Comment Re:What's the UTF-8 encoding of THAT? (Score 1) 549
I'd say +1 Informative except, well, already posted ...
Leave it to a Great Old One to figure out a way to completely befuddle the password policy enforcer.
The potassium hydroxide electrolyte used in typical alkaline batteries will dissolve its way through the zinc canister over time even when not under load. The other common electrolytes, zinc chloride and ammonium chloride, will do the same. Zinc will corrode if exposed to acid, alkali, or sometimes if you just look at it cross-eyed, but the ease with which it gives up electrons makes it an effective primary cell anode.
One workaround is to swap positions of the electrodes: make the canister out of carbon and use a zinc center electrode shaped to give it as much surface area as a canister would have. I imagine you'd have problems with the carbon breaking easily from rough handling, though, and it might cost more to make. Maybe powdered carbon with a plastic binder instead?
ksh
Pfffft. I should have expected Korny jokes. (Ba-dum-csh.)
Also the scientific method of formulating a hypothesis and performing an experiment to test it.
Slow down, cowboy! The article is about anthropology — 'social studies' — with some speculation thrown in. It doesn't have to be science, just 'news for nerds', whatever that means.
Now lets say some well meaning and compassionate politicians decided to take care of them and built high rise apartments for all of them who were having trouble paying their rent to live in. Sounds good and compassionate right?
By Hanlon's razor as modified by Clark's law, this is more likely a simple backfire of what was intended to be a helpful act rather than some sort of evil plot; nothing deliberately planned would have gone so horribly right.
Starting with an assumption is not an action that is compatible with science.
Wait, what? At its core, to apply the scientific method is to create a hypothesis and attempt to falsify it. Creating a relevant hypothesis usually requires some sort of initial assumption, though one must be open to the possibility the process will demonstrate that said initial assumption is incorrect.
The technical solution would be to design their storage in such a way that it is _impossible_ for the company to read a customer's data.
"Impossible to read a customer's data" is not a strong enough condition. For example, if a provider uses a convergent encryption scheme, they clearly cannot read their customers' data, yet it becomes possible to deduplicate encrypted data — and consequently to identify everyone who has copies of a given plaintext, or perhaps to guess at a password embedded in a configuration file.
A shell / powershell script is plain text.
Well then, the obvious solution is to disable #! recognition and set-executionpolicy restricted, so shell scripts become useless!
Oh well, back to the drawing board.
Doesn't this create an awkward tension between two objectives of lawful authority? On the one hand, collecting taxes on income generated by commerce; on the other, extinguishing that commerce that tempts the wrath of other laws of the land (and with it the taxable income that commerce ostensibly generates).
This is oddly close to what I think DRM ought to be: advisory, not enforcing. Remove the accountability aspect, not least because it's a farce that leaves the most recent honest party holding the bag, and you have my concept of an ideal DRM engine: provenance meta-tags that let you know what color your bits are, which you can use if it affects you or ignore if it doesn't, leaving no rights-holder the wiser no matter what course you take.
Accountability-oriented DRM, which prevents no action but forces your use of certain combinations of certain colors of bits into public record, would be prone to false positives. Pulled in some GPL code to a local build of 7-Zip? Chances are the other code doesn't have a GPL exception to allow linking against the non-Open unrar, so the resulting software likely may not be conveyed (in the GPLv3 sense) at all, but creating or using the resulting combined work won't infringe anyone's rights and shouldn't require you posting public notice that you have created such a combined work if you have no intent to convey it.
All I see here is a bunch of stuff that all depends on trusted third parties... and in security circles, "trusted" means "can screw you over if they act against your interests". In this case it relies on trusted identity providers, labeled 'Verification Agent' in the paper.
It all breaks down if a verification agent is compromised, and the breach of even a single identity can have severe consequences that the accountability system cannot trace once information is in the hands of bad actors.
The authors effectively admit that this entire mechanism relies on the honor system; it explicitly cannot strictly enforce any access control, because in the context of medical data access control may stand between life and death.
Finally, the deliberate gathering of all this information-flow metadata would add another layer to the panopticon the net is turning into.
My point is that there is probably some dollar value at which the cost to find the next vuln would never increase beyond that... That's what I'm calling the infinite bug threshold.
In other words, some point at which the marginal cost of finding a zero-day roughly levels off, and thus the price elasticity of supply becomes extremely high; your "infinite bug threshold" is a hypothetical limiting case where marginal cost flattens and price elasticity of supply approaches infinity.
On the other hand, there is clearly a segmented market of consumers: software vendors themselves, white hat groups, script kiddies, organized crime rings, information warfare organizations, and covert intelligence-gathering organizations, to name a few. The same vulnerability will have a significantly different price elasticity of demand for each type of consumer, and I expect covert intelligence-gathering organizations backed by world-power governments to have awesomely inelastic demand curves.
Whether or not the marginal cost of finding a new vulnerability levels off, there will almost invariably be some actor willing and able to pay the price to obtain it.
"Aww, if you make me cry anymore, you'll fog up my helmet." -- "Visionaries" cartoon
