Comment Re:Does it really matter (Score 0) 86

It does not matter. Console security systems are designed to sandbox code written with the SDKs; game developers are seen as adversaries for the purposes of security, because otherwise a hacked game makes it too easy to "level up" to full control and then piracy. For example, an early Xbox 360 exploit was based on replacing an unsigned shader file in a specific game, which allowed arbitrary shader execution and from that control over the CPU.

The Xbox 360 security system was very impressive and only encountered truly serious problems right at the very end of the console's much-extended lifespan. I've got an interest in computer security, so I'm eagerly awaiting talks on how the Xbox One is done, but given the general success of the 360 architecture I suspect the One is very similar, with some tweaks and additional defence in depth.

Comment Re:Not true everywhere (Score 1) 183

Anyway, at least for Germany I support the regulation and Uber being forced to obey it.

And I suspect that eventually they will, for things like that, unless they are forced out by explicit bans. As you say, most of those regulations are not particularly bothersome ... although unfortunately trying to fix problems with laws can go wrong so easily. For example, if there's a regulation about a working money counter (meter), and Uber drivers don't use meters because the app is doing the calculations instead, then a detail as trivial as that can easily end up causing the whole thing to collapse.

The problem Uber has is that it's a global brand. When Uber and their drivers do things like ignoring medallion systems in the USA, and get slated for ignoring the law, that impacts their brand in other parts of the world where maybe they aren't ignoring it or are coming into compliance. On the other hand, a global brand gives great economies of scale. I suspect they can't win.

Comment Re:Stick a fork in, Uber is done. (Score 1) 183

To be fair, either Uber needs to meet the same requirements as traditional taxi companies, or the conditions need to be lifted for all firms wishing to offer cars and drivers for hire.

Well, let's face it, the latter isn't going to happen. Last time Uber came up we were discussing India, where the regulations spell out how many phone lines you need going to your (New Delhi-based) HQ. The people running taxi licensing there hadn't even heard of Uber before some local media blowup. Taxi licensing is so sclerotic, so fragmented and so beholden to the existing taxi companies that the chances of the system reforming itself appear to be zero.

That leaves option (1), Uber complying with the existing regulations. There are two different issues here.

One is, do Uber customers get the same protections that customers of existing taxi companies do? Although I've never used Uber, from what I can tell the answer seems to be yes ... at least in that Uber polices their drivers for scamming and other poor service. The commercial insurance issue seems still unresolved, but I read conflicting things about this. But I see no evidence that local government regulators can do a better job of policing drivers than Uber, and frequent evidence that they cannot.

Two is, do the regulations Uber ignores even make sense? Frequently the main regulation they're violating is lack of a license, which is not itself any consumer protection at all. In a lot of American cities licensing seems to have become some kind of horribly corrupt and utterly unreformable racket. To get upset about Uber drivers ignoring the New York medallion system, for example, you would have to believe that law is the same as morality and that driving without a medallion is ipso facto unethical, as opposed to "just" illegal.

Comment Re:This is nothing new for me. (Score 1) 164

It's not quite that easy. You need multiple sources of evidence, you need up to date feeds of VAT changes from every EU authority, and then you need to (unless your local government does it for you) fill out tax returns for every EU country, assuming you have customers all over the place.

Comment Re:$1B in new tax revenue! (Score 1) 164

I am not yet aware of equivalents to the UK VAT MOSS in other countries, though I'm sure they'll get it together. But bear in mind by registering with the MOSS you forfeit your "too small to matter" VAT registration exemption. And you still have to collect all the evidence. There are other catches too that I don't remember. But mostly it doesn't help anyone not in the UK.

Comment Re:Anyone can intercept SSH some of the time (Score 1) 278

They have fake certificates from trusted authorities for some major sites

I believe at this point I have read all Snowden documents, especially all that are relevant to SSL. Only one of them has even mentioned fake certificates, and that was a GCHQ presentation saying that they spotted the Iran attack using the hacked DigiNotar certs in their metadata databases.

So far there is zero evidence that Western ICs are compromising certificate authorities. I know that this was the favourite conspiracy theory of the last ten years, but Snowden happened, and it turned out to be false.

What there is LOTS of, is talk about stealing the private keys through hacking and decrypting TLS intercepts that way.

We know that GCHQ loves doing the latter, so it's a question of working out which certificate authorities have been compromised and deleting them.

You are referring to QUANTUM INSERT. There is no requirement to break SSL for this system to work, because it relies on browser exploit kits. It just waits until you visit a non-SSL-protected website (any will do) and redirects you to an exploitation server.

That said, I anticipate that NSA/GCHQ might be tempted to start using forged certificates in future as strong TLS becomes more widespread and they keep losing visibility into consumer web traffic. There wasn't much incentive until now because most encrypted traffic they cared about is VPN traffic where there are no CAs anyway, it's all pre-shared keys. But this is what certificate transparency is for. It forces CAs to make public logs of all certificates that can then be data mined by anyone.

Comment Re: Sorry, not corporate enough. (Score 3, Informative) 69

You're probably unaware that the GP specifically used 'HSBC' because they were caught laundering trillions of dollars of drug money and nobody was indicted.

He probably isn't unaware of that. He may well have actually read the indictment itself or a detailed summary of it, which made clear that the US case was very weak to the point of hardly working at all. In particular, not only did they fail to clearly establish that drug money was really moving (their case was "there is so much cash, some of it must be from cartels") but in particular they failed to show intent by HSBC execs to help drug cartels. Actually their case boiled down to HSBC didn't try hard enough, they weren't suspicious enough, etc. (I'm ignoring the Iranian transactions here, which get into issues of international jurisdiction, as you only brought up drugs.)

The reason you think they are guilty is twofold. Firstly, US anti-money-laundering laws are unbelievably extreme. The PATRIOT Act removed the need to have intent to be found guilty of money laundering. Bankers can now be found guilty of AML violations even if they genuinely tried hard and had no intent to break the law. Hence the accusations from the DoJ that were of the form "HSBC should have designated Mexico as high risk", etc. Secondly, as part of the plea agreement HSBC had to act guilty and accept whatever the DoJ said about them. So you only heard one side of the story, the prosecution's side (except there was no court case). No surprise that you think the whole thing is cut and dried.

It's no crime to be ignorant of such things, but just try not to hold any policy positions on the subject.

Given that there was never any court case and HSBC was never able to defend themselves, pretty much everyone is ignorant in this case because we never heard the full story. But I'm pretty sure if DoJ had emails from HSBC execs that looked like the ones from BitInstant there would indeed have been prosecutions.

Comment Re:Under US Jurisdiction? (Score 1) 281

No but if you got a government request for your keys you'd know about it.

The government "request" would come in the form of customised malware and you'd never even know you got hacked.

If google gets such a request you wouldn't know you were compromised.

You aren't gonna know, no matter what.

It isn't like they are sending l33t hackers to break in and get the data.

Schmidt isn't an idiot, despite how the press like to portray him via selective quoting (note that TFA does not provide much context for this quote). When he says Google is the safest place to put your data, he's probably comparing Google to other companies that provide similar services, not some hypothetical fully self-hosted system, bearing in mind that self-hosting of email is rapidly going the way of the dodo even in business situations (it died for home email a long time ago).

Given that Yahoo still have not fully deployed SSL everywhere let alone encrypted their internal datacenter links, and if Microsoft have a similar effort they aren't talking about it, there's some evidence that he might be right. After all, if you get a government warrant for your data you're just as stuck as Google is: not much you can do about it. On the other hand, you are unlikely to secure your infrastructure as well as Google does.

Comment Re:Under US Jurisdiction? (Score 1) 281

But Google makes money from targeted advertising

Google makes significant sums of dough from paying corporate customers who use Google Apps. These clients can switch off advertising if they like. These are also the places where some of the most sensitive data is stored.

So Google have both the financial means and incentive to solve the end to end crypto problem for such clients. The difficulty is not financial. It's technological. Matching even just the feature set of Gmail with end to end crypto is insanely hard, and that's before you hit the "everything is a web app" problem.

Comment Re:Under US Jurisdiction? (Score 2) 281

The point of forward secrecy is that there are no such keys to seize. The "master keys" are only used for identification, not encryption. So whilst a government could theoretically seize Google's keys, this does not help them decrypt wire traffic. They'd have to do a large MITM attack, and to get everything? They'd have to decrypt and forward ALL Google's traffic. Not feasible.

Good use of applied cryptography means that realistically the only way for a government to get data out of it means requesting it specifically from the providers. In places where the warrant system has been vapourised (which certainly includes the USA and UK), this might not seem like much, but it does help prevent fishing expeditions.
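The two comments above make a claim worth seeing in code: with forward secrecy the long-term key only signs, so a seized copy of it plus a recording of the wire gives an attacker nothing, while an active man-in-the-middle holding that key does succeed. The block below is an added example, not code from the original posts or from Google, and it is simplified: X25519 (RFC 7748) is the ephemeral agreement, a toy 512-bit textbook RSA key (no padding) stands in for the server certificate's key, and the "handshake" signs only the two ephemeral public values rather than a full TLS transcript. It uses the standard library only; the primitives are for illustration and not for production use.

```python
# Added example, not from the original posts: forward-secret handshake with a
# long-term signing key (toy RSA) and ephemeral X25519. Illustration only.
import hashlib
import secrets

P25519 = 2**255 - 19
BASEPOINT = b"\x09" + b"\x00" * 31

def x25519(scalar: bytes, point: bytes) -> bytes:
    # Montgomery ladder, RFC 7748 section 5.
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ((1 << 254) - 1)) | (1 << 254)  # clamp
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P25519, (x2 - z2) % P25519
        c, d = (x3 + z3) % P25519, (x3 - z3) % P25519
        aa, bb = a * a % P25519, b * b % P25519
        e = (aa - bb) % P25519
        da, cb = d * a % P25519, c * b % P25519
        x3, z3 = (da + cb) ** 2 % P25519, u * (da - cb) ** 2 % P25519
        x2, z2 = aa * bb % P25519, e * (aa + 121665 * e) % P25519
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P25519 - 2, P25519) % P25519).to_bytes(32, "little")

def _probable_prime(n: int, rounds: int = 24) -> bool:
    # Miller-Rabin, adequate for a demo key.
    if n < 2 or any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def rsa_keygen(bits: int = 512):
    # Toy textbook RSA key ((n, e), (n, d)) standing in for the certificate key.
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def rsa_sign(priv, msg: bytes) -> int:
    return pow(_h(msg), priv[1], priv[0])  # unpadded hash: toy only

def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    return 0 < sig < pub[0] and pow(sig, pub[1], pub[0]) == _h(msg)

def derive_key(shared: bytes, c_eph: bytes, s_eph: bytes) -> bytes:
    return hashlib.sha256(b"session" + shared + c_eph + s_eph).digest()

def client_hello():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)

def server_reply(server_priv, c_eph: bytes):
    # The only use of the long-term key: signing the fresh ephemeral value.
    eph_priv = secrets.token_bytes(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    sig = rsa_sign(server_priv, b"x25519" + c_eph + eph_pub)
    key = derive_key(x25519(eph_priv, c_eph), c_eph, eph_pub)
    return key, eph_pub, sig  # eph_priv is discarded: nothing left to seize

def client_finish(server_pub, c_priv: bytes, c_eph: bytes, s_eph: bytes, sig: int) -> bytes:
    if not rsa_verify(server_pub, b"x25519" + c_eph + s_eph, sig):
        raise ValueError("server signature invalid")
    return derive_key(x25519(c_priv, s_eph), c_eph, s_eph)

def honest_session(server_pub, server_priv):
    # Returns both sides' keys and what a passive tap records: public values and
    # a signature only. The long-term key never enters the DH, so a seized copy
    # of it plus this transcript yields no session key.
    c_priv, c_eph = client_hello()
    s_key, s_eph, sig = server_reply(server_priv, c_eph)
    c_key = client_finish(server_pub, c_priv, c_eph, s_eph, sig)
    return c_key, s_key, {"client_eph": c_eph, "server_eph": s_eph, "sig": sig}

def mitm_session(server_pub, seized_priv):
    # Active attack: with the seized key the attacker answers the hello itself
    # (and would relay to the real server); the client cannot tell the difference.
    c_priv, c_eph = client_hello()
    a_key, a_eph, sig = server_reply(seized_priv, c_eph)
    c_key = client_finish(server_pub, c_priv, c_eph, a_eph, sig)
    return c_key, a_key
```

Run honest_session twice and the two session keys differ while the long-term key is unchanged; that per-connection freshness is what makes bulk passive collection useless and forces the attacker into the per-connection, in-line MITM the comment describes.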
