety and reliability are NOT about competent people working hard. Those are important things but they will not get the job done unless you also have an organizational framework that supports them properly. The FAA has oversight over the entire process from certifying the airplanes before they even get built, to overseeing the ongoing maintenance and supply, to being able to force private companies to be grounded if they don't do what they are supposed to do when they are supposed to do it. They are able to get into all the corners of the industry that affect safety and they largely do a good job of ensuring that things are done properly like a regulator is supposed to.

Comment Re:What could possibly go wrong? (Score 3, Informative) 125

But what you're saying is that rebooting is somehow a magic cure-all that guarantees the system isn't infected somehow.

Don't be condescending. I'm not saying rebooting is a magic anything.

Whether or not this matters depends on the threat model and why the attacker is interested in patching the kernel. For example, one purpose would be to disable other kernel security features, such as SELinux, or dm-verity. Most SELinux rules are configured and the configuration can be altered by root, but some are compiled into the kernel and can only be modified by modifying the kernel. Altering the persistent kernel image may not be possible for a variety of reasons (read-only media, SecureBoot, etc.). In addition, in security-sensitive and mission-critical contexts an unexpected reboot may well be noticed.

I don't understand your assertion about SecureBoot. Are you referring to some known vulnerability of some particular secure boot system? Given a decent implementation of secure/verified boot, an attacker should not be able to convince the system to boot a modified kernel image, which means that run-time modification of the kernel is the only option if the attacker needs to bypass some kernel security enforcement.

In general, the security model of a high-security Linux system assumes that the kernel is more trustworthy than root. The ability for root to modify the running kernel invalidates this assumption, which most definitely is a security issue.

In the context of a system without mandatory access controls there may not be any reason to care, since once an attacker has obtained root there probably isn't any limit to what he can do.

Comment Re:Necessary, not sufficient. (Score 1) 99

I think you're misguided. The criteria for patentability has never been bad, and has actually gotten worse since the recent change to "first to file".

Yes it has been, and your following paragraphs demonstrate clearly why this is so.

The problem is it's impossible for anyone to know what can or cannot be patented without spending hundreds of thousands of dollars hiring an entire team of lawyers to search through the back catalogue of patents and inventions and court precedents.
The patent office does not have enough staff to do proper research while a patent is being filed. If they did proper research, they would only be able to approve a handful of patents per year with the number of employees currently working at the PTO.

The problem with the current system is that the PTO has taken the approach of only rejecting patents if they can find documented evidence that someone has done the exact same thing before. If there is a single independent claim for which they can't find exact prior art in a timely manner, then they approve the patent, regardless of how similar it is to other prior art. They deliberately ignore the obviousness of the patent because they don't want to have to defend subjective decisions against appeal.

The recent Supreme Court rulings have forcefully asserted that this is not acceptable. The law clearly states that obviousness is one of the criteria for patentability and therefore the USPTO and courts must take that into consideration when deciding patentability. Furthermore, they have stated that if the improvement that an invention makes on prior art is not patentable by itself, then the invention is not patentable. This is a huge decision because it rules out a ton of "on a computer" and business model patents that combined things that weren't patentable on their own into something that was patentable in aggregate. This second issue is likely to have an even bigger impact as it can be applied more objectively than the first which increases the chances that the USPTO will embrace it. Furthermore, if anything these changes decrease the amount of research the PTO has to perform for an average application.

It simply isn't possible for a small company to defend themselves at all, their only viable option is to settle out of court which inevitably means nobody actually knows whether or not the patent is valid. After years of watching this issue closely I have never seen a small company defend themselves in court. Some have tried, but every single one gives up and settles out of court half way through the process.

Agreed, which is why we need these reforms. They proposed two important changes. First is to strictly limit how much information the plaintiff can subpoena during discovery. This prevents fishing expeditions and prevents discovery from turning into a war of attrition, which will make defending oneself against patent claims faster and less expensive. Secondly, it allows the defendant to challenge the validity of the patent before discovery has taken place, potentially avoiding the vast majority of the expense of defending oneself, if the patent is determined to be invalid by the new post-Alice standards.

Personally I don't see how any reform could possibly fix the problem. There are certainly ways to improve the situation but I don't think anything can truly fix it. I've never seen anybody suggest a viable solution.

I have no disillusions that these changes will magically make the patent system perfect. In fact I expect the USPTO and the lower courts to continue to be slow to adopt them, but they address the two biggest issues with the patent system today - the low standards for patents and the cost of defending against them - which is more than I can say about any other proposed changes to the patent system in the last 50 years.

Comment Re:What could possibly go wrong? (Score 3, Interesting) 125

It's no more a risk than current patching that requires a reboot, except that you don't have the downtime of a reboot.

Sure, if your concern is error, rather than malice. An attacker who gains root could use this to dynamically patch a backdoor into the running kernel. Rebooting the machine would potentially enable someone to notice.

As another poster noted, though, you can already dynamically patch the kernel for malicious purposes by loading a malicious module, assuming that hasn't been disabled. In contexts where security is crucial, I would disable both dynamic module loading and run-time patching.
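The two threads above argue that a high-security Linux box should stop root from altering the running kernel, whether by loading a module or by live-patching it. The following audit script is an added example, not code from either commenter; it reads the real Linux interfaces for those controls (the one-way `kernel.modules_disabled` and `kernel.kexec_load_disabled` sysctls, the lockdown LSM state file present on 5.4+ kernels, and the sysfs directory where loaded live patches appear). The optional root-prefix argument is an assumption added so the function can be pointed at a constructed directory tree for testing.

```shell
#!/bin/sh
# Audit whether root on this host still has a supported path to modify
# the live kernel. Pass a directory prefix to inspect a constructed tree
# instead of the real /proc and /sys (used by the test below).

# Print a file's contents, or the fallback when it is absent/unreadable.
read_or() {
    if [ -r "$1" ]; then cat "$1"; else printf '%s' "$2"; fi
}

# Prints one "<control>=<state>" line per control. "ok" means that path
# for changing the running kernel is closed; "weak" means it is open or
# the kernel is too old to expose the control (no lockdown file).
audit_kernel_hardening() {
    akh_root="${1:-}"
    akh_mod="$(read_or "$akh_root/proc/sys/kernel/modules_disabled" 0)"
    akh_kexec="$(read_or "$akh_root/proc/sys/kernel/kexec_load_disabled" 0)"
    # The lockdown file reads like "none [integrity] confidentiality";
    # the bracketed word is the active mode.
    akh_raw="$(read_or "$akh_root/sys/kernel/security/lockdown" none)"
    akh_mode="$(printf '%s' "$akh_raw" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')"
    [ -n "$akh_mode" ] || akh_mode="$akh_raw"

    if [ "$akh_mod" = "1" ]; then akh_m=ok; else akh_m=weak; fi
    if [ "$akh_kexec" = "1" ]; then akh_k=ok; else akh_k=weak; fi
    case "$akh_mode" in
        integrity|confidentiality) akh_l=ok ;;
        *) akh_l=weak ;;
    esac
    # Each loaded live patch is a directory under /sys/kernel/livepatch.
    akh_p=none
    if [ -d "$akh_root/sys/kernel/livepatch" ] &&
       [ -n "$(ls -A "$akh_root/sys/kernel/livepatch" 2>/dev/null)" ]; then
        akh_p=present
    fi
    printf 'modules_disabled=%s\nkexec_load_disabled=%s\nlockdown=%s\nlivepatches=%s\n' \
        "$akh_m" "$akh_k" "$akh_l" "$akh_p"
}

# Run against the live system when executed directly.
audit_kernel_hardening "${AUDIT_ROOT:-}"
```

A "weak" line is a configuration finding, not evidence of compromise; "livepatches=present" only says a patch is loaded and should be reconciled against what the administrator expects.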

Comment Re:Pretty pointless (Score 1) 324

I assume the communication companies were handing over a lot more than the NSLs can demand in the spirit of cooperation and that is why the retroactive immunity was necessary.

The GP wasn't suggesting that excessive data was handed over, he said that an NSL could be used to demand installation of a backdoor. If I were a vendor, even one who really wanted to be cooperative, I'd balk at that, because the chances of something like a backdoor being discovered are too high. It would be actively sabotaging my customers, and not just to the NSA... a backdoor can't distinguish between users, it lets in anyone who figures it out. And, of course, if the existence of the backdoor were published it would do serious damage to my business.

Even companies who want to cooperate are going to be reluctant to do potentially business-destroying favors for the government. There would be a great deal of incentive to fall back on the law and refuse on the grounds that the law doesn't authorize such requests.

Comment Re:FDE on Android doesn't work as of yet (Score 1) 124

I'm skeptical that an Android device would survive running flat out for two years to crack a PIN. The heat and battery life issues I experienced when I tested it demonstrate clearly that mobile devices simply aren't designed to run full-speed 24x7.

Also, it should be pointed out that the attack I described is far from easy to carry out. Among other things, it requires dumping the contents of flash, which basically requires removing the flash chips from the mainboard without damaging it, then either putting the flash chips back or installing new flash, then the device must be unlocked, a custom, hostile OS flashed, and finally the attacker can start the multi-year process.

Note that the 630-day figure I cited is on average. It would take twice that long for a guaranteed break.

Finally, if you add one more character to your passcode (7-character alphanumeric), the crack time jumps from 630 days on average to 124 years.

I agree that Lollipop FDE still needs some improvement, but it's already quite good.

Comment Re:Storage (Score 1) 197

I guess you don't know how the grid actually works. It does NOT involve running wires directly from the generator to some distant location. Again, I don't know that much about how it's set up in the UK, but physics there is the same as in the US. In the US, electricity is often sold across multiple states (easily far enough to reach another country in Europe), even when it's generated with fossil fuels. Since losing money isn't a popular hobby, I would have to say it makes economic sense.

Comment Two part problem (Score 1) 564

It's a problem in two parts, but what it really comes down to is that when you double click, you don't actually know if data will be viewed or a program will execute. Is it REALLY a surprise to anyone that that's a gamble you will lose sooner or later?

Fundamentally, having the same action mean more than one thing is asking for trouble. There needs to be one action to open and another to execute.

Next, the icons themselves should indicate an executable even if it does not end in .EXE. Some sort of emblem should take care of it.

Comment Necessary, not sufficient. (Score 4, Interesting) 99

Granted, the biggest problem with the patent system has been that the criteria for patentability has been so loose, and the recent Supreme Court rulings will certainly do more to fix that root cause than the recent patent reform bills. Hopefully going forward these new rulings will improve the quality of patents approved and upheld in court, which is by far the single most important reform needed in the long run.

But in the meanwhile there are more than 20 years of bad patents that have been granted, and the cost of defending against a patent lawsuit is still far greater than the cost of settling. We need to make it less expensive to challenge existing patents if we don't want them to continue to be a burden for the next 20+ years. That is exactly what the reform bills were about. They were designed to be complementary to the Supreme Court rulings, addressing different parts of the problem.

Submission + - Scientists Create Artificial Sunlight Real Enough To Trick the Brain 1

HughPickens.com writes: Navanshu Agarwal writes that Italian scientists have developed an artificial LED sunlight system that looks just like real daylight streaming through a skylight. The LED skylight uses a thin coating of nanoparticles to recreate the effect that makes the sky blue, known as Rayleigh Scattering, that doesn't just light up a room but produces the texture and feel of sunlight. Paolo Di Trapani, one of the scientists who worked on the device, believes that the skylight will allow developers of the future to not just build up, but also far down below the ground, without any of the dinginess that currently keeps us above ground.

CoeLux hopes to treat seasonal affective disorder, or SAD. Each year, some 10 million Americans, mostly women, find themselves sinking into a heavy malaise during the wintertime. CoeLux hopes its LED bulbs, which create the illusion of infinitely tall, bright blue skies, will help trick the brains of people with SAD, ridding them of their blues.

Comment Re:Storage (Score 1) 197

How does this excess electricity get to non-local consumers? There is significant line loss over long distances and the grid has to have the capacity to carry it.

Given that the grid exists and power is sold on it now, it stands to reason that it can be done in an economically sound manner. Otherwise it wouldn't exist.
