
Comment Re:Good for them (Score 1) 148

How did he hold it hostage? He disclosed the vulnerabilities to them privately before doing anything else. This wasn't a case of "shame them now, hope for a payout later". It was a case of "responsibly disclose it privately, then do a stupid thing by disclosing it publicly before they've had a chance to pay you". As much as I don't like Groupon, I'm not sure which side of this disagreement I think is (most) in the wrong.

Comment Re:Wait, what? Even in offline mode? (Score 1) 117

Good points all around. The one thing I might quibble about is the inability to remove the WiFi network. I can't check it at the moment, but I distinctly recall trying to delete "attwifi" as a recognized network years ago, back when I first noticed I had connected to it unexpectedly. That said, I'm not representative of a typical user, and 34% is higher than I had realized, so as I said, good points, and thanks for the rebuttal.

Comment Re:Wait, what? Even in offline mode? (Score 2) 117

They use the word "force", but as the attack was originally described, what they're actually talking about doing is spoofing a network that your device already recognizes. More or less, if an attacker knows your home WiFi SSID or can make a lucky guess about what other SSIDs your device might already recognize (e.g. ones that your device was programmed to know out of the box), they can name their malicious network in such a way as to possibly get you to automatically connect to it as a recognized network.

There's nothing particularly novel about that attack, and contrary to their verbiage, it doesn't force anyone to join a network, nor can it even easily be used in conjunction with this attack for the vast majority of users. Is it a potential problem? Absolutely, but only for a small subset of users. The way they're phrasing it and talking about it, it seems pretty clear that they're trying to boost their own profile a bit. For most cases, the two attacks can't be used together unless the malicious agent is stalking their victim.

Comment Re:even when in offline mode (Score 1) 117

How did it take you that long to read the handful of comments that existed at the time?

I loaded the page before your comment existed, started reading the source material, typed up a response to the first OP in the comments with the same question I had, posted my response, and only then had the page refresh with your comment. That's what I was getting at. Sorry if I was unclear.

Comment Re:even when in offline mode (Score 5, Informative) 117

I was curious as well, so I read through their presentation slides and their press release.

The gist of the attack is that they've crafted a malicious SSL cert that can cause strange behavior in apps and the OS itself, including the possibility of initiating a crash-reboot-get malicious SSL cert-crash cycle. Once you get stuck in that cycle, there's no way to turn off WiFi, hence why they said that offline mode would not remedy the issue. That said, offline mode can indeed keep you from getting stuck in that cycle to begin with, and the researchers even recommended it as one of the ways to avoid the problem entirely. Alternatively, if it's already too late for you and you're in the crash loop, simply leaving the area will fix the issue for you, since you'll be able to pull down valid SSL certs and reboot as normal.

Which is to say, the summary has it wrong, since the attack cannot cause you to enter the crash loop while you're in offline mode, but you won't be able to enter offline mode once you're in the crash loop, so offline mode cannot save you at that point. Only leaving the area will work.

Comment Re:Old Idea (Score 3, Informative) 34

In the case of GlucoWatch, the page you linked indicates that it's used for up to 13 hours at a time, taking samples every 10 minutes. In contrast, this device can only do one sample at a time, after which you send it off to a lab for testing. They're targeting patients who may need to monitor cancer or infection on an infrequent basis with a turnaround of a few days, as opposed to people who need immediate blood measurements, such as diabetics monitoring their blood sugar levels.

I don't know enough to suggest that that addresses your concern, but at the very least it would seem to lessen the chances that the problems associated with long-term use would occur.

Comment Re:It's routine to cut off services for idiots. (Score 1) 616

Even when "cut off" from the roads, you still benefit from their presence in other ways, such as public transit, postal service, or produce getting delivered to your grocer. Moreover, driving is considered a privilege, not a right. That's why you need training, testing, and a license, rather than being able to just grab a car and get on the road.

Incarceration is a special case, but it does bear some similarity to the case at hand, since in both cases we're talking about removing from the general population people who are a danger to society. The big difference, however, is that criminals are responsible for the danger that they themselves present, whereas these children are not. Yet regardless of that, we're talking about stripping them of their rights all the same.

You can see why I'm conflicted.

Comment Re:I'm a bit conflicted (Score 5, Insightful) 616

Isn't questioning the efficacy of the vaccine a bit moot at this point? It's well-established that the rate of measles occurrences has declined by more than 99% in the US since the prevaccine era. No doubt, there are several contributing factors (e.g. decrease in measles parties, as you said), but there's no way to account for that change absent the consideration of the vaccine (e.g. measles was endemic before measles parties were a thing, so it likely isn't that measles parties are gone). Suggesting the link is "tenuous" seems rather disingenuous. It's possible the vaccine may not be effective to the degree people claim it's effective, but suggesting there's even a possibility that it's not effective at all is rather absurd.

Comment Re:I'm a bit conflicted (Score 3, Insightful) 616

Medical exemptions are standard practice, and I believe most of us assumed that they weren't even on the table for discussion since they would continue being standard practice. That's why it's so important to get anti-vaxxing out of the picture, since without a well-established herd immunity, people in your shoes are exactly the ones who end up getting hurt unfairly. No one is suggesting we force people who are allergic to the vaccines to take them. We're talking about forcing those who can take the vaccine so that we can all be safe.

Comment Re:I'm a bit conflicted (Score 1) 616

I would agree, but that opens the debate over vouchers for education.

Exactly. I'm with you in terms of supporting vouchers, but I agree that tying it to this debate by making anti-vaxxing a means for obtaining vouchers would be a very bad idea. It'd just encourage people wanting vouchers to practice anti-vaxxing, which is the exact opposite of what's in everyone's best interest.

Comment I'm a bit conflicted (Score 3, Insightful) 616

I'm firmly in the "what the hell is wrong with you anti-vaxxers?!" camp, and almost any of us here could rattle off a laundry list of the ways that these parents are just plain wrong, but this bill would more or less enforce a quarantine for at-risk children, depriving them of access to a state-provided resource (education) that they are entitled to, for reasons that are unrelated to the resource being offered (i.e. the parents don't have a problem with public schooling). I'm tempted to suggest that the "fair" thing to do would be to give the family a refund on the school district's share of their taxes if they've been cut off from that resource, but I also don't like the idea of giving tax breaks for engaging in idiocy.

As I said, I'm conflicted. I agree that steps need to be taken to disincentivize anti-vaxxing. I like that some doctors are refusing to accept patients who aren't vaccinated, but I'd like to see the deterrents get into the public space somewhere. I'm just not convinced that this is the way to do it.
